156-315.71 Check Point Security Expert R71 Practice Exam Set 7

By default, a standby SmartCenter Server is automatically synchronized by an active SmartCenter Server, when:


Options are :

  • The standby SmartCenter Server starts for the first time.
  • The Security Policy is installed. (Correct)
  • The Security Administrator logs in to the standby SmartCenter Server, for the first time.
  • The user database is installed.
  • The Security Policy is saved.

Answer : The Security Policy is installed.

What is the bit size of DES?


Options are :

  • 128
  • 32
  • 112
  • 168
  • 56 (Correct)

Answer : 56

What happens in relation to the CRL cache after a cpstop;cpstart has been initiated?


Options are :

  • The gateway continues to use the old CRL even if it is not valid, until a new CRL is cached
  • The gateway retrieves a new CRL on startup, then discards the old CRL as invalid.
  • The gateway continues to use the old CRL, as long as it is valid. (Correct)
  • The gateway issues a crl_zap on startup, which empties the cache and forces Certificate retrieval.

Answer : The gateway continues to use the old CRL, as long as it is valid.

To change an existing ClusterXL cluster object from Multicast to Unicast mode, what configuration change must be made?


Options are :

  • Change the cluster mode to Unicast on the cluster-member object.
  • Run cpstop and cpstart, to re-enable High Availability on both objects. Select Pivot mode in cpconfig.
  • Reset Secure Internal Communications (SIC) on the cluster-member objects. Reinstall the Security Policy.
  • Switch the internal network's default Security Gateway to the pivot machine's IP address.
  • Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy. (Correct)

Answer : Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy.

What action can be run from SmartUpdate NGX R65?


Options are :

  • remote_uninstall_verifier
  • cpinfo (Correct)
  • mds_backup
  • upgrade_export

Answer : cpinfo

You plan to migrate a VPN-1 NG with Application Intelligence (AI) R55 SmartCenter Server to VPN-1 NGX. You also plan to upgrade four VPN-1 Pro Gateways at remote offices, and one local VPN-1 Pro Gateway at your company's headquarters. The SmartCenter Server configuration must be migrated. What is the correct procedure to migrate the configuration?


Options are :

  • 1. Copy the $FWDIR\conf directory from the SmartCenter Server. 2. Save directory contents to another directory. 3. Uninstall the SmartCenter Server, and install a new SmartCenter Server. 4. Move directory contents to $FWDIR\conf. 5. Reinstall all gateways using NGX and install a policy.
  • 1. From the VPN-1 NGX CD in the SmartCenter Server, select "advance upgrade". 2. After importing the SmartCenter configuration into the new NGX SmartCenter, reboot. 3. Upgrade all licenses and software on all five remote Gateways via SmartUpdate. (Correct)
  • 1. Upgrade the five remote Gateways via SmartUpdate. 2. Upgrade the SmartCenter Server, using the VPN-1 NGX CD.
  • 1. Upgrade the SmartCenter Server, using the VPN-1 NGX CD. 2. Reinstall and update the licenses of the five remote Gateways.
  • Upgrade the SmartCenter Server and the five remote Gateways via SmartUpdate, at the same time.

Answer : 1. From the VPN-1 NGX CD in the SmartCenter Server, select "advance upgrade". 2. After importing the SmartCenter configuration into the new NGX SmartCenter, reboot. 3. Upgrade all licenses and software on all five remote Gateways via SmartUpdate.

You are running the license_upgrade tool on your SecurePlatform Gateway. Which of the following can you NOT do with the upgrade tool?


Options are :

  • View the status of currently installed licenses.
  • Simulate the license-upgrade process
  • Perform the actual license-upgrade process.
  • View the licenses in the SmartUpdate License Repository. (Correct)

Answer : View the licenses in the SmartUpdate License Repository.

Identify the correct step performed by SmartUpdate to upgrade a remote Security Gateway.


Options are :

  • After selecting "Packages: Add… from CD", the entire contents of the CD are copied to the packages directory on the selected remote Security Gateway.
  • After selecting "Packages: Add… from CD", the selected package is copied to the packages directory on the selected remote Security Gateway.
  • After selecting "Packages: Add… from CD", the entire contents of the CD are copied to the Package Repository on the SmartCenter Server.
  • After selecting "Packages: Add… from CD", the selected package is copied to the Package Repository on the SmartCenter Server. (Correct)

Answer : After selecting "Packages: Add… from CD", the selected package is copied to the Package Repository on the SmartCenter Server.

Concerning these products: SecurePlatform, VPN-1 Pro Gateway, UserAuthority Server, Nokia OS, UTM-1, Eventia Reporter, and Performance Pack, which statement is TRUE?


