156-315.65 Check Point Security Administration NGX R65 Exam Set 4

What is the bit size of DES?


Options are :

  • 112
  • 128
  • 56 (Correct)
  • 32
  • 168

Answer : 56

State Synchronization is enabled on both members in a cluster, and the Security Policy is successfully installed. No protocols or services have been unselected for "selective sync". The following is the fw tab -t connections -s output from both members: Is State Synchronization working properly between the two members?


Options are :

  • Members A and B are not synchronized, because #VALS in the connections table are not close. (Correct)
  • Members A and B are not synchronized, because #PEAK for both members is not close in the connections table.
  • Members A and B are synchronized, because #SLINKS are identical in the connections table.
  • The connections-table output is incomplete. You must run the cphaprob state command, to determine if members A and B are synchronized.
  • Members A and B are synchronized, because ID for both members is identical in the connections table.

Answer : Members A and B are not synchronized, because #VALS in the connections table are not close.

Which of the following is a TRUE statement concerning contract verification?


Options are :

  • Your contract file is stored on the SmartConsole and downloaded to the SmartCenter Server.
  • Your contract file is stored on the User Center and fetched by the Gateway as needed.
  • Your contract file is stored on the SmartConsole and downloaded to the Gateway.
  • Your contract file is stored on the SmartCenter Server and downloaded to the Security Gateway. (Correct)

Answer : Your contract file is stored on the SmartCenter Server and downloaded to the Security Gateway.

Wayne configures an HTTP Security Server to work with the content vectoring protocol to screen forbidden sites. He has created a URI resource object using CVP with the following settings: "Use CVP", "Allow CVP server to modify content", and "Return data after content is approved". He adds two rules to his Rule Base: one to inspect HTTP traffic going to known forbidden sites, the other to allow all other HTTP traffic. Wayne sees HTTP traffic going to those problematic sites is not prohibited. What could cause this behavior?


Options are :

  • The Security Server Rule is after the general HTTP Accept Rule. (Correct)
  • The Security Server is not communicating with the CVP server.
  • The Security Server is communicating with the CVP server, but no restriction is defined in the CVP server.
  • The Security Server is not configured correctly.

Answer : The Security Server Rule is after the general HTTP Accept Rule.

To change an existing ClusterXL cluster object from Multicast to Unicast mode, what configuration change must be made?


Options are :

  • Change the cluster mode to Unicast on the cluster-member object.
  • Reset Secure Internal Communications (SIC) on the cluster-member objects. Reinstall the Security Policy.
  • Run cpstop and cpstart, to re-enable High Availability on both objects. Select Pivot mode in cpconfig.
  • Switch the internal network's default Security Gateway to the pivot machine's IP address.
  • Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy. (Correct)

Answer : Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy.

You are a Security Administrator preparing to deploy a new HFA (Hotfix Accumulator) to ten Security Gateways at five geographically separated locations. What is the BEST method to implement this HFA?


Options are :

  • Send a Certified Security Engineer to each site to perform the update
  • Send a CDROM with the HFA to each location and have local personnel install it
  • Use SmartUpdate to install the packages to each of the Security Gateways remotely (Correct)
  • Use an SSH connection to SCP the HFA to each Security Gateway. Once copied locally, initiate a remote installation command and monitor the installation progress with SmartView Monitor.

Answer : Use SmartUpdate to install the packages to each of the Security Gateways remotely

Identify the correct step performed by SmartUpdate to upgrade a remote Security Gateway.


Options are :

  • After selecting "Packages > Distribute…" and choosing the target gateway, the selected package is copied from the CDROM of the SmartUpdate PC directly to the Security Gateway and the installation IS performed.
  • After selecting "Packages > Distribute…" and choosing the target gateway, the SmartUpdate wizard walks the Administrator through a Distributed Installation.
  • After selecting "Packages > Distribute…" and choosing the target gateway, the selected package is copied from the Package Repository on the SmartCenter to the Security Gateway and the installation IS performed.
  • After selecting "Packages > Distribute…" and choosing the target gateway, the selected package is copied from the Package Repository on the SmartCenter to the Security Gateway but the installation IS NOT performed. (Correct)

Answer : After selecting "Packages > Distribute…" and choosing the target gateway, the selected package is copied from the Package Repository on the SmartCenter to the Security Gateway but the installation IS NOT performed.

Your network traffic requires preferential treatment by other routers on the network, in addition to the QoS Module. Which Check Point QoS feature should you use?


Options are :

  • Low Latency Queuing
  • Differentiated Services (Correct)
  • Limits
  • Weighted Fair Queuing
  • Guarantees

Answer : Differentiated Services

When you add a resource service to a rule, which ONE of the following actions occurs?


