156-315.71 Check Point Security Expert R71 Practical Exam Set 6

Why would an old Connectra Gateway IP be displayed to remote SSL Network Extender users, after changing it to a different IP? You must:


Options are :

  • Make the change using sysconfig instead of the admin portal.
  • Install a new license corresponding to the newly configured IP.
  • Restart service CPwebis.
  • Update Connectra's certificate to reflect the newly assigned IP address (Correct)

Answer : Update Connectra's certificate to reflect the newly assigned IP address

156-215.77 Check Point Certified Security Administrator Exam Set 1

Which procedure enables the SSL VPN blade on the gateway?


Options are :

  • Log into WebUI on the gateway and check the SSL VPN Blade check box.
  • Log into SmartDashboard, edit the properties of the Gateway, and select the SSL VPN check box. (Correct)
  • Log into SmartDashboard, Create a new rule with the source and destination addresses of the needed remote network, set the action to Encrypt and push the policy to that gateway.
  • Log into SmartDashboard, Select the VPN Communities tab and add the gateway to the appropriate community.

Answer : Log into SmartDashboard, edit the properties of the Gateway, and select the SSL VPN check box.

In CoreXL, what process is responsible for processing incoming traffic from the network interfaces, securely accelerating authorized packets, and distributing non-accelerated packets among kernel instances?


Options are :

  • NAD (Network Accelerator Daemon)
  • SSD (Secure System Distributor)
  • SNP (System Networking Process)
  • SND (Secure Network Distributor) (Correct)

Answer : SND (Secure Network Distributor)

For an initial installation of Connectra, which of the following statements is TRUE?


Options are :

  • It is not possible to use the sysconfig and cpconfig utilities, until the First Time Wizard in the Administration Web GUI is successfully completed. (Correct)
  • It is possible to run the First Time Wizard from Expert Mode on the Connectra server
  • It is not necessary to set up the Rule Base before completing Connectra's installation.
  • You must configure the Connectra username and password before running the First Time Wizard.

Answer : It is not possible to use the sysconfig and cpconfig utilities, until the First Time Wizard in the Administration Web GUI is successfully completed.

156-315.13 Check Point Security Expert R76 (GAiA) Exam Set 1

Domain name can NOT be changed in SmartProvisioning and Domain Name is grayed out. What is a possible reason for this?


Options are :

  • Profile is not assigned to any Gateway.
  • Override profile setting on device level is set to Mandatory (Correct)
  • Domain name settings are always fetched from firewall object.
  • There is no SmartProvisioning license installed

Answer : Override profile setting on device level is set to Mandatory

A user attempts to initialize a network application using SSL Network Extender. The application fails to start. What is the MOST LIKELY solution?


Options are :

  • Select the option Turn off all SSL tunneling clients.
  • Select the option Enable SSL Network Extender Application Mode only (Correct)
  • Select the option Auto-detect client capabilities.
  • Select the option Enable SSL Network Extender Network Mode only.

Answer : Select the option Enable SSL Network Extender Application Mode only

Which of the following is a supported deployment for Connectra?


Options are :

  • Solaris 10
  • VMWare ESX (Correct)
  • IPSO 4.9 build 88
  • Windows server 2007

Answer : VMWare ESX

156-315.77 Check Point Certified Security Expert Exam Set 24

Which of the following is NOT accelerated by SecureXL?


Options are :

  • HTTPS
  • SSH
  • FTP (Correct)
  • Telnet

Answer : FTP

Which Remote Desktop protocols are supported natively in SSL VPN?


Options are :

  • Microsoft RDP only
  • AT&T VNC, Citrix ICA and Microsoft RDP
  • Citrix ICA and Microsoft RDP (Correct)
  • AT&T VNC and Microsoft RDP

Answer : Citrix ICA and Microsoft RDP

Which command can be used to verify SecureXL statistics?


Options are :

  • fwaccel stats (Correct)
  • cphaprob stat
  • fwaccel top
  • fw ctl pstat

Answer : fwaccel stats

156-315.77 Check Point Certified Security Expert Exam Set 9

In Management High Availability, what is an Active SMS?


Options are :

  • Active Smart Master Server
  • Active Security Master Server
  • Active Security Management Server (Correct)
  • Active Smart Management Server

Answer : Active Security Management Server

156-315.71 Check Point Security Expert R71 Practical Exam Set 3

The ________ Check Point ClusterXL mode must synchronize the physical interface IP and MAC addresses on all clustered interfaces.


