156-315.77 Check Point Certified Security Expert Exam Set 5

Robert has configured a Common Internet File System (CIFS) resource to allow access to the public partition of his company's file server, on \\erisco\goldenapple\files\public. Robert receives reports that users are unable to access the shared partition, unless they use the file server's IP address. Which of the following is a possible cause?


Options are :

  • Access violations are not logged.
  • Null CIFS sessions are blocked.
  • Mapped shares do not allow administrative locks.
  • Remote registry access is blocked.
  • The CIFS resource is not configured to use Windows name resolution (Correct)

Answer : The CIFS resource is not configured to use Windows name resolution

Which OPSEC server is used to prevent users from accessing certain Web sites?


Options are :

  • LEA
  • AMON
  • URI
  • CVP
  • UFP (Correct)

Answer : UFP

Your VPN Community includes three Security Gateways. Each Gateway has its own internal network defined as a VPN Domain. You must test the VPN-1 NGX route-based VPN feature, without stopping the VPN. What is the correct order of steps?


Options are :

  • 1. Add a new interface on each Gateway. 2. Add the newly added network into the existing VPN Domain for each Gateway. 3. Create VTIs on each gateway object, to point to the other two peers. 4. Enable advanced routing on all three Gateways.
  • 1. Add a new interface on each Gateway. 2. Remove the newly added network from the current VPN Domain in each gateway object. 3. Create VPN Tunnel Interfaces (VTI) on each gateway object, to point to the other two peers. 4. Add static routes on three Gateways, to route the new network to each peer's VTI interface. (Correct)
  • 1. Add a new interface on each Gateway. 2. Remove the newly added network from the current VPN Domain for each Gateway. 3. Create VTIs on each Gateway, to point to the other two peers. 4. Enable advanced routing on all three Gateways.
  • 1. Add a new interface on each Gateway. 2. Add the newly added network into the existing VPN Domain for each gateway object. 3. Create VTIs on each gateway object, to point to the other two peers. 4. Add static routes on three Gateways, to route the new networks to each peer's VTI interface.

Answer : 1. Add a new interface on each Gateway. 2. Remove the newly added network from the current VPN Domain in each gateway object. 3. Create VPN Tunnel Interfaces (VTI) on each gateway object, to point to the other two peers. 4. Add static routes on three Gateways, to route the new network to each peer's VTI interface.

You want to create an IKE VPN between two VPN-1 NGX Security Gateways, to protect two networks. The network behind one Gateway is 10.15.0.0/16, and network 192.168.9.0/24 is behind the peer's Gateway. Which type of address translation should you use, to ensure the two networks access each other through the VPN tunnel?


Options are :

  • Static NAT
  • None (Correct)
  • Hide NAT
  • Manual NAT
  • Hide NAT

Answer : None

You plan to install a VPN-1 Pro Gateway for VPN-1 NGX at your company's headquarters. You have a single Sun SPARC Solaris 9 machine for VPN-1 Pro enterprise implementation. You need this machine to inspect traffic and keep configuration files. Which Check Point software package do you install?


Options are :

  • Policy Server and primary SmartCenter Server
  • VPN-1 Pro Gateway and primary SmartCenter Server (Correct)
  • VPN-1 Pro Gateway
  • SmartCenter Server
  • ClusterXL and SmartCenter Server

Answer : VPN-1 Pro Gateway and primary SmartCenter Server

Which VPN Community object is used to configure VPN routing within the SmartDashboard?


Options are :

  • Remote Access
  • Mesh
  • Map
  • Star (Correct)

Answer : Star

Your organization has many VPN-1 Edge gateways at various branch offices, to allow VPN-1 Secure Client users to access company resources. For security reasons, your organization's Security Policy requires all Internet traffic initiated behind the VPN-1 Edge gateways first be inspected by your headquarters' VPN-1 Pro Security Gateway. How do you configure VPN routing in this star VPN Community?


