156-315.71 Check Point Security Expert R71 Practical Exam Set 4

Which port is typically used by SSL Network Extender, if the Connectra Portal will also be used on the same IP address?


Options are :

  • SSL (TCP/443)
  • SSL (TCP/444)
  • SSL (TCP/900)
  • SSL (TCP/80)

Answer : SSL (TCP/444)

Which utility or command is useful for debugging by capturing packet information, including verifying LDAP authentication?


Options are :

  • um_core enable
  • ping
  • fw debug fwm
  • fw monitor

Answer : fw monitor

Which of the following is NOT accelerated by SecureXL?


Options are :

  • FTP
  • HTTPS
  • Telnet
  • SSH

Answer : FTP

156-315.71 Check Point Security Expert R71 Practical Exam Set 5

Your customer complains of the weak performance of his systems. He has heard that Connection Templates accelerate traffic. How do you explain to the customer about template restrictions and how to verify that they are enabled?


Options are :

  • To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command "fwaccel stat".
  • To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the destination port. To test if connection templates are enabled, use the command "fwacel templates".
  • To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the destination port. To test if connection templates are enabled, use the command "fw ctl templates".
  • To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command "fw ctl templates".

Answer : To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command "fwaccel stat".

Among the authentication schemes SSL VPN employs for users, which scheme does Check Point recommend so all servers are replicated?


Options are :

  • LDAP
  • RADIUS
  • Username and password
  • User certificates

Answer : RADIUS

Which of the following is a supported deployment for Connectra?


Options are :

  • VMWare ESX
  • Windows server 2007
  • IPSO 4.9 build 88
  • Solaris 10

Answer : VMWare ESX

156-315.71 Check Point Security Expert R71 Practical Exam Set 6

Which of the following is not supported by CoreXL?


Options are :

  • Route-based VPN
  • IPV4
  • IPS
  • SmartView Tracker

Answer : Route-based VPN

Domain name can NOT be changed in SmartProvisioning and Domain Name is grayed out. What is a possible reason for this?


Options are :

  • Profile is not assigned to any Gateway.
  • Override profile setting on device level is set to Mandatory
  • Domain name settings are always fetched from firewall object.
  • There is no SmartProvisioning license installed

Answer : Override profile setting on device level is set to Mandatory

Network applications accessed using SSL Network Extender have been found to fail after one of their TCP connections has been left idle for more than one hour. You determine that you must enable sending reset (RST) packets upon TCP time-out expiration. Where is it necessary to change the setting?


Options are :

  • $FWDIR/conf/objects_5_0.C
  • $FWDIR/conf/objects.C
  • $WEBISDIR/conf/cpadmin.elg
  • $CVPNDIR/conf/cvpnd.C

Answer : $WEBISDIR/conf/cpadmin.elg

156-315.71 Check Point Security Expert R71 Practical Exam Set 7

You are an SSL VPN administrator. Your users complain that their Outlook Web Access is running extremely slowly, and their overall browsing experience continues to worsen. You suspect it could be a logging problem. Which of the following logs does Check Point recommend you turn off?


Options are :

  • Alert
  • Event
  • Trace
  • Traffic

Answer : Trace

Frank is concerned with performance and wants to configure the affinities settings. His gateway does not have the Performance Pack running. What would Frank need to perform in order to configure those settings?


Options are :

  • Run sim affinity and change the settings
  • Edit affinity.conf and change the settings
  • Run fw affinity and change the settings
  • Edit fwaffinity.conf and change the settings

Answer : Edit fwaffinity.conf and change the settings

How can you disable SecureXL via the command line (it does not need to survive a reboot)?


Options are :

  • fwaccel off
  • cphaprob off
  • fw ctl accel off
  • securexl off

Answer : fwaccel off

156-315.71 Check Point Security Expert R71 Practical Exam Set 8

What is a requirement for setting up R71 Management High Availability?


Options are :

  • State synchronization must be enabled on the secondary Security Management Server.
  • All Security Management Servers must have the same number of NICs.
  • All Security Management Servers must reside in the same LAN.
  • All Security Management Servers must have the same operating system.

Answer : All Security Management Servers must have the same operating system.

