156-315.77 Check Point Certified Security Expert Exam Set 20

You are using trace logger to debug SSL VPN's server side and obtain a textual traffic dump. Which type of traffic will you NOT see in the output?


Options are :

  • Traffic outbound from the internal networks
  • Traffic inbound from the external networks
  • Traffic outbound to the external networks
  • Traffic to the portal (Correct)

Answer : Traffic to the portal

156-215.77 Check Point Certified Security Administrator Exam Set 4

Which of the following is NOT TRUE regarding HTTPS traffic being passed through a DLP gateway?


Options are :

  • You must configure the DLP gateway to allow HTTP/HTTPS traffic through the proxy if you have a web proxy between the DLP gateway and the internet.
  • HTTPS traffic is not scanned by DLP
  • Only one proxy can be configured for DLP
  • You must edit the $FWDIR/conf/fwauthd.conf file in order for HTTPS traffic to be passed to your Web Proxy through a DLP gateway. (Correct)

Answer : You must edit the $FWDIR/conf/fwauthd.conf file in order for HTTPS traffic to be passed to your Web Proxy through a DLP gateway.

In Company XYZ, the DLP Administrator defined a new template Data Type that is based on an empty PDF form for an insurance claim. Which of the following statements about this new data type are CORRECT?


Options are :

  • Word, Excel, PDF filled in insurance claim forms that were based on the empty PDF insurance claim form will be matched by this Data Type. (Correct)
  • If the empty PDF insurance claim form is sent, it will NOT be matched by this Data Type.
  • Only completed insurance claim forms of PDF file-type that were based on the empty PDF form will be matched by this Data Type.
  • The Data Type will match only files where the name and file size is similar to that of the original insurance claim forms in PDF format.

Answer : Word, Excel, PDF filled in insurance claim forms that were based on the empty PDF insurance claim form will be matched by this Data Type.

How do you block some seldom-used FTP commands, such as CWD and FIND, from passing through the Gateway?


Options are :

  • Configure the restricted FTP commands in the Security Servers screen of the Global Properties
  • Modify the desired profile in the FTP commands under Protection Details in the IPS tab. (Correct)
  • Enable FTP Bounce checking / Application Intelligence / Protocol Protections from the IPS tab
  • Add the restricted commands to the aftpd.conf file in the Security Management Server.

Answer : Modify the desired profile in the FTP commands under Protection Details in the IPS tab.

156-215.75 Check Point Certified Security Administrator Exam Set 8

Before upgrading SecurePlatform, you should create a backup. To save time, many administrators use the command backup. This creates a backup of the Check Point configuration as well as the system configuration. An administrator has installed the latest HFA on the system for fixing traffic problems after creating a backup file. There is a mistake in the very complex static routing configuration. The Check Point configuration has not been changed. Can the administrator use a restore to fix the errors in static routing?


Options are :

  • The restore is not possible because the backup file does not have the same build number (version).
  • The restore is done by selecting Snapshot Management from the SecurePlatform boot menu.
  • A backup cannot be restored, because the binary files are missing.
  • The restore can be done easily by the command restore and selecting the appropriate backup file. (Correct)

Answer : The restore can be done easily by the command restore and selecting the appropriate backup file.

Which command can be used to verify SecureXL statistics?


Options are :

  • cphaprob stat
  • fwaccel top
  • fw ctl pstat
  • fwaccel stats (Correct)

Answer : fwaccel stats

In a particular IPS protection in R76 in the Logging Settings, what does the Capture Packets option do?


Options are :

  • Attaches a packet capture of the traffic that matches this particular protection to each log that the protection generates. (Correct)
  • This is not a valid selection in R76
  • Starts a packet capture at the time of policy install to capture all of the traffic until this protection is hit.
  • Collects all of the logs for packets that have matched this protection within the last 30 days

Answer : Attaches a packet capture of the traffic that matches this particular protection to each log that the protection generates.

156-315.77 Check Point Certified Security Expert Exam Set 8

To backup all events stored in the SmartEvent Server, you should back up the contents of which folder(s)?


Options are :

  • $RTDIR/events_db
  • $RTDIR/distrib_db and $FWDIR/events
  • $RTDIR/distrib
  • $RTDIR/distrib and $FWDIR/events_db (Correct)

Answer : $RTDIR/distrib and $FWDIR/events_db

You are an SSL VPN Administrator. Your users complain that their Outlook Web Access is running extremely slowly, and their overall browsing experience continues to worsen. You suspect it could be a logging problem. Which of the following log files does Check Point recommend you purge?


Options are :

  • httpd*.log (Correct)
  • mod_ws_owd.log
  • alert_owd.log
  • event_ws.log

Answer : httpd*.log

The TotallyCoolSecurity Company has a large security staff. Bob configured a new IPS Chicago_Profile for fw-chicago using Detect mode. After reviewing logs, Matt noticed that fw-Chicago is not detecting any of the IPS protections that Bob had previously set up. Analyze the output below and determine how Matt can correct the problem.


Options are :

  • Matt should change the Chicago_Profile to use Protect mode because Detect mode will not work.
  • Matt should assign the fw-chicago Security Gateway to the Chicago_Profile. (Correct)
  • Matt should activate the Chicago_Profile as it is currently not activated.
  • Matt should re-create the Chicago_Profile and select Activate protections manually instead of per the IPS Policy.

Answer : Matt should assign the fw-chicago Security Gateway to the Chicago_Profile.

Check Point Certified Security Expert Exam Set 7

Which of the following statements about the Port Scanning feature of IPS is TRUE?


Options are :

  • The Port Scanning feature actively blocks the scanning, and sends an alert to SmartView Monitor.
  • When a port scan is detected, only a log is issued, never an alert.
  • Port Scanning does not block scanning; it detects port scans with one of three levels of detection sensitivity. (Correct)
  • The default scan detection is when more than 500 open inactive ports are open for a period of 120 seconds.

Answer : Port Scanning does not block scanning; it detects port scans with one of three levels of detection sensitivity.

What is a task of the SmartEvent Server?


Options are :

  • Analyze each IPS log entry as it enters the Log server.
  • Display the received events.
  • Forward what is known as an event to the SmartEvent Server.
  • Assign a severity level to an event. (Correct)

Answer : Assign a severity level to an event.

Network applications accessed using SSL Network Extender have been found to fail after one of their TCP connections has been left idle for more than one hour. You determine that you must enable sending reset (RST) packets upon TCP time-out expiration. Where is it necessary to change the setting?


Options are :

  • $FWDIR/conf/objects.C
  • $FWDIR/conf/objects_5_0.C (Correct)
  • $WEBISDIR/conf/cpadmin.elg
  • $CVPNDIR/conf/cvpnd.C

Answer : $FWDIR/conf/objects_5_0.C

156-315.65 Check Point Security Administration NGX R65 Exam Set 3

Your online bookstore has customers connecting to a variety of Web servers to place or change orders and check order status. You ran penetration tests through the Security Gateway to determine if the Web servers were protected from a recent series of cross-site scripting attacks. The penetration testing indicated the Web servers were still vulnerable. You have checked every box in the Web Intelligence tab, and installed the Security Policy. What else might you do to reduce the vulnerability?


Options are :

  • The penetration software you are using is malfunctioning and is reporting a false positive.
  • Check the Products / Web Server box on the host node objects representing your Web servers (Correct)
  • Add Port (TCP 443) as an additional port on the Web Server tab for the host node.
  • Configure the Security Gateway protecting the Web servers as a Web server.

Answer : Check the Products / Web Server box on the host node objects representing your Web servers

In ClusterXL, which of the following are defined by default as a critical device?


Options are :

  • Filter (Correct)
  • PROT_SRV.EXE
  • protect.exe
  • fw.d

Answer : Filter

Which of the following functions CANNOT be performed in Client Info on computer information collected?