Options are :

  • To the center; or through the center to other satellites, then to the Internet and other VPN targets (Correct)
  • To the Internet and other targets only
  • To the center only
  • To the center and other satellites, through the center

Answer : To the center; or through the center to other satellites, then to the Internet and other VPN targets

What is the consequence of clearing the "Log VoIP Connection" box in Global Properties?


Options are :

  • VoIP protocol-specific log fields are not included in SmartView Tracker entries. (Correct)
  • The log field setting in rules for VoIP protocols are ignored
  • IP addresses are used, instead of object names, in log entries that reference VoIP Domain objects.
  • Dropped VoIP traffic is logged, but accepted VoIP traffic is not logged
  • The SmartCenter Server stops importing logs from VoIP servers.

Answer : VoIP protocol-specific log fields are not included in SmartView Tracker entries.

You are running a VPN-1 NG with Application Intelligence R54 SecurePlatform VPN-1 Pro Gateway. The Gateway also serves as a Policy Server. When you run patch add cd from the NGX CD, what does this command allow you to upgrade?


Options are :

  • Only the patch utility is upgraded using this command
  • Only VPN-1 Pro Security Gateway
  • Only the OS
  • All products, except the Policy Server
  • Both the operating system (OS) and all Check Point products (Correct)

Answer : Both the operating system (OS) and all Check Point products

Which of the following TCP port numbers is used to connect the VPN-1 Gateway to the Content Vector Protocol (CVP) server?


Options are :

  • 7242
  • 18182
  • 1456
  • 18181 (Correct)
  • 18180

Answer : 18181

If you check the box "Use Aggressive Mode", in the IKE Properties dialog box:


Options are :

  • The standard six-packet IKE Phase 1 exchange is replaced by a twelve-packet exchange.
  • The standard three-packet IKE Phase 1 exchange is replaced by a six-packet exchange.
  • The standard six-packet IKE Phase 2 exchange is replaced by a three-packet exchange.
  • The standard three-packet IKE Phase 2 exchange is replaced by a six-packet exchange.
  • The standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange. (Correct)

Answer : The standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange.

Damon enables an SMTP resource for content protection. He notices that mail seems to slow down on occasion, sometimes being delivered late. Which of the following might improve throughput performance?


Options are :

  • Increasing the Maximum number of mail messages in the Gateway's spool directory
  • Configuring the Content Vector Protocol (CVP) resource to forward the mail to the internal SMTP server, without waiting for a response from the Security Gateway
  • Configuring the SMTP resource to bypass the CVP resource (Correct)
  • Configuring the CVP resource to return the mail to the Gateway
  • Configuring the SMTP resource to only allow mail with Damon's company's domain name in the header

Answer : Configuring the SMTP resource to bypass the CVP resource

You are preparing to configure your VoIP Domain Gatekeeper object. Which two other objects should you have created first?


Options are :

  • An object to represent the IP phone network, AND an object to represent the host on which the proxy is installed
  • An object to represent the call manager, AND an object to represent the host on which the transmission router is installed
  • An object to represent the IP phone network, AND an object to represent the host on which the gatekeeper is installed (Correct)
  • An object to represent the Q.931 service origination host, AND an object to represent the H.245 termination host
  • An object to represent the PSTN phone network, AND an object to represent the IP phone network

Answer : An object to represent the IP phone network, AND an object to represent the host on which the gatekeeper is installed

Barak is a Security Administrator for an organization that has two sites using pre-shared secrets in its VPN. The two sites are Oslo and London. Barak has just been informed that a new office is opening in Madrid, and he must enable all three sites to connect via the VPN to each other. Three Security Gateways are managed by the same SmartCenter Server, behind the Oslo Security Gateway. Barak decides to switch from pre-shared secrets to Certificates issued by the Internal Certificate Authority (ICA). After creating the Madrid gateway object with the proper VPN Domain, what are Barak's remaining steps?

1. Disable "PreShared Secret" on the London and Oslo gateway objects.
2. Add the Madrid gateway object into the Oslo and London's mesh VPN Community.
3. Manually generate ICA Certificates for all three Security Gateways.
4. Configure "Traditional mode VPN configuration" in the Madrid gateway object's VPN screen.
5. Reinstall the Security Policy on all three Security Gateways.


Options are :

  • 1,2,5 (Correct)
  • 1,3,4,5
  • 1,2,3,5
  • 1,2,3,4
  • 1,2,4,5

Answer : 1,2,5

Which operating system is NOT supported by VPN-1 Secure Client?


Options are :

  • Windows 2000 Professional
  • MacOSX
  • IPSO 3.9 (Correct)
  • Windows XP SP2
  • RedHat Linux 8.0

Answer : IPSO 3.9

Which service type does NOT invoke a Security Server?


Options are :

  • CIFS (Correct)
  • HTTP
  • Telnet
  • SMTP
  • FTP

Answer : CIFS

You have an internal FTP server, and you allow downloading, but not uploading. Assume Network Address Translation is set up correctly, and you want to add an inbound rule with: Source: Any; Destination: FTP server; Service: FTP resources object. How do you configure the FTP resource object and the action column in the rule to achieve this goal?


Options are :

  • Enable only the "Put" method in the FTP Resource Properties and use it in the rule, with action accept.
  • Enable only the "Get" method in the FTP Resource Properties, and use this method in the rule, with action accept. (Correct)
  • Enable only the "Get" method in the FTP Resource Properties and use it in the rule, with action drop.
  • Enable both "Put" and "Get" methods in the FTP Resource Properties and use them in the rule, with action drop.
  • Disable "Get" and "Put" methods in the FTP Resource Properties and use it in the rule, with action accept.

Answer : Enable only the "Get" method in the FTP Resource Properties, and use this method in the rule, with action accept.

Regarding QoS guarantees and limits, which of the following statements is FALSE?


Options are :

  • A rule guarantee must not be less than the sum of the guarantees defined in its sub-rules.
  • If both a rule limit and a per connection limit are defined for a rule, the per connection limit must not be greater than the rule limit.
  • If both a limit and a guarantee per rule are defined in a QoS rule, then the limit must be smaller than the guarantee. (Correct)
  • If a guarantee is defined in a sub-rule, then a guarantee must be defined for the rule above it.

Answer : If both a limit and a guarantee per rule are defined in a QoS rule, then the limit must be smaller than the guarantee.

Which Security Server can perform authentication tasks, but CANNOT perform content security tasks?


Options are :

  • FTP
  • rlogin (Correct)
  • Telnet
  • HTTP
  • SMTP

Answer : rlogin

DShield is a Check Point feature used to block which of the following threats?


Options are :

  • SQL injection
  • DDOS (Correct)
  • Cross Site Scripting
  • Buffer overflows
  • Trojan horses

Answer : DDOS

In a distributed VPN-1 Pro NGX environment, where is the Internal Certificate Authority (ICA) installed?


Options are :

  • Certificate Manager Server
  • On the Policy Server
  • On the Smart View Monitor
  • On the primary SmartCenter Server (Correct)
  • On the Security Gateway

Answer : On the primary SmartCenter Server

Your current VPN-1 NG with Application Intelligence (AI) R55 standalone VPN-1 Pro Gateway and SmartCenter Server run on SecurePlatform. You plan to implement VPN-1 NGX in a distributed environment, where the existing machine will be the SmartCenter Server, and a new machine will be the VPN-1 Pro Gateway only. You need to migrate the NG with AI R55 SmartCenter Server configuration, including such items as Internal Certificate Authority files, databases, and Security Policies. How do you request a new license for this VPN-1 NGX upgrade?


