156-315.65 Check Point Security Administration NGX R65 Exam Set 7

Jennifer wants to protect internal users from malicious Java code, but she does not want to strip Java scripts. Which is the BEST configuration option?


Options are :

  • Use the URI resource to strip script tags
  • Use the URI resource to strip applet tags
  • Use the URI resource to block Java code (Correct)
  • Use the URI resource to strip ActiveX tags
  • Use CVP in the URI resource to block Java code

Answer : Use the URI resource to block Java code

What is the consequence of clearing the "Log VoIP Connection" box in Global Properties?


Options are :

  • VoIP protocol-specific log fields are not included in SmartView Tracker entries. (Correct)
  • Dropped VoIP traffic is logged, but accepted VoIP traffic is not logged.
  • IP addresses are used, instead of object names, in log entries that reference VoIP Domain objects.
  • The SmartCenter Server stops importing logs from VoIP servers.
  • The log field settings in rules for VoIP protocols are ignored.

Answer : VoIP protocol-specific log fields are not included in SmartView Tracker entries.

Which Check Point QoS feature allows a Security Administrator to define special classes of service for delay-sensitive applications?


Options are :

  • Weighted Fair Queuing
  • Guarantees
  • Differentiated Services
  • Limits
  • Low Latency Queuing (Correct)

Answer : Low Latency Queuing

156-315.71 Check Point Security Expert R71 Practical Exam Set 2

You have an internal FTP server, and you allow downloading, but not uploading. Assume Network Address Translation is set up correctly, and you want to add an inbound rule with: Source: Any Destination: FTP server Service: an FTP resource object. How do you configure the FTP resource object and the action column in the rule to achieve this goal?


Options are :

  • Enable only the "Get" method in the FTP Resource Properties, and use this method in the rule, with action accept. (Correct)
  • Enable only the "Put" method in the FTP Resource Properties and use it in the rule, with action accept.
  • Disable "Get" and "Put" methods in the FTP Resource Properties and use it in the rule, with action accept.
  • Enable both "Put" and "Get" methods in the FTP Resource Properties and use them in the rule, with action drop.
  • Enable only the "Get" method in the FTP Resource Properties and use it in the rule, with action drop.

Answer : Enable only the "Get" method in the FTP Resource Properties, and use this method in the rule, with action accept.

Steve tries to configure Directional VPN Rule Match in the Rule Base. But the Match column does not have the option to see the Directional Match. Steve sees the following screen. What is the problem?


Options are :

  • Steve must enable VPN Directional Match on the gateway object's VPN tab.
  • Steve must enable Advanced Routing on each Security Gateway.
  • Steve must enable a dynamic routing protocol, such as OSPF, on the Gateways.
  • Steve must enable VPN Directional Match on the VPN Advanced screen, in Global properties. (Correct)
  • Steve must enable directional_match(true) in the objects_5_0.C file on SmartCenter Server.

Answer : Steve must enable VPN Directional Match on the VPN Advanced screen, in Global properties.

Your organization has many VPN-1 Edge gateways at various branch offices, to allow VPN-1 SecureClient users to access company resources. For security reasons, your organization's Security Policy requires all Internet traffic initiated behind the VPN-1 Edge gateways first be inspected by your headquarters' VPN-1 Pro Security Gateway. How do you configure VPN routing in this star VPN Community?


Options are :

  • To the center; or through the center to other satellites, then to the Internet and other VPN targets (Correct)
  • To the center and other satellites, through the center
  • To the center only
  • To the Internet and other targets only

Answer : To the center; or through the center to other satellites, then to the Internet and other VPN targets

156-315.77 Check Point Certified Security Expert Exam Set 7

How would you configure a rule in a Security Policy to allow SIP traffic from end point Net_A to end point Net_B, through an NGX Security Gateway?


Options are :

  • Net_A/Net_B/sip/accept (Correct)
  • Net_A/Net_BM3lP/accept
  • Net_A/Net_B/sip and sip_any/accept
  • Net_A/Net_B/VoIP_any/accept

Answer : Net_A/Net_B/sip/accept

You want only RAS signals to pass through H.323 Gatekeeper and other H.323 protocols, passing directly between end points. Which routing mode in the VoIP Domain Gatekeeper do you select?


Options are :

  • Call Setup
  • Direct (Correct)
  • Direct and Call Setup
  • Call Setup and Call Control

Answer : Direct

In a distributed VPN-1 Pro NGX environment, where is the Internal Certificate Authority (ICA) installed?


Options are :

  • On the Security Gateway
  • On the primary SmartCenter Server (Correct)
  • Certificate Manager Server
  • On the Policy Server
  • On the SmartView Monitor

Answer : On the primary SmartCenter Server

156-315.77 Check Point Certified Security Expert Exam Set 13

Your VPN Community includes three Security Gateways. Each Gateway has its own internal network defined as a VPN Domain. You must test the VPN-1 NGX route-based VPN feature, without stopping the VPN. What is the correct order of steps?


