156-315.71 Check Point Security Expert R71 Practical Exam Set 8

In Company XYZ, the DLP Administrator defined a new template Data Type that is based on an empty PDF form for an insurance claim. Which of the following statements about this new data type are CORRECT?


Options are :

  • Word, Excel, PDF filled in insurance claim forms that were based on the empty PDF insurance claim form will be matched by this Data Type. (Correct)
  • If the empty PDF insurance claim form is sent, it will NOT be matched by this Data Type
  • Only completed insurance claim forms of PDF file-type that were based on the empty PDF form will be matched by this Data Type.
  • The Data Type will match only files where the name and file size are similar to those of the original insurance claim forms in PDF format.

Answer : Word, Excel, PDF filled in insurance claim forms that were based on the empty PDF insurance claim form will be matched by this Data Type.

For best performance in Event Correlation, you should use:


Options are :

  • Nothing slows down Event Correlation
  • IP address ranges (Correct)
  • Large groups
  • Many objects

Answer : IP address ranges

In R71, how would you define a rule to block all traffic sent to or from Germany?


Options are :

  • This action is not possible.
  • Go to Policy / Global Properties / Geographical Protection Enforcement and add Germany to the blocked countries list.
  • Create a country specific policy within IPS Geo Protections with Germany as the country, block as the action, and from and to country for direction. (Correct)
  • Create a policy rule with destination being a custom dynamic object representing Germany and action block. You must also create a rule in the opposite direction.

Answer : Create a country specific policy within IPS Geo Protections with Germany as the country, block as the action, and from and to country for direction.

You have selected the event Port Scan from Internal Network in SmartEvent, to detect an event when 30 port scans have occurred within 60 seconds. You also want to detect two port scans from a host within 10 seconds of each other. How would you accomplish this?


Options are :

  • Define the two port-scan detections as an exception. (Correct)
  • Select the two port-scan detections as a new event.
  • You cannot set SmartEvent to detect two port scans from a host within 10 seconds of each other.
  • Select the two port-scan detections as a sub-event.

Answer : Define the two port-scan detections as an exception.

With SmartEvent, what is the Analyzer's function?


Options are :

  • Assign severity levels to events. (Correct)
  • Generate a threat analysis report from the Analyzer database.
  • Display received threats and tune the Events Policy
  • Analyze log entries, looking for Event Policy patterns.

Answer : Assign severity levels to events.

Which of the following functions CANNOT be performed in ClientInfo on computer information collected?


Options are :

  • Run Google.com search using the contents of the selected cell.
  • Copy the contents of the selected cells
  • Save the information in the active tab to an .exe file (Correct)
  • Enter new credentials for accessing the computer information.

Answer : Save the information in the active tab to an .exe file

What is the purpose of the pre-defined exclusions included with SmartEvent R71?


Options are :

  • To avoid incorrect event generation by the default IPS event definition; a scenario that may occur in deployments that include Security Gateways of versions prior to R71. (Correct)
  • To allow SmartEvent R71 to function properly with all other R71 release devices.
  • As a base for starting and building exclusions.
  • To give samples of how to write your own exclusion.

Answer : To avoid incorrect event generation by the default IPS event definition; a scenario that may occur in deployments that include Security Gateways of versions prior to R71.

Which of the following generates a SmartEvent Report from its SQL database?


Options are :

  • SmartEvent Client
  • SmartReporter (Correct)
  • Security Management Server
  • SmartDashboard Log Consolidator

Answer : SmartReporter

What is a task of the SmartEvent Client?


Options are :

  • Display the received events. (Correct)
  • Analyze each IPS log entry as it enters the Log server.
  • Assign a severity level to an event.
  • Add events to the events database

Answer : Display the received events.

What is a task of the SmartEvent Server?


Options are :

  • Assign a severity level to an event (Correct)
  • Display the received events.
  • Analyze each IPS log entry as it enters the Log server.
  • Forward what is known as an event to the SmartEvent Server.

Answer : Assign a severity level to an event

When deploying a dedicated DLP Gateway behind a perimeter firewall on an interface leading to the internal network (there is only one internal network):


Options are :

  • The DLP Gateway can inspect e-mails (e-mails between two users on an internal or external network) if the organization's internal mail server is located on another network (not the internal network; for instance the DMZ or a different internal network) and users are configured to send e-mails to this mail server using SMTP.
  • The DLP Gateway can inspect SMTP traffic if a MS Exchange server is located on the internal network, and it either sends e-mails directly to the Internet using SMTP or sends emails to the Internet in SMTP via a mail relay that is located on the perimeter's firewall DMZ network. (Correct)
  • The DLP Gateway can inspect internal e-mails (e-mails between two users on the internal network) if the organization's internal mail server is located in the internal network and users are configured to send e-mails to this mail server using SMTP
  • User's HTTPS and FTP traffic can be inspected by the R71 DLP Gateway.

Answer : The DLP Gateway can inspect SMTP traffic if a MS Exchange server is located on the internal network, and it either sends e-mails directly to the Internet using SMTP or sends emails to the Internet in SMTP via a mail relay that is located on the perimeter's firewall DMZ network.

All of the following are used by the DLP engine to match a message during a scan, EXCEPT:


Options are :

  • Protocol
  • Data Type
  • Destination
  • Message Body (Correct)

Answer : Message Body

What is the best tool to produce a report which represents historical system information?


Options are :

  • SmartView Tracker
  • SmartReporter-Express Reports (Correct)
  • SmartReporter-Standard Reports
  • SmartView Monitor

Answer : SmartReporter-Express Reports

Which Check Point product is used to create and save changes to a Log Consolidation Policy?


Options are :

  • Security Management Server
  • SmartReporter Client
  • SmartDashboard Log Consolidator (Correct)
  • SmartEvent Server

Answer : SmartDashboard Log Consolidator

What is the benefit of running SmartEvent in Learning Mode?


Options are :

  • There is no SmartEvent Learning Mode
  • To run SmartEvent with preloaded sample data in a test environment
  • To run SmartEvent, with a step-by-step online configuration guide for training/setup purposes
  • To generate a report with system Event Policy modification suggestions (Correct)

Answer : To generate a report with system Event Policy modification suggestions

Which of the following components contains the Events Data Base?


Options are :

  • SmartEvent Server (Correct)
  • SmartEvent Client
  • SmartEvent DataServer
  • SmartEvent Correlation Unit

Answer : SmartEvent Server