Options are :

  • All but Performance Pack can be upgraded to VPN-1 NGX R65 with SmartUpdate.
  • All but the UTM-1 can be upgraded to VPN-1 NGX R65 with SmartUpdate.
  • All but the Nokia OS can be upgraded to VPN-1 NGX R65 with SmartUpdate.
  • All can be upgraded to VPN-1 NGX R65 with SmartUpdate. (Correct)

Answer : All can be upgraded to VPN-1 NGX R65 with SmartUpdate.

Which of the following QoS rule-action properties is an Advanced action type, only available in Traditional mode?


Options are :

  • Rule limit
  • Guarantee Allocation (Correct)
  • Apply rule only to encrypted traffic
  • Rule guarantee
  • Rule weight

Answer : Guarantee Allocation

Which of these components does NOT require a VPN-1 NGX R65 license?


Options are :

  • SmartConsole (Correct)
  • SmartUpdate upgrading/patching
  • SmartCenter Server
  • Check Point Gateway

Answer : SmartConsole

You configure a Check Point QoS Rule Base with two rules: an H.323 rule with a weight of 10, and the Default Rule with a weight of 10. The H.323 rule includes a per-connection guarantee of 384 Kbps, and a per-connection limit of 512 Kbps. The per-connection guarantee is for four connections, and no additional connections are allowed in the Action properties. If traffic passing through the QoS Module matches both rules, which of the following statements is true?


Options are :

  • 50% of available bandwidth will be allocated to the H.323 rule.
  • Each H.323 connection will receive at least 512 Kbps of bandwidth.
  • Neither rule will be allocated more than 10% of available bandwidth.
  • The H.323 rule will consume no more than 2048 Kbps of available bandwidth. (Correct)
  • 0% of available bandwidth will be allocated to the Default Rule.

Answer : The H.323 rule will consume no more than 2048 Kbps of available bandwidth.

You receive an alert indicating a suspicious FTP connection is trying to connect to one of your internal hosts. How do you block the connection in real time and verify the connection is successfully blocked?


Options are :

  • Highlight the suspicious connection in SmartView Tracker > Log mode. Block the connection using Tools > Block Intruder menu. Use the Log mode to confirm that the suspicious connection is dropped.
  • Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using Tools > Block Intruder menu. Use Active mode to confirm that the suspicious connection is dropped.
  • Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using the Tools > Block Intruder menu. Use the Active mode to confirm that the suspicious connection does not reappear. (Correct)
  • Highlight the suspicious connection in SmartView Tracker > Log mode. Block the connection using Tools > Block Intruder menu. Use Log mode to confirm that the suspicious connection does not reappear.

Answer : Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using the Tools > Block Intruder menu. Use the Active mode to confirm that the suspicious connection does not reappear.

You are configuring the VoIP Domain object for an H.323 environment, protected by VPN-1 NGX. Which VoIP Domain object type can you use?


Options are :

  • Proxy
  • Call Manager
  • Gatekeeper (Correct)
  • Call Agent
  • Transmission Router

Answer : Gatekeeper

Which of the following is a TRUE statement concerning contract verification?


Options are :

  • Your contract file is stored on the SmartConsole and downloaded to the SmartCenter Server.
  • Your contract file is stored on the User Center and fetched by the Gateway as needed.
  • Your contract file is stored on the SmartCenter Server and downloaded to the Security Gateway. (Correct)
  • Your contract file is stored on the SmartConsole and downloaded to the Gateway.

Answer : Your contract file is stored on the SmartCenter Server and downloaded to the Security Gateway.

Why should the upgrade_export configuration file (.tgz) be deleted after you complete the import process?


Options are :

  • It will prevent a future successful upgrade_export since the .tgz file cannot be overwritten.
  • It will conflict with any future upgrades run from SmartUpdate.
  • It contains your security configuration, which could be exploited. (Correct)
  • SmartUpdate will start a new installation process if the machine is rebooted.

Answer : It contains your security configuration, which could be exploited.

Identify the correct step performed by SmartUpdate to upgrade a remote Security Gateway.


Options are :

  • After selecting "Packages > Distribute…" and choosing the target gateway, the selected package is copied from the Package Repository on the SmartCenter to the Security Gateway but the installation IS NOT performed. (Correct)
  • After selecting "Packages > Distribute…" and choosing the target gateway, the selected package is copied from the CDROM of the SmartUpdate PC directly to the Security Gateway and the installation IS performed.
  • After selecting "Packages > Distribute…" and choosing the target gateway, the selected package is copied from the Package Repository on the SmartCenter to the Security Gateway and the installation IS performed.
  • After selecting "Packages > Distribute…" and choosing the target gateway, the SmartUpdate wizard walks the Administrator through a Distributed Installation.

