156-315.71 Check Point Security Expert R71 Practice Exam Set 3

You are configuring the VoIP Domain object for an H.323 environment, protected by VPN-1 NGX. Which VoIP Domain object type can you use?


Options are :

  • Proxy
  • Call Agent
  • Gatekeeper (Correct)
  • Call Manager
  • Transmission Router

Answer : Gatekeeper

What type of packet does a VPN-1 SecureClient send to its Policy Server, to report its Secure Configuration Verification status?


Options are :

  • IKE Key Exchange
  • ICMP Port Unreachable
  • ICMP Destination Unreachable
  • TCP keep alive
  • UDP keep alive (Correct)

Answer : UDP keep alive

You want to establish a VPN, using Certificates. Your VPN will exchange Certificates with an external partner. Which of the following activities should you do first?


Options are :

  • Exchange exported CA keys and use them to create a new server object, to represent your partner's Certificate Authority (CA). (Correct)
  • Manually import your partner's Access Control List.
  • Exchange a shared secret, before importing Certificates.
  • Manually import your partner's Certificate Revocation List
  • Create a new logical-server object, to represent your partner's CA

Answer : Exchange exported CA keys and use them to create a new server object, to represent your partner's Certificate Authority (CA).

From the following output of cphaprob state, which ClusterXL mode is this?


Options are :

  • Multicast mode
  • Legacy mode (Correct)
  • New mode
  • Unicast mode

Answer : Legacy mode

Which Security Servers can perform Content Security tasks, but CANNOT perform authentication tasks?


Options are :

  • SMTP (Correct)
  • FTP
  • HTTP
  • Telnet

Answer : SMTP

Which of the following does NOT happen when using Pivot Mode in ClusterXL?


Options are :

  • The Pivot's Load Sharing decision function decides which cluster member should handle the packet.
  • The Pivot forwards the packet to the appropriate cluster member.
  • The packet is forwarded through the same physical interface from which it originally came, not on the sync interface
  • The Security Gateway analyzes the packet and forwards it to the Pivot. (Correct)

Answer : The Security Gateway analyzes the packet and forwards it to the Pivot.

Where can a Security Administrator adjust the unit of measurement (bps, Kbps or Bps), for Check Point QoS bandwidth?


Options are :

  • Check Point gateway object properties
  • QoS Class objects
  • $CPDIR/conf/qos_props.pf
  • Global Properties (Correct)

Answer : Global Properties

Using SmartProvisioning Profiles, which of the following could be configured for both SecurePlatform AND UTM-1 Edge devices? (i) Backup (ii) Routing (iii) Interfaces (iv) Hosts (v) NTP server (vi) DNS


Options are :

  • none of these options are available for both. (Correct)
  • (i), (ii) and (iv)
  • (ii), (iii), (iv) and (vi)
  • (i), (iii), (iv) and (vi)

Answer : none of these options are available for both.

You are reviewing SmartView Tracker entries, and see a Connection Rejection on a Check Point QoS rule. What causes the Connection Rejection?


Options are :

  • The Constant Bit Rate for a Low Latency Class has been exceeded by greater than 10%, and the Maximal Delay is set below requirements.
  • The guarantee of one of the rule's sub-rules exceeds the guarantee in the rule itself.
  • The number of guaranteed connections is exceeded. The rule's action properties are not set to accept additional connections. (Correct)
  • Burst traffic matching the Default Rule is exhausting the Check Point QoS global packet buffers.

Answer : The number of guaranteed connections is exceeded. The rule's action properties are not set to accept additional connections.

You want VPN traffic to match packets from internal interfaces. You also want the traffic to exit the Security Gateway, bound for all site-to-site VPN Communities, including Remote Access Communities. How should you configure the VPN match rule?


Options are :

  • internal_clear > All_GwToGw
  • Communities > Communities
  • internal_clear > External_Clear
  • internal clear>All communities (Correct)
  • internal_clear > Communities

Answer : internal clear>All communities

Mark the configuration options that are available for Data Loss Prevention in R71.


