Check Point Certified Security Expert Exam Set 8

Fill in the blank.

MultiCorp is located in Atlanta. It has branch offices in Europe, Asia, and Africa. Each location has its own AD controller for local user login. How many AD queries have to be configured?


Options are :

  • 5
  • 8
  • 6
  • 4 (Correct)

Answer : 4

Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs cannot be assigned a proxy interface
  • VTIs are only supported on SecurePlatform
  • Local IP addresses are not configured, remote IP addresses are configured
  • VTI specific additional local and remote IP addresses are not configured (Correct)

Answer : VTI specific additional local and remote IP addresses are not configured

Which two processes are responsible for handling Identity Awareness?


Options are :

  • pep and lad
  • pdp and pep (Correct)
  • pdp and pdp-11
  • pdp and lad

Answer : pdp and pep

In the following cluster configuration, if you reboot sglondon_1, which device will be active when sglondon_1 is back up and running? Why?


Options are :

  • sglondon_2 because sglondon_1 has highest IP.
  • sglondon_1 because it is the first configured object with the lowest IP.
  • sglondon_1, because it is up again, sglondon_2 took over during reboot
  • sglondon_2 because it has highest priority. (Correct)

Answer : sglondon_2 because it has highest priority.

Security server configuration settings are stored in _____.


Options are :

  • $FWDIR/conf/Fwauth.c
  • $FWDIR/conf/fwauthd.conf (Correct)
  • $FWDIR/conf/fwopsec.conf
  • $FWDIR/conf/AMT.conf

Answer : $FWDIR/conf/fwauthd.conf

Paul has just joined the MegaCorp security administration team. Natalie, the administrator, creates a new administrator account for Paul in SmartDashboard and installs the policