156-315.65 Check Point Security Administration NGX R65 Exam Set 3

For object-based VPN routing to succeed, what must be configured?


Options are :

  • No rules need to be created, implied rules that cover inbound and outbound traffic on the central (HUB) Gateway are already in place from Policy > Properties > Accept VPN-1 Control Connections.
  • VPN routing is not configured in the Rule Base or Community objects. Only the native routing mechanism on each Gateway can direct the traffic via its VTI configured interfaces.
  • A single rule in the Rule Base must cover traffic in both directions, inbound and outbound on the central (HUB) Security Gateway.
  • At least two rules in the Rule Base must be created, one to cover traffic inbound and the other to cover traffic outbound on the central (HUB) Security Gateway. (Correct)

Answer : At least two rules in the Rule Base must be created, one to cover traffic inbound and the other to cover traffic outbound on the central (HUB) Security Gateway.

Consider the following actions that VPN-1 NGX can take when it controls packets. The Policy Package has been configured for Traditional Mode VPN. Identify the options that include the available actions. Select four.


Options are :

  • Accept (Correct)
  • Reject (Correct)
  • Encrypt (Correct)
  • Drop (Correct)
  • Hold

Answer : Accept Reject Encrypt Drop

156-315.13 Check Point Security Expert R76(GAiA) Exam Set 2

You have three Gateways in a mesh community. Each Gateway’s VPN Domain is its internal network as defined on the Topology tab setting “All IP Addresses behind Gateway based on Topology information.” You want to test the route-based VPN, so you created VTIs among the Gateways and created static route entries for the VTIs. However, when you test the VPN, you find that the VPN still goes through the regular domain IPsec tunnels instead of the routed VTI tunnels. What is the problem and how do you make the VPN use the VTI tunnels?


Options are :

  • Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, use an empty group object as each Gateway’s VPN Domain (Correct)
  • Route-based VTI takes precedence over the Domain VPN. To make the VPN go through VTI, use a dynamic-routing protocol like OSPF or BGP to route the VTI address to the peer instead of static routes.
  • Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, remove the Gateways out of the mesh community and replace with a star community.
  • Route-based VTI takes precedence over the Domain VPN. Troubleshoot the static route entries to ensure that they are correctly pointing to the VTI gateway IP

Answer : Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, use an empty group object as each Gateway’s VPN Domain

What proprietary Check Point protocol is the basis of the functionality of Check Point ClusterXL inter-module communication?


Options are :

  • HA OPCODE
  • RDP
  • IPSec
  • CKPP
  • CCP (Correct)

Answer : CCP

Which of the following is supported with Office Mode?


Options are :

  • SSL Network Extender
  • Connect Mode
  • SecuRemote (Correct)
  • SecureClient

Answer : SecuRemote

156-315.77 Check Point Certified Security Expert Exam Set 22

Which network port does PPTP use for communication?


Options are :

  • 1723/udp
  • 1723/tcp (Correct)
  • 25/udp
  • 25/tcp

Answer : 1723/tcp

Which encryption scheme provides in-place encryption?


Options are :

  • IKE
  • DES
  • AES
  • SKIP (Correct)

Answer : SKIP

Central License management allows a Security Administrator to perform which of the following? Select all that apply.


Options are :

  • Check for expired licenses (Correct)
  • Add or remove a license to or from the license repository (Correct)
  • Delete both NGX Local licenses and Central licenses from a remote module
  • Attach both NGX Central and Local licenses to a remote module
  • Attach and/or delete only NGX Central licenses to a remote module (not Local licenses) (Correct)
  • Sort licenses and view license properties (Correct)

Answer : Check for expired licenses Add or remove a license to or from the license repository Attach and/or delete only NGX Central licenses to a remote module (not Local licenses) Sort licenses and view license properties

156-315.77 Check Point Certified Security Expert Exam Set 6

When synchronizing clusters, which of the following statements are true? Select all that apply.


Options are :

  • In the case of a failover, accounting information on the failed member may be lost despite a properly
  • Client Auth or Session Auth connections through a cluster member will be lost if the cluster member fails. (Correct)
  • Only cluster members running on the same OS platform can be synchronized. (Correct)
  • The state of connections using resources is maintained by a Security Server, so these connections cannot be synchronized. (Correct)

Answer : Client Auth or Session Auth connections through a cluster member will be lost if the cluster member fails. Only cluster members running on the same OS platform can be synchronized. The state of connections using resources is maintained by a Security Server, so these connections cannot be synchronized.

Which of the following uses the same key to decrypt as it does to encrypt?


Options are :

  • dynamic encryption
  • Asymmetric encryption
  • Symmetric encryption (Correct)
  • Certificate-based encryption
  • static encryption

Answer : Symmetric encryption

What is the command to upgrade an NG with Application Intelligence R55 SmartCenter running on SecurePlatform to VPN-1 NGX R65?


Options are :

  • fw install_mgmt
  • fwm upgrade_tool
  • patch add cd (Correct)
  • upgrade_mgmt

Answer : patch add cd

Check Point Certified Security Expert Exam Set 10

Which of the following are supported with the office mode? Select all that apply.


