156-315.71 Check Point Security Expert R71 Practice Exam Set 2

Yoav is a Security Administrator preparing to implement a VPN solution for his multi-site organization. To comply with industry regulations, Yoav's VPN solution must meet the following requirements: Portability: Standard; Key management: Automatic, external PKI; Session keys: Changed at configured times during a connection's lifetime; Key length: No less than 128-bit; Data integrity: Secure against inversion and brute-force attacks. What is the most appropriate setting Yoav should choose?


Options are :

  • IKE VPNs: SHA1 encryption for IKE Phase 1, and MD5 encryption for Phase 2; AES hash
  • IKE VPNs: AES encryption for IKE Phase 1, and DES encryption for Phase 2; SHA1 hash
  • IKE VPNs: CAST encryption for IKE Phase 1, and SHA1 encryption for Phase 2; DES hash
  • IKE VPNs: DES encryption for IKE Phase 1, and 3DES encryption for Phase 2; MD5 hash
  • IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash

Answer : IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash

156-315.71 Check Point Security Expert R71 Practice Exam Set 3

You have an internal FTP server, and you allow downloading, but not uploading. Assume Network Address Translation is set up correctly, and you want to add an inbound rule with: Source: Any Destination: FTP server Service: FTP resources object. How do you configure the FTP resource object and the action column in the rule to achieve this goal?


Options are :

  • Disable "Get" and "Put" methods in the FTP Resource Properties and use it in the rule, with action accept.
  • Enable only the "Get" method in the FTP Resource Properties and use it in the rule, with action drop.
  • Enable both "Put" and "Get" methods in the FTP Resource Properties and use them in the rule, with action drop.
  • Enable only the "Get" method in the FTP Resource Properties, and use this method in the rule, with action accept.
  • Enable only the "Put" method in the FTP Resource Properties and use it in the rule, with action accept.

Answer : Enable only the "Get" method in the FTP Resource Properties, and use this method in the rule, with action accept.

Your organization has many VPN-1 Edge gateways at various branch offices, to allow VPN-1 SecureClient users to access company resources. For security reasons, your organization's Security Policy requires all Internet traffic initiated behind the VPN-1 Edge gateways first be inspected by your headquarters' VPN-1 Pro Security Gateway. How do you configure VPN routing in this star VPN Community?


Options are :

  • To the center and other satellites, through the center
  • To the Internet and other targets only
  • To the center only
  • To the center; or through the center to other satellites, then to the Internet and other VPN targets

Answer : To the center; or through the center to other satellites, then to the Internet and other VPN targets

Which is the BEST configuration option to protect internal users from malicious Java code, without stripping Java scripts?


Options are :

  • Use CVP in the URI resource to block Java code
  • Use the URI resource to strip ActiveX tags
  • Use the URI resource to strip applet tags
  • Use the URI resource to block Java code

Answer : Use the URI resource to block Java code

156-315.71 Check Point Security Expert R71 Practice Exam Set 4

VPN-1 NGX supports VoIP traffic in all of the following environments, EXCEPT which environment?


Options are :

  • MGCP
  • SIP
  • H.323
  • SCCP
  • MEGACO

Answer : MEGACO

DES Key Reset


Options are :

  • Net_A/Net_B/VoIP_any/accept
  • Net_A/Net_B/VoIP/accept
  • Net_A/Net_B/sip and sip_any/accept
  • Net_A/Net_B/sip/accept

Answer : Net_A/Net_B/sip/accept

Damon enables an SMTP resource for content protection. He notices that mail seems to slow down on occasion, sometimes being delivered late. Which of the following might improve throughput performance?