Answer : After selecting "Packages > Distribute…" and choosing the target gateway, the selected package is copied from the Package Repository on the SmartCenter to the Security Gateway but the installation IS NOT performed.

Your network traffic requires preferential treatment by other routers on the network, in addition to the QoS Module. Which Check Point QoS feature should you use?


Options are :

  • Differentiated Services (Correct)
  • Guarantees
  • Low Latency Queuing
  • Limits
  • Weighted Fair Queuing

Answer : Differentiated Services

You are using SmartUpdate to fetch data and perform a remote upgrade of an NGX Security Gateway. Which of the following statements is FALSE?


Options are :

  • If SmartDashboard is open during package upload and upgrade, the upgrade will fail
  • A remote installation can be performed without the SVN Foundation package installed on a remote NG with Application Intelligence Security Gateway (Correct)
  • SmartUpdate can query the SmartCenter Server and VPN-1 Gateway for product information
  • SmartUpdate can query license information running locally on the VPN-1 Gateway

Answer : A remote installation can be performed without the SVN Foundation package installed on a remote NG with Application Intelligence Security Gateway

Which OPSEC server is used to prevent users from accessing certain Web sites?


Options are :

  • UFP (Correct)
  • LEA
  • CVP
  • AMON
  • URI

Answer : UFP

You are configuring the VoIP Domain object for a SIP environment, protected by VPN-1 NGX. Which VoIP Domain object type can you use?


Options are :

  • Call Manager
  • Call Agent
  • Proxy (Correct)
  • Gateway
  • Gatekeeper

Answer : Proxy

What action CANNOT be run from SmartUpdate NGX R65?


Options are :

  • Reboot gateway
  • Fetch sync status (Correct)
  • Preinstall verifier…
  • Get all Gateway Data

Answer : Fetch sync status

When you add a resource service to a rule, which ONE of the following actions occurs?


Options are :

  • All packets matching the resource service rule are analyzed or authenticated, based on the resource properties. (Correct)
  • All packets that match the resource in the rule will be dropped.
  • All packets matching that rule are either encrypted or decrypted by the defined resource.
  • Users attempting to connect to the destination of the rule will be required to authenticate.
  • VPN-1 Secure Client users attempting to connect to the object defined in the Destination column of the rule will receive a new Desktop Policy from the resource.

Answer : All packets matching the resource service rule are analyzed or authenticated, based on the resource properties.

Regarding QoS guarantees and limits, which of the following statements is FALSE?


Options are :

  • If both a rule limit and a per connection limit are defined for a rule, the per connection limit must not be greater than the rule limit.
  • If a guarantee is defined in a sub-rule, then a guarantee must be defined for the rule above it.
  • If both a limit and a guarantee per rule are defined in a QoS rule, then the limit must be smaller than the guarantee. (Correct)
  • A rule guarantee must not be less than the sum of the guarantees defined in its sub-rules.

Answer : If both a limit and a guarantee per rule are defined in a QoS rule, then the limit must be smaller than the guarantee.

Public-key cryptography is considered which of the following?


Options are :

  • two-key/asymmetric (Correct)
  • one-key/asymmetric
  • one-key/symmetric
  • two-key/symmetric

Answer : two-key/asymmetric

Your network includes ClusterXL running Multicast mode on two members, as shown in this topology: Your network is expanding, and you need to add new interfaces: 10.10.10.1/24 on Member A, and 10.10.10.2/24 on Member B. The virtual IP address for interface 10.10.10.0/24 is 10.10.10.3. What is the correct procedure to add these interfaces?


Options are :

  • 1. Use sysconfig to configure the new interfaces on both members. 2. Update the topology in the cluster object for the cluster and both members. 3. Install the Security Policy.
  • 1. Run cpstop on one member, and configure the new interface via sysconfig. 2. Run cpstart on the member. Repeat the same steps on another member. 3. Update the new topology in the cluster object for the cluster and members. 4. Install the Security Policy. (Correct)
  • 1. Disable "Cluster membership" from one Gateway via cpconfig. 2. Configure the new interface via sysconfig from the "non-member" Gateway. 3. Re-enable "Cluster membership" on the Gateway. 4. Perform the same step on the other Gateway. 5. Update the topology in the cluster object for the cluster and members. 6. Install the Security Policy.
  • 1. Use the ifconfig command to configure and enable the new interface. 2. Run cpstop and cpstart on both members at the same time. 3. Update the topology in the cluster object for the cluster and both members. 4. Install the Security Policy

Answer : 1. Run cpstop on one member, and configure the new interface via sysconfig. 2. Run cpstart on the member. Repeat the same steps on another member. 3. Update the new topology in the cluster object for the cluster and members. 4. Install the Security Policy.

