156-315.77 Check Point Certified Security Expert Exam Set 9

When do modifications to the Event Policy take effect?


Options are :

  • When saved on the SmartEvent Client, and installed on the SmartEvent Server.
  • When saved on the Correlation Units, and pushed as a policy.
  • When saved on the SmartEvent Server and installed to the Correlation Units.
  • As soon as the Policy Tab window is closed.

Answer : When saved on the SmartEvent Server and installed to the Correlation Units.

The process _____ provides service to access the GAIA configuration database.


Options are :

  • confd
  • configdbd
  • fwm
  • ipsrd

Answer : confd


What tool exports the Management Configuration into a single file?


Options are :

  • Upgrade_Export
  • Backup
  • migrate export
  • CPConfig_Export

Answer : migrate export

Which of the following is the preferred method for adding static routes in GAiA?


Options are :

  • In the CLI via sysconfig
  • In the CLI with the command “route add”
  • In Web Portal, under Network Management > IPv4 Static Routes
  • In SmartDashboard under Gateway Properties > Topology

Answer : In Web Portal, under Network Management > IPv4 Static Routes

Check Point New Mode HA is a(n) _____ solution.


Options are :

  • load-balancing
  • acceleration
  • active-standby
  • primary-domain

Answer : active-standby


To help organize events, SmartReporter uses filtered queries. Which of the following is NOT a SmartEvent event property you can query?


Options are :

  • Type: Scans, Denial of Service, Unauthorized Entry
  • Time: Last Hour, Last Day, Last Week
  • Event: Critical, Suspect, False Alarm
  • State: Open, Closed, False Alarm

Answer : Event: Critical, Suspect, False Alarm

Which protocol can be used to provide logs to third-party reporting?


Options are :

  • AMON (Application Monitoring)
  • LEA (Log Export API)
  • ELA (Event Logging API)
  • CPMI (Check Point Management Interface)

Answer : LEA (Log Export API)

Where is it necessary to configure historical records in SmartView Monitor to generate Express reports in SmartReporter?


Options are :

  • In SmartDashboard, the SmartView Monitor page in the R77 Security Gateway object
  • In SmartView Monitor, under Global Properties > Log and Masters
  • In SmartReporter, under Standard > Custom
  • In SmartReporter, under Express > Network Activity

Answer : In SmartDashboard, the SmartView Monitor page in the R77 Security Gateway object


Which of the following is NOT part of the policy installation process?


Options are :

  • Initiation
  • Validation
  • Code generation
  • Code compilation

Answer : Validation

When, during policy installation, does the atomic load task run?


Options are :

  • Immediately after fwm load runs on the SmartCenter.
  • It is the first task during policy installation.
  • Before CPD runs on the Gateway.
  • It is the last task during policy installation.

Answer : It is the last task during policy installation.

What is the best tool to produce a report which represents historical system information?


Options are :

  • SmartView Monitor
  • SmartReporter-Express Reports
  • SmartReporter-Standard Reports
  • SmartView Tracker

Answer : SmartReporter-Express Reports


Which of the following is the correct way to export IPS profiles so they can be copied to another management server?


Options are :

  • fwm dbexport -p
  • ips_export_import export
  • SmartDashboard – IPS tab – Profiles – select profile + right click and select “export profile”
  • IPS profile export is not allowed

Answer : ips_export_import export

David wants to manage hundreds of gateways using a central management tool. What tool would David use to accomplish his goal?


Options are :

  • SmartDashboard
  • SmartProvisioning
  • SmartLSM
  • SmartBlade

Answer : SmartProvisioning

To clean the system of all SmartEvent events, you should delete the files in which folder(s)?


Options are :

  • $RTDIR/events_db
  • $FWDIR/distrib_db and $FWDIR/events
  • $RTDIR/distrib and $RTDIR/events_db
  • $FWDIR/distrib

Answer : $RTDIR/distrib and $RTDIR/events_db


The SmartEvent Correlation Unit:


Options are :

  • looks for patterns according to the installed Event Policy.
  • adds events to the events database.
  • displays the received events.
  • assigns a severity level to an event.

Answer : looks for patterns according to the installed Event Policy.


Which SmartReporter report type is generated from the SmartView Monitor history file?


Options are :

  • Traditional
  • Express
  • Custom
  • Standard

Answer : Express

You are establishing a ClusterXL environment, with the following topology:

VIP internal cluster IP = 172.16.10.3; VIP external cluster IP = 192.168.10.3
Cluster Member 1: 4 NICs, 3 enabled; hme0: 192.168.10.1/24, hme1: 10.10.10.1/24, qfe2: 172.16.10.1/24
Cluster Member 2: 5 NICs, 3 enabled; hme3: 192.168.10.2/24, hme1: 10.10.10.2/24, hme2: 172.16.10.2/24

External interfaces 192.168.10.1 and 192.168.10.2 connect to a VLAN switch. The upstream router connects to the same VLAN switch. Internal interfaces 172.16.10.1 and 172.16.10.2 connect to a hub. 10.10.10.0 is the synchronization network. The Security Management Server is located on the internal network with IP 172.16.10.3.