Options are :

  • Multicast Mode Load Sharing
  • Pivot Mode Load Sharing
  • Legacy Mode HA (Correct)
  • New Mode HA

Answer : Legacy Mode HA

What is the meaning of the option Connect to the Internet?


Options are :

  • SmartDashboard will retrieve information from Check Point over the Internet
  • SmartDashboard will retrieve information from Check Point over the Internet. Your informationwill be sent anonymously to Check Point.
  • SmartDashboard will retrieve information from Check Point over the Internet. No information will be sent.
  • SmartDashboard will retrieve information from Check Point over the Internet using your User Center login. (Correct)

Answer : SmartDashboard will retrieve information from Check Point over the Internet using your User Center login.

In the following cluster configuration; if you reboot sglondon_1 which device will be active when sglondon_1 is back up and running? Why?


Options are :

  • Sglondon_1 because it the first configured object with the lowest IP
  • Sglondon_1, because it is up again, sglondon_2 took over during reboot
  • Sglondon_2 because it has highest priority (Correct)
  • Sglondon_2 because I has highest IP

Answer : Sglondon_2 because it has highest priority

156-215.75 Check Point Certified Security Administrator Exam Set 8

The following configuration is for R71. Is this configuration correct for Management High Availability?


Options are :

  • No, a R71 Security Management Server cannot run on Red Hat Linux 9.0.
  • No, the Security Management Servers must reside on the same network
  • No, the Security Management Servers do not have the same number of NICs.
  • No, the Security Management Servers must be installed on the same operating system. (Correct)

Answer : No, the Security Management Servers must be installed on the same operating system.

How do you verify a VPN Tunnel Interface (VTI) is configured properly?


Options are :

  • vpn shell show interface detailed (Correct)
  • vpn shell display interface detailed
  • vpn shell display detailed
  • vpn shell show detailed

Answer : vpn shell show interface detailed

You have installed SecurePlatform R71 as Security Gateway operating system. As company requirements changed, you need the VTI features of R71. What should you do?


Options are :

  • In SmartDashboard click on the OS drop down menu and choose SecurePlatform Pro. You have to reboot the Security Gateway in order for the change to take effect.
  • You have to re-install your Security Gateway with SecurePlatform Pro R71, as SecurePlatform R71 does not support VTIs.
  • Type pro enable on your Security Gateway and reboot it. (Correct)
  • Only IPSO 3.9 supports VTI feature, so you have to replace your Security Gateway with Nokia appliances.

Answer : Type pro enable on your Security Gateway and reboot it.

156-215.77 Check Point Certified Security Administrator Test Set 6

When a failed cluster member recovers, which of the following actions is NOT taken by the recovering member?


Options are :

  • It will not check for any updated policy and load the last installed policy with a warning message indicating that the Security Policy needs to be installed from the Security Management Server. (Correct)
  • If the Security Management Server has a newer policy, it will be retrieved, else the local policy will be loaded.
  • It will try to take the policy from one of the other cluster members
  • It compares its local policy to the one on the Security Management Server.

Answer : It will not check for any updated policy and load the last installed policy with a warning message indicating that the Security Policy needs to be installed from the Security Management Server.

Which of the following commands can be used to troubleshoot ClusterXL sync issues?


Options are :

  • fw tab -s -t connections > file_name (Correct)
  • fw ctl -s -t connections > file_name
  • fw debug cxl connections > file_name
  • fw tab -u connections > file_name

Answer : fw tab -s -t connections > file_name

Refer to the network topology below. You have IPS Software Blades active on the Security Gateways sglondon, sgla, and sgny, but still experience attacks on the Web server in the New York DMZ. How is this possible?


Options are :

  • An IPS may combine different detection technologies, but is dependent on regular signature updates and well-tuned anomaly algorithms. Even if this is accomplished, no technology can offer 100% protection.
  • The attacker may have used a bunch of evasion techniques like using escape sequences instead of cleartext commands. It is also possible that there are entry points not shown in the network layout, like rogue access points.
  • All of these options are possible. (Correct)
  • Since other Gateways do not have IPS activated, attacks may originate from their networks without anyone noticing.

Answer : All of these options are possible.