Which Security Server can perform content-security tasks, but CANNOT perform authentication tasks?


Options are :

  • SMTP (Correct)
  • HTTP
  • rlogin
  • FTP
  • Telnet

Answer : SMTP

If a SmartUpdate upgrade or distribution operation fails on SecurePlatform, how is the system recovered?


Options are :

  • The Administrator can only revert to a previously created snapshot (if there is one) with the command cprinstall snapshot
  • The Administrator must reinstall the last version via the command cprinstall revert
  • SecurePlatform will reboot and automatically revert to the last snapshot version prior to upgrade. (Correct)
  • The Administrator must remove the rpm packages manually, and reattempt the upgrade.

Answer : SecurePlatform will reboot and automatically revert to the last snapshot version prior to upgrade.

When upgrading to NGX R65, which Check Point products do not require a license upgrade to be current?


Options are :

  • VPN-1 NGX (R64) and later
  • VPN-1 NG with Application Intelligence (R54) and later
  • None, all versions require a license upgrade
  • VPN-1 NGX (R60) and later (Correct)

Answer : VPN-1 NGX (R60) and later

What physical machine must have access to the UserCenter public IP when checking for new packages with SmartUpdate?


Options are :

  • VPN-1 Security Gateway getting the new upgrade package
  • SmartUpdate installed SmartCenter Server PC
  • SmartUpdate GUI PC (Correct)
  • SmartUpdate Repository SQL database Server

Answer : SmartUpdate GUI PC

You want to upgrade an NG with Application Intelligence R55 Security Gateway running on SecurePlatform to VPN-1 NGX R65 via SmartUpdate. Which package(s) is(are) needed in the Repository prior to upgrade?


Options are :

  • SecurePlatform NGX R65 package (Correct)
  • SVN Foundation and VPN-1 Power/UTM packages
  • SecurePlatform and VPN-1 Power/UTM NGX R65 packages
  • VPN-1 Power/UTM NGX R65 package

Answer : SecurePlatform NGX R65 package

Your current VPN-1 NG with Application Intelligence (AI) R55 stand-alone VPN-1 Pro Gateway and SmartCenter Server runs on SecurePlatform. You plan to implement VPN-1 NGX R65 in a distributed environment, where the new machine will be the SmartCenter Server, and the existing machine will be the VPN-1 Pro Gateway only. You need to migrate the NG with AI R55 SmartCenter Server configuration, including licensing. How do you handle licensing for this NGX R65 upgrade?


Options are :

  • Leave the current license on the gateway to be upgraded during the software upgrade. Purchase a new license for the VPN-1 NGX R65 SmartCenter Server.
  • Request an NGX R65 SmartCenter Server license, using the new server's IP address. Request a new central NGX R65 VPN-1 Gateway license also licensed to the new SmartCenter Server's IP address. (Correct)
  • Request an NGX R65 SmartCenter Server license, using the new server's IP address. Request a new central NGX R65 VPN-1 Gateway license for the existing gateway server's IP address.
  • Request an NGX R65 SmartCenter Server license, using the existing gateway machine's IP address. Request a new local license for the NGX R65 VPN-1 Gateway using the new server's IP address.

Answer : Request an NGX R65 SmartCenter Server license, using the new server's IP address. Request a new central NGX R65 VPN-1 Gateway license also licensed to the new SmartCenter Server's IP address.

You want to upgrade a cluster with two members to VPN-1 NGX. The SmartCenter Server and both members are version VPN-1/Firewall-1 NG FP3, with the latest Hotfix. What is the correct upgrade procedure? 1. Change the version, in the General Properties of the gateway-cluster object. 2. Upgrade the SmartCenter Server, and reboot after upgrade. 3. Run cpstop on one member, while leaving the other member running. Upgrade one member at a time, and reboot after upgrade. 4. Reinstall the Security Policy.


Options are :

  • 1, 3, 2, 4
  • 2, 3, 1, 4 (Correct)
  • 3, 2, 1, 4
  • 1, 2, 3, 4
  • 2, 4, 3, 1

Answer : 2, 3, 1, 4

What port is used for communication to the UserCenter with SmartUpdate?


Options are :

  • HTTPS (Correct)
  • TCP 8080
  • CPMI
  • HTTP

Answer : HTTPS
