156-315.77 Check Point Certified Security Expert Exam Set 4

Regarding QoS guarantees and limits, which of the following statements is FALSE?


Options are :

  • If both a limit and a guarantee per rule are defined in a QoS rule, then the limit must be smaller than the guarantee. (Correct)
  • If both a rule limit and a per connection limit are defined for a rule, the per connection limit must not be greater than the rule limit.
  • A rule guarantee must not be less than the sum of the guarantees defined in its sub-rules.
  • If a guarantee is defined in a sub-rule, then a guarantee must be defined for the rule above it.

Answer : If both a limit and a guarantee per rule are defined in a QoS rule, then the limit must be smaller than the guarantee.

Which VPN Community object is used to configure VPN routing within the SmartDashboard?


Options are :

  • Remote Access
  • Map
  • Mesh
  • Star (Correct)

Answer : Star

Which service type does NOT invoke a Security Server?


Options are :

  • FTP
  • Telnet
  • HTTP
  • CIFS (Correct)
  • SMTP

Answer : CIFS

Which operating system is NOT supported by VPN-1 Secure Client?


Options are :

  • MacOSX
  • Windows 2000 Professional
  • IPSO 3.9 (Correct)
  • RedHat Linux 8.0
  • Windows XP SP2

Answer : IPSO 3.9

You plan to install a VPN-1 Pro Gateway for VPN-1 NGX at your company's headquarters. You have a single Sun SPARC Solaris 9 machine for VPN-1 Pro enterprise implementation. You need this machine to inspect traffic and keep configuration files. Which Check Point software package do you install?


Options are :

  • SmartCenter Server
  • ClusterXL and SmartCenter Server
  • Policy Server and primary SmartCenter Server
  • VPN-1 Pro Gateway
  • VPN-1 Pro Gateway and primary SmartCenter Server (Correct)

Answer : VPN-1 Pro Gateway and primary SmartCenter Server

You want to upgrade a SecurePlatform NG with Application Intelligence (AI) R55 Gateway to SecurePlatform NGX R60 via SmartUpdate. Which package is needed in the repository before upgrading?


Options are :

  • SecurePlatform NGX R60 (Correct)
  • SVN Foundation 3
  • VPN-1 Pro/Express NGX R60
  • VPN-1 and Firewall-1
  • SVN Foundation and VPN-1 Express/Pro

Answer : SecurePlatform NGX R60

Greg is creating rules and objects to control VoIP traffic in his organization, through a VPN-1 NGX Security Gateway. Greg creates VoIP Domain SIP objects to represent each of his organization's three SIP gateways. Greg then creates a simple group to contain the VoIP Domain SIP objects. When Greg attempts to add the VoIP Domain SIP objects to the group, they are not listed. What is the problem?


Options are :

  • The VoIP Domain SIP object's name contains restricted characters.
  • The related end points domain specifies an address range.
  • The installed VoIP gateways specify host objects.
  • VoIP Domain SIP objects cannot be placed in simple groups. (Correct)
  • The VoIP gateway object must be added to the group, before the VoIP Domain SIP object is eligible to be added to the group.

Answer : VoIP Domain SIP objects cannot be placed in simple groups.

You must set up SIP with a proxy for your network. IP phones are in the 172.16.100.0 network. The Registrar and proxy are installed on host 172.16.100.100. To allow handover enforcement for outbound calls from SIP-net to network Net_B on the Internet, you have defined the following objects: Network object: SIP-net: 172.16.100.0/24; SIP-gateway: 172.16.100.100; VoIP Domain object: VoIP_domain_A, with 1. Endpoint domain: SIP-net and 2. VoIP gateway installed at: SIP-gateway host object. How would you configure the rule?


Options are :

  • VoIP_domain_A/Net_B/sip_any, and sip/accept
  • VoIP_domain_A/Net_B/sip/accept (Correct)
  • VoIP_Gateway_MJet_B/sip_any/accept
  • SIP-Gateway/Net_B/sip_any/accept
  • SIP-Gateway/Net_B/sip/accept

Answer : VoIP_domain_A/Net_B/sip/accept

In a distributed VPN-1 Pro NGX environment, where is the Internal Certificate Authority (ICA) installed?


Options are :

  • On the SmartView Monitor
  • On the Security Gateway
  • Certificate Manager Server
  • On the Policy Server
  • On the primary SmartCenter Server (Correct)

Answer : On the primary SmartCenter Server

How would you configure a rule in a Security Policy to allow SIP traffic from end point Net_A to end point Net_B, through an NGX Security Gateway?


