156-315.77 Check Point Certified Security Expert Exam Set 2

Included in the client’s network are some switches, which rely on IGMP snooping. You must find a solution to work with these switches. Which of the following answers does NOT lead to a successful solution?


Options are :

  • Disable IGMP registration in switches that rely on IGMP packets
  • Configure static CAMs to allow multicast traffic on specific ports.
  • ClusterXL supports IGMP snooping by default. There is no need to configure anything. (Correct)
  • Set the value of fwha_enable_igmp_snooping module configuration parameter to 1.

Answer : ClusterXL supports IGMP snooping by default. There is no need to configure anything.

156-315.77 Check Point Certified Security Expert Exam Set 3

In ClusterXL, _____ is defined by default as a critical device.


Options are :

  • fwm
  • fwd (Correct)
  • assld
  • cpp

Answer : fwd

A customer called to report one cluster member’s status as Down. What command should you use to identify the possible cause?


Options are :

  • cphaprob list (Correct)
  • fw ctl pstat
  • fw ctl debug -m cluster + forward
  • tcpdump/snoop

Answer : cphaprob list

For Management High Availability synchronization, what does the Advance status mean?


Options are :

  • The peer SMS has not been synchronized properly.
  • The peer SMS is more up-to-date. (Correct)
  • The active SMS and its peer have different installed policies and databases.
  • The peer SMS is properly synchronized.

Answer : The peer SMS is more up-to-date.

156-315.77 Check Point Certified Security Expert Exam Set 4

_____ is a proprietary Check Point protocol. It is the basis for Check Point ClusterXL inter-module communication.


Options are :

  • CPP
  • CPHA
  • CCP (Correct)
  • CKPP

Answer : CCP

When Load Sharing Multicast mode is defined in a ClusterXL cluster object, how are packets being handled by cluster members?


Options are :

  • Only one member at a time is active. The active cluster member processes all packets.
  • All members receive all packets. All members run an algorithm which determines which member processes packets further and which members delete the packet from memory. (Correct)
  • All cluster members process all packets and members synchronize with each other.
  • The pivot machine will handle it.

Answer : All members receive all packets. All members run an algorithm which determines which member processes packets further and which members delete the packet from memory.

What is a Sticky Connection?


Options are :

  • A Sticky Connection is a connection that remains the same.
  • A Sticky Connection is a VPN connection that remains up until you manually bring it down.
  • A Sticky Connection is one in which a reply packet returns through the same gateway as the original packet. (Correct)
  • A Sticky Connection is a connection that always chooses the same gateway to set up the initial connection.

Answer : A Sticky Connection is one in which a reply packet returns through the same gateway as the original packet.

156-315.77 Check Point Certified Security Expert Exam Set 5

Which process is responsible for full synchronization in ClusterXL?


Options are :

  • cpd on the Security Gateway
  • Clustering on the Security Gateway
  • fwd on the Security Gateway (Correct)
  • fw kernel on the Security Gateway

Answer : fwd on the Security Gateway

A connection is said to be Sticky when:


Options are :

  • A copy of each packet in the connection sticks in the connection table until a corresponding reply packet is received from the other side.
  • A connection is not terminated by either side by FIN or RST packet.
  • All the connection packets are handled, in either direction, by a single cluster member. (Correct)
  • The connection information sticks in the connection table even after the connection has ended.

Answer : All the connection packets are handled, in either direction, by a single cluster member.

In an R75 Management High Availability (HA) configuration, you can configure synchronization to occur automatically, when: 1) The Security Policy is installed. 2) The Security Policy is saved. 3) The Security Administrator logs in to the secondary Security Management Server and changes its status to Active. 4) A scheduled event occurs. 5) The user database is installed. Select the BEST response for the synchronization trigger.


Options are :

  • 1,3,4
  • 1, 2, 3, 4
  • 1,2,4 (Correct)
  • 1,2,5

Answer : 1,2,4

156-315.77 Check Point Certified Security Expert Exam Set 6

Fred is troubleshooting a NAT issue and wants to check to see if the inbound connection from this internal network is being translated across the interface in the firewall correctly. He decides to use fw monitor to capture the traffic from the source 192.168.3.5 or the destination of 10.1.1.25 on his Security Gateway, Green, which has an IP of 192.168.4.5. What command captures this traffic in a file that he can download and review with Wireshark?