156-315.77 Check Point Certified Security Expert Exam Set 15

In a R71 ClusterXL Load Sharing configuration, which type of ARP related problem can force the use of Unicast Mode (Pivot) configuration due to incompatibility on some adjacent routers and switches?


Options are :

  • Multicast MAC address response to a RARP request
  • Unicast MAC address response to a Multicast IP request
  • Multicast MAC address response to a Unicast IP request (Correct)
  • MGCP MAC address response to a Multicast IP request

Answer : Multicast MAC address response to a Unicast IP request

When using ClusterXl in load sharing, what method is used be default?


Options are :

  • IPs, Ports, SPIs (Correct)
  • IPs
  • IPs, SPIs
  • IPs, Ports

Answer : IPs, Ports, SPIs

Which of the following QoS rule-action properties is an Advanced action type, only available in Traditional mode?


Options are :

  • Rule weight
  • Apply rule only to encrypted traffic
  • Rule guarantee
  • Per Connection Guarantee (Correct)

Answer : Per Connection Guarantee

156-215.77 Check Point Certified Security Administrator Exam Set 6

Using the output below, why is the QoS rule not limiting the internal users to 2000 Bps of GNUtella traffic?


Options are :

  • Rule Guarantee needs to be changed to Rule Limit (Correct)
  • Encrypted traffic needs to be added to the Action field
  • The Source and Destination columns need to be reversed
  • Rule Weight needs to be changed to 10

Answer : Rule Guarantee needs to be changed to Rule Limit

Your online bookstore has customers connecting to a variety of Web servers to place or change orders and check order status. You ran penetration tests through the Security Gateway to determine if the Web servers were protected from a recent series of cross-site scripting attacks. The penetration testing indicated the Web servers were still vulnerable. You have checked every box in the Web Intelligence tab, and installed the Security Policy. What else might you do to reduce the vulnerability?


Options are :

  • Check the Products / Web Server box on the host node objects representing your Web servers. (Correct)
  • The penetration software you are using is malfunctioning and is reporting a falsepositive
  • Configure the Security Gateway protecting the Web servers as a Web server
  • Add Port (TCP 443) as an additional port on the Web Server tab for the host node.

Answer : Check the Products / Web Server box on the host node objects representing your Web servers.

You are the Security Administrator for a university. The university's FTP servers have old hardware and software. Certain FTP commands cause the FTP servers to malfunction. Upgrading the FTP servers is not an option at this time. Where can you define blocked FTP commands passing through the Security Gateway protecting the FTP servers?


Options are :

  • Global Properties / FireWall / Security Server / Allowed FTP Commands
  • IPS > Protections / By Protocol / IPS Software Blade / Application Intelligence / FTP / FTP Advanced Protections / FTP Commands (Correct)
  • FTP Service Object / Advanced / Blocked FTP Commands
  • Rule Base / Service Field / Edit Properties

Answer : IPS > Protections / By Protocol / IPS Software Blade / Application Intelligence / FTP / FTP Advanced Protections / FTP Commands

Check Point Certified Security Expert Exam Set 1

A customer is calling saying one member's status is Down. What will you check?


Options are :

  • cphaprob list (verify what critical device is down) (Correct)
  • fw ctl pstat (check sync)
  • tcpdump/snoop (CCP traffic)
  • fw ctl debug -m cluster + forward (forwarding layer debug)

Answer : cphaprob list (verify what critical device is down)

You are trying to configure Directional VPN Rule Match in the Rule Base. But the Match column does not have the option to see the Directional Match. You see the following window. What must you enable to see the Directional Match?


Options are :

  • directional_match(true) in the objects_5_0.C file on Security Management Server
  • Advanced Routing on each Security Gateway
  • VPN Directional Match on the Gateway object's VPN tab
  • VPN Directional Match on the VPN advanced window, in Global Properties (Correct)

Answer : VPN Directional Match on the VPN advanced window, in Global Properties

What is the command to enter the router shell?


Options are :

  • routerd
  • router (Correct)
  • clirouter
  • gated

Answer : router

156-315.77 Check Point Certified Security Expert Exam Set 8

For Management High Availability, if an Active SMS goes down, does the Standby SMS automatically take over?


Options are :

  • Yes, if you set up VRRP
  • Yes, if you set up ClusterXL
  • No, the transition should be initiated manually (Correct)
  • Yes, if you set up SecureXL

Answer : No, the transition should be initiated manually

Comment / Suggestion Section
Point our Mistakes and Post Your Suggestions