Check Point Certified Security Expert Exam Set 3

What utility would you use to configure route-based VPNs?


Options are :

  • vpn set_slim_server
  • vpn shell (Correct)
  • vpn tu
  • vpn sw_topology

Answer : vpn shell

156-215.75 Check Point Certified Security Administrator Exam Set 5

You have three Gateways in a mesh community. Each gateway’s VPN Domain is their internal network as defined on the Topology tab setting All IP Addresses behind Gateway based on Topology information.

You want to test the route-based VPN, so you created VTIs among the Gateways and created static route entries for the VTIs. However, when you test the VPN, you find out the VPN still go through the regular domain IPsec tunnels instead of the routed VTI tunnels.

What is the problem and how do you make the VPN use the VTI tunnels?


Options are :

  • Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, use an empty group object as each Gateway’s VPN Domain (Correct)
  • Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, remove the Gateways out of the mesh community and replace with a star community
  • Route-based VTI takes precedence over the Domain VPN. Troubleshoot the static route entries to insure that they are correctly pointing to the VTI gateway IP.
  • Route-based VTI takes precedence over the Domain VPN. To make the VPN go through VTI, use dynamic-routing protocol like OSPF or BGP to route the VTI address to the peer instead of static routes

Answer : Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, use an empty group object as each Gateway’s VPN Domain

Which command provides cluster upgrade status?


Options are :

  • cphaprob fcustat (Correct)
  • cphaprob ldstat
  • cphaprob tablestat
  • cphaprob status

Answer : cphaprob fcustat

You need to back up the routing, interface, and DNS configuration information from your R76

Secure Platform Security Gateway. Which backup-and-restore solution do you use?


Options are :

  • Secure Platform back up utilities (Correct)
  • Database Revision Control
  • Manual copies of the directory $FWDIR/conf
  • Commands upgrade_export and upgrade_import

Answer : Secure Platform back up utilities

156-315.65 Check Point Security Administration NGX R65 Exam Set 4

MicroCorp experienced a security appliance failure. (LEDs of all NICs are off.) The age of the unit required that the RMA-unit be a different model. Will a revert to an existing snapshot bring the new unit up and running?


Options are :

  • No. At installation the necessary hardware support is selected. The snapshot saves this state. (Correct)
  • There is no dynamic update at reboot
  • No. The revert will most probably not match to hard disk.
  • Yes. Everything is dynamically updated at reboot

Answer : No. At installation the necessary hardware support is selected. The snapshot saves this state.

Remote clients are using SSL VPN to authenticate via LDAP server to connect to the organization. Which gateway process is responsible for the authentication?


Options are :

  • fwm
  • vpnd
  • cvpnd (Correct)
  • fwd

Answer : cvpnd

Which of the following log files contains only information about the negotiation process for encryption?


Options are :

  • ike.elg (Correct)
  • iked.elg
  • vpn.elg
  • vpnd.elg

Answer : ike.elg

156-315.65 Check Point Security Administration NGX R65 Exam Set 1

In ClusterXL, _______ is defined by default as a critical device.


Options are :

  • Filter (Correct)
  • protect.exe
  • fw.d
  • PROT_SRV.EXE

Answer : Filter

Which components allow you to reset a VPN tunnel?


Options are :

  • SmartView monitor only
  • delete vpn ike sa or vpn shell command (Correct)
  • vpn tunnelutil or delete vpn ike sa command
  • vpn tu command or SmartView monitor

Answer : delete vpn ike sa or vpn shell command

When configuring an LDAP Group object, which option should you select if you do NOT want the gateway to reference the groups defined on the LDAP server for authentication purposes?


Options are :

  • Group Agnostic
  • Only Group in Branch
  • OU Accept and select appropriate domain
  • Only Sub Tree (Correct)

Answer : Only Sub Tree

156-215.77 Check Point Certified Security Administrator Test Set 1

Where do you verify that Smart Directory is enabled?


Options are :

  • Gateway properties> Smart Directory (LDAP) > Use Smart Directory(LDAP) for Security Gateways is checked
  • Global properties > Smart Directory (LDAP) > Use Smart Directory(LDAP) for Security Gateways is checked (Correct)
  • Gateway properties > Authentication> Use Smart Directory(LDAP) for Security Gateways is checked
  • Global properties > Authentication> Use Smart Directory(LDAP) for Security Gateways is checked

Answer : Global properties > Smart Directory (LDAP) > Use Smart Directory(LDAP) for Security Gateways is checked

When defining an Organizational Unit, which of the following are NOT valid object categories?


Options are :

  • Users
  • Domains (Correct)
  • Resources
  • Services

Answer : Domains

In a “zero downtime” scenario, which command do you run manually after all cluster members are upgraded?


Options are :

  • cphaconf set_ccp multicast (Correct)
  • cphaconf set mc_relod
  • cphaconf set clear_subs
  • cphaconf set_ccp broadcast

Answer : cphaconf set_ccp multicast

Check Point Certified Security Expert Exam Set 12

Which type of VPN routing relies on a VPN Tunnel Interface (VTI) to route traffic?


Options are :

  • Subnet-based VPN
  • Host-based VPN
  • Route-based VPN (Correct)
  • Domain-based VPN

Answer : Route-based VPN

Which of the following statements accurately describes the upgrade_export command?