Options are :

  • Request a VPN-1 NGX SmartCenter Server license, using the new machine's IP address. Request a new local license for the NGX VPN-1 Pro Gateway.
  • Request a VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway, licensed for the existing SmartCenter Server IP address (Correct)
  • Request a new VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway.
  • Request a VPN-1 NGX SmartCenter Server license, using the new machine's IP address. Request a new central license for the NGX VPN-1 Pro Gateway.

Answer : Request a VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway, licensed for the existing SmartCenter Server IP address

Greg is creating rules and objects to control VoIP traffic in his organization, through a VPN-1 NGX Security Gateway. Greg creates VoIP Domain SIP objects to represent each of his organization's three SIP gateways. Greg then creates a simple group to contain the VoIP Domain SIP objects. When Greg attempts to add the VoIP Domain SIP objects to the group, they are not listed. What is the problem?


Options are :

  • The installed VoIP gateways specify host objects.
  • VoIP Domain SIP objects cannot be placed in simple groups. (Correct)
  • The VoIP Domain SIP object's name contains restricted characters.
  • The VoIP gateway object must be added to the group, before the VoIP Domain SIP object is eligible to be added to the group.
  • The related end points domain specifies an address range.

Answer : VoIP Domain SIP objects cannot be placed in simple groups.

You receive an alert indicating a suspicious FTP connection is trying to connect to one of your internal hosts. How do you block the connection in real time and verify the connection is successfully blocked?


Options are :

  • Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using Tools > Block Intruder menu. Use Active mode to confirm that the suspicious connection is dropped.
  • Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using the Tools > Block Intruder menu. Use the Active mode to confirm that the suspicious connection does not reappear. (Correct)
  • Highlight the suspicious connection in SmartView Tracker > Log mode. Block the connection using Tools > Block Intruder menu. Use the Log mode to confirm that the suspicious connection is dropped.
  • Highlight the suspicious connection in SmartView Tracker > Log mode. Block the connection using Tools > Block Intruder menu. Use Log mode to confirm that the suspicious connection does not reappear.

Answer : Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using the Tools > Block Intruder menu. Use the Active mode to confirm that the suspicious connection does not reappear.

Which of the following QoS rule action properties is an Advanced action type, only available in Traditional mode?


Options are :

  • Rule weight
  • Apply rule only to encrypted traffic
  • Rule limit
  • Rule guarantee
  • Guarantee Allocation (Correct)

Answer : Guarantee Allocation

Your current standalone VPN-1 NG with Application Intelligence (AI) R55 installation is running on SecurePlatform. You plan to implement VPN-1 NGX in a distributed environment, where the existing machine will be the VPN-1 Pro Gateway. An additional machine will serve as the SmartCenter Server. The new machine runs on a Windows Server 2003. You need to upgrade the NG with AI R55 SmartCenter Server configuration to VPN-1 NGX. How do you upgrade to VPN-1 NGX?


Options are :

  • Insert the NGX CD in the existing NG with AI R55 SecurePlatform machine, and answer yes to backup the configuration. Copy the backup file to the Windows Server 2003. Continue the upgrade process. Reboot after upgrade is finished. After SecurePlatform NGX reboots, run sysconfig, select VPN-1 Pro Gateway, and finish the sysconfig process. Reboot again. Use the NGX CD to install the primary SmartCenter on the Windows Server 2003. Import the backup file. (Correct)
  • Copy the $FWDIR\conf and $FWDIR\lib files from the existing SecurePlatform machine. Create a tar.gz file, and copy it to the Windows Server 2003. Use VPN-1 NGX CD on the existing SecurePlatform machine to do a new installation. Reboot. Run sysconfig and select VPN-1 Pro Gateway. Reboot. Use the NGX CD to install the primary SmartCenter Server on the Windows Server 2003. On the Windows Server 2003, run upgradeimport command to import $FWDIR\conf and $FWDIR\lib from the SecurePlatform machine.
  • Run the backup command in the existing SecurePlatform machine, to create a backup file. Copy the file to the Windows Server 2003. Uninstall all Check Point products on SecurePlatform by running rpm CPsuite.R55 command. Reboot. Install new VPN-1 NGX on the existing SecurePlatform machine. Run sysconfig, select VPN-1 Pro Gateway, and reboot. Use VPN-1 NGX CD to install primary SmartCenter Server on the Windows Server 2003. Import the backup file.
  • Run backup command on the existing SecurePlatform machine to create a backup file. Copy the file to the Windows Server 2003. Uninstall the primary SmartCenter Server package from NG with AI R55 SecurePlatform using sysconfig. Reboot. Install the NGX primary SmartCenter Server and import the backup file. Open the NGX SmartUpdate, and select "upgrade all packages" on the NG with AI R55 Security Gateway.

