156-315.65 Check Point Security Administration NGX R65 Exam Set 6

Which service type does NOT invoke a Security Server?


Options are :

  • HTTP
  • CIFS (Correct)
  • FTP
  • SMTP
  • Telnet

Answer : CIFS

If you check the box "Use Aggressive Mode", in the IKE Properties dialog box:


Options are :

  • The standard three-packet IKE Phase 2 exchange is replaced by a six-packet exchange.
  • The standard three-packet IKE Phase 1 exchange is replaced by a six-packet exchange.
  • The standard six-packet IKE Phase 1 exchange is replaced by a twelve-packet exchange.
  • The standard six-packet IKE Phase 2 exchange is replaced by a three-packet exchange.
  • The standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange. (Correct)

Answer : The standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange.
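To make the six-versus-three packet difference concrete on the wire, here is an added example (my code, not Check Point's or any product's) that decodes the fixed ISAKMP header from UDP/500 datagrams and counts Phase 1 packets per negotiation by exchange type. The sample datagrams and their cookies are constructed for the example; only the 28-byte header is parsed, payloads are ignored.

```python
import struct
from collections import defaultdict

# Fixed ISAKMP header, RFC 2408 section 3.1: initiator cookie (8), responder
# cookie (8), next payload (1), version (1), exchange type (1), flags (1),
# message ID (4), length (4) = 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

# Exchange type values used by IKEv1 (RFC 2408 section 3.1, RFC 2407 section 4.5).
EXCHANGE_TYPES = {
    1: "Base", 2: "Main Mode", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode",
}
PHASE1_EXCHANGES = {2, 4}
FLAG_ENCRYPTED = 0x01


def parse_isakmp_header(datagram: bytes) -> dict:
    """Decode the 28-byte ISAKMP header at the start of a UDP/500 payload."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than an ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError(f"length field {length} does not match datagram size {len(datagram)}")
    return {
        "icookie": icookie.hex(),
        "rcookie": rcookie.hex(),
        "next_payload": nxt,
        "version": (ver >> 4, ver & 0x0F),
        "exchange_type": xchg,
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "message_id": msg_id,
    }


def summarize_phase1(datagrams) -> dict:
    """Group Phase 1 packets by initiator cookie: {icookie: (mode, packet_count)}.

    Phase 1 packets carry exchange type 2 (Main Mode) or 4 (Aggressive) and a
    zero message ID; Quick Mode packets have a non-zero message ID and are skipped.
    """
    seen = defaultdict(lambda: [None, 0])
    for datagram in datagrams:
        hdr = parse_isakmp_header(datagram)
        if hdr["exchange_type"] in PHASE1_EXCHANGES and hdr["message_id"] == 0:
            entry = seen[hdr["icookie"]]
            entry[0] = hdr["exchange"]
            entry[1] += 1
    return {cookie: tuple(v) for cookie, v in seen.items()}


def aggressive_negotiations(summary: dict) -> list:
    """Initiator cookies that negotiated in Aggressive Mode: with a pre-shared key
    the peer identity and the authentication hash are exposed before encryption."""
    return [cookie for cookie, (mode, _) in summary.items() if mode == "Aggressive"]


# ---- constructed sample traffic (not a real capture) ----
def _pkt(icookie, rcookie, xchg, flags=0, msg_id=0, body=b"\x00" * 4):
    next_payload = 1  # SA payload; the value only matters to a full payload parser
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, 0x10, xchg, flags,
                           msg_id, ISAKMP_HDR.size + len(body)) + body

IC_MAIN, RC_MAIN = bytes.fromhex("a1a2a3a4a5a6a7a8"), bytes.fromhex("b1b2b3b4b5b6b7b8")
IC_AGGR, RC_AGGR = bytes.fromhex("c1c2c3c4c5c6c7c8"), bytes.fromhex("d1d2d3d4d5d6d7d8")
NO_COOKIE = b"\x00" * 8

SAMPLE = [
    # Main Mode: six packets; messages 5 and 6 (identities, hashes) are encrypted
    _pkt(IC_MAIN, NO_COOKIE, 2), _pkt(IC_MAIN, RC_MAIN, 2),
    _pkt(IC_MAIN, RC_MAIN, 2), _pkt(IC_MAIN, RC_MAIN, 2),
    _pkt(IC_MAIN, RC_MAIN, 2, flags=FLAG_ENCRYPTED), _pkt(IC_MAIN, RC_MAIN, 2, flags=FLAG_ENCRYPTED),
    # Aggressive Mode: three packets, identities sent in the clear
    _pkt(IC_AGGR, NO_COOKIE, 4), _pkt(IC_AGGR, RC_AGGR, 4), _pkt(IC_AGGR, RC_AGGR, 4),
    # A Quick Mode (Phase 2) packet on the Main Mode SA: non-zero message ID, not Phase 1
    _pkt(IC_MAIN, RC_MAIN, 32, flags=FLAG_ENCRYPTED, msg_id=0x1234),
]

if __name__ == "__main__":
    summary = summarize_phase1(SAMPLE)
    for cookie, (mode, count) in summary.items():
        print(f"{cookie}: {mode}, {count} Phase 1 packets")
    print("aggressive mode negotiations:", aggressive_negotiations(summary))
```

Aggressive Mode is worth flagging rather than merely counting: with pre-shared keys the identities travel in the clear and the responder's authentication hash can be captured for an offline dictionary attack, so "Use Aggressive Mode" belongs only on peers that cannot do Main Mode.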

156-215.71 Check Point Certified Security Administrator Exam Set 1

When Load Sharing Multicast mode is defined in a ClusterXL cluster object, how are packets being handled by cluster members?


Options are :

  • All members receive all packets. The SmartCenter Server decides which member will process the packets. Other members simply drop the packets.
  • Only one member at a time is active. The active cluster member processes all packets.
  • All cluster members process all packets, and members synchronize with each other
  • All members receive all packets. An algorithm determines which member processes packets, and which member drops packets. (Correct)

Answer : All members receive all packets. An algorithm determines which member processes packets, and which member drops packets.
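The "algorithm determines" answer hides the property that matters in practice: every member applies the same decision function to every packet it sees, exactly one member keeps the packet, and the function must send both directions of a connection to the same member, or the reply lands on a member with no state for it. The following simulation is an added example, not Check Point's code; the SHA-256-mod-N hashing, the ClusterMember model and the sample flows are my own assumptions.

```python
import hashlib


def connection_key(pkt: dict) -> bytes:
    """Direction-independent key: a reply packet (src/dst swapped) yields the same
    key, so both directions of a connection land on the member holding its state."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    lo, hi = sorted([a, b])
    return f"{pkt['proto']}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def decision_function(pkt: dict, active_members: list) -> int:
    """Elect exactly one active member for this packet. The hashing scheme is this
    example's own choice, not Check Point's undocumented decision function."""
    digest = hashlib.sha256(connection_key(pkt)).digest()
    return sorted(active_members)[int.from_bytes(digest[:8], "big") % len(active_members)]


class ClusterMember:
    def __init__(self, member_id: int):
        self.id = member_id
        self.processed = []

    def receive(self, pkt: dict, active_members: list) -> str:
        # Every member sees every frame (shared multicast MAC); the elected owner
        # processes it and all the others drop it.
        if decision_function(pkt, active_members) == self.id:
            self.processed.append(pkt)
            return "process"
        return "drop"


def deliver(packets: list, members: list) -> list:
    """Offer each packet to every member; return the owner chosen for each packet."""
    active = [m.id for m in members]
    owners = []
    for pkt in packets:
        verdicts = {m.id: m.receive(pkt, active) for m in members}
        chosen = [mid for mid, v in verdicts.items() if v == "process"]
        if len(chosen) != 1:
            raise RuntimeError(f"expected exactly one owner, got {chosen}")
        owners.append(chosen[0])
    return owners


def reply(pkt: dict) -> dict:
    """The return packet of a flow: addresses and ports swapped."""
    return {"proto": pkt["proto"], "src": pkt["dst"], "dst": pkt["src"],
            "sport": pkt["dport"], "dport": pkt["sport"]}


# Constructed sample flows (RFC 5737 documentation address on the outside)
FLOWS = [
    {"proto": 6, "src": "10.10.10.20", "dst": "198.51.100.7", "sport": 40000 + i, "dport": 443}
    for i in range(8)
]

if __name__ == "__main__":
    members = [ClusterMember(1), ClusterMember(2)]
    owners = deliver(FLOWS, members)
    print("owners per flow:", owners)
    print("replies reach the same member:",
          all(decision_function(reply(p), [1, 2]) == o for p, o in zip(FLOWS, owners)))
    for m in members:
        print(f"member {m.id} processed {len(m.processed)} packets")
```

When a member drops out, the survivors re-run the same function over the smaller active set; existing connections then depend on state synchronization having already copied them to the new owner, which is why the sync network matters as much as the decision function.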

You are preparing a lab for a ClusterXL environment, with the following topology:
VIP internal cluster IP = 172.16.10.1; VIP external cluster IP = 192.168.10.3
Cluster Member 1: four NICs, three enabled: qfe0: 192.168.10.1/24, qfe1: 10.10.10.1/24, qfe2: 172.16.10.1/24
Cluster Member 2: five NICs, three enabled: hme0: 192.168.10.2/24, eth1: 10.10.10.2/24, eth2: 172.16.10.2/24
Member Network tab on internal-cluster interface: 10.10.10.0, 255.255.255.0
SmartCenter Pro Server: 172.16.10.3
External interfaces 192.168.10.1 and 192.168.10.2 connect to a Virtual Local Area Network (VLAN) switch. The upstream router connects to the same VLAN switch. Internal interfaces 10.10.10.1 and 10.10.10.2 connect to a hub. There is no other machine in the 10.10.10.0 network. 172.19.10.0 is the synchronization network.
What is the problem with this configuration?


Options are :

  • There is no problem with this configuration. It is correct. (Correct)
  • Members do not have the same number of NICs.
  • The internal network does not have a third cluster member.
  • Cluster members cannot use the VLAN switch. They must use hubs.
  • The SmartCenter Pro Server cannot be in the synchronization network.

Answer : There is no problem with this configuration. It is correct.

Which of the following QoS rule action properties is an Advanced action type, only available in Traditional mode?


Options are :

  • Rule limit
  • Rule weight
  • Guarantee Allocation (Correct)
  • Rule guarantee
  • Apply rule only to encrypted traffic

Answer : Guarantee Allocation

156-115 Check Point Certified Security Master Practice Test Set 3

Where can a Security Administrator adjust the unit of measurement (bps, Kbps or Bps), for Check Point QoS bandwidth?


Options are :

  • Advanced Action options in each QoS rule
  • $CPDIR/conf/qos_props.pf
  • Global Properties (Correct)
  • Check Point gateway object properties
  • QoS Class objects

Answer : Global Properties

Which OPSEC server is used to prevent users from accessing certain Web sites?


Options are :

  • CVP
  • AMON
  • URI
  • UFP (Correct)
  • LEA

Answer : UFP

You receive an alert indicating a suspicious FTP connection is trying to connect to one of your internal hosts. How do you block the connection in real time and verify the connection is successfully blocked?


Options are :

  • Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using Tools > Block Intruder menu. Use Active mode to confirm that the suspicious connection is dropped.
  • Highlight the suspicious connection in SmartView Tracker > Log mode. Block the connection using Tools > Block Intruder menu. Use the Log mode to confirm that the suspicious connection is dropped.
  • Highlight the suspicious connection in SmartView Tracker > Log mode. Block the connection using Tools > Block Intruder menu. Use Log mode to confirm that the suspicious connection does not reappear
  • Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using the Tools > Block Intruder menu. Use the Active mode to confirm that the suspicious connection does not reappear. (Correct)

Answer : Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using the Tools > Block Intruder menu. Use the Active mode to confirm that the suspicious connection does not reappear.

156-315.77 Check Point Certified Security Expert Exam Set 21

Which type of service should a Security Administrator use in a Rule Base to control access to specific shared partitions on target machines?


Options are :

  • HTTP
  • FTP
  • URI
  • CIFS (Correct)
  • Telnet

Answer : CIFS

Check Point Certified Security Expert Exam Set 12

Damon enables an SMTP resource for content protection. He notices that mail seems to slow down on occasion, sometimes being delivered late. Which of the following might improve throughput performance?


Options are :

  • Configuring the SMTP resource to bypass the CVP resource
  • Configuring the SMTP resource to only allow mail with Damon's company's domain name in the header
  • Increasing the Maximum number of mail messages in the Gateway's spool directory
  • Configuring the Content Vector Protocol (CVP) resource to forward the mail to the internal SMTP server, without waiting for a response from the Security Gateway (Correct)
  • Configuring the CVP resource to return the mail to the Gateway

Answer : Configuring the Content Vector Protocol (CVP) resource to forward the mail to the internal SMTP server, without waiting for a response from the Security Gateway

What is the behavior of ClusterXL in a High Availability environment?


Options are :

  • Both members respond to the virtual IP address, and both members pass traffic when using their physical addresses.
  • The active member responds to the virtual IP address, and is the only member that passes traffic. (Correct)
  • The passive member responds to the virtual IP address, and both members route traffic when using their physical addresses.
  • The active member responds to the virtual IP address, and both members pass traffic when using their physical addresses.
  • Both members respond to the virtual IP address, but only the active member is able to pass traffic.

Answer : The active member responds to the virtual IP address, and is the only member that passes traffic.

How can you completely tear down a specific VPN tunnel in an intranet IKE VPN deployment?


Options are :

  • Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec SAs for ALL peers and users".
  • Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec+IKE SAs for a given peer (GW)". (Correct)
  • Run the command vpn tu on the SmartCenter Server, and choose the option "Delete all IPSec+IKE SAs for ALL peers and users".
  • Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec+IKE SAs for ALL peers and users".
  • Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec SAs for a given user (Client)".

Answer : Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec+IKE SAs for a given peer (GW)".

Check Point Certified Security Expert Exam Set 6

Which Check Point QoS feature marks the Type of Service (ToS) byte in the IP header?


Options are :

  • Guarantees
  • Differentiated Services (Correct)
  • Low Latency Queuing
  • Weighted Fair Queuing
  • Limits

Answer : Differentiated Services

You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use three machines with the following configurations: Are these machines correctly configured for a ClusterXL deployment?


Options are :

  • Yes, these machines are configured correctly for a ClusterXL deployment.
  • No, a cluster must have an even number of machines.
  • No, QuadCards are not supported with ClusterXL.
  • No, all machines in a cluster must be running on the same OS. (Correct)
  • No, ClusterXL is not supported on Red Hat Linux.

Answer : No, all machines in a cluster must be running on the same OS.

Robert has configured a Common Internet File System (CIFS) resource to allow access to the public partition of his company's file server, on \\erisco\goldenapple\files\public. Robert receives reports that users are unable to access the shared partition, unless they use the file server's IP address. Which of the following is a possible cause?


Options are :

  • Mapped shares do not allow administrative locks.
  • The CIFS resource is not configured to use Windows name resolution. (Correct)
  • Remote registry access is blocked.
  • Access violations are not logged
  • Null CIFS sessions are blocked.

Answer : The CIFS resource is not configured to use Windows name resolution.

156-315.77 Check Point Certified Security Expert Exam Set 16

You plan to incorporate OPSEC servers, such as Websense and Trend Micro, to do content filtering. Which segment is the BEST location for these OPSEC servers, when you consider Security Server performance and data security?


Options are :

  • Dedicated segment of the network (Correct)
  • Internal network, where users are located
  • DMZ network, where application servers are located
  • On the Security Gateway
  • On the Internet

Answer : Dedicated segment of the network

You must set up SIP with a proxy for your network. IP phones are in the 172.16.100.0 network. The Registrar and proxy are installed on host 172.16.100.100. To allow handover enforcement for outbound calls from SIP-net to network Net_B on the Internet, you have defined the following objects: Network object: SIP-net: 172.16.100.0/24; SIP-gateway: 172.16.100.100; VoIP Domain object: VoIP_domain_A (1. End point domain: SIP-net; 2. VoIP gateway installed at: SIP-gateway host object). How would you configure the rule?


Options are :

  • SIP-Gateway/Net_B/sip/accept
  • SIP-Gateway/Net_B/sip_any/accept
  • VoIP_domain_A/Net_B/sip/accept (Correct)
  • VoIP_Gateway_A/Net_B/sip_any/accept
  • VoIP_domain_A/Net_B/sip_any, and sip/accept

Answer : VoIP_domain_A/Net_B/sip/accept

The following diagram illustrates how a VPN-1 SecureClient user tries to establish a VPN with hosts in the external_net and internal_net from the Internet. How is the Security Gateway VPN Domain created?


Options are :

  • Internal Gateway VPN Domain = internal_net. External Gateway VPN Domain = internal VPN Domain + internal gateway object + external_net (Correct)
  • Internal Gateway VPN Domain = internal_net. External Gateway VPN Domain = external_net + internal gateway object
  • Internal Gateway VPN Domain = internal_net; External Gateway VPN Domain = internal_net + external_net
  • Internal Gateway VPN Domain = internal_net; External VPN Domain = external net + external gateway object + internal_net.

Answer : Internal Gateway VPN Domain = internal_net. External Gateway VPN Domain = internal VPN Domain + internal gateway object + external_net

Check Point Certified Security Expert Exam Set 8

Which of the following commands shows full synchronization status?


Options are :

  • cphastop
  • fwhastat
  • cphaprob -i list (Correct)
  • cphaprob -a if
  • fw ctl pstat

Answer : cphaprob -i list

In a distributed VPN-1 Pro NGX environment, where is the Internal Certificate Authority (ICA) installed?


Options are :

  • On the SmartView Monitor
  • On the Policy Server
  • On the primary SmartCenter Server (Correct)
  • Certificate Manager Server
  • On the Security Gateway

Answer : On the primary SmartCenter Server

Your company has two headquarters, one in London, one in New York. Each headquarters includes several branch offices. The branch offices only need to communicate with the headquarters in their country, not with each other, and only the headquarters need to communicate directly. What is the BEST configuration for VPN Communities among the branch offices and their headquarters, and between the two headquarters? VPN Communities comprised of:


Options are :

  • three mesh Communities: one for London headquarters and its branches, one for New York headquarters and its branches, and one for London and New York headquarters.
  • two star and one mesh Community; each star Community is set up for each site, with headquarters as the center of the Community, and branches as satellites. The mesh Community is between the New York and London headquarters. (Correct)
  • two mesh Communities, one for each headquarters and their branch offices; and one star Community, in which London is the center of the Community and New York is the satellite.
  • two mesh Communities, one for each headquarters and their branch offices; and one star Community, where New York is the center of the Community and London is the satellite.

Answer : two star and one mesh Community; each star Community is set up for each site, with headquarters as the center of the Community, and branches as satellites. The mesh Community is between the New York and London headquarters.

156-315.77 Check Point Certified Security Expert Exam Set 5

Your VPN Community includes three Security Gateways. Each Gateway has its own internal network defined as a VPN Domain. You must test the VPN-1 NGX route-based VPN feature, without stopping the VPN. What is the correct order of steps?


Options are :

  • 1. Add a new interface on each Gateway. 2. Add the newly added network into the existing VPN Domain for each Gateway. 3. Create VTIs on each gateway object, to point to the other two peers. 4. Enable advanced routing on all three Gateways.
  • 1. Add a new interface on each Gateway. 2. Add the newly added network into the existing VPN Domain for each gateway object. 3. Create VTIs on each gateway object, to point to the other two peers. 4. Add static routes on three Gateways, to route the new networks to each peer's VTI interface.
  • 1. Add a new interface on each Gateway. 2. Remove the newly added network from the current VPN Domain in each gateway object. 3. Create VPN Tunnel Interfaces (VTI) on each gateway object, to point to the other two peers. 4. Add static routes on three Gateways, to route the new network to each peer's VTI interface. (Correct)
  • 1. Add a new interface on each Gateway. 2. Remove the newly added network from the current VPN Domain for each Gateway. 3. Create VTIs on each Gateway, to point to the other two peers 4. Enable advanced routing on all three Gateways.

Answer : 1. Add a new interface on each Gateway. 2. Remove the newly added network from the current VPN Domain in each gateway object. 3. Create VPN Tunnel Interfaces (VTI) on each gateway object, to point to the other two peers. 4. Add static routes on three Gateways, to route the new network to each peer's VTI interface.

The following rule contains an FTP resource object in the Service field: Source: local_net Destination: Any Service: FTP-resource object Action: Accept How do you define the FTP Resource Properties > Match tab to prevent internal users from sending corporate files to external FTP servers, while allowing users to retrieve files?


Options are :

  • Enable the "Get" method on the match tab (Correct)
  • Enable the "Put" method only on the match tab.
  • Disable "Get" and "Put" methods on the Match tab.
  • Enable the "Put" and "Get" methods.
  • Disable the "Put" method globally.

Answer : Enable the "Get" method on the match tab

You have an internal FTP server, and you allow uploading, but not downloading. Assume Network Address Translation (NAT) is set up correctly and you want to add an inbound rule with: Source: Any Destination: FTP server Service: an FTP resource object. How do you configure the FTP resource object and the action column in the rule to achieve this goal?


Options are :

  • Enable only the "Get" method in the FTP Resource Properties and use this method in the rule, with action accept.
  • Enable both "Put" and "Get" methods in the FTP Resource Properties and use them in the rule, with action drop.
  • Disable "Get" and "Put" methods in the FTP Resource Properties and use them in the rule, with action accept.
  • Enable only the "Put" method in the FTP Resource Properties and use this method in the rule, with action drop.
  • Enable only "Put" method in the FTP Resource Properties and use this method in the rule, with action accept. (Correct)

Answer : Enable only "Put" method in the FTP Resource Properties and use this method in the rule, with action accept.
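Both FTP-resource questions above come down to the same two things: which methods the resource's Match tab enables, and what the Security Server then does with each control-channel command once the rule has matched the connection. The following added example (my code, not Check Point's) models a two-rule Rule Base that covers both scenarios, the download-only outbound rule and the upload-only inbound rule. The verb-to-method mapping, the set of always-permitted session verbs, the addresses and the object names are assumptions made for the example.

```python
import ipaddress

# FTP verbs grouped under the resource's two methods. Which verbs count as GET
# (server to client) and PUT (client to server) is this example's assumption;
# the product's own matching logic is not reproduced here.
GET_VERBS = {"RETR"}
PUT_VERBS = {"STOR", "STOU", "APPE"}
# Control-channel verbs any session needs before a transfer can happen.
SESSION_VERBS = {"USER", "PASS", "SYST", "FEAT", "TYPE", "PWD", "CWD",
                 "PASV", "PORT", "LIST", "NLST", "QUIT"}


class FtpResource:
    """The Match tab of an FTP resource: which of GET / PUT it allows."""

    def __init__(self, name: str, get: bool = False, put: bool = False):
        self.name, self.get, self.put = name, get, put

    def permits(self, command_line: str) -> bool:
        parts = command_line.strip().split(maxsplit=1)
        verb = parts[0].upper() if parts else ""
        if verb in SESSION_VERBS:
            return True
        if verb in GET_VERBS:
            return self.get
        if verb in PUT_VERBS:
            return self.put
        return False  # anything else (SITE, DELE, RNFR, ...) is not an enabled method


def _net(spec: str):
    return None if spec == "Any" else ipaddress.ip_network(spec)


def _contains(net, address: str) -> bool:
    return net is None or ipaddress.ip_address(address) in net


class Rule:
    def __init__(self, source: str, destination: str, resource: FtpResource, action: str):
        self.source, self.destination = _net(source), _net(destination)
        self.resource, self.action = resource, action


def evaluate(rule_base: list, src_ip: str, dst_ip: str, command_line: str) -> str:
    """First match over the rule base. Once a rule matches the connection, the
    Security Server enforces the resource: a verb outside the enabled methods is
    refused (modelled here as 'drop'). No matching rule at all is the implicit drop."""
    for rule in rule_base:
        if _contains(rule.source, src_ip) and _contains(rule.destination, dst_ip):
            return rule.action if rule.resource.permits(command_line) else "drop"
    return "drop"


# Constructed objects for the two scenarios (RFC 5737 documentation addresses)
LOCAL_NET = "10.1.0.0/16"
FTP_SERVER = "192.0.2.10"
download_only = FtpResource("ftp-get-only", get=True)   # outbound: retrieve, never upload
upload_only = FtpResource("ftp-put-only", put=True)      # inbound: upload, never retrieve

RULE_BASE = [
    Rule(LOCAL_NET, "Any", download_only, "accept"),   # Source: local_net, Destination: Any
    Rule("Any", FTP_SERVER, upload_only, "accept"),    # Source: Any, Destination: FTP server
]

if __name__ == "__main__":
    for src, dst, cmd in [
        ("10.1.2.3", "198.51.100.7", "RETR quarterly.pdf"),
        ("10.1.2.3", "198.51.100.7", "STOR customer_db.sql"),
        ("203.0.113.5", FTP_SERVER, "STOR upload.zip"),
        ("203.0.113.5", FTP_SERVER, "RETR internal.doc"),
    ]:
        print(f"{src} -> {dst} {cmd!r}: {evaluate(RULE_BASE, src, dst, cmd)}")
```

The point the two correct answers share is that the rule action stays "accept" in both cases; the direction of data flow is controlled entirely by which method the resource enables, never by a drop rule.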

Check Point Certified Security Expert Exam Set 8

Barak is a Security Administrator for an organization that has two sites using pre-shared secrets in its VPN. The two sites are Oslo and London. Barak has just been informed that a new office is opening in Madrid, and he must enable all three sites to connect via the VPN to each other. Three Security Gateways are managed by the same SmartCenter Server, behind the Oslo Security Gateway. Barak decides to switch from pre-shared secrets to Certificates issued by the Internal Certificate Authority (ICA). After creating the Madrid gateway object with the proper VPN Domain, what are Barak's remaining steps?
1. Disable "Pre-Shared Secret" on the London and Oslo gateway objects.
2. Add the Madrid gateway object into the Oslo and London's mesh VPN Community.
3. Manually generate ICA Certificates for all three Security Gateways.
4. Configure "Traditional mode VPN configuration" in the Madrid gateway object's VPN screen.
5. Reinstall the Security Policy on all three Security Gateways.


Options are :

  • 1,2,3,4
  • 1,2,4,5
  • 1,2,3,5
  • 1,2,5 (Correct)
  • 1,3,4,5

Answer : 1,2,5

Which of the following actions is most likely to improve the performance of Check Point QoS?


Options are :

  • Install Check Point QoS only on the external interfaces of the QoS Module. (Correct)
  • Turn "per rule guarantees" into "per connection guarantees".
  • Define weights in the Default Rule in multiples of 10.
  • Put the most frequently used rules at the bottom of the QoS Rule Base.
  • Turn "per rule limits" into "per connection limits".

Answer : Install Check Point QoS only on the external interfaces of the QoS Module.

Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which of the following options will end the intruder's access, after the next Phase 2 exchange occurs?


Options are :

  • MD5 Hash Completion
  • Perfect Forward Secrecy (Correct)
  • SHA1 Hash Completion
  • Phase 3 Key Revocation
  • DES Key Reset

Answer : Perfect Forward Secrecy
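Why PFS ends the intruder's access at the next Phase 2 follows directly from the IKEv1 KEYMAT derivation in RFC 2409 section 5.5, which the following added example (my code, not Check Point's) carries out for both cases. The intruder holds SKEYID_d from the compromised Phase 1 and can decrypt the Quick Mode payloads, so the nonces and any KE payloads are visible to them. The toy Diffie-Hellman group, the constructed SKEYID_d and SPI, and the simulated exchange are assumptions for the example; a real negotiation uses a MODP group from RFC 2409 or RFC 3526.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only, not an IKE group.
P = 2**127 - 1
G = 5
PROTO_IPSEC_ESP = 3  # RFC 2407 section 4.4.1


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC over the negotiated hash, SHA-1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def quick_mode_keymat(skeyid_d: bytes, protocol: int, spi: bytes,
                      ni_b: bytes, nr_b: bytes, gxy: int = None, length: int = 20) -> bytes:
    """KEYMAT per RFC 2409 section 5.5.

    Without PFS: K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    K1 = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    Longer keys: K2 = prf(SKEYID_d, K1 | ...), KEYMAT = K1 | K2 | ...
    """
    data = b"" if gxy is None else gxy.to_bytes(16, "big")  # 127-bit toy value fits 16 bytes
    data += bytes([protocol]) + spi + ni_b + nr_b
    keymat, block = b"", b""
    while len(keymat) < length:
        block = prf(skeyid_d, block + data)
        keymat += block
    return keymat[:length]


def negotiate_quick_mode(skeyid_d: bytes, spi: bytes, pfs: bool):
    """Simulate one Quick Mode. Returns the resulting KEYMAT and everything an
    eavesdropper holding the Phase 1 keys can decrypt from the exchange."""
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)
    observed = {"protocol": PROTO_IPSEC_ESP, "spi": spi, "ni_b": ni_b, "nr_b": nr_b}
    gxy = None
    if pfs:
        x = secrets.randbelow(P - 2) + 2  # initiator's fresh private value, never sent
        y = secrets.randbelow(P - 2) + 2  # responder's fresh private value, never sent
        observed["gx"], observed["gy"] = pow(G, x, P), pow(G, y, P)  # the KE payloads
        gxy = pow(observed["gy"], x, P)
        assert gxy == pow(observed["gx"], y, P)  # both ends agree on g^xy
    return quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, gxy), observed


def intruder_keymat(skeyid_d: bytes, observed: dict):
    """What the intruder derives from the stolen SKEYID_d plus the decrypted Quick
    Mode payloads. With PFS only g^x and g^y are visible; recovering g^xy from
    them is the Diffie-Hellman problem, so the intruder gets nothing."""
    if "gx" in observed:
        return None
    return quick_mode_keymat(skeyid_d, observed["protocol"], observed["spi"],
                             observed["ni_b"], observed["nr_b"])


if __name__ == "__main__":
    skeyid_d = bytes(range(20))  # constructed: the Phase 1 secret the intruder stole
    spi = bytes.fromhex("0a0b0c0d")
    for pfs in (False, True):
        keymat, observed = negotiate_quick_mode(skeyid_d, spi, pfs)
        stolen = intruder_keymat(skeyid_d, observed)
        print(f"PFS={pfs}: intruder recovers the new SA keys: {stolen == keymat}")
```

Without PFS the nonces are the only fresh input, and the intruder sees both of them, so every future Phase 2 key set is computable from the single stolen SKEYID_d; with PFS each Quick Mode adds a Diffie-Hellman secret that was never on the wire. The `length` argument shows the same derivation expanded for a longer key set, for instance 36 bytes for AES-128 with HMAC-SHA1.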

Check Point Certified Security Expert Exam Set 1

Yoav is a Security Administrator preparing to implement a VPN solution for his multi-site organization. To comply with industry regulations, Yoav's VPN solution must meet the following requirements: Portability: Standard; Key management: Automatic, external PKI; Session keys: Changed at configured times during a connection's lifetime; Key length: No less than 128-bit; Data integrity: Secure against inversion and brute-force attacks. What is the most appropriate setting Yoav should choose?


Options are :

  • IKE VPNs: DES encryption for IKE Phase 1, and 3DES encryption for Phase 2; MD5 hash
  • IKE VPNs: SHA1 encryption for IKE Phase 1, and MD5 encryption for Phase 2; AES hash
  • IKE VPNs: CAST encryption for IKE Phase 1, and SHA1 encryption for Phase 2; DES hash
  • IKE VPNs: AES encryption for IKE Phase 1, and DES encryption for Phase 2; SHA1 hash
  • IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash (Correct)

Answer : IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash

You are preparing to configure your VoIP Domain Gatekeeper object. Which two other objects should you have created first?


Options are :

  • An object to represent the call manager, AND an object to represent the host on which the transmission router is installed
  • An object to represent the IP phone network, AND an object to represent the host on which the gatekeeper is installed (Correct)
  • An object to represent the PSTN phone network, AND an object to represent the IP phone network
  • An object to represent the IP phone network, AND an object to represent the host on which the proxy is installed
  • An object to represent the Q.931 service origination host, AND an object to represent the H.245 termination host

Answer : An object to represent the IP phone network, AND an object to represent the host on which the gatekeeper is installed

You are running a VPN-1 NG with Application Intelligence R54 SecurePlatform VPN-1 Pro Gateway. The Gateway also serves as a Policy Server. When you run patch add cd from the NGX CD, what does this command allow you to upgrade?


Options are :

  • Only VPN-1 Pro Security Gateway
  • Only the OS
  • Only the patch utility is upgraded using this command
  • All products, except the Policy Server
  • Both the operating system (OS) and all Check Point products (Correct)

Answer : Both the operating system (OS) and all Check Point products
