Check Point Certified Security Administrator Set 2

Which of the following allows administrators to allow or deny traffic to or from a specific network based on the user’s credentials?


Options are :

  • Access Policy
  • Access Rule
  • Access Role (Correct)
  • Access Certificate

Answer : Access Role

You are conducting a security audit. While reviewing configuration files and logs, you notice logs accepting POP3 traffic, but you do not see a rule allowing POP3 traffic in the Rule Base. Which of the following is the most likely cause?


Options are :

  • The POP3 rule is disabled.
  • POP3 is accepted in Global Properties.
  • The POP3 rule is hidden. (Correct)
  • POP3 is one of 3 services (POP3, IMAP, and SMTP) accepted by the default mail object in R77.

Answer : The POP3 rule is hidden.

Identify the ports to which the Client Authentication daemon listens by default.


Options are :

  • 8080, 529
  • 80, 256
  • 256, 600
  • 259, 900 (Correct)

Answer : 259, 900

Why are certificates preferred over pre-shared keys in an IPsec VPN?


Options are :

  • Weak performance: PSK takes more time to encrypt than Diffie-Hellman.
  • Weak Security: PSK are static and can be brute-forced. (Correct)
  • Weak scalability: PSKs need to be set on each and every Gateway.
  • Weak security: PSKs can only have 112 bit length.

Answer : Weak Security: PSK are static and can be brute-forced.

When using an encryption algorithm, which is generally considered the best encryption method?


Options are :

  • Triple DES
  • AES-256 (Correct)
  • CAST cipher
  • DES

Answer : AES-256

You are about to integrate RSA SecurID users into the Check Point infrastructure. What kind of users are to be defined via SmartDashboard?


Options are :

  • LDAP Account Unit Group
  • All users
  • Internal user Group
  • A group with generic user (Correct)

Answer : A group with generic user

John is the Security Administrator in his company. He installs a new R77 Security Management Server and a new R77 Gateway. He now wants to establish SIC between them. After entering the activation key, he gets the following message in SmartDashboard - “Trust established?” SIC still does not seem to work because the policy won’t install and interface fetching does not work. What might be a reason for this?


Options are :

  • This must be a human error.
  • The Gateway’s time is several days or weeks in the future and the SIC certificate is not yet valid. (Correct)
  • SIC does not function over the network.
  • It always works when the trust is established

Answer : The Gateway’s time is several days or weeks in the future and the SIC certificate is not yet valid.

UDP packets are delivered if they are ___________.


Options are :

  • bypassing the kernel by the forwarding layer of ClusterXL
  • referenced in the SAM related dynamic tables
  • a valid response to an allowed request on the inverse UDP ports and IP (Correct)
  • a stateful ACK to a valid SYN-SYN/ACK on the inverse UDP ports and IP

Answer : a valid response to an allowed request on the inverse UDP ports and IP

You cannot use SmartDashboard’s User Directory features to connect to the LDAP server. What should you investigate?

1) Verify you have read-only permissions as administrator for the operating system.

2) Verify there are no restrictions blocking SmartDashboard's User Manager from connecting to the LDAP server.

3) Check that the login Distinguished Name configured has root permission (or at least write permission Administrative access) in the LDAP Server's access control configuration.


Options are :

  • 1 and 3
  • 1, 2, and 3
  • 2 and 3 (Correct)
  • 1 and 2

Answer : 2 and 3

Your manager requires you to set up a VPN to a new business partner site. The administrator from the partner site gives you his VPN settings and you notice that he set up AES 128 for IKE phase 1 and AES 256 for IKE phase 2. Why is this a problematic setup?


Options are :

  • All is fine and can be used as is.
  • Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase 2 only costs performance and does not add security due to a shorter key in phase 1. (Correct)
  • The two algorithms do not have the same key length and so don’t work together. You will get the error …. No proposal chosen….
  • All is fine as the longest key length has been chosen for encrypting the data and a shorter key length for higher performance for setting up the tunnel.

Answer : Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase 2 only costs performance and does not add security due to a shorter key in phase 1.

Identity Awareness is implemented to manage access to protected resources based on a user’s _____________.