Options are :

  • [email protected]# fw monitor -e "accept src=192.168.3.5 and dst=10.1.1.25;" -o monitor.out
  • [email protected]# fwmonitor -e "accept src=192.168.3.5 or dst=10.1.1.25;" -o monitor.out
  • [email protected]# fw monitor -e "accept src=192.168.3.5 or dst=10.1.1.25;" -o monitor.out (Correct)
  • [email protected]# fwmonitor -e "accept src=192.168.3.5 and dst=10.1.1.25;" -o monitor.out

Answer : [email protected]# fw monitor -e "accept src=192.168.3.5 or dst=10.1.1.25;" -o monitor.out

156-315.77 Check Point Certified Security Expert Exam Set 7

_____ is the process that starts when the SmartView Tracker application is opened.


Options are :

  • logtrackerd
  • CPLMD (Correct)
  • FWM
  • fwlogd

Answer : CPLMD

Where do you define NAT properties so that NAT is performed either client side or server side? In SmartDashboard under:


Options are :

  • Implied Rules
  • Global Properties > NAT definition (Correct)
  • NAT Rules
  • Gateway Setting

Answer : Global Properties > NAT definition

You run cphaprob -a if. When you review the output, you find the word DOWN. What does DOWN mean?


Options are :

  • The cluster link is down.
  • The physical interface is administratively set to DOWN.
  • CCP packets couldn't be sent to or didn't arrive from neighbor member. (Correct)
  • The physical interface is down.

Answer : CCP packets couldn't be sent to or didn't arrive from neighbor member.

156-315.77 Check Point Certified Security Expert Exam Set 8

You are troubleshooting an HTTP connection problem. You've started fw monitor -o http.pcap. When you open http.pcap with Wireshark there is only one line. What is the most likely reason?


Options are :

  • Acceleration was turned on and therefore fw monitor sees only SYN. (Correct)
  • Like SmartView Tracker, only the first packet of a connection will be captured by fw monitor.
  • By default only SYN packets are captured.
  • fw monitor was restricted to the wrong interface

Answer : Acceleration was turned on and therefore fw monitor sees only SYN.

Check Point support has asked Tony for a firewall capture of accepted packets. What would be the correct syntax to create a capture file to a filename called monitor.out?


Options are :

  • Run fw monitor -e "accept;" -c monitor.out
  • Run fw monitor -e "accept;" -m monitor.out
  • Run fw monitor -e "accept;" -o monitor.out (Correct)
  • Run fw monitor -e "accept;" -f monitor.out

Answer : Run fw monitor -e "accept;" -o monitor.out

Which CLI tool helps verify proper ClusterXL sync?


Options are :

  • fw ctl pstat (Correct)
  • fw ctl sync
  • fw stat
  • cphaprob stat

Answer : fw ctl pstat

156-315.77 Check Point Certified Security Expert Exam Set 1

Which Check Point tool allows you to open a debug file and see the VPN packet exchange details?


Options are :

  • VPNDebugger.exe
  • IPSECDebug.exe
  • PacketDebug.exe
  • IkeView.exe (Correct)

Answer : IkeView.exe

Which three of the following components are required to get a SmartEvent up and running? 1) SmartEvent SIC 2) SmartEvent Correlation Unit 3) SmartEvent Server 4) SmartEvent Analyzer 5) SmartEvent Client


Options are :

  • 3, 4, and 5
  • 1, 2, and 3
  • 1, 2, and 4
  • 2, 3, and 5 (Correct)

Answer : 2, 3, and 5

What firewall kernel table stores information about port allocations for Hide NAT connections?


Options are :

  • NAT_alloc
  • fwx_alloc (Correct)
  • NAT_src_any_list
  • NAT_dst_any_list

Answer : fwx_alloc

156-315.77 Check Point Certified Security Expert Exam Set 10

You are the MegaCorp Security Administrator. This company uses a firewall cluster, consisting of two cluster members. The cluster generally works well but one day you find that the cluster is behaving strangely. You assume that there is a connectivity problem with the cluster synchronization link (cross-over cable). Which of the following commands is the BEST for testing the connectivity of the crossover cable?


