Check Point Certified Security Administrator Set 1

Which of the following is NOT true for Clientless VPN?


Options are :

  • User Authentication is supported.
  • The Gateway accepts any encryption method that is proposed by the client and supported in the VPN.
  • Secure communication is provided between clients and servers that support HTTP. (Correct)
  • The Gateway can enforce the use of strong encryption.

Answer : Secure communication is provided between clients and servers that support HTTP.

You run cpconfig to reset SIC on the Security Gateway. After the SIC reset operation is complete, the policy that will be installed is the:


Options are :

  • Initial policy. (Correct)
  • Default filter.
  • Last policy that was installed.
  • Standard policy.

Answer : Initial policy.

Which of the following actions do NOT take place in IKE Phase 1?


Options are :

  • Peers agree on encryption method.
  • Peers agree on integrity method.
  • Diffie-Hellman key is combined with the key material to produce the symmetrical IPsec key. (Correct)
  • Each side generates a session key from its private key and the peer’s public key.

Answer : Diffie-Hellman key is combined with the key material to produce the symmetrical IPsec key.

How many packets are required for IKE Phase 2?


Options are :

  • 12
  • 3 (Correct)
  • 6
  • 2

Answer : 3

With the User Directory Software Blade, you can create R77 user definitions on a(n) _________ Server.


Options are :

  • SecureID
  • Radius
  • LDAP (Correct)
  • NT Domain

Answer : LDAP

You would use the Hide Rule feature to:


Options are :

  • View only a few rules without the distraction of others. (Correct)
  • Make rules invisible to incoming packets.
  • Hide rules from a SYN/ACK attack.
  • Hide rules from read-only administrators.

Answer : View only a few rules without the distraction of others.

Although SIC was already established and running, Joe reset SIC between the Security Management Server and a remote Gateway. He set a new activation key on the Gateway’s side with the command cpconfig and put in the same activation key in the Gateway’s object on the Security Management Server. Unfortunately, SIC cannot be established. What is a possible reason for the problem?


Options are :

  • The installed policy blocks the communication.
  • Joe forgot to reboot the Gateway.
  • The old Gateway object should have been deleted and recreated.
  • Joe forgot to exit from cpconfig. (Correct)

Answer : Joe forgot to exit from cpconfig.

You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first?


Options are :

  • Manually import your partner’s Access Control List.
  • Manually import your partner’s Certificate Revocation List.
  • Exchange exported CA keys and use them to create a new server object to represent your partner’s Certificate Authority (CA). (Correct)
  • Create a new logical-server object to represent your partner’s CA.

Answer : Exchange exported CA keys and use them to create a new server object to represent your partner’s Certificate Authority (CA).

As a Security Administrator, you must refresh the Client Authentication authorization time-out every time a new user connection is authorized. How do you do this? Enable the Refreshable Timeout setting:


Options are :

  • in the user object's Authentication screen.
  • in the Gateway object's Authentication screen.
  • in the Limit tab of the Client Authentication Action Properties screen. (Correct)
  • in the Global Properties Authentication screen.

Answer : in the Limit tab of the Client Authentication Action Properties screen.

Which type of R77 Security Server does not provide User Authentication?


Options are :

  • HTTPS Security Server
  • HTTP Security Server
  • FTP Security Server
  • SMTP Security Server (Correct)

Answer : SMTP Security Server

All R77 Security Servers can perform authentication with the exception of one. Which of the Security Servers can NOT perform authentication?


Options are :

  • SMTP (Correct)
  • RLOGIN
  • HTTP
  • FTP

Answer : SMTP

When configuring anti-spoofing on the Security Gateway object interfaces, which of the following is NOT a valid R77 topology configuration?


Options are :

  • Specific
  • Any (Correct)
  • External
  • Not Defined

Answer : Any

Which authentication type permits five different sign-on methods in the authentication properties window?


Options are :

  • User Authentication
  • Manual Authentication
  • Session Authentication
  • Client Authentication (Correct)

Answer : Client Authentication

You are a Security Administrator using one Security Management Server managing three different firewalls. One firewall does NOT show up in the dialog box when attempting to install a Security Policy. Which of the following is a possible cause?


Options are :

  • The license for this specific firewall has expired.
  • The firewall is not listed in the Policy Installation Targets screen for this policy package. (Correct)
  • The firewall object has been created but SIC has not yet been established.
  • The firewall has failed to sync with the Security Management Server for 60 minutes.

Answer : The firewall is not listed in the Policy Installation Targets screen for this policy package.

Which do you configure to give remote access VPN users a local IP address?


Options are :

  • Office mode IP pool (Correct)
  • Authentication pool
  • NAT pool
  • Encryption domain pool

Answer : Office mode IP pool

A Security Policy installed by another Security Administrator has blocked all SmartDashboard connections to the stand-alone installation of R77. After running the command fw unloadlocal, you are able to reconnect with SmartDashboard and view all changes. Which of the following changes is the most likely cause of the block?


Options are :

  • The Allow Control Connections setting in Policy > Global Properties has been unchecked. (Correct)
  • A Stealth Rule has been configured for the R77 Gateway.
  • The Gateway Object representing your Gateway was configured as an Externally Managed VPN Gateway.
  • The Security Policy installed to the Gateway had no rules in it.

Answer : The Allow Control Connections setting in Policy > Global Properties has been unchecked.

Which of the following is a viable consideration when determining Rule Base order?


Options are :

  • Grouping authentication rules with address-translation rules
  • Grouping rules by date of creation
  • Grouping reject and drop rules after the Cleanup Rule
  • Grouping functionally related rules together (Correct)

Answer : Grouping functionally related rules together

Which of the below is the MOST correct process to reset SIC from SmartDashboard?