Options are :

  • Net_A/Net_B/sip and sip_any/accept
  • Net_A/Net_B/sip/accept (Correct)
  • Net_A/Net_B/VoIP_any/accept
  • Net_A/Net_BM3lP/accept

Answer : Net_A/Net_B/sip/accept

The following rule contains an FTP resource object in the Service field: Source: local_net; Destination: Any; Service: FTP-resource object; Action: Accept. How do you define the FTP Resource Properties > Match tab to prevent internal users from receiving corporate files from external FTP servers, while allowing users to send files?


Options are :

  • Disable the "Put" method globally.
  • Enable "Put" and "Get" methods.
  • Disable "Get" and "Put" methods on the Match tab.
  • Enable the "Put" method only on the Match tab. (Correct)
  • Enable the "Get" method on the Match tab.

Answer : Enable the "Put" method only on the Match tab.

You receive an alert indicating a suspicious FTP connection is trying to connect to one of your internal hosts. How do you block the connection in real time and verify the connection is successfully blocked?


Options are :

  • Highlight the suspicious connection in SmartView Tracker > Log mode. Block the connection using Tools > Block Intruder menu. Use the Log mode to confirm that the suspicious connection is dropped.
  • Highlight the suspicious connection in SmartView Tracker > Log mode. Block the connection using Tools > Block Intruder menu. Use Log mode to confirm that the suspicious connection does not reappear.
  • Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using the Tools > Block Intruder menu. Use the Active mode to confirm that the suspicious connection does not reappear. (Correct)
  • Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using Tools > Block Intruder menu. Use Active mode to confirm that the suspicious connection is dropped.

Answer : Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using the Tools > Block Intruder menu. Use the Active mode to confirm that the suspicious connection does not reappear.

Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which of the following options will end the intruder's access, after the next Phase 2 exchange occurs?


Options are :

  • MD5 Hash Completion
  • SHA1 Hash Completion
  • DES Key Reset
  • Perfect Forward Secrecy (Correct)
  • Phase 3 Key Revocation

Answer : Perfect Forward Secrecy

Which of the following TCP port numbers is used to connect the VPN-1 Gateway to the Content Vector Protocol (CVP) server?


Options are :

  • 18182
  • 7242
  • 1456
  • 18180
  • 18181 (Correct)

Answer : 18181

Your current VPN-1 NG with Application Intelligence (AI) R55 standalone VPN-1 Pro Gateway and SmartCenter Server run on SecurePlatform. You plan to implement VPN-1 NGX in a distributed environment, where the existing machine will be the SmartCenter Server, and a new machine will be the VPN-1 Pro Gateway only. You need to migrate the NG with AI R55 SmartCenter Server configuration, including such items as Internal Certificate Authority files, databases, and Security Policies. How do you request a new license for this VPN-1 NGX upgrade?


Options are :

  • Request a VPN-1 NGX SmartCenter Server license, using the new machine's IP address. Request a new local license for the NGX VPN-1 Pro Gateway.
  • Request a new VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway.
  • Request a VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway, licensed for the existing SmartCenter Server IP address (Correct)
  • Request a VPN-1 NGX SmartCenter Server license, using the new machine's IP address. Request a new central license for the NGX VPN-1 Pro Gateway.

Answer : Request a VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway, licensed for the existing SmartCenter Server IP address

Your organization has many VPN-1 Edge gateways at various branch offices, to allow VPN-1 Secure Client users to access company resources. For security reasons, your organization's Security Policy requires all Internet traffic initiated behind the VPN-1 Edge gateways first be inspected by your headquarters' VPN-1 Pro Security Gateway. How do you configure VPN routing in this star VPN Community?


Options are :

  • To the Internet and other targets only
  • To the center only
  • To the center; or through the center to other satellites, then to the Internet and other VPN targets (Correct)
  • To the center and other satellites, through the center

Answer : To the center; or through the center to other satellites, then to the Internet and other VPN targets

Which Security Server can perform authentication tasks, but CANNOT perform content security tasks?


Options are :

  • rlogin (Correct)
  • SMTP
  • Telnet
  • HTTP
  • FTP

Answer : rlogin

What is a requirement for setting up Management High Availability?


Options are :

  • All SmartCenter Servers must have the same amount of memory.
  • You can only have one Secondary SmartCenter Server.
  • All SmartCenter Servers must have the same operating system. (Correct)
  • All SmartCenter Servers must have the same BIOS release.
  • All SmartCenter Servers must reside in the same Local Area Network (LAN).

Answer : All SmartCenter Servers must have the same operating system.

How do you control the maximum mail messages in a spool directory?


