156-315.77 Check Point Certified Security Expert Exam Set 4

At what router prompt would you save your OSPF configuration?


Options are :

  • localhost.localdomain(config-if)#
  • localhost.localdomain(config-router-ospf)#
  • localhost.localdomain(config)#
  • localhost.localdomain#

Answer : localhost.localdomain#

What type of object may be explicitly defined as a MEP VPN?


Options are :

  • Mesh VPN Community
  • Remote Access VPN Community
  • Any VPN Community
  • Star VPN Community

Answer : Star VPN Community

156-315.77 Check Point Certified Security Expert Exam Set 5

How do you verify a VPN Tunnel Interface (VTI) is configured properly?


Options are :

  • vpn shell show interface detailed
  • vpn shell display detailed
  • vpn shell show detailed
  • vpn shell display interface detailed

Answer : vpn shell show interface detailed

Which of the following statements is TRUE concerning MEP VPNs?


Options are :

  • MEP VPNs are restricted to the location of the gateways.
  • The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first connection fail.
  • State synchronization between Security Gateways is required.
  • MEP Security Gateways can be managed by separate Management Servers.

Answer : MEP Security Gateways can be managed by separate Management Servers.

You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first?


Options are :

  • Create a new logical-server object to represent your partner's CA.
  • Manually import your partner's Access Control List.
  • Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA).
  • Manually import your partner's Certificate Revocation List.

Answer : Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA).

156-315.77 Check Point Certified Security Expert Exam Set 6

There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:


Options are :

  • Probe links for availability.
  • Use links based on Day/Time.
  • Assign links to specific VPN communities.
  • Use links based on authentication method.

Answer : Probe links for availability.

A VPN Tunnel Interface (VTI) is defined on GAiA as: vpn shell interface add numbered 10.10.0.1 10.10.0.2 madrid.cp What do you know about this VTI?


Options are :

  • The peer Security Gateway's name is madrid.cp.
  • The local Gateway's object name is madrid.cp.
  • The VTI name is madrid.cp
  • 10.10.0.1 is the local Gateway's internal interface, and 10.10.0.2 is the internal interface of the remote Gateway.

Answer : The peer Security Gateway's name is madrid.cp.

There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:


Options are :

  • Assign links to use Dynamic DNS
  • Use links based on authentication method.
  • Use Load Sharing to distribute VPN traffic.
  • Use links based on Day/Time.

Answer : Use Load Sharing to distribute VPN traffic.

156-315.77 Check Point Certified Security Expert Exam Set 7

Review the following list of actions that Security Gateway R75 can take when it controls packets. The Policy Package has been configured for Simplified Mode VPN. Select the response below that includes the available actions:


Options are :

  • Accept, Reject, Encrypt, Drop
  • Accept, Drop, Encrypt, Session Auth
  • Accept, Hold, Reject, Proxy
  • Accept, Drop, Reject, Client Auth

Answer : Accept, Drop, Reject, Client Auth

Which of the following statements is TRUE concerning MEP VPNs?


Options are :

  • The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first connection fail.
  • MEP VPNs are restricted to the location of the gateways.
  • State synchronization between Security Gateways is NOT required.
  • MEP Security Gateways cannot be managed by separate Management Servers.

Answer : State synchronization between Security Gateways is NOT required.

Which of the following statements is TRUE concerning MEP VPNs?


Options are :

  • MEP Security Gateways cannot be managed by separate Management Servers.
  • The VPN Client selects which Security Gateway takes over, should the first connection fail.
  • State synchronization between Security Gateways is required.
  • MEP VPNs are restricted to the location of the gateways.

Answer : The VPN Client selects which Security Gateway takes over, should the first connection fail.

156-315.77 Check Point Certified Security Expert Exam Set 8

What is used to validate a digital certificate?


Options are :

  • IPsec
  • PKCS
  • CRL
  • S/MIME

Answer : CRL

Your organization maintains several IKE VPNs. Executives in your organization want to know which mechanism Security Gateway R77 uses to guarantee the authenticity and integrity of messages. Which technology should you explain to the executives?


Options are :

  • Certificate Revocation Lists
  • Key-exchange protocols
  • Digital signatures
  • Application Intelligence

Answer : Digital signatures

You want VPN traffic to match packets from internal interfaces. You also want the traffic to exit the Security Gateway bound for all site-to-site VPN Communities, including Remote Access Communities. How should you configure the VPN match rule?


Options are :

  • internal_clear > All_communities
  • Internal_clear > External_Clear
  • Communities > Communities
  • internal_clear > All_GwToGw

Answer : internal_clear > All_communities

156-315.77 Check Point Certified Security Expert Exam Set 1

There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:


Options are :

  • Set up links for Remote Access
  • Use links based on Day/Time
  • Assign links to specific VPN communities
  • Assign links to use Dynamic DNS.

Answer : Set up links for Remote Access

Which statement defines Public Key Infrastructure? Security is provided:


Options are :

  • via both private and public keys, without the use of digital Certificates.
  • by Certificate Authorities, digital certificates, and two-way symmetric-key encryption
  • by authentication.
  • by Certificate Authorities, digital certificates, and public key encryption

Answer : by Certificate Authorities, digital certificates, and public key encryption

What is the command to show OSPF adjacencies?