In CoreXL, what process is responsible for processing incoming traffic from the network interfaces, securely accelerating authorized packets, and distributing non-accelerated packets among kernel instances?


Options are :

  • SND (Secure Network Distributor)
  • SNP (System Networking Process)
  • NAD (Network Accelerator Daemon)
  • SSD (Secure System Distributor)

Answer : SND (Secure Network Distributor)

To configure a client to properly log in to the user portal using a certificate, the Administrator MUST:


Options are :

  • Create a client certificate from SmartDashboard.
  • Install an R71 internal Certificate Authority certificate.
  • Store the client certificate on the SSL VPN Gateway
  • Create an internal user in the admin portal.

Answer : Create an internal user in the admin portal.

156-315.71 Check Point Security Expert R71 Practice Exam Set 1

Your customer asks you about the Performance Pack. You explain to him that a Performance Pack is a software acceleration product which improves the performance of the Security Gateway. There are two ways to enable or disable this acceleration. The first one is to use the command cpconfig (see Figure 1). The second one is to use the command fwaccel on off (see Figure 2). What is the difference between those two commands?


Options are :

  • The fwaccel command determines the default setting. The command cpconfig can dynamically change the setting, but after the reboot it reverts to the default setting.
  • The command cpconfig works on the Security Platform only. The command fwaccel can be used on all platforms.
  • The cpconfig command enables acceleration. The command fwaccel can dynamically change the setting, but after the reboot it reverts to the default setting
  • Both commands have the same function.

Answer : The cpconfig command enables acceleration. The command fwaccel can dynamically change the setting, but after the reboot it reverts to the default setting

Which Remote Desktop protocols are supported natively in SSL VPN?


Options are :

  • AT&T VNC, Citrix ICA and Microsoft RDP
  • Citrix ICA and Microsoft RDP
  • Microsoft RDP only
  • AT&T VNC and Microsoft RDP

Answer : Citrix ICA and Microsoft RDP

A user attempts to initialize a network application using SSL Network Extender. The application fails to start. What SSL VPN option would be the MOST LIKELY solution?


Options are :

  • Select the option Auto-detect client capabilities.
  • Select the option Enable SSL Network Extender Application Mode only.
  • Select the option Enable SSL Network Extender Network Mode only.
  • Select the option Turn off all SSL tunneling clients.

Answer : Select the option Enable SSL Network Extender Application Mode only.

156-315.71 Check Point Security Expert R71 Practice Exam Set 2

When Converting Gateways to SmartLSM Security Gateways, you can:


Options are :

  • reset SIC and re-establish communication with the new SmartProvisioning.
  • convert a Security Gateway or UTM-1 Edge Gateway managed with SmartDashboard to a SmartLSM Security Gateway managed with SmartProvisioning.
  • delete the device and re-install it in SmartProvisioning
  • do nothing, the conversion is automatic.

Answer : convert a Security Gateway or UTM-1 Edge Gateway managed with SmartDashboard to a SmartLSM Security Gateway managed with SmartProvisioning.

For an initial installation of Connectra, which of the following statements is TRUE?


Options are :

  • You must configure the Connectra username and password before running the First Time Wizard.
  • It is not possible to use the sysconfig and cpconfig utilities, until the First Time Wizard in the Administration Web GUI is successfully completed.
  • It is not necessary to set up the Rule Base before completing Connectra's installation.
  • It is possible to run the First Time Wizard from Expert Mode on the Connectra server

Answer : It is not possible to use the sysconfig and cpconfig utilities, until the First Time Wizard in the Administration Web GUI is successfully completed.

To force clients to use Integrity Secure Workspace when accessing sensitive applications, the Administrator can configure Connectra:


Options are :

  • Without a special setting. Secure Workspace is automatically configured.
  • Via protection levels
  • To implement Integrity Clientless Security
  • To force the user to re-authenticate at login

Answer : Via protection levels

156-315.71 Check Point Security Expert R71 Practice Exam Set 3

SSL termination takes place:


Options are :

  • In a DMZ and LAN deployment scenario on a Connectra Gateway
  • In a DMZ and LAN deployment scenario on a Security Gateway
  • In a DMZ deployment on a Connectra Gateway
  • In a LAN deployment on a Security Gateway

Answer : In a DMZ and LAN deployment scenario on a Security Gateway

You are an SSL VPN Administrator. Your users complain that their Outlook Web Access is running extremely slowly, and their overall browsing experience continues to worsen. You suspect it could be a logging problem. Which of the following log files does Check Point recommend you purge?


