156-315.71 Check Point Security Expert R71 Practical Exam Set 5

Frank is concerned with performance and wants to configure the affinity settings. His gateway does not have the Performance Pack running. What would Frank need to do in order to configure those settings?


Options are :

  • Run fw affinity and change the settings
  • Edit fwaffinity.conf and change the settings (Correct)
  • Run sim affinity and change the settings
  • Edit affinity.conf and change the settings

Answer : Edit fwaffinity.conf and change the settings

156-215.75 Check Point Certified Security Administrator Exam Set 1

Which port is typically used by SSL Network Extender, if the Connectra Portal will also be used on the same IP address?


Options are :

  • SSL (TCP/443)
  • SSL (TCP/80)
  • SSL (TCP/900)
  • SSL (TCP/444) (Correct)

Answer : SSL (TCP/444)

What is a requirement for setting up R71 Management High Availability?


Options are :

  • State synchronization must be enabled on the secondary Security Management Server.
  • All Security Management Servers must have the same number of NICs.
  • All Security Management Servers must reside in the same LAN.
  • All Security Management Servers must have the same operating system. (Correct)

Answer : All Security Management Servers must have the same operating system.

Even after configuring central logging on Connectra, Connectra logs are not displaying in SmartView Tracker. What could be the cause of this problem?


Options are :

  • You must install the Management Server database. (Correct)
  • You must reestablish logging from Connectra to the Management Server, using a dummy log-server object.
  • R70 does not support a host object with the same IP address as a Management Server used as secondary log server or management station.
  • You must install the Security Policy, and try again.

Answer : You must install the Management Server database.

156-215.75 Check Point Certified Security Administrator Exam Set 8

You are using tracelogger to debug SSL VPN's server side and obtain a textual traffic dump. Which type of traffic will you NOT see in the output?


Options are :

  • Traffic inbound from the external networks
  • Traffic to the portal (Correct)
  • Traffic outbound from the internal networks
  • Traffic outbound to the external networks

Answer : Traffic to the portal

Your customer complains of the weak performance of his systems. He has heard that Connection Templates accelerate traffic. How do you explain to the customer about template restrictions and how to verify that they are enabled?


Options are :

  • To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command "fw ctl templates".
  • To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the destination port. To test if connection templates are enabled, use the command "fw ctl templates".
  • To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command "fwaccel stat". (Correct)
  • To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the destination port. To test if connection templates are enabled, use the command "fwacel templates".

Answer : To enhance connection-establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command "fwaccel stat".

You have configured an LDAP account unit and confirmed the Apply & Fetch Branches option works in SSL VPN, but end users still cannot be authenticated. What is the MOST LIKELY cause?


Options are :

  • The LDAP account unit's login Distinguished Name is incorrectly configured. (Correct)
  • The LDAP server is incorrectly configured.
  • The Administrator's login is incorrect.
  • The user is not defined in Active Directory.

Answer : The LDAP account unit's login Distinguished Name is incorrectly configured.

156-215.70 Check Point Certified Security Administrator Exam Set 3

Can end users be forced to authenticate by using client certificates and username/password credentials?


Options are :

  • SSL VPN only supports server certificates
  • Yes, by editing the protection-level settings. (Correct)
  • Yes, but by manually changing the parameter :IsPasswordWarning to true in the $FWDIR/conf/objects_5_0.C file, to allow for LDAP password remediation; and through the use of multiple-challenge login pages.
  • No, R71 only supports authentication by client certificates.

Answer : Yes, by editing the protection-level settings.

SSL termination takes place:


Options are :

  • In a LAN deployment on a Security Gateway
  • In a DMZ deployment on a Connectra Gateway
  • In a DMZ and LAN deployment scenario on a Connectra Gateway
  • In a DMZ and LAN deployment scenario on a Security Gateway (Correct)

Answer : In a DMZ and LAN deployment scenario on a Security Gateway

How can you disable SecureXL via the command line (it does not need to survive a reboot)?


Options are :

  • fwaccel off (Correct)
  • securexl off
  • fw ctl accel off
  • cphaprob off

Answer : fwaccel off

156-315.65 Check Point Security Administration NGX R65 Exam Set 1

A user attempts to initialize a network application using SSL Network Extender. The application fails to start. What SSL VPN option would be the MOST LIKELY solution?


Options are :

  • Select the option Auto-detect client capabilities.
  • Select the option Enable SSL Network Extender Application Mode only. (Correct)
  • Select the option Enable SSL Network Extender Network Mode only.
  • Select the option Turn off all SSL tunneling clients.

Answer : Select the option Enable SSL Network Extender Application Mode only.

How do you enable SecureXL (command line) on SecurePlatform?


Options are :

  • waccel on (Correct)
  • fwsecurexl on
  • fw accel on
  • fw securexl on

Answer : waccel on

To configure a client to properly log in to the user portal using a certificate, the Administrator MUST:


Options are :

  • Create an internal user in the admin portal. (Correct)
  • Install an R71 internal Certificate Authority certificate.
  • Store the client certificate on the SSL VPN Gateway
  • Create a client certificate from SmartDashboard.

Answer : Create an internal user in the admin portal.

Check Point Certified Security Expert Exam Set 9

When converting Gateways to SmartLSM Security Gateways, you can:


Options are :

  • convert a Security Gateway or UTM-1 Edge Gateway managed with SmartDashboard to a SmartLSM Security Gateway managed with SmartProvisioning. (Correct)
  • reset SIC and re-establish communication with the new SmartProvisioning.
  • do nothing, the conversion is automatic.
  • delete the device and re-install it in SmartProvisioning

Answer : convert a Security Gateway or UTM-1 Edge Gateway managed with SmartDashboard to a SmartLSM Security Gateway managed with SmartProvisioning.

To force clients to use Integrity Secure Workspace when accessing sensitive applications, the Administrator can configure Connectra:


Options are :

  • Via protection levels (Correct)
  • To implement Integrity Clientless Security
  • Without a special setting. Secure Workspace is automatically configured.
  • To force the user to re-authenticate at login

Answer : Via protection levels

Which of the following is not supported by CoreXL?


Options are :

  • IPS
  • Route-based VPN (Correct)
  • IPV4
  • SmartView Tracker

Answer : Route-based VPN

156-315.77 Check Point Certified Security Expert Exam Set 10

To configure a Security Management Server for an SSL VPN Gateway, you can set up log forwarding from that Gateway. All of the following tasks must be performed to accomplish this, EXCEPT:


Options are :

  • Providing the Security Management Server's IP address.
  • Defining a remote log server in the "Remote Log Server" box. (Correct)
  • Initiating the putkey process in order to facilitate Secure Internal Communications (SIC).
  • Establishing SIC between the Security Management Server and the SSL VPN Gateway.

Answer : Defining a remote log server in the "Remote Log Server" box.

You are an SSL VPN Administrator. Your users complain that their Outlook Web Access is running extremely slowly, and their overall browsing experience continues to worsen. You suspect it could be a logging problem. Which of the following log files does Check Point recommend you purge?


Options are :

  • alert_owd.log
  • httpd*.log (Correct)
  • event_ws.log
  • mod_ws_owd.log

Answer : httpd*.log

The CoreXL SND (Secure Network Distributor) is responsible for:


Options are :

  • shutting down cores when they are not needed.
  • changing routes to distribute the load across multiple firewalls.
  • distributing non-accelerated packets among kernel instances. (Correct)
  • accelerating VPN traffic.

Answer : distributing non-accelerated packets among kernel instances.

156-315.13 Check Point Security Expert R76(GAiA) Exam Set 8

Network applications accessed using SSL Network Extender have been found to fail after one of their TCP connections has been left idle for more than one hour. You determine that you must enable sending reset (RST) packets upon TCP time-out expiration. Where is it necessary to change the setting?


Options are :

  • $FWDIR/conf/objects_5_0.C
  • $FWDIR/conf/objects.C
  • $WEBISDIR/conf/cpadmin.elg (Correct)
  • $CVPNDIR/conf/cvpnd.C

Answer : $WEBISDIR/conf/cpadmin.elg

Which utility or command is useful for debugging by capturing packet information, including verifying LDAP authentication?


Options are :

  • fw debug fwm
  • fw monitor (Correct)
  • ping
  • um_core enable

Answer : fw monitor

When connecting to the SSL VPN portal, you receive a pop-up message indicating that the server hostname does not match the certificate hostname, and the certificate is not signed by a known Certificate Authority (CA). How would you solve this problem?


Options are :

  • The administration GUI is pointing to the wrong certificate-hostname location.
  • Acquire and install an SSL server certificate from a known CA. (Correct)
  • Ignore the message. It only occurs before the portal synchronizes with the GUI.
  • Resolve the certificate-hostname conflict between the Connectra portal and the administration GUI.

Answer : Acquire and install an SSL server certificate from a known CA.

156-315.71 Check Point Security Expert R71 Practical Exam Set 4

What are the SmartProvisioning Policy Status indicators?


Options are :

  • OK, Down, Up, Synchronized
  • OK, Waiting, Out of Sync, Not Installed, Not communicating
  • OK, Waiting, Unknown, Not Installed, Not Updated, May be out of date (Correct)
  • OK, Unknown, Not Installed, May be out of date

Answer : OK, Waiting, Unknown, Not Installed, Not Updated, May be out of date

Among the authentication schemes SSL VPN employs for users, which scheme does Check Point recommend so all servers are replicated?


Options are :

  • User certificates
  • LDAP
  • RADIUS (Correct)
  • Username and password

Answer : RADIUS

SmartProvisioning is an integral part of the Security Management or Provider-1 CMA. To enable SmartProvisioning on the Security Management server:


Options are :

  • Obtain a SmartProvisioning license, add the License to the Security Management server or CMA, select the box under Policy for SmartProvisioning.
  • Obtain a SmartProvisioning license, add the License to the Security Management server or CMA, disable SecureXL.
  • Obtain a SmartProvisioning license, add the License to the Security Management server or CMA, turn on SmartProvisioning on each Gateway to be controlled.
  • Obtain a SmartProvisioning license, add the License to the Security Management server or CMA. (Correct)

Answer : Obtain a SmartProvisioning license, add the License to the Security Management server or CMA.

Check Point Certified Security Expert Exam Set 9

The customer wishes to install a cluster. In his network, there is a switch which is incapable of forwarding multicast. Is it possible to install a cluster in this situation?


Options are :

  • Yes, you can toggle on ClusterXL between broadcast and multicast by setting the multicast mode using the command cphaconf set_ccp multicast on off. The default setting is broadcast.
  • Yes, you can toggle on ClusterXL between broadcast and multicast using the command cphaconf set_ccp broadcast/multicast. (Correct)
  • No, the customer needs to replace the switch with a new switch, which supports multicast forwarding.
  • Yes, the ClusterXL changes automatically to the broadcast mode if the multicast is not forwarded.

Answer : Yes, you can toggle on ClusterXL between broadcast and multicast using the command cphaconf set_ccp broadcast/multicast.

Which of the following statements about SSL VPN is TRUE?


Options are :

  • All traffic is always encrypted.
  • Traffic is encrypted, when it is initiated from a LAN.
  • Traffic is not encrypted in a LAN deployment, where clear text requests are forwarded to internal servers. (Correct)
  • Administration traffic is not encrypted.

Answer : Traffic is not encrypted in a LAN deployment, where clear text requests are forwarded to internal servers.

Which internal user authentication protocols are supported in SSL VPN?


Options are :

  • Check Point Password, SecurID, LDAP, RADIUS, TACACS
  • Point Password, SecurID, OS Password, RADIUS, TACACS (Correct)
  • Check Point Password, SecurID, L2TP, RADIUS, TACACS
  • Check Point Password, SecurID, Active Directory, RADIUS, TACACS

Answer : Point Password, SecurID, OS Password, RADIUS, TACACS

156-315.77 Check Point Certified Security Expert Exam Set 15

You are an SSL VPN administrator. Your users complain that their Outlook Web Access is running extremely slowly, and their overall browsing experience continues to worsen. You suspect it could be a logging problem. Which of the following logs does Check Point recommend you turn off?


Options are :

  • Traffic
  • Trace (Correct)
  • Event
  • Alert

Answer : Trace

Your customer asks you about the Performance Pack. You explain to him that the Performance Pack is a software acceleration product which improves the performance of the Security Gateway. There are two ways to enable or disable this acceleration. The first one is to use the command cpconfig (see Figure 1). The second one is to use the command fwaccel on off (see Figure 2). What is the difference between those two commands?


Options are :

  • The cpconfig command enables acceleration. The command fwaccel can dynamically change the setting, but after the reboot it reverts to the default setting (Correct)
  • The fwaccel command determines the default setting. The command cpconfig can dynamically change the setting, but after the reboot it reverts to the default setting.
  • Both commands have the same function.
  • The command cpconfig works on the Security Platform only. The command fwaccel can be used on all platforms.

Answer : The cpconfig command enables acceleration. The command fwaccel can dynamically change the setting, but after the reboot it reverts to the default setting