Options are :

  • show ospf summary-address
  • show running-config
  • show ospf neighbors
  • show ospf interface

Answer : show ospf neighbors

156-315.77 Check Point Certified Security Expert Exam Set 10

If you need strong protection for the encryption of user data, what option would be the BEST choice?


Options are :

  • Disable Diffie-Hellman by using stronger certificate based key-derivation. Use AES-256 bit on all encrypted channels and add PFS to QuickMode. Use double encryption by implementing AH and ESP as protocols
  • When you need strong encryption, IPsec is not the best choice. SSL VPN?s are a better choice
  • Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and use ESP protocol.
  • Use Diffie-Hellman for key construction and pre-shared keys for Quick Mode. Choose SHA in Quick Mode and encrypt with AES. Use AH protocol. Switch to Aggressive Mode.

Answer : Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and use ESP protocol.

Which of the following is TRUE concerning numbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs cannot share IP addresses
  • VTIs are supported on SecurePlatform Pro
  • VTIs can use an already existing physical-interface IP address
  • VTIs are assigned only local addresses, not remote addresses

Answer : VTIs are supported on SecurePlatform Pro

156-315.77 Check Point Certified Security Expert Exam Set 11

MultiCorp is running SmartCenter R71 on an IPSO platform and wants to upgrade to a new Appliance with R77. Which migration tool is recommended?


Options are :

  • Use Migration Tool from CD/ISO
  • Fetch Migration Tool R71 for IPSO and Migration Tool R77 for Splat/Linux from Check Point website
  • Download Migration Tool R77 for IPSO and Splat/Linux from Check Point website.
  • Use already installed Migration Tool

Answer : Download Migration Tool R77 for IPSO and Splat/Linux from Check Point website.

In the following cluster configuration; if you reboot sglondon_1 which device will be active when sglondon_1 is back up and running? Why?


Options are :

  • sglondon_1, because it is up again, sglondon_2 took over during reboot.
  • sglondon_2 because sglondon_1 has highest IP.
  • sglondon_1 because it is the first configured object with the lowest IP.
  • sglondon_2 because it has highest priority.

Answer : sglondon_2 because it has highest priority.

If using AD Query for seamless identity data reception from Microsoft Active Directory (AD), which of the following methods is NOT Check Point recommended?


Options are :

  • Basic identity enforcement in the internal network
  • Identity-based auditing and logging
  • Leveraging identity in Internet application control
  • Identity-based enforcement for non-AD users (non-Windows and guest users)

Answer : Identity-based enforcement for non-AD users (non-Windows and guest users)

156-315.77 Check Point Certified Security Expert Exam Set 12

MegaCorp is running SmartCenter R70, some Gateways at R65 and some other Gateways with R60. Management wants to upgrade to the most comprehensive IPv6 support. What should the administrator do first?


Options are :

  • Upgrade Smartcenter to R77 first
  • Upgrade every unit directly to R77.
  • Check the ReleaseNotes to verify that every step is supported.
  • Upgrade R60-Gateways to R65.

Answer : Check the ReleaseNotes to verify that every step is supported.

Which is NOT a method through which Identity Awareness receives its identities?


Options are :

  • Captive Portal
  • Group Policy
  • AD Query
  • Identity Agent

Answer : Group Policy

If both domain-based and route-based VPNs are configured, which will take precedence?


Options are :

  • Must be chosen/configured manually by the Administrator in the Policy > Global Properties
  • Domain-based
  • Route-based
  • Must be chosen/configured manually by the Administrator in the VPN community object

Answer : Domain-based

156-315.77 Check Point Certified Security Expert Exam Set 13

Which of the following access options would you NOT use when configuring Captive Portal?


Options are :

  • Through the Firewall policy
  • From the Internet
  • Through internal interfaces
  • Through all interfaces

Answer : From the Internet

Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs are only supported on SecurePlatform.
  • VTIs must be assigned a proxy interface.
  • VTIs can only be physical, not loopback.
  • Local IP addresses are not configured, remote IP addresses are configured.

Answer : VTIs must be assigned a proxy interface.

Identity Agent is a lightweight endpoint agent that authenticates securely with Single SignOn (SSO). Which of the following is NOT a recommended use for this method?


Options are :

  • Protecting highly sensitive servers
  • Leveraging machine name or identity
  • When accuracy in detecting identity is crucial
  • Identity based enforcement for non-AD users (non-Windows and guest users)

Answer : Identity based enforcement for non-AD users (non-Windows and guest users)

156-315.77 Check Point Certified Security Expert Exam Set 14

Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs cannot be assigned a proxy interface.
  • Local IP addresses are not configured, remote IP addresses are configured.
  • VTIs can only be physical, not loopback.
  • They are supported on the GAiA Operating System.

Answer : They are supported on the GAiA Operating System.

Which of the following is TRUE concerning numbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs cannot share IP addresses
  • VTIs cannot use an already existing physical-interface IP address
  • VTIs are only supported on IPSO
  • VTIs are assigned only local addresses, not remote addresses

Answer : VTIs cannot use an already existing physical-interface IP address