Options are :

  • Run cpconfig, and click Reset.
  • Click Communication > Reset on the Gateway object, and type a new activation key.
  • Click the Communication button for the firewall object, then click Reset. Run cpconfig and type a new activation key. (Correct)
  • Run cpconfig, and select Secure Internal Communication > Change One Time Password.

Answer : Click the Communication button for the firewall object, then click Reset. Run cpconfig and type a new activation key.

Security Gateway R77 supports User Authentication for which of the following services? Select the response below that contains the MOST correct list of supported services.


Options are :

  • SMTP, FTP, HTTP, TELNET
  • FTP, TELNET
  • SMTP, FTP, TELNET
  • FTP, HTTP, TELNET (Correct)

Answer : FTP, HTTP, TELNET

Your company has two headquarters, one in London, and one in New York. Each office includes several branch offices. The branch offices need to communicate with the headquarters in their country, not with each other, and only the headquarters need to communicate directly. What is the BEST configuration for establishing VPN Communities for this company? VPN Communities comprised of:


Options are :

  • Two star and one mesh Community: One star Community is set up for each site, with headquarters as the Community center, and its branches as satellites. The mesh Community includes only New York and London Gateways. (Correct)
  • One star Community with the option to mesh the center of the star: New York and London Gateways added to the center of the star with the mesh center Gateways option checked; all London branch offices defined in one satellite window, but, all New York branch offices defined in another satellite window.
  • Two mesh and one star Community: One mesh Community is set up for each of the headquarters and its branch offices. The star Community is configured with London as the center of the Community and New York is the satellite.
  • Three mesh Communities: One for London headquarters and its branches, one for New York headquarters and its branches, and one for London and New York headquarters.

Answer : Two star and one mesh Community: One star Community is set up for each site, with headquarters as the Community center, and its branches as satellites. The mesh Community includes only New York and London Gateways.

Which of these attributes would be critical for a site-to-site VPN?


Options are :

  • Scalability to accommodate user groups
  • Centralized management
  • Strong authentication
  • Strong data encryption (Correct)

Answer : Strong data encryption

A client has created a new Gateway object that will be managed at a remote location. When the client attempts to install the Security Policy to the new Gateway object, the object does not appear in the Install On check box. What should you look for?


Options are :

  • Secure Internal Communications (SIC) not configured for the object.
  • A Gateway object created using the Check Point > Externally Managed VPN Gateway option from the Network Objects dialog box.
  • Anti-spoofing not configured on the interfaces on the Gateway object.
  • A Gateway object created using the Check Point > Security Gateway option in the network objects, dialog box, but still needs to configure the interfaces for the Security Gateway object. (Correct)

Answer : A Gateway object created using the Check Point > Security Gateway option in the network objects, dialog box, but still needs to configure the interfaces for the Security Gateway object.

Choose the BEST sequence for configuring user management in SmartDashboard, using an LDAP server.


Options are :

  • Enable User Directory in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit. (Correct)
  • Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object.
  • Configure a server object for the LDAP Account Unit, and create an LDAP resource object.
  • Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties.

Answer : Enable User Directory in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit.

Which statement below describes the most correct strategy for implementing a Rule Base?


Options are :

  • Place the most frequently used rules at the top of the Policy and the ones that are not frequently used further down. (Correct)
  • Place a network-traffic rule above the administrator access rule.
  • Limit grouping to rules regarding specific access.
  • Add the Stealth Rule before the last rule.

Answer : Place the most frequently used rules at the top of the Policy and the ones that are not frequently used further down.

The SIC certificate is stored in the directory _______________.


Options are :

  • $FWDIR/database
  • $CPDIR/conf (Correct)
  • $CPDIR/registry
  • $FWDIR/conf

Answer : $CPDIR/conf

The technical-support department has a requirement to access an intranet server. When configuring a User Authentication rule to achieve this, which of the following should you remember?


Options are :

  • You can limit the authentication attempts in the User Properties’ Authentication tab.
  • You can only use the rule for Telnet, FTP, SMTP, and rlogin services.
  • Once a user is first authenticated, the user will not be prompted for authentication again until logging out.
  • The Security Gateway first checks if there is any rule that does not require authentication for this type of connection before invoking the Authentication Security Server. (Correct)

Answer : The Security Gateway first checks if there is any rule that does not require authentication for this type of connection before invoking the Authentication Security Server.

Which Client Authentication sign-on method requires the user to first authenticate via the User Authentication mechanism, when logging in to a remote server with Telnet?


Options are :

  • Agent Automatic Sign On
  • Manual Sign On
  • Standard Sign On
  • Partially Automatic Sign On (Correct)

Answer : Partially Automatic Sign On

Your company’s Security Policy forces users to authenticate to the Gateway explicitly, before they can use any services. The Gateway does not allow the Telnet service to itself from any location. How would you configure authentication on the Gateway? With a:


Options are :

  • Client Authentication rule, using partially automatic sign on
  • Client Authentication for fully automatic sign on
  • Client Authentication rule using the manual sign-on method, using HTTP on port 900 (Correct)
  • Session Authentication rule

Answer : Client Authentication rule using the manual sign-on method, using HTTP on port 900

The User Directory Software Blade is used to integrate which of the following with Security Gateway R77?


Options are :

  • UserAuthority server
  • Account Management Client server
  • LDAP server (Correct)
  • RADIUS server

Answer : LDAP server

Which SmartConsole component can Administrators use to track changes to the Rule Base?


Options are :

  • SmartReporter
  • SmartView Tracker (Correct)
  • WebUI
  • SmartView Monitor

Answer : SmartView Tracker