Options are :

  • 1. Add a new interface on each Gateway. 2. Remove the newly added network from the current VPN Domain for each Gateway. 3. Create VTIs on each Gateway, to point to the other two peers. 4. Enable advanced routing on all three Gateways.
  • 1. Add a new interface on each Gateway. 2. Add the newly added network into the existing VPN Domain for each Gateway. 3. Create VTIs on each gateway object, to point to the other two peers. 4. Enable advanced routing on all three Gateways.
  • 1. Add a new interface on each Gateway. 2. Remove the newly added network from the current VPN Domain in each gateway object. 3. Create VPN Tunnel Interfaces (VTI) on each gateway object, to point to the other two peers. 4. Add static routes on three Gateways, to route the new network to each peer's VTI interface. (Correct)
  • 1. Add a new interface on each Gateway. 2. Add the newly added network into the existing VPN Domain for each gateway object. 3. Create VTIs on each gateway object, to point to the other two peers. 4. Add static routes on three Gateways, to route the new networks to each peer's VTI interface.

Answer : 1. Add a new interface on each Gateway. 2. Remove the newly added network from the current VPN Domain in each gateway object. 3. Create VPN Tunnel Interfaces (VTI) on each gateway object, to point to the other two peers. 4. Add static routes on three Gateways, to route the new network to each peer's VTI interface.

How does ClusterXL Unicast mode handle new traffic?


Options are :

  • All cluster members process all packets, and members synchronize with each other.
  • All members receive all packets. The SmartCenter Server decides which member will process the packets. Other members simply drop the packets.
  • The pivot machine receives and inspects all new packets, and synchronizes the connections with other members.
  • Only the pivot machine receives all packets. It runs an algorithm to determine which member should process the packets. (Correct)

Answer : Only the pivot machine receives all packets. It runs an algorithm to determine which member should process the packets.

The following rule contains an FTP resource object in the Service field: Source: local_net Destination: Any Service: FTP-resource object Action: Accept How do you define the FTP Resource Properties > Match tab to prevent internal users from receiving corporate files from external FTP servers, while allowing users to send files?


Options are :

  • Enable the "Put" method only on the Match tab. (Correct)
  • Disable "Get" and "Put" methods on the Match tab.
  • Enable the "Get" method on the Match tab.
  • Enable "Put" and "Get" methods.
  • Disable the "Put" method globally

Answer : Enable the "Put" method only on the Match tab.

156-315.77 Check Point Certified Security Expert Exam Set 9

Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which of the following options will end the intruder's access, after the next Phase 2 exchange occurs?


Options are :

  • SHA1 Hash Completion
  • Perfect Forward Secrecy (Correct)
  • DES Key Reset
  • MD5 Hash Completion
  • Phase 3 Key Revocation

Answer : Perfect Forward Secrecy

You want to create an IKE VPN between two VPN-1 NGX Security Gateways, to protect two networks. The network behind one Gateway is 10.15.0.0/16, and network 192.168.9.0/24 is behind the peer's Gateway. Which type of address translation should you use, to ensure the two networks access each other through the VPN tunnel?


Options are :

  • Manual NAT
  • Hide NAT
  • Static NAT
  • Hide NAT
  • None (Correct)

Answer : None

VPN-1 NGX includes a resource mechanism for working with the Common Internet File System (CIFS). However, this service only provides a limited level of actions for CIFS security. Which of the following services is provided by a CIFS resource?


Options are :

  • Logging Mapped Shares (Correct)
  • Access Violation logging
  • Allow Unix file sharing.
  • Allow MS print shares

Answer : Logging Mapped Shares

156-315.65 Check Point Security Administration NGX R65 Exam Set 3

After you add new interfaces to this cluster, how can you check if the new interfaces and associated virtual IP address are recognized by ClusterXL?


Options are :

  • By running the cphaprob -a if command on both members (Correct)
  • By running the cphaprob -I list command on both members
  • By running the cphaprob state command on both members
  • By running the cpconfig command on both members
  • By running the fw ctl iflist command on both members

Answer : By running the cphaprob -a if command on both members

You configure a Check Point QoS Rule Base with two rules: an HTTP rule with a weight of 40, and the Default Rule with a weight of 10. If the only traffic passing through your QoS Module is HTTP traffic, what percent of bandwidth will be allocated to the HTTP traffic?


Options are :

  • 10%
  • 40%
  • 50%
  • 80%
  • 100% (Correct)

Answer : 100%

Which Security Server can perform authentication tasks, but CANNOT perform content security tasks?


Options are :

  • HTTP
  • rlogin (Correct)
  • SMTP
  • Telnet
  • FTP

Answer : rlogin