Options are :

  • alert_owd.log
  • mod_ws_owd.log
  • httpd*.log
  • event_ws.log

Answer : httpd*.log

The customer wishes to install a cluster. In his network, there is a switch which is incapable of forwarding multicast. Is it possible to install a cluster in this situation?


Options are :

  • Yes, you can toggle on ClusterXL between broadcast and multicast using the command cphaconf set_ccp broadcast/multicast.
  • Yes, you can toggle on ClusterXL between broadcast and multicast by setting the multicast mode using the command cphaconf set_ccp multicast on off. The default setting is broadcast.
  • Yes, the ClusterXL changes automatically to the broadcast mode if the multicast is not forwarded.
  • No, the customer needs to replace the switch with a new switch, which supports multicast forwarding.

Answer : Yes, you can toggle on ClusterXL between broadcast and multicast using the command cphaconf set_ccp broadcast/multicast.

156-315.71 Check Point Security Expert R71 Practice Exam Set 4

How do you enable SecureXL (command line) on SecurePlatform?


Options are :

  • waccel on
  • fwsecurexl on
  • fw accel on
  • fw securexl on

Answer : waccel on

Even after configuring central logging on Connectra, Connectra logs are not displaying in SmartView Tracker. What could be the cause of this problem?


Options are :

  • You must install the Management Server database.
  • R70 does not support a host object with the same IP address as a Management Server used as secondary log server or management station.
  • You must reestablish logging from Connectra to the Management Server, using a dummy log-server object.
  • You must install the Security Policy, and try again.

Answer : You must install the Management Server database.

When connecting to the SSL VPN portal, you receive a pop-up message indicating that the server hostname does not match the certificate hostname, and the certificate is not signed by a known Certificate Authority (CA). How would you solve this problem?


Options are :

  • Resolve the certificate-hostname conflict between the Connectra portal and the administration GUI.
  • Ignore the message. It only occurs before the portal synchronizes with the GUI.
  • Acquire and install an SSL server certificate from a known CA.
  • The administration GUI is pointing to the wrong certificate-hostname location.

Answer : Acquire and install an SSL server certificate from a known CA.

156-315.71 Check Point Security Expert R71 Practice Exam Set 5

SmartProvisioning is an integral part of the Security Management or Provider-1 CMA. To enable SmartProvisioning on the Security Management server:


Options are :

  • Obtain a SmartProvisioning license, add the License to the Security Management server or CMA, turn on SmartProvisioning on each Gateway to be controlled.
  • Obtain a SmartProvisioning license, add the License to the Security Management server or CMA.
  • Obtain a SmartProvisioning license, add the License to the Security Management server or CMA, disable SecureXL.
  • Obtain a SmartProvisioning license, add the License to the Security Management server or CMA, select the box under Policy for SmartProvisioning.

Answer : Obtain a SmartProvisioning license, add the License to the Security Management server or CMA.

What are the SmartProvisioning Policy Status indicators?


Options are :

  • OK, Down, Up, Synchronized
  • OK, Waiting, Out of Sync, Not Installed, Not communicating
  • OK, Unknown, Not Installed, May be out of date
  • OK, Waiting, Unknown, Not Installed, Not Updated, May be out of date

Answer : OK, Waiting, Unknown, Not Installed, Not Updated, May be out of date

Why would an old Connectra Gateway IP be displayed to remote SSL Network Extender users, after changing it to a different IP? You must:


Options are :

  • Update Connectra's certificate to reflect the newly assigned IP address
  • Make the change using sysconfig instead of the admin portal.
  • Restart service CPwebis.
  • Install a new license corresponding to the newly configured IP.

Answer : Update Connectra's certificate to reflect the newly assigned IP address

156-315.71 Check Point Security Expert R71 Practice Exam Set 6