Options are :

  • Save the information in the active tab to an .exe file. (Correct)
  • Copy the contents of the selected cells.
  • Run Google.com search using the contents of the selected cell.
  • Enter new credential for accessing the computer information.

Answer : Save the information in the active tab to an .exe file.

Check Point Certified Security Expert Exam Set 4

When deploying a dedicated DLP Gateway behind a perimeter firewall on an interface leading to the internal network (there is only one internal network):


Options are :

  • The DLP Gateway can inspect SMTP traffic if a MS Exchange server is located on the internal network, and it either sends e-mails directly to the Internet using SMTP or sends emails to the Internet in SMTP via a mail relay that is located on the perimeter's firewall DMZ network. (Correct)
  • The DLP Gateway can inspect internal e-mails (e-mails between two users on the internal network) if the organization's internal mail server is located in the internal network and users are configured to send e-mails to this mail server using SMTP.
  • The DLP Gateway can inspect e-mails (e-mails between two users on an internal or external network) if the organization's internal mail server is located on another network (not the internal network; for instance the DMZ or a different internal network) and users are configured to send e-mails to this mail server using SMTP.
  • User's HTTPS and FTP traffic can be inspected by the R71 DLP Gateway

Answer : The DLP Gateway can inspect SMTP traffic if a MS Exchange server is located on the internal network, and it either sends e-mails directly to the Internet using SMTP or sends emails to the Internet in SMTP via a mail relay that is located on the perimeter's firewall DMZ network.

Which technology would describe RDED for QoS?


Options are :

  • A mechanism for managing packet buffers.
  • A mechanism to accurately classify traffic and place it in the proper transmission queue
  • A mechanism for reducing the number of retransmits and retransmit storms (Correct)
  • A mechanism to derive complete state and context information for all network traffic.

Answer : A mechanism for reducing the number of retransmits and retransmit storms

Your R76 enterprise Security Management Server is running abnormally on Windows 2008 Server. You decide to try reinstalling the Security Management Server, but you want to try keeping the critical Security Management Server configuration settings intact (i.e., all Security Policies, databases, SIC, licensing etc.). What is the BEST method to reinstall the Server and keep its critical configuration?


Options are :

  • 1. Insert the R70 CD-ROM, and select the option to export the configuration using the latest upgrade utilities 2. Perform any requested upgrade_verification suggested steps and re-export the configuration if needed 3. Save the exported .tgz file to a local c:\temp directory 4. Uninstall all R70 packages via Add/Remove Programs and reboot 5. Install again using the R70 CD-ROM as a primary Security Management Server and reboot 6. Run upgrade_import to import the configuration
  • 1. Download the latest upgrade_export utility and run it from a c:\temp directory to export the configuration into a .tgz file 2. Skip any upgrade_verification warnings since you are not upgrading 3. Transfer the .tgz file to another networked machine 4. Download and run the cpclean utility and reboot 5. Use the R70 CD-ROM to select the upgrade_import option to import the configuration
  • 1. Create a database revision control backup using SmartDashboard 2. Create a compressed archive of the $FWDIR\conf and $FWDIR\lib directories and copy them to another networked machine. 3. Uninstall all R70 packages via Add/Remove Programs and reboot. 4. Install again as a primary Security Management Server using the R70 CD. 5. Reboot and restore the two archived directories over the top of the new installation, choosing to overwrite existing files.
  • 1. Download the latest upgrade_export utility and run it from a \temp directory to export the configuration into a .tgz file 2. Perform any requested upgrade_version suggested steps 3. Uninstall all R70 packages via Add/Remove Programs and reboot 4. Use SmartUpdate to reinstall the Security Management Server and reboot 5. Transfer the tgz file back to the local \temp 6. Run upgrade_import to import the configuration (Correct)

Answer : 1. Download the latest upgrade_export utility and run it from a \temp directory to export the configuration into a .tgz file 2. Perform any requested upgrade_version suggested steps 3. Uninstall all R70 packages via Add/Remove Programs and reboot 4. Use SmartUpdate to reinstall the Security Management Server and reboot 5. Transfer the tgz file back to the local \temp 6. Run upgrade_import to import the configuration

Check Point Certified Security Expert Exam Set 6

Which of the following is NOT a ClusterXL mode?