What is the problem with this configuration?


Options are :

  • Cluster members cannot use the VLAN switch. They must use hubs.
  • The Cluster interface names must be identical across all cluster members.
  • The Security Management Server must be in the dedicated synchronization network, not the internal network.
  • There is an IP address conflict.

Answer : There is an IP address conflict.

Which of the following is NOT accelerated by SecureXL?


Options are :

  • HTTPS
  • Telnet
  • SSH
  • FTP

Answer : FTP


A tracked SmartEvent Candidate in a Candidate Pool becomes an Event. What does NOT happen in the Analyzer Server?


Options are :

  • SmartEvent stops tracking logs related to the Candidate
  • The Event is kept open, but condenses many instances into one Event.
  • The Correlation Unit keeps adding matching logs to the Event.
  • SmartEvent provides the beginning and end time of the Event.

Answer : SmartEvent stops tracking logs related to the Candidate

What is the SmartEvent Analyzer's function?


Options are :

  • Generate a threat analysis report from the Analyzer database.
  • Display received threats and tune the Events Policy.
  • Assign severity levels to events.
  • Analyze log entries, looking for Event Policy patterns.

Answer : Assign severity levels to events.

If the number of kernel instances for CoreXL shown is 6, how many cores are in the physical machine?


Options are :

  • 8
  • 3
  • 6
  • 4

Answer : 8


You are reviewing computer information collected in ClientInfo. You can NOT:


Options are :

  • Run Google.com search using the contents of the selected cell.
  • Save the information in the active tab to an .exe file.
  • Copy the contents of the selected cells.
  • Enter new credential for accessing the computer information.

Answer : Save the information in the active tab to an .exe file.

In which ClusterXL Load Sharing mode does the pivot machine get chosen automatically by ClusterXL?


Options are :

  • Unicast Load Sharing
  • CCP Load Sharing
  • Hot Standby Load Sharing
  • Multicast Load Sharing

Answer : Unicast Load Sharing

How do new connections get established through a Security Gateway with SecureXL enabled?


Options are :

  • New connection packets never reach the SecureXL module.
  • If the connection matches a connection or drop template in SecureXL, it will either be established or dropped without performing a rule match, else it will be passed to the firewall module for a rule match.
  • The new connection will be first inspected by SecureXL and if it does not match the drop table of SecureXL, then it will be passed to the firewall module for a rule match.
  • New connections are always inspected by the firewall and if they are accepted, the subsequent packets of the same connection will be passed through SecureXL

Answer : If the connection matches a connection or drop template in SecureXL, it will either be established or dropped without performing a rule match, else it will be passed to the firewall module for a rule match.


Which component receives events, assigns severity levels to the events, invokes any defined automatic reactions, and adds the events to the Events Database?


Options are :

  • SmartEvent Analysis DataServer
  • SmartEvent Server
  • SmartEvent Client
  • SmartEvent Correlation Unit

Answer : SmartEvent Server

The SmartEvent Client:


Options are :

  • analyzes each IPS log entry as it enters the Log server.
  • assigns a severity level to an event.
  • displays the received events.
  • adds events to the events database.

Answer : displays the received events.

What is a requirement for setting up R77 Management High Availability?


Options are :

  • All Security Management Servers must reside in the same LAN.
  • All Security Management Servers must have the same operating system.
  • All Security Management Servers must have the same number of NICs.
  • State synchronization must be enabled on the secondary Security Management Server

Answer : All Security Management Servers must have the same operating system.


What configuration change must you make to change an existing ClusterXL cluster object from Multicast to Unicast mode?


Options are :

  • Reset Secure Internal Communications (SIC) on the cluster-member objects. Reinstall the Security Policy.
  • Change the cluster mode to Unicast on each of the cluster-member objects.
  • Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy.
  • Run cpstop and cpstart, to re-enable High Availability on both objects. Select Pivot mode in cpconfig.

Answer : Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy.

What is the SmartEvent Correlation Unit’s function?


Options are :

  • Analyze log entries, looking for Event Policy patterns.
  • Assign severity levels to events.
  • Display received threats and tune the Events Policy.
  • Invoke and define automatic reactions and add events to the database.

Answer : Analyze log entries, looking for Event Policy patterns.

What is the benefit to running SmartEvent in Learning Mode?


Options are :

  • There is no SmartEvent Learning Mode
  • To run SmartEvent, with a step-by-step online configuration guide for training/setup purposes
  • To generate a report with system Event Policy modification suggestions
  • To run SmartEvent with preloaded sample data in a test environment

Answer : To generate a report with system Event Policy modification suggestions