Options are :

  • Application requirement
  • Time of connection
  • Identity (Correct)
  • Computer MAC address

Answer : Identity

Your company has two headquarters, one in London, one in New York. Each of the headquarters includes several branch offices. The branch offices only need to communicate with the headquarters in their country, not with each other, and the headquarters need to communicate directly. What is the BEST configuration for establishing VPN Communities among the branch offices and their headquarters, and between the two headquarters? VPN Communities comprised of:


Options are :

  • One star Community with the option to mesh the center of the star: New York and London Gateways added to the center of the star with the “mesh center Gateways” option checked; all London branch offices defined in one satellite window; but, all New York branch offices defined in another satellite window.
  • Two mesh and one star Community: Each mesh Community is set up for each site between headquarters and their branches. The star Community has New York as the center and London as its satellite.
  • Two star communities and one mesh: A star community for each city with headquarters as center, and branches as satellites. Then one mesh community for the two headquarters. (Correct)
  • Three mesh Communities: one for London headquarters and its branches; one for New York headquarters and its branches; and one for London and New York headquarters.

Answer : Two star communities and one mesh: A star community for each city with headquarters as center, and branches as satellites. Then one mesh community for the two headquarters.

The INSPECT engine inserts itself into the kernel between which two OSI model layers?


Options are :

  • Physical and Data
  • Datalink and Network (Correct)
  • Presentation and Application
  • Session and Transport

Answer : Datalink and Network

Your shipping company uses a custom application to update the shipping distribution database. The custom application includes a service used only to notify remote sites that the distribution database is malfunctioning. The perimeter Security Gateway’s Rule Base includes a rule to accept this traffic. Since you are responsible for multiple sites, you want notification by a text message to your cellular phone, whenever traffic is accepted on this rule. Which of the following would work BEST for your purpose?


Options are :

  • SmartView Monitor Threshold
  • SNMP trap
  • User-defined alert script (Correct)
  • Logging implied rules

Answer : User-defined alert script

Certificates for Security Gateways are created during a simple initialization from _____________.


Options are :

  • SmartDashboard (Correct)
  • sysconfig
  • SmartUpdate
  • The ICA management tool

Answer : SmartDashboard

If you are experiencing LDAP issues, which of the following should you check?


Options are :

  • Connectivity between the R77 Gateway and LDAP server (Correct)
  • Overlapping VPN Domains
  • Secure Internal Communications (SIC)
  • Domain name resolution

Answer : Connectivity between the R77 Gateway and LDAP server

Which of the following are authentication methods that Security Gateway R77 uses to validate connection attempts? Select the response below that includes the MOST complete list of valid authentication methods.


Options are :

  • User, Client, Session (Correct)
  • Connection, User, Client
  • User, Proxied, Session
  • Proxied, User, Dynamic, Session

Answer : User, Client, Session

What is the Manual Client Authentication TELNET port?


Options are :

  • 259 (Correct)
  • 900
  • 264
  • 23

Answer : 259

Your company is still using traditional mode VPN configuration on all Gateways and policies. Your manager now requires you to migrate to a simplified VPN policy to benefit from the new features. This needs to be done with no downtime due to critical applications which must run constantly. How would you start such a migration?


Options are :

  • This cannot be done as it requires a SIC reset on the Gateways first, forcing an outage.
  • This cannot be done without downtime as a VPN between a traditional mode Gateway and a simplified mode Gateway does not work.
  • Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway. (Correct)
  • You first need to completely rewrite all policies in simplified mode and then push this new policy to all Gateways at the same time.

Answer : Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway.

Which Security Gateway R77 configuration setting forces the Client Authentication authorization time-out to refresh, each time a new user is authenticated? The:


Options are :

  • Time properties, adjusted on the user objects for each user, in the Client Authentication rule Source.
  • IPS > Application Intelligence > Client Authentication > Refresh User Timeout option enabled.
  • Global Properties > Authentication parameters, adjusted to allow for Regular Client Refreshment.
  • Refreshable Timeout setting, in Client Authentication Action Properties > Limits. (Correct)

Answer : Refreshable Timeout setting, in Client Authentication Action Properties > Limits.

Jennifer McHanry is CEO of ACME. She recently bought her own personal iPad. She wants to use her iPad to access the internal Finance Web server. Because the iPad is not a member of the Active Directory domain, she cannot identify seamlessly with AD Query. However, she can enter her AD credentials in the Captive Portal and then get the same access as on her office computer. Her access to resources is based on rules in the R77 Firewall Rule Base.

To make this scenario work, the IT administrator must:

1) Enable Identity Awareness on a gateway and select Captive Portal as one of the Identity Sources.

2) In the Portal Settings window in the User Access section, make sure that Name and password login is selected.

3) Create a new rule in the Firewall Rule Base to let Jennifer McHanry access network destinations. Select accept as the Action.

4) Install policy.