Options are :

  • New
  • Broadcast (Correct)
  • Legacy
  • Multicast

Answer : Broadcast

156-315.77 Check Point Certified Security Expert Exam Set 7

Which of the following methods will provide the most complete backup of an R76 configuration?


Options are :

  • Upgrade export command (Correct)
  • Database Revision Control
  • Policy Package Management
  • Copying the directories $FWDIR\conf and $CPDIR\conf to another server

Answer : Upgrade export command

Each entry in SmartDirectory has a unique _______________?


Options are :

  • Schema
  • Organizational Unit
  • Distinguished Name (Correct)
  • Port Number Association

Answer : Distinguished Name

A Fast Path Upgrade of a cluster:


Options are :

  • Treats each individual cluster member as an individual gateway.
  • Is not a valid upgrade method in R76. (Correct)
  • Is only supported in major releases (R70 to R71, R75 to R76).
  • Upgrades all cluster members except one at the same time.

Answer : Is not a valid upgrade method in R76.

156-315.77 Check Point Certified Security Expert Exam Set 11

When you use the Global Properties' default settings on R77, which type of traffic will be dropped if NO explicit rule allows the traffic?


Options are :

  • SmartUpdate connections
  • Outgoing traffic originating from the Security Gateway
  • Firewall logging and ICA key-exchange information
  • RIP traffic (Correct)

Answer : RIP traffic

Which SmartConsole component can Administrators use to track changes to the Rule Base?


Options are :

  • WebUI
  • SmartReporter
  • SmartView Monitor
  • SmartView Tracker (Correct)

Answer : SmartView Tracker

What Shell is required in Gaia to use WinSCP?


Options are :

  • CLISH
  • CPShell
  • UNIX
  • Bash (Correct)

Answer : Bash

156-515.65 Check Point Certified Security Expert Plus Exam Set 1

Which command would you use to save the routing information before upgrading a SecurePlatform Gateway?


Options are :

  • cp /etc/sysconfig/network.C [location] (Correct)
  • ipconfig -a > [filename].txt
  • netstat -m > [filename].txt
  • ifconfig > [filename].txt

Answer : cp /etc/sysconfig/network.C [location]

Which of the following describes the default behavior of an R77 Security Gateway?


Options are :

  • All traffic is expressly permitted via explicit rules.
  • Traffic is filtered using controlled port scanning.
  • Traffic not explicitly permitted is dropped. (Correct)
  • IP protocol types listed as secure are allowed by default, i.e. ICMP, TCP, UDP sessions are inspected.

Answer : Traffic not explicitly permitted is dropped.

John is upgrading a cluster from NGX R65 to R76. John knows that you can verify the upgrade process using the pre-upgrade verifier tool. When John is running Pre-Upgrade Verification, he sees the warning message: Title: Incompatible pattern. What is happening?


Options are :

  • Pre-Upgrade Verification tool only shows that message but it is only informational.
  • R76 uses a new pattern matching engine. Incompatible patterns should be deleted before upgrade process to complete it successfully.
  • The actual configuration contains user defined patterns in IPS that are not supported in R76. If the patterns are not fixed after upgrade, they will not be used with R76 Security Gateways. (Correct)
  • Pre-Upgrade Verification process detected a problem with actual configuration and upgrade will be aborted.

Answer : The actual configuration contains user defined patterns in IPS that are not supported in R76. If the patterns are not fixed after upgrade, they will not be used with R76 Security Gateways.

156-315.13 Check Point Security Expert R76 (GAiA) Exam Set 1

A customer is calling saying one member's status is Down. What will you check?


Options are :

  • fw ctl pstat (check sync)
  • fw ctl debug -m cluster + forward (forwarding layer debug)
  • cphaprob list (verify what critical device is down) (Correct)
  • tcpdump/snoop (CCP traffic)

Answer : cphaprob list (verify what critical device is down)