Options are :

  • Configuring the SMTP resource to bypass the CVP resource
  • Configuring the SMTP resource to only allow mail with Damon's company's domain name in the header
  • Increasing the Maximum number of mail messages in the Gateway's spool directory
  • Configuring the CVP resource to return the mail to the Gateway
  • Configuring the Content Vector Protocol (CVP) resource to forward the mail to the internal SMTP server, without waiting for a response from the Security Gateway

Answer : Configuring the Content Vector Protocol (CVP) resource to forward the mail to the internal SMTP server, without waiting for a response from the Security Gateway

156-315.71 Check Point Security Expert R71 Practice Exam Set 5

Robert has configured a Common Internet File System (CIFS) resource to allow access to the public partition of his company's file server, on \\erisco\goldenapple\files\public. Robert receives reports that users are unable to access the shared partition, unless they use the file server's IP address. Which of the following is a possible cause?


Options are :

  • Access violations are not logged.
  • Mapped shares do not allow administrative locks.
  • Remote registry access is blocked.
  • The CIFS resource is not configured to use Windows name resolution
  • Null CIFS sessions are blocked.

Answer : The CIFS resource is not configured to use Windows name resolution

Your current VPN-1 NG with Application Intelligence (AI) R55 stand-alone VPN-1 Pro Gateway and SmartCenter Server run on SecurePlatform. You plan to implement VPN-1 NGX in a distributed environment, where the existing machine will be the SmartCenter Server, and a new machine will be the VPN-1 Pro Gateway only. You need to migrate the NG with AI R55 SmartCenter Server configuration, including such items as Internal Certificate Authority files, databases, and Security Policies. How do you request a new license for this VPN-1 NGX upgrade?


Options are :

  • Request a VPN-1 NGX SmartCenter Server license, using the new machine's IP address. Request a new central license for the NGX VPN-1 Pro Gateway.
  • Request a VPN-1 NGX SmartCenter Server license, using the new machine's IP address. Request a new local license for the NGX VPN-1 Pro Gateway
  • Request a VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway, licensed for the existing SmartCenter Server IP address.
  • Request a new VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway.

Answer : Request a VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway, licensed for the existing SmartCenter Server IP address.

Which Security Server can perform authentication tasks, but CANNOT perform content security tasks?


Options are :

  • Telnet
  • FTP
  • HTTP
  • SMTP
  • rlogin

Answer : rlogin

156-315.71 Check Point Security Expert R71 Practice Exam Set 6

What is the behavior of ClusterXL in a High Availability environment?


Options are :

  • The active member responds to the virtual address and, using sync network forwarding, both members pass traffic
  • The active member responds to the virtual address and is the only member that passes traffic.
  • Both members respond to the virtual address but only the active member is able to pass traffic
  • Both members respond to the virtual address and both members pass traffic.

Answer : The active member responds to the virtual address and is the only member that passes traffic.

156-315.71 Check Point Security Expert R71 Practice Exam Set 7

How can you prevent delay-sensitive applications, such as video and voice traffic, from being dropped due to long queues when using the Check Point QoS solution?


Options are :

  • Weighted Fair queuing
  • Low latency class
  • guaranteed per connection
  • guaranteed per VoIP rule

Answer : Low latency class

You have a production implementation of Management High Availability, at version VPN-1 NG with Application Intelligence R55. You must upgrade your two SmartCenter Servers to VPN-1 NGX. What is the correct procedure?


Options are :

  • 1. Synchronize the two SmartCenter Servers. 2. Perform an advanced upgrade on the primary SmartCenter Server. 3. Upgrade the secondary SmartCenter Server. 4. Configure both SmartCenter Server host objects to version VPN-1 NGX. 5. Synchronize the Servers again.
  • 1. Perform an advanced upgrade on the primary SmartCenter Server. 2. Configure the primary SmartCenter Server host object to version VPN-1 NGX. 3. Synchronize the primary with the secondary SmartCenter Server. 4. Upgrade the secondary SmartCenter Server. 5. Configure the secondary SmartCenter Server host object to version VPN-1 NGX. 6. Synchronize the Servers again.
  • 1. Synchronize the two SmartCenter Servers. 2. Perform an advanced upgrade on the primary SmartCenter Server. 3. Configure the primary SmartCenter Server host object to version VPN-1 NGX. 4. Synchronize the two Servers again. 5. Upgrade the secondary SmartCenter Server. 6. Configure the secondary SmartCenter Server host object to version VPN-1 NGX. 7. Synchronize the Servers again.
  • 1. Synchronize the two SmartCenter Servers. 2. Upgrade the secondary SmartCenter Server. 3. Upgrade the primary SmartCenter Server. 4. Configure both SmartCenter Server host objects to version VPN-1 NGX. 5. Synchronize the Servers again.

Answer : 1. Synchronize the two SmartCenter Servers. 2. Perform an advanced upgrade on the primary SmartCenter Server. 3. Upgrade the secondary SmartCenter Server. 4. Configure both SmartCenter Server host objects to version VPN-1 NGX. 5. Synchronize the Servers again.

Your primary SmartCenter Server is installed on a SecurePlatform Pro machine, which is also a VPN-1 Pro Gateway. You want to implement Management High Availability (HA). You have a spare machine to configure as the secondary SmartCenter Server. How do you configure the new machine to be the standby SmartCenter Server, without making any changes to the existing primary SmartCenter Server? (Changes can include uninstalling and reinstalling.)


Options are :

  • The new machine cannot be installed as the Internal Certificate Authority on its own.
  • The secondary Server cannot be installed on a SecurePlatform Pro machine alone.
  • You cannot configure Management HA, when either the primary or secondary SmartCenter Server is running on a VPN-1 Pro Gateway.
  • Install the secondary Server on the spare machine. Add the new machine to the same network as the primary Server.

Answer : You cannot configure Management HA, when either the primary or secondary SmartCenter Server is running on a VPN-1 Pro Gateway.

156-315.77 Check Point Certified Security Expert Exam Set 1

You set up a mesh VPN Community, so your internal networks can access your partner's network, and vice versa. Your Security Policy encrypts only FTP and HTTP traffic through a VPN tunnel. All other traffic among your internal and partner networks is sent in clear text. How do you configure the VPN Community?


Options are :

  • Disable "accept all encrypted traffic" in the Community, and add FTP and HTTP services to the Security Policy, with that Community object in the VPN field.
  • Disable "accept all encrypted traffic", and put FTP and HTTP in the Excluded services in the Community object. Add a rule in the Security Policy for services FTP and http, with the Community object in the VPN field.
  • Put FTP and HTTP in the Excluded services in the Community object. Then add a rule in the Security Policy to allow Any as the service, with the Community object in the VPN field.
  • Enable "accept all encrypted traffic", but put FTP and HTTP in the Excluded services in the Community. Add a rule in the Security Policy, with services FTP and http, and the Community object in the VPN field.

Answer : Disable "accept all encrypted traffic" in the Community, and add FTP and HTTP services to the Security Policy, with that Community object in the VPN field.

When load sharing Multicast mode is defined in a ClusterXL cluster object, how are packets being handled by cluster members?


Options are :

  • All members receive all packets. The Security Management Server decides which member will process the packets. Other members delete the packets from memory.
  • All members receive all packets. All members run an algorithm which determines which member processes packets further and which members delete the packet from memory.
  • All cluster members process all packets and members synchronize with each other.
  • Only one member at a time is active. The active cluster member processes all packets.

Answer : All members receive all packets. All members run an algorithm which determines which member processes packets further and which members delete the packet from memory.

You are preparing to deploy a VPN-1 Pro Gateway for VPN-1 NGX. You have five systems to choose from for the new Gateway, and you must conform to the following requirements: Operating-system vendor's license agreement; Check Point's license agreement; Minimum operating-system hardware specification; Minimum Gateway hardware specification; Gateway installed on a supported operating system (OS). Which machine meets ALL of the following requirements?


Options are :

  • Processor: 2.2 GHz; RAM: 256 MB; Hard disk: 20 GB; OS: Windows 2000 Server
  • Processor: 2.0 GHz; RAM: 512 MB; Hard disk: 10 GB; OS: Windows ME
  • Processor: 1.5 GHz; RAM: 256 MB; Hard disk: 20 GB; OS: Red Hat Linux 8.0
  • Processor: 1.67 GHz; RAM: 128 MB; Hard disk: 5 GB; OS: FreeBSD
  • Processor: 1.1 GHz; RAM: 512 MB; Hard disk: 10 GB; OS: Windows 2000 Workstation

Answer : Processor: 2.2 GHz; RAM: 256 MB; Hard disk: 20 GB; OS: Windows 2000 Server

156-315.77 Check Point Certified Security Expert Exam Set 2

You are configuring the VoIP Domain object for a Skinny Client Control Protocol (SCCP) environment protected by VPN-1 NGX. Which VoIP Domain object type can you use?


Options are :

  • CallManager
  • Gateway
  • Proxy
  • Transmission Router
  • Gatekeeper

Answer : CallManager

Wayne configures an HTTP Security Server to work with the content vectoring protocol to screen forbidden sites. He has created a URI resource object using CVP with the following settings: Use CVP; Allow CVP server to modify content; Return data after content is approved. He adds two rules to his Rule Base: one to inspect HTTP traffic going to known forbidden sites, the other to allow all other HTTP traffic. Wayne sees HTTP traffic going to those problematic sites is not prohibited. What could cause this behavior?


Options are :

  • The Security Server Rule is after the general HTTP Accept Rule.
  • The Security Server is communicating with the CVP server, but no restriction is defined in the CVP server.
  • The Security Server is not communicating with the CVP server.
  • The Security Server is not configured correctly.

Answer : The Security Server Rule is after the general HTTP Accept Rule.

You have two Nokia Appliances: one IP530 and one IP380. Both Appliances have IPSO 3.9 and VPN-1 Pro NGX installed in a distributed deployment. Can they be members of a gateway cluster?


Options are :

  • No, because the Gateway versions must not be the same on both security gateways
  • Yes, as long as they have the same IPSO version and the same VPN-1 Pro version
  • No, because the appliances must be of the same model (Both should be IP530 or IP380.)
  • No, because members of a security gateway cluster must be installed as standalone deployments
  • Yes, because both gateways are from Nokia, whether they have the same VPN-1 PRO version or not

Answer : Yes, as long as they have the same IPSO version and the same VPN-1 Pro version

156-315.77 Check Point Certified Security Expert Exam Set 3

You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use four machines with the following configurations. Cluster Member 1: OS: SecurePlatform, NICs: QuadCard, memory: 256 MB, Security Gateway version: VPN-1 NGX. Cluster Member 2: OS: SecurePlatform, NICs: four Intel 3Com, memory: 512 MB, Security Gateway version: VPN-1 NGX. Cluster Member 3: OS: SecurePlatform, NICs: four other manufacturers, memory: 128 MB, Security Gateway version: VPN-1 NGX. SmartCenter Pro Server: MS Windows Server 2003, NIC: Intel NIC (one), Security Gateway and primary SmartCenter Server installed version: VPN-1 NGX. Are these machines correctly configured for a ClusterXL deployment?


Options are :

  • Yes, these machines are configured correctly for a ClusterXL deployment.
  • No, the SmartCenter Pro Server has only one NIC.
  • No, the SmartCenter Pro Server is not using the same operating system as the cluster members.
  • No, Cluster Member 3 does not have the required memory

Answer : Yes, these machines are configured correctly for a ClusterXL deployment.

Which Protection Mode does not exist in IPS?