Options are :

  • Transparent Mode
  • SSL Network Extender (Correct)
  • SecureClient (Correct)
  • Gopher
  • L2TP (Correct)

Answer : SSL Network Extender SecureClient L2TP

By default Check Point High Availability components send updates about their state every…


Options are :

  • 5 seconds
  • 0.1 seconds (Correct)
  • 0.5 seconds
  • 1 second
  • 2 seconds

Answer : 0.1 seconds

If a digital signature is used to achieve both data-integrity checking and verification of sender, digital signatures are only used when implementing:


Options are :

  • Triple DES
  • An asymmetric-encryption algorithm (Correct)
  • CBL-DES
  • A symmetric-encryption algorithm

Answer : An asymmetric-encryption algorithm

156-315.77 Check Point Certified Security Expert Exam Set 6

Which of the following is part of the PKI? Select all that apply


Options are :

  • Certificate Revocation Lists (Correct)
  • Attribute Certificate
  • Public-key certificate (Correct)
  • User certificate (Correct)

Answer : Certificate Revocation Lists Public-key certificate User certificate

When distributing IPSec packets to gateways in a Load Sharing Multicast mode cluster, which valid Load Sharing method will consider VPN information in the decision function?


Options are :

  • Load Sharing based on SPIs
  • Load Sharing based on ports, VTI, and IP addresses
  • Load Sharing based on IP addresses, ports, and serial peripheral interfaces.
  • Load Sharing based on IP addresses, ports, and security parameter indexes. (Correct)

Answer : Load Sharing based on IP addresses, ports, and security parameter indexes.

When configuring site-to-site VPN High Availability (HA) with MEP, which of the following is correct?


Options are :

  • If one MEP Security Gateway fails, the connection is lost and the backup Gateway picks up the next connection. (Correct)
  • MEP Gateways must be managed by the same SmartCenter Server.
  • MEP Gateways cannot be geographically separated machines.
  • The decision on which MEP Gateway to use is made on the MEP Gateway’s side of the tunnel.

Answer : If one MEP Security Gateway fails, the connection is lost and the backup Gateway picks up the next connection.

156-315.77 Check Point Certified Security Expert Exam Set 10

Which of the following is an example of a hash function?


Options are :

  • DES and CBC
  • DAC and MAC
  • MD5 and SHA-1 (Correct)
  • SHA and 3DES

Answer : MD5 and SHA-1

Identify the correct step performed by SmartUpdate to upgrade a remote Security Gateway.


Options are :

  • After selecting "Packages: Add… from CD", the entire contents of the CD are copied to the packages directory on the selected remote Security Gateway.
  • After selecting "Packages: Add… from CD", the selected package is copied to the packages directory on the selected remote Security Gateway.
  • After selecting "Packages: Add… from CD", the selected package is copied to the Package Repository on the SmartCenter Server. (Correct)
  • After selecting "Packages: Add… from CD", the entire contents of the CD are copied to the Package Repository on the SmartCenter Server.

Answer : After selecting "Packages: Add… from CD", the selected package is copied to the Package Repository on the SmartCenter Server.

156-215.70 Check Point Certified Security Administrator Exam Set 7

You are configuring the VoIP Domain object for a SIP environment, protected by VPN-1 NGX. Which VoIP Domain object type can you use?


Options are :

  • Gateway
  • Call Manager
  • Proxy (Correct)
  • Gatekeeper
  • Call Agent

Answer : Proxy

What action can be run from SmartUpdate NGX R65?


Options are :

  • upgrade_export
  • remote_uninstall_verifier
  • mds_backup
  • cpinfo (Correct)

Answer : cpinfo

You plan to migrate a VPN-1 NG with Application Intelligence (AI) R55 SmartCenter Server to VPN-1 NGX. You also plan to upgrade four VPN-1 Pro Gateways at remote offices, and one local VPN-1 Pro Gateway at your company's headquarters. The SmartCenter Server configuration must be migrated. What is the correct procedure to migrate the configuration?


Options are :

  • 1. Upgrade the SmartCenter Server, using the VPN-1 NGX CD. 2. Reinstall and update the licenses of the five remote Gateways.
  • 1. Upgrade the five remote Gateways via SmartUpdate. 2. Upgrade the SmartCenter Server, using the VPN-1 NGX CD.
  • Upgrade the SmartCenter Server and the five remote Gateways via SmartUpdate, at the same time.
  • 1. From the VPN-1 NGX CD in the SmartCenter Server, select "advance upgrade". 2. After importing the SmartCenter configuration into the new NGX SmartCenter, reboot. 3. Upgrade all licenses and software on all five remote Gateways via SmartUpdate. (Correct)
  • 1. Copy the $FWDIR\conf directory from the SmartCenter Server. 2. Save directory contents to another directory. 3. Uninstall the SmartCenter Server, and install a new SmartCenter Server. 4. Move directory contents to $FWDIR\conf. 5. Reinstall all gateways using NGX and install a policy.

Answer : 1. From the VPN-1 NGX CD in the SmartCenter Server, select "advance upgrade". 2. After importing the SmartCenter configuration into the new NGX SmartCenter, reboot. 3. Upgrade all licenses and software on all five remote Gateways via SmartUpdate.

Check Point Certified Security Expert Exam Set 1

What action CANNOT be run from SmartUpdate NGX R65?


Options are :

  • Fetch sync status (Correct)
  • Preinstall verifier…
  • Reboot gateway
  • Get all Gateway Data

Answer : Fetch sync status

Why should the upgrade_export configuration file (.tgz) be deleted after you complete the import process?


Options are :

  • It contains your security configuration, which could be exploited. (Correct)
  • It will conflict with any future upgrades run from SmartUpdate.
  • SmartUpdate will start a new installation process if the machine is rebooted.
  • It will prevent a future successful upgrade_export since the .tgz file cannot be overwritten.

Answer : It contains your security configuration, which could be exploited.

Which Security Server can perform content-security tasks, but CANNOT perform authentication tasks?


Options are :

  • HTTP
  • FTP
  • rlogin
  • SMTP (Correct)
  • Telnet

Answer : SMTP

Check Point Certified Security Expert Exam Set 5

If a SmartUpdate upgrade or distribution operation fails on SecurePlatform, how is the system recovered?


Options are :