Options are :

  • The DLP Gateway running only the Management Server on the same machine.
  • The DLP as an integrated software blade which can be enabled on a Check Point Security Gateway running other software blades such as firewall, IPS and Management.
  • A Dedicated DLP Gateway running only the DLP Software Blade. (Correct)
  • The DLP Gateway running only the Firewall Software Blade

Answer : A Dedicated DLP Gateway running only the DLP Software Blade.

What is the advantage for deploying SSL VPN in a DMZ, versus a LAN?


Options are :

  • Traffic is authenticated without hiding behind Connectra's IP address
  • SSL Network Extender is ineffective in a LAN deployment.
  • Traffic is in clear text when forwarded to internal servers, but the back connection is encrypted for remote users
  • SSL VPN adds another layer of access security to internal resources, when it resides in a DMZ. (Correct)

Answer : SSL VPN adds another layer of access security to internal resources, when it resides in a DMZ.

Which component functions as the Internal Certificate Authority for VPN-1 NGX?


Options are :

  • SmartCenterServer (Correct)
  • Policy Server
  • SmartLSM
  • Security Gateway
  • VPN-1 Certificate Manager

Answer : SmartCenterServer

In a Management High Availability (HA) configuration, you can configure synchronization to occur automatically, when: 1. The Security Policy is installed. 2. The Security Policy is saved. 3. The Security Administrator logs in to the secondary SmartCenter Server, and changes its status to active. 4. A scheduled event occurs. 5. The user database is installed. Select the BEST response for the synchronization sequence. Choose one.


Options are :

  • 1,2,4 (Correct)
  • 1,2,3,4
  • 1,2,3
  • 1,2,5
  • 1,3,4

Answer : 1,2,4

Which of the following actions is most likely to improve the performance of Check Point QoS?


Options are :

  • Put the most frequently used rules at the bottom of the QoS Rule Base.
  • Turn per rule guarantees into per connection guarantees.
  • Turn per rule limits into per connection limits
  • Define Check Point QoS only on the external interfaces of the QoS Module. (Correct)

Answer : Define Check Point QoS only on the external interfaces of the QoS Module.

What is NOT true about Management Portal?


Options are :

  • Management Portal could be reconfigured for using HTTP instead of HTTPS
  • Management Portal requires a license
  • Choosing Accept control connections in Implied Rules includes Management Portal access (Correct)
  • Default Port for Management Portal access is 4433

Answer : Choosing Accept control connections in Implied Rules includes Management Portal access

What port is used for Administrator access for your SSL VPN?


Options are :

  • 80
  • 4434
  • 4433 (Correct)
  • 443

Answer : 4433

What is the command to upgrade a SecurePlatform NG with Application Intelligence (AI) R55 SmartCenter Server to VPN-1 NGX using a CD?


Options are :

  • patch add cd (Correct)
  • fwm upgrade_tool
  • cppkg add
  • cd patch add
  • patch add

Answer : patch add cd

How can you completely tear down a specific VPN tunnel in an intranet IKE VPN deployment?


Options are :

  • Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec+IKE SAs for ALL peers and users".
  • Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec SAs for a given user (Client)".
  • Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec SAs for ALL peers and users".
  • Run the command vpn tu on the SmartCenter Server, and choose the option "Delete all IPSec+IKE SAs for ALL peers and users".
  • Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec+IKE SAs for a given peer (GW)". (Correct)

Answer : Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec+IKE SAs for a given peer (GW)".

How does a standby SmartCenter Server receive logs from all Security Gateways, when an active SmartCenter Server fails over?


Options are :

  • Create a Check Point host object to represent the standby SmartCenter Server. Then select "Secondary SmartCenter Server" and "Log Server", from the list of Check Point Products on the General properties screen.
  • On the Log Servers screen (from the Logs and Masters tree on the gateway object's General Properties screen), add the secondary SmartCenter Server object as the additional log server. Reinstall the Security Policy. (Correct)
  • The secondary Server's host name and IP address must be added to the Masters file, on the remote Gateways.
  • The remote Gateways must set up SIC with the secondary SmartCenter Server, for logging.
  • Establish Secure Internal Communications (SIC) between the primary and secondary Servers. The secondary Server can then receive logs from the Gateways, when the active Server fails over.