Ms. McHanry tries to access the resource but is unable. What should she do?


Options are :

  • Have the security administrator reboot the firewall
  • Have the security administrator select the Action field of the Firewall Rule “Redirect HTTP connections to an authentication (captive) portal” (Correct)
  • Install the Identity Awareness agent on her iPad
  • Have the security administrator select Any for the Machines tab in the appropriate Access Role

Answer : Have the security administrator select the Action field of the Firewall Rule “Redirect HTTP connections to an authentication (captive) portal”

What mechanism does a gateway configured with Identity Awareness and LDAP initially use to communicate with a Windows 2003 or 2008 server?


Options are :

  • WMI (Correct)
  • RCP
  • LDAP
  • CIFS

Answer : WMI

Which of the following statements accurately describes the command upgrade_export?


Options are :

  • upgrade_export is used when upgrading the Security Gateway, and allows certain files to be included or excluded before exporting.
  • This command is no longer supported in GAiA.
  • upgrade_export stores network-configuration data, objects, global properties, and the database revisions prior to upgrading the Security Management Server.
  • Used primarily when upgrading the Security Management Server, upgrade_export stores all object databases and the /conf directories for importing to a newer Security Gateway version. (Correct)

Answer : Used primarily when upgrading the Security Management Server, upgrade_export stores all object databases and the /conf directories for importing to a newer Security Gateway version.

When using LDAP as an authentication method for Identity Awareness, the query:


Options are :

  • Requires administrators to specifically allow LDAP traffic to and from the LDAP Server and the Security Gateway.
  • Requires client and server side software.
  • Is transparent, requiring no client or server side software, or client intervention. (Correct)
  • Prompts the user to enter credentials.

Answer : Is transparent, requiring no client or server side software, or client intervention.

Identify the correct step performed by SmartUpdate to upgrade a remote Security Gateway. After selecting Packages > Distribute and Install Selected Package and choosing the target Gateway, the:


Options are :

  • selected package is copied from the SmartUpdate PC CD-ROM directly to the Security Gateway and the installation IS performed.
  • selected package is copied from the Package Repository on the Security Management Server to the Security Gateway but the installation IS NOT performed.
  • selected package is copied from the Package Repository on the Security Management Server to the Security Gateway and the installation IS performed. (Correct)
  • SmartUpdate wizard walks the Administrator through a distributed installation.

Answer : selected package is copied from the Package Repository on the Security Management Server to the Security Gateway and the installation IS performed.

John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop which is assigned an IP address 10.0.0.19 via DHCP. John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop. He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator:

1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources, and installs the policy.

2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web Server from any machine and from any location.

John plugged in his laptop to the network on a different network segment and he is not able to connect. How does he solve this problem?


Options are :

  • Investigate this as a network connectivity issue
  • The firewall admin should install the Security Policy (Correct)
  • John should install the Identity Awareness Agent
  • John should lock and unlock the computer

Answer : The firewall admin should install the Security Policy

What is the primary benefit of using the command upgrade_export over either backup or snapshot?


Options are :

  • upgrade_export will back up routing tables, hosts files, and manual ARP configurations, where backup and snapshot will not.
  • upgrade_export is operating system independent and can be used when backup or snapshot is not available. (Correct)
  • upgrade_export has an option to back up the system and SmartView Tracker logs while backup and snapshot will not.
  • The commands backup and snapshot can take a long time to run whereas upgrade_export will take a much shorter amount of time.

Answer : upgrade_export is operating system independent and can be used when backup or snapshot is not available.

A Cleanup rule:


Options are :

  • logs connections that would otherwise be accepted without logging by default.
  • drops packets without logging connections that would otherwise be accepted and logged by default.
  • drops packets without logging connections that would otherwise be dropped and logged by default.
  • logs connections that would otherwise be dropped without logging by default. (Correct)

Answer : logs connections that would otherwise be dropped without logging by default.

What is the purpose of a Stealth Rule?


Options are :

  • To permit implied rules.
  • To drop all traffic to the management server that is not explicitly permitted.
  • To permit management traffic.
  • To prevent users from connecting directly to the gateway. (Correct)

Answer : To prevent users from connecting directly to the gateway.

In a distributed management environment, the administrator has removed the default check from Accept Control Connections under the Policy > Global Properties > FireWall tab. In order for the Security Management Server to install a policy to the Firewall, an explicit rule must be created to allow the server to communicate to the Security Gateway on port ______.


Options are :

  • 256 (Correct)
  • 259
  • 900
  • 80

Answer : 256