Options are :

  • Users attempting to connect to the destination of the rule will be required to authenticate.
  • All packets matching that rule are either encrypted or decrypted by the defined resource.
  • VPN-1 SecureClient users attempting to connect to the object defined in the Destination column of the rule will receive a new Desktop Policy from the resource.
  • All packets that match the resource in the rule will be dropped.
  • All packets matching the resource service rule are analyzed or authenticated, based on the resource properties. (Correct)

Answer : All packets matching the resource service rule are analyzed or authenticated, based on the resource properties.

Greg is creating rules and objects to control VoIP traffic in his organization, through a VPN-1 NGX Security Gateway. Greg creates VoIP Domain SIP objects to represent each of his organization's three SIP gateways. Greg then creates a simple group to contain the VoIP Domain SIP objects. When Greg attempts to add the VoIP Domain SIP objects to the group, they are not listed. What is the problem?


Options are :

  • The installed VoIP gateways specify host objects.
  • The VoIP gateway object must be added to the group, before the VoIP Domain SIP object is eligible to be added to the group.
  • VoIP Domain SIP objects cannot be placed in simple groups. (Correct)
  • The related end-points domain specifies an address range.
  • The VoIP Domain SIP object's name contains restricted characters.

Answer : VoIP Domain SIP objects cannot be placed in simple groups.

What is the greatest benefit derived from VPNs compared to frame relay, leased lines, or any other types of dedicated networks?


Options are :

  • stronger authentication
  • Greater performance
  • Less failure/downtime
  • lower cost (Correct)

Answer : lower cost

You configure a Check Point QoS Rule Base with two rules: an H.323 rule with a weight of 10, and the Default Rule with a weight of 10. The H.323 rule includes a per-connection guarantee of 384 Kbps, and a per-connection limit of 512 Kbps. The per-connection guarantee is for four connections, and no additional connections are allowed in the Action properties. If traffic passing through the QoS Module matches both rules, which of the following statements is true?


Options are :

  • 50% of available bandwidth will be allocated to the Default Rule.
  • 50% of available bandwidth will be allocated to the H.323 rule.
  • The H.323 rule will consume no more than 2048 Kbps of available bandwidth. (Correct)
  • Each H.323 connection will receive at least 512 Kbps of bandwidth.
  • Neither rule will be allocated more than 10% of available bandwidth.

Answer : The H.323 rule will consume no more than 2048 Kbps of available bandwidth.

Your current VPN-1 NG with Application Intelligence (AI) R55 stand-alone VPN-1 Pro Gateway and SmartCenter Server runs on SecurePlatform. You plan to implement VPN-1 NGX R65 in a distributed environment, where the new machine will be the SmartCenter Server, and the existing machine will be the VPN-1 Pro Gateway only. You need to migrate the NG with AI R55 SmartCenter Server configuration, including licensing. How do you handle licensing for this NGX R65 upgrade?


Options are :

  • Leave the current license on the gateway to be upgraded during the software upgrade. Purchase a new license for the VPN-1 NGX R65 SmartCenter Server.
  • Request an NGX R65 SmartCenter Server license, using the existing gateway machine's IP address. Request a new local license for the NGX R65 VPN-1 Gateway using the new server's IP address.
  • Request an NGX R65 SmartCenter Server license, using the new server's IP address. Request a new central NGX R65 VPN-1 Gateway license also licensed to the new SmartCenter Server's IP address. (Correct)
  • Request an NGX R65 SmartCenter Server license, using the new server's IP address. Request a new central NGX R65 VPN-1 Gateway license for the existing gateway server's IP address.

Answer : Request an NGX R65 SmartCenter Server license, using the new server's IP address. Request a new central NGX R65 VPN-1 Gateway license also licensed to the new SmartCenter Server's IP address.

How can you prevent delay-sensitive applications, such as video and voice traffic, from being dropped due to long queues when using a Check Point QoS solution?


Options are :

  • Low latency class (Correct)
  • guaranteed per VoIP rule
  • DiffServ rule
  • guaranteed per connection
  • Weighted Fair Queuing

Answer : Low latency class

Barak is a Security Administrator for an organization that has two sites using pre-shared secrets in its VPN. The two sites are Oslo and London. Barak has just been informed that a new office is opening in Madrid, and he must enable all three sites to connect via the VPN to each other. Three Security Gateways are managed by the same SmartCenter Server, behind the Oslo Security Gateway. Barak decides to switch from pre-shared secrets to Certificates issued by the Internal Certificate Authority (ICA). After creating the Madrid gateway object with the proper VPN Domain, what are Barak's remaining steps?
1. Disable "Pre-Shared Secret" on the London and Oslo gateway objects.
2. Add the Madrid gateway object into the Oslo and London's mesh VPN Community.
3. Manually generate ICA Certificates for all three Security Gateways.
4. Configure "Traditional mode VPN configuration" in the Madrid gateway object's VPN screen.
5. Reinstall the Security Policy on all three Security Gateways.