Options are :

  • upgrade export is used when upgrading the Security Gateway, and allows certain files to be included or excluded before exporting.
  • upgrade export stores network-configuration data, objects, global properties, and the database revisions prior to upgrading the Security Management Server.
  • Used primarily when upgrading the Security Management Server, upgrade export stores all object databases and the conf directories for importing to a newer version of the Security Gateway (Correct)
  • Used when upgrading the Security Gateway, upgrade exporting cludes modified files, such as in the directories /lib and /conf.

Answer : Used primarily when upgrading the Security Management Server, upgrade export stores all object databases and the conf directories for importing to a newer version of the Security Gateway

How does Check Point recommend that you secure the sync interface between gateways?


Options are :

  • Encrypt all sync traffic between cluster members
  • Configure the sync network to operate within the DMZ.
  • Use a dedicated sync network (Correct)
  • Secure each sync interface in a cluster with Endpoint

Answer : Use a dedicated sync network

Check Point Certified Security Administrator Set 5

What is the most common cause for a Quick mode packet 1 failing with the error “No Proposal Chosen” error?


Options are :

  • There is a network connectivity issue
  • The previously established Permanent Tunnel has failed
  • The encryption strength and hash settings of one peer does not match the other. (Correct)
  • The OS and patch level of one gateway does not match the other.

Answer : The encryption strength and hash settings of one peer does not match the other.

What is the command to show OSPF adjacencies?


Options are :

  • show ospf neighbors (Correct)
  • show ospf interface
  • show ospf summary-address
  • show running-config

Answer : show ospf neighbors

Typically, when you upgrade the Security Management Server, you install and configure a fresh R76 installation on a new computer and then migrate the database from the original machine.

Which of the following statements are TRUE?


Options are :

  • All product databases are included in the migration
  • Both machines must have the same number of interfaces installed and configured before migration can be attempted.
  • The new machine may not have more Check Point products installed than the original Security Management Server
  • The Security Management Server on the new machine must be the same or greater than the version on the original machine (Correct)

Answer : The Security Management Server on the new machine must be the same or greater than the version on the original machine

Check Point Certified Security Administrator Set 4

What is the default port number for standard TCP connections with the LDAP server?


Options are :

  • 398
  • 363
  • 636
  • 389 (Correct)

Answer : 389

Which of the following commands can be used to troubleshoot ClusterXL sync issues?


Options are :

  • fw debug cxl connections > file_name
  • fw ctl -s -t connections > file_name
  • fw tab -s -t connections > file_name (Correct)
  • fw tab -u connections > file_name

Answer : fw tab -s -t connections > file_name

When configuring an LDAP Group object, which option should you select if you want the gateway to reference the groups defined on the LDAP server for authentication purposes?


Options are :

  • Only Sub Tree
  • OU Auth and select Group Name
  • Only Group in Branch (Correct)
  • All Account-Unit's Users

Answer : Only Group in Branch

Check Point Certified Security Administrator Set 2

In Gaia, the operating system can be changed to 32-bit or 64-bit, provided the processor supports 64-bit. What command toggles to 64-bit.


Options are :

  • set bitrate 64
  • set edition default 64
  • set edition default 64-bit
  • configure edition 64-bit (Correct)

Answer : configure edition 64-bit

At what router prompt would you save your OSPF configuration?


Options are :

  • localhost.localdomain# (Correct)
  • localhost.localdomain(config)#
  • localhost.localdomain(config-if)#
  • localhost.localdomain(config-router-ospf)#

Answer : localhost.localdomain#

Your primary Security Management Server runs on GAiA. What is the easiest way to back up

your Security Gateway R76 configuration, including routing and network configuration files?


Options are :

  • Using the native GAiA backup utility from command line or in the Web-based user interface (Correct)
  • Copying the directories $FWDIR/conf and $FWDIR/lib to another location
  • Using the command upgrade_export.
  • Run the command pre_upgrade verifier and save the file *.tgz to the directory c:/temp.

Answer : Using the native GAiA backup utility from command line or in the Web-based user interface

Check Point Certified Security Expert Exam Set 2

In GAiA, if one is unsure about a possible command, what command lists all possible commands.


Options are :

  • show commands (Correct)
  • get all commands
  • show configuration
  • show all |grep commands

Answer : show commands

Which of the following statements is TRUE concerning MEP VPN’s?


Options are :

  • MEP VPN’s are restricted to the location of the gateways
  • MEP Security Gateways cannot be managed by separate Management Servers.
  • State synchronization between Security Gateways is NOT required. (Correct)
  • The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first connection fail.

Answer : State synchronization between Security Gateways is NOT required.

When restoring R76 using the command upgrade_import, which of the following items are NOT restored?


Options are :

  • Licenses
  • Route tables (Correct)
  • Global properties
  • SIC Certificates

Answer : Route tables

156-315.77 Check Point Certified Security Expert Exam Set 9

Which of the following statements is TRUE concerning MEP VPN’s?


Options are :

  • MEP Security Gateways can be managed by separate Management Servers (Correct)
  • The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first connection fail.
  • State synchronization between Security Gateways is required.
  • MEP VPN’s are restricted to the location of the gateways

Answer : MEP Security Gateways can be managed by separate Management Servers

Which of the following commands can provide the most complete restore of an R76 configuration?


Options are :

  • upgrade_import (Correct)
  • cpinfo -recover
  • cpconfig
  • fwm dbimport -p

Answer : upgrade_import

Comment / Suggestion Section
Point our Mistakes and Post Your Suggestions