Answer : Insert the NGX CD in the existing NG with AI R55 SecurePlatform machine, and answer yes to backup the configuration. Copy the backup file to the Windows Server 2003. Continue the upgrade process. Reboot after upgrade is finished. After SecurePlatform NGX reboots, run sysconfig, select VPN-1 Pro Gateway, and finish the sysconfig process. Reboot again. Use the NGX CD to install the primary SmartCenter on the Windows Server 2003. Import the backup file.

Cody is notified by blacklist.org that his site has been reported as a spam relay, due to his SMTP Server being unprotected. Cody decides to implement an SMTP Security Server, to prevent the server from being a spam relay. Which of the following is the most efficient configuration method?


Options are :

  • Configure the SMTP Security Server to work with an OPSEC based product, for content checking.
  • Configure the SMTP Security Server to allow only mail to or from names, within Cody's corporate domain. (Correct)
  • Configure the SMTP Security Server to perform filtering, based on IP address and SMTP protocols.
  • Configure the SMTP Security Server to apply a generic "from" address to all outgoing mail.
  • Configure the SMTP Security Server to perform MX resolving

Answer : Configure the SMTP Security Server to allow only mail to or from names, within Cody's corporate domain.

The following rule contains an FTP resource object in the Service field: Source: local_net; Destination: Any; Service: FTP-resource object; Action: Accept. How do you define the FTP Resource Properties > Match tab to prevent internal users from receiving corporate files from external FTP servers, while allowing users to send files?


Options are :

  • Enable the "Get" method on the Match tab.
  • Enable "Put" and "Get" methods.
  • Enable the "Put" method only on the Match tab. (Correct)
  • Disable the "Put" method globally.
  • Disable "Get" and "Put" methods on the Match tab.

Answer : Enable the "Put" method only on the Match tab.

You must set up SIP with a proxy for your network. IP phones are in the 172.16.100.0 network. The Registrar and proxy are installed on host 172.16.100.100. To allow handover enforcement for outbound calls from SIP-net to network Net_B on the Internet, you have defined the following objects:

Network object: SIP-net: 172.16.100.0/24 SIP-gateway: 172.16.100.100
VoIP Domain object: VoIP_domain_A
1. Endpoint domain: SIP-net
2. VoIP gateway installed at: SIP-gateway host object

How would you configure the rule?


Options are :

  • VoIP_domain_A/Net_B/sip/accept (Correct)
  • SIP-Gateway/Net_B/sip_any/accept
  • VoIP_Gateway_A/Net_B/sip_any/accept
  • SIP-Gateway/Net_B/sip/accept
  • VoIP_domain_A/Net_B/sip_any, and sip/accept

Answer : VoIP_domain_A/Net_B/sip/accept

How would you configure a rule in a Security Policy to allow SIP traffic from end point Net_A to end point Net_B, through an NGX Security Gateway?


Options are :

  • Net_A/Net_B/VoIP/accept
  • Net_A/Net_B/sip and sip_any/accept
  • Net_A/Net_B/VoIP_any/accept
  • Net_A/Net_B/sip/accept (Correct)

Answer : Net_A/Net_B/sip/accept