Options are :

  • Prevent
  • Inactive
  • Detect
  • Allow

Answer : Allow

Problems sometimes occur when distributing IPSec packets to a few machines in a Load Sharing Multicast mode cluster, even though the machines have the same source and destination IP addresses. What is the best Load Sharing method for preventing this type of problem?


Options are :

  • Load Sharing based on IP addresses, ports, and serial peripheral interfaces (SPI)
  • Load Sharing based on IP addresses and ports
  • Load Sharing based on SPIs only
  • Load Sharing based on IP addresses only
  • Load Sharing based on SPIs and ports only

Answer : Load Sharing based on IP addresses and ports

156-315.77 Check Point Certified Security Expert Exam Set 4

Where is the encryption domain for a SmartLSM Security Gateway configured in R71?


Options are :

  • Inside the SmartLSM Security Gateway object in the SmartProvisioning GUI
  • Inside the SmartLSM Security Gateway profile in the SmartProvisioning GUI
  • Inside the SmartLSM Security Gateway profile in the SmartDashboard GUI
  • Inside the SmartLSM Security Gateway object in the SmartDashboard GUI

Answer : Inside the SmartLSM Security Gateway profile in the SmartProvisioning GUI

What is the proper command for importing users into the R71 User Database?


Options are :

  • fwm dbimport
  • fwm import
  • fwm importusrs
  • fwm importdb

Answer : fwm dbimport

To change the default port of the Management Portal,


Options are :

  • Edit the masters.conf file on the Portal server
  • Re-initialize SIC
  • Modify the file cp_httpd_admin.conf.
  • Run sysconfig and change the management interface

Answer : Modify the file cp_httpd_admin.conf.

156-315.77 Check Point Certified Security Expert Exam Set 5

Management Portal should be installed on: (i) Management Server (ii) Security Gateway (iii) Dedicated Server


Options are :

  • (ii) only
  • (i) or (ii) only
  • (iii) only
  • All are possible solutions

Answer : (i) or (ii) only

You want only RAS signals to pass through the H.323 Gatekeeper, with other H.323 protocols passing directly between end points. Which routing mode in the VoIP Domain Gatekeeper do you select?


Options are :

  • Call Setup and Call Control
  • Direct and Call Setup
  • Direct
  • Call Setup

Answer : Direct

Jerry is concerned that a denial-of-service (DoS) attack may affect his VPN Communities. He decides to implement IKE DoS protection. Jerry needs to minimize the performance impact of implementing this new protection. Which of the following configurations is MOST appropriate for Jerry?


Options are :

  • Set "Support IKE DoS protection" from identified source, and "Support IKE DoS protection" from unidentified source to "Stateless".
  • Set Support IKE DoS protection from identified source to "Puzzles", and Support IKE DoS protection from unidentified source to "Stateless".
  • Set Support IKE DoS protection from identified source, and Support IKE DoS protection from unidentified source to "Puzzles".
  • Set Support IKE DoS protection from identified source to "Stateless", and Support IKE DoS protection from unidentified source to "None".
  • Set Support IKE DoS protection from identified source to "Stateless," and Support IKE DoS protection from unidentified source to "Puzzles".

Answer : Set "Support IKE DoS protection" from identified source, and "Support IKE DoS protection" from unidentified source to "Stateless".

156-315.77 Check Point Certified Security Expert Exam Set 6

Rachel is the Security Administrator for a university. The university's FTP servers have old hardware and software. Certain FTP commands cause the FTP servers to malfunction. Upgrading the FTP servers is not an option at this time. Which of the following options will allow Rachel to control which FTP commands pass through the Security Gateway protecting the FTP servers?


Options are :

  • Global Properties > Security Server > Allowed FTP Commands
  • Web Intelligence > Application Layer > FTP Settings
  • Rule Base > Action Field > Properties
  • SmartDefense > Application Intelligence > FTP Security Server
  • FTP Service Object > Advanced > Blocked FTP Commands

Answer : SmartDefense > Application Intelligence > FTP Security Server