Answer : On the Log Servers screen (from the Logs and Masters tree on the gateway object's General Properties screen), add the secondary SmartCenter Server object as the additional log server. Reinstall the Security Policy.

You are concerned that the processor for your firewall running NGX R71 SecurePlatform may be overloaded. What file would you view to determine the speed of your processor(s)?


Options are :

  • cat /etc/cpuinfo
  • cat /proc/cpuinfo (Correct)
  • cat /etc/sysconfig/cpuinfo
  • cat /var/opt/CPsuite-R71/fw1/conf/cpuinfo

Answer : cat /proc/cpuinfo

Which of the following components receives events and assigns severity levels to the events; then invokes any defined automatic reactions and adds the events to the Events Data Base?


Options are :

  • SmartEvent Analysis Data Server
  • SmartEvent Correlation Unit
  • SmartEvent Server (Correct)
  • SmartEvent Client

Answer : SmartEvent Server

Which of the following statements is FALSE regarding ospf configuration on SecurePlatform Pro?


Options are :

  • router ospf 1 creates an ospf routing instance and this process ID should be different for each Security Gateway.
  • router ospf 1 creates an ospf routing instance and this process ID should be the same on all Gateways.
  • router ospf 1 creates the Router ID for the Security Gateway and should be different for all Gateways.
  • router ospf 1 creates the Router ID for the Security Gateway and should be the same ID for all Gateways. (Correct)

Answer : router ospf 1 creates the Router ID for the Security Gateway and should be the same ID for all Gateways.

A user cannot authenticate to SSL VPN. You have verified the user is assigned a user group and reproduced the problem, confirming a failed-login session. You do not see an indication of this attempt in the traffic log. The user is not using a client certificate for login. To debug this error, where in the authentication process could the solution be found?


Options are :

  • admin
  • cvpnd (Correct)
  • cpauth
  • apache

Answer : cvpnd

In which case is a Sticky Decision Function relevant?


Options are :

  • Load Sharing - Multicast
  • Load Balancing - Forward
  • High Availability (Correct)
  • Load Sharing - Unicast

Answer : High Availability

You have pushed a policy to your firewall and you are not able to access the firewall. What command will allow you to remove the current policy from the machine?


Options are :

  • fw purge active
  • fw purge active
  • fw purge policy (Correct)
  • fw fetch policy

Answer : fw purge policy

Which statement about LDAP and Active Directory (AD) with SSL VPN is TRUE?


Options are :

  • SSL VPN does not support LDAP password remediation.
  • By default, SSL VPN sends username and password credentials to LDAP servers in UTF-8 encoding.
  • SSL VPN never stores the user records of LDAP/AD groups.
  • SSL VPN is capable of administering or creating users and groups directly on an LDAP server. (Correct)

Answer : SSL VPN is capable of administering or creating users and groups directly on an LDAP server.

The following graphic illustrates which command being issued on SecurePlatform?


Options are :

  • The old status is removed and a new session is created with the same name, but with a note stating New session after repair.
  • The administrator will have to open the old session and make the changes, no note is added automatically, however, the manager adds his notes stating the changes required.
  • The same session is modified with a note automatically added stating Under repair.
  • A new session is created by the name Repairing Session and the old session status is updated to Repaired with a note stating Repaired by Session (Correct)

Answer : A new session is created by the name Repairing Session and the old session status is updated to Repaired with a note stating Repaired by Session

How do new connections get established through a Security Gateway with SecureXL enabled?


Options are :

  • New connection packets never reach the SecureXL module.
  • The new connection will be first inspected by SecureXL and if it does not match the drop table of SecureXL, then it will be passed to the firewall module for a rule match.
  • If the connection matches a connection or drop template in SecureXL, it will either be established or dropped without performing a rule match, else it will be passed to the firewall module for a rule match. (Correct)
  • New connections are always inspected by the firewall and if they are accepted, the subsequent packets of the same connection will be passed through SecureXL.

Answer : If the connection matches a connection or drop template in SecureXL, it will either be established or dropped without performing a rule match, else it will be passed to the firewall module for a rule match.

How can you verify that SecureXL is running?


Options are :

  • fwaccel stat (Correct)
  • fw ver
  • secureXL stat
  • cpstat os

Answer : fwaccel stat