Options are :

  • In the Security Server window in Global Properties
  • In the SMTP resource object
  • In the smtp.conf file on the SmartCenter Server
  • In the gateway object's SMTP settings in the Advanced window (Correct)
  • In SmartDefense SMTP settings

Answer : In the gateway object's SMTP settings in the Advanced window

Your VPN Community includes three Security Gateways. Each Gateway has its own internal network defined as a VPN Domain. You must test the VPN-1 NGX route-based VPN feature, without stopping the VPN. What is the correct order of steps?


Options are :

  • 1. Add a new interface on each Gateway. 2. Add the newly added network into the existing VPN Domain for each gateway object. 3. Create VTIs on each gateway object, to point to the other two peers. 4. Add static routes on three Gateways, to route the new networks to each peer's VTI interface.
  • 1. Add a new interface on each Gateway. 2. Add the newly added network into the existing VPN Domain for each Gateway. 3. Create VTIs on each gateway object, to point to the other two peers. 4. Enable advanced routing on all three Gateways.
  • 1. Add a new interface on each Gateway. 2. Remove the newly added network from the current VPN Domain in each gateway object. 3. Create VPN Tunnel Interfaces (VTI) on each gateway object, to point to the other two peers. 4. Add static routes on three Gateways, to route the new network to each peer's VTI interface. (Correct)
  • 1. Add a new interface on each Gateway. 2. Remove the newly added network from the current VPN Domain for each Gateway. 3. Create VTIs on each Gateway, to point to the other two peers. 4. Enable advanced routing on all three Gateways.

Answer : 1. Add a new interface on each Gateway. 2. Remove the newly added network from the current VPN Domain in each gateway object. 3. Create VPN Tunnel Interfaces (VTI) on each gateway object, to point to the other two peers. 4. Add static routes on three Gateways, to route the new network to each peer's VTI interface.

Which of the following QoS rule action properties is an Advanced action type, only available in Traditional mode?


Options are :

  • Apply rule only to encrypted traffic
  • Rule weight
  • Rule limit
  • Guarantee Allocation (Correct)
  • Rule guarantee

Answer : Guarantee Allocation

VPN-1 NGX includes a resource mechanism for working with the Common Internet File System (CIFS). However, this service only provides a limited level of actions for CIFS security. Which of the following services is NOT provided by a CIFS resource?


Options are :

  • Log access shares
  • Log mapped shares
  • Allow MS print shares (Correct)
  • Block Remote Registry Access

Answer : Allow MS print shares

Barak is a Security Administrator for an organization that has two sites using pre-shared secrets in its VPN. The two sites are Oslo and London. Barak has just been informed that a new office is opening in Madrid, and he must enable all three sites to connect via the VPN to each other. Three Security Gateways are managed by the same SmartCenter Server, behind the Oslo Security Gateway. Barak decides to switch from pre-shared secrets to Certificates issued by the Internal Certificate Authority (ICA). After creating the Madrid gateway object with the proper VPN Domain, what are Barak's remaining steps? 1. Disable "PreShared Secret" on the London and Oslo gateway objects. 2. Add the Madrid gateway object into the Oslo and London's mesh VPN Community. 3. Manually generate ICA Certificates for all three Security Gateways. 4. Configure "Traditional mode VPN configuration" in the Madrid gateway object's VPN screen. 5. Reinstall the Security Policy on all three Security Gateways.


Options are :

  • 1,3,4,5
  • 1,2,3,5
  • 1,2,5 (Correct)
  • 1,2,4,5
  • 1,2,3,4

Answer : 1,2,5

You are preparing to configure your VoIP Domain Gatekeeper object. Which two other objects should you have created first?


Options are :

  • An object to represent the IP phone network, AND an object to represent the host on which the proxy is installed
  • An object to represent the PSTN phone network, AND an object to represent the IP phone network
  • An object to represent the Q.931 service origination host, AND an object to represent the H.245 termination host
  • An object to represent the IP phone network, AND an object to represent the host on which the gatekeeper is installed (Correct)
  • An object to represent the call manager, AND an object to represent the host on which the transmission router is installed

Answer : An object to represent the IP phone network, AND an object to represent the host on which the gatekeeper is installed

Which type of service should a Security Administrator use in a Rule Base to control access to specific shared partitions on target machines?


Options are :

  • HTTP
  • FTP
  • Telnet
  • URI
  • CIFS (Correct)

Answer : CIFS

Which OPSEC server is used to prevent users from accessing certain Web sites?


Options are :

  • URI
  • LEA
  • UFP (Correct)
  • AMON
  • CVP

Answer : UFP

Your current standalone VPN-1 NG with Application Intelligence (AI) R55 installation is running on SecurePlatform. You plan to implement VPN-1 NGX in a distributed environment, where the existing machine will be the VPN-1 Pro Gateway. An additional machine will serve as the SmartCenter Server. The new machine runs on a Windows Server 2003. You need to upgrade the NG with AI R55 SmartCenter Server configuration to VPN-1 NGX. How do you upgrade to VPN-1 NGX?