Options are :

  • 1,2,4,5
  • 1,2,5 (Correct)
  • 1,3,4,5
  • 1,2,3,5
  • 1,2,3,4

Answer : 1,2,5

Choose all correct statements. SmartUpdate, located on a VPN-1 NGX SmartCenter Server, allows you to: (1) Remotely perform a first time installation of VPN-1 NGX on a new machine (2) Determine OS patch levels on remote machines (3) Update installed Check Point and any OPSEC certified software remotely (4) Update installed Check Point software remotely (5) Track installed versions of Check Point and OPSEC products (6) Centrally manage licenses


Options are :

  • 1 & 4
  • 1, 3, 4, & 6
  • 4, 5, & 6
  • 2, 4, 5, & 6 (Correct)

Answer : 2, 4, 5, & 6

How does ClusterXL Unicast mode handle new traffic?


Options are :

  • All members receive all packets. The SmartCenter Server decides which member will process the packets. Other members simply drop the packets.
  • The pivot machine receives and inspects all new packets, and synchronizes the connections with other members.
  • All cluster members process all packets, and members synchronize with each other.
  • Only the pivot machine receives all packets. It runs an algorithm to determine which member should process the packets. (Correct)

Answer : Only the pivot machine receives all packets. It runs an algorithm to determine which member should process the packets.

You are running the license_upgrade tool on your SecurePlatform Gateway. Which of the following can you NOT do with the upgrade tool?


Options are :

  • Perform the actual license-upgrade process.
  • View the licenses in the SmartUpdate License Repository. (Correct)
  • View the status of currently installed licenses.
  • Simulate the license-upgrade process.

Answer : View the licenses in the SmartUpdate License Repository.

You are using SmartUpdate to fetch data and perform a remote upgrade of an NGX Security Gateway. Which of the following statements is FALSE?


Options are :

  • If SmartDashboard is open during package upload and upgrade, the upgrade will fail.
  • SmartUpdate can query license information running locally on the VPN-1 Gateway
  • SmartUpdate can query the SmartCenter Server and VPN-1 Gateway for product information
  • A remote installation can be performed without the SVN Foundation package installed on a remote NG with Application Intelligence Security Gateway (Correct)

Answer : A remote installation can be performed without the SVN Foundation package installed on a remote NG with Application Intelligence Security Gateway

Concerning these products: SecurePlatform, VPN-1 Pro Gateway, UserAuthority Server, Nokia OS, UTM-1, Eventia Reporter, and Performance Pack, which statement is TRUE?


Options are :

  • All can be upgraded to VPN-1 NGX R65 with SmartUpdate. (Correct)
  • All but Performance Pack can be upgraded to VPN-1 NGX R65 with SmartUpdate.
  • All but the Nokia OS can be upgraded to VPN-1 NGX R65 with SmartUpdate.
  • All but the UTM-1 can be upgraded to VPN-1 NGX R65 with SmartUpdate.

Answer : All can be upgraded to VPN-1 NGX R65 with SmartUpdate.

What port is used for communication to the UserCenter with SmartUpdate?


Options are :

  • CPMI
  • HTTP
  • TCP 8080
  • HTTPS (Correct)

Answer : HTTPS

What physical machine must have access to the UserCenter public IP when checking for new packages with SmartUpdate?


Options are :

  • VPN-1 Security Gateway getting the new upgrade package
  • SmartUpdate installed SmartCenter Server PC
  • SmartUpdate Repository SQL database Server
  • SmartUpdate GUI PC (Correct)

Answer : SmartUpdate GUI PC

Public-key cryptography is considered which of the following?


Options are :

  • two-key/symmetric
  • one-key/asymmetric
  • one-key/symmetric
  • two-key/asymmetric (Correct)

Answer : two-key/asymmetric

Your network includes ClusterXL running Multicast mode on two members, as shown in this topology: Your network is expanding, and you need to add new interfaces: 10.10.10.1/24 on Member A, and 10.10.10.2/24 on Member B. The virtual IP address for interface 10.10.10.0/24 is 10.10.10.3. What is the correct procedure to add these interfaces?


Options are :

  • 1. Use the ifconfig command to configure and enable the new interface. 2. Run cpstop and cpstart on both members at the same time. 3. Update the topology in the cluster object for the cluster and both members. 4. Install the Security Policy.
  • 1. Disable "Cluster membership" from one Gateway via cpconfig. 2. Configure the new interface via sysconfig from the "non-member" Gateway. 3. Re-enable "Cluster membership" on the Gateway. 4. Perform the same step on the other Gateway. 5. Update the topology in the cluster object for the cluster and members. 6. Install the Security Policy.
  • 1. Run cpstop on one member, and configure the new interface via sysconfig. 2. Run cpstart on the member. Repeat the same steps on another member. 3. Update the new topology in the cluster object for the cluster and members. 4. Install the Security Policy. (Correct)
  • 1. Use sysconfig to configure the new interfaces on both members. 2. Update the topology in the cluster object for the cluster and both members. 3. Install the Security Policy.

Answer : 1. Run cpstop on one member, and configure the new interface via sysconfig. 2. Run cpstart on the member. Repeat the same steps on another member. 3. Update the new topology in the cluster object for the cluster and members. 4. Install the Security Policy.

What tools CANNOT be launched from SmartUpdate NGX R65?


Options are :

  • SecurePlatform Web UI
  • Nokia Voyager
  • cpinfo
  • snapshot (Correct)

Answer : snapshot

From the following output of cphaprob state, which ClusterXL mode is this?


Options are :

  • New mode
  • Legacy mode
  • Multicast mode
  • Unicast mode (Correct)
  • Load Balancing Mode

Answer : Unicast mode

What happens in relation to the CRL cache after a cpstop;cpstart has been initiated?


Options are :

  • The gateway retrieves a new CRL on startup, then discards the old CRL as invalid.
  • The gateway issues a crl_zap on startup, which empties the cache and forces Certificate retrieval.
  • The gateway continues to use the old CRL even if it is not valid, until a new CRL is cached
  • The gateway continues to use the old CRL, as long as it is valid. (Correct)

Answer : The gateway continues to use the old CRL, as long as it is valid.

You want to upgrade an NG with Application Intelligence R55 Security Gateway running on SecurePlatform to VPN-1 NGX R65 via SmartUpdate. Which package(s) is(are) needed in the Repository prior to upgrade?


Options are :

  • SVN Foundation and VPN-1 Power/UTM packages
  • VPN-1 Power/UTM NGX R65 package
  • SecurePlatform and VPN-1 Power/UTM NGX R65 packages
  • SecurePlatform NGX R65 package (Correct)

Answer : SecurePlatform NGX R65 package

Jerry is concerned that a denial-of-service (DoS) attack may affect his VPN Communities. He decides to implement IKE DoS protection. Jerry needs to minimize the performance impact of implementing this new protection. Which of the following configurations is MOST appropriate for Jerry?


Options are :

  • Set Support IKE DoS protection from identified source, and Support IKE DoS protection from unidentified source to "Puzzles".
  • Set "Support IKE DoS protection" from identified source, and "Support IKE DoS protection" from unidentified source to "Stateless". (Correct)
  • Set Support IKE DoS protection from identified source to "Stateless", and Support IKE DoS protection from unidentified source to "None".
  • Set Support IKE DoS protection from identified source to "Stateless," and Support IKE DoS protection from unidentified source to "Puzzles".
  • Set Support IKE DoS protection from identified source to "Puzzles", and Support IKE DoS protection from unidentified source to "Stateless".

Answer : Set "Support IKE DoS protection" from identified source, and "Support IKE DoS protection" from unidentified source to "Stateless".

Your company has two headquarters, one in London, one in New York. Each headquarters includes several branch offices. The branch offices ONLY need to communicate with the headquarters in their country, not with each other, and only the headquarters need to communicate directly. Which configuration meets the criteria? VPN Communities comprised of:


Options are :

  • two mesh Communities for each headquarters and their branch offices; and one star Community, in which London is the center of the Community and New York is the satellite.
  • three star Communities: first between New York headquarters and its branches, the second between London headquarters and its branches, the third between New York and London headquarters. (Correct)
  • two mesh and one star Community; each mesh Community is set up for each site, with mesh Communities between their branches. The star Community has New York as the headquarters and London as its satellite.
  • three mesh Communities: one for London headquarters and its branches, one for New York headquarters and its branches, and one for London and New York headquarters.

Answer : three star Communities: first between New York headquarters and its branches, the second between London headquarters and its branches, the third between New York and London headquarters.