Options are :

  • telnet
  • ifconfig -a
  • arping (Correct)
  • ping

Answer : arping

The “MAC Magic” value must be modified under the following condition:


Options are :

  • A firewall cluster is configured to use Multicast for CCP traffic
  • There is more than one cluster connected to the same VLAN
  • A firewall cluster is configured to use Broadcast for CCP traffic
  • There are more than two members in a firewall cluster (Correct)

Answer : There are more than two members in a firewall cluster

The connection to the ClusterXL member "A" breaks. The ClusterXL member "A" status is now "down". Afterwards the switch admin set a port to ClusterXL member "B" to "down". What will happen?


Options are :

  • ClusterXL member "B" also left the cluster.
  • ClusterXL member "B" stays active as last member. (Correct)
  • ClusterXL member "A" is asked to come back to cluster.
  • Both ClusterXL members share load equally

Answer : ClusterXL member "B" stays active as last member.

156-315.77 Check Point Certified Security Expert Exam Set 11

What is the proper CLISH syntax to configure a default route via 192.168.255.1 in GAiA?


Options are :

  • set static-route 192.168.255.0/24 nexthop gateway logical ethl on
  • set static-route 192.168.255.0/24 nexthop gateway address 192.168.255.1 priority 1 on
  • set static-route default nexthop gateway address 192.168.255.1 priority 1 on (Correct)
  • set static-route nexthop default gateway logical 192.168.255.1 priority 1 on

Answer : set static-route default nexthop gateway address 192.168.255.1 priority 1 on

Jon is explaining how the inspection module works to a colleague. If a new connection passes through the inspection module and the packet matches the rule, what is the next step in the process?


Options are :

  • Verify if another rule exists.
  • Verify if the packet should be moved through the TCP/IP stack.
  • Verify if any logging or alerts are defined. (Correct)
  • Verify if the packet should be rejected.

Answer : Verify if any logging or alerts are defined.

Steve is troubleshooting a connection problem with an internal application. If he knows the source IP address is 192.168.4.125, how could he filter this traffic?


Options are :

  • Run fw monitor -e "accept dst-ip=192.168.4.125;"
  • Run fw monitor -e "accept src=192.168.4.125;" (Correct)
  • Run fw monitor -e "accept src-ip=192.168.4.125;"
  • Run fw monitor -e "accept ip=192.168.4.125;"

Answer : Run fw monitor -e "accept src=192.168.4.125;"

156-315.77 Check Point Certified Security Expert Exam Set 12

How would you set the debug buffer size to 1024?


Options are :

  • Run fw ctl kdebug 1024
  • Run fw ctl set int print_cons 1024
  • Run fw ctl debug -buf 1024 (Correct)
  • Run fw ctl set buf 1024

Answer : Run fw ctl debug -buf 1024

What GUI client would you use to view an IPS packet capture?


Options are :

  • Smart Update
  • SmartView Tracker (Correct)
  • Smart Reporter
  • SmartView Monitor.

Answer : SmartView Tracker

MegaCorp is using SmartCenter Server with several gateways. Their requirements result in a heavy log load. Would it be feasible to add the SmartEvent Correlation Unit and SmartEvent Server to their SmartCenter Server?


Options are :

  • Yes. SmartEvent must be installed on your SmartCenter Server.
  • No. If SmartCenter is already under stress, the use of a separate server for SmartEvent is recommended. (Correct)
  • No. SmartCenter SIC will interfere with the function of SmartEvent
  • No, SmartEvent and SmartCenter cannot be installed on the same machine at the same time.

Answer : No. If SmartCenter is already under stress, the use of a separate server for SmartEvent is recommended.

156-315.77 Check Point Certified Security Expert Exam Set 13

Which command will only show the number of entries in the connection table?


Options are :

  • fw tab -t connections -u
  • fw tab -t connections -s (Correct)
  • fw tab -t connections
  • fw tab

Answer : fw tab -t connections -s