Options are :

  • Copy the $FWDIR\conf and $FWDIR\lib files from the existing SecurePlatform machine. Create a tar.gz file, and copy it to the Windows Server 2003. Use VPN-1 NGX CD on the existing SecurePlatform machine to do a new installation. Reboot. Run sysconfig and select VPN-1 Pro Gateway. Reboot. Use the NGX CD to install the primary SmartCenter Server on the Windows Server 2003. On the Windows Server 2003, run upgradeimport command to import $FWDIR\conf and $FWDIR\lib from the SecurePlatform machine.
  • Insert the NGX CD in the existing NG with AI R55 SecurePlatform machine, and answer yes to backup the configuration. Copy the backup file to the Windows Server 2003. Continue the upgrade process. Reboot after upgrade is finished. After SecurePlatform NGX reboots, run sysconfig, select VPN-1 Pro Gateway, and finish the sysconfig process. Reboot again. Use the NGX CD to install the primary SmartCenter on the Windows Server 2003. Import the backup file. (Correct)
  • Run the backup command in the existing SecurePlatform machine, to create a backup file. Copy the file to the Windows Server 2003. Uninstall all Check Point products on SecurePlatform by running rpm CPsuite.R55 command. Reboot. Install new VPN-1 NGX on the existing SecurePlatform machine. Run sysconfig, select VPN-1 Pro Gateway, and reboot. Use VPN-1 NGX CD to install primary SmartCenter Server on the Windows Server 2003. Import the backup file.
  • Run backup command on the existing SecurePlatform machine to create a backup file. Copy the file to the Windows Server 2003. Uninstall the primary SmartCenter Server package from NG with AI R55 SecurePlatform using sysconfig. Reboot. Install the NGX primary SmartCenter Server and import the backup file. Open the NGX SmartUpdate, and select "upgrade all packages" on the NG with AI R55 Security Gateway.

Answer : Insert the NGX CD in the existing NG with AI R55 SecurePlatform machine, and answer yes to backup the configuration. Copy the backup file to the Windows Server 2003. Continue the upgrade process. Reboot after upgrade is finished. After SecurePlatform NGX reboots, run sysconfig, select VPN-1 Pro Gateway, and finish the sysconfig process. Reboot again. Use the NGX CD to install the primary SmartCenter on the Windows Server 2003. Import the backup file.

Damon enables an SMTP resource for content protection. He notices that mail seems to slow down on occasion, sometimes being delivered late. Which of the following might improve throughput performance?


Options are :

  • Configuring the Content Vector Protocol (CVP) resource to forward the mail to the internal SMTP server, without waiting for a response from the Security Gateway
  • Configuring the SMTP resource to bypass the CVP resource (Correct)
  • Configuring the SMTP resource to only allow mail with Damon's company's domain name in the header
  • Increasing the Maximum number of mail messages in the Gateway's spool directory
  • Configuring the CVP resource to return the mail to the Gateway

Answer : Configuring the SMTP resource to bypass the CVP resource

What is the consequence of clearing the "Log VoIP Connection" box in Global Properties?


Options are :

  • Dropped VoIP traffic is logged, but accepted VoIP traffic is not logged
  • IP addresses are used, instead of object names, in log entries that reference VoIP Domain objects.
  • VoIP protocol-specific log fields are not included in SmartView Tracker entries. (Correct)
  • The log field settings in rules for VoIP protocols are ignored.
  • The SmartCenter Server stops importing logs from VoIP servers.

Answer : VoIP protocol-specific log fields are not included in SmartView Tracker entries.

Yoav is a Security Administrator preparing to implement a VPN solution for his multi-site organization. To comply with industry regulations, Yoav's VPN solution must meet the following requirements: Portability: Standard; Key management: Automatic, external PKI; Session keys: Changed at configured times during a connection's lifetime; Key length: No less than 128-bit; Data integrity: Secure against inversion and brute force attacks. What is the most appropriate setting Yoav should choose?


Options are :

  • IKE VPNs: CAST encryption for IKE Phase 1, and SHA1 encryption for Phase 2; DES hash
  • IKE VPNs: SHA1 encryption for IKE Phase 1, and MD5 encryption for Phase 2; AES hash
  • IKE VPNs: DES encryption for IKE Phase 1, and 3DES encryption for Phase 2; MD5 hash
  • IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash (Correct)
  • IKE VPNs: AES encryption for IKE Phase 1, and DES encryption for Phase 2; SHA1 hash

Answer : IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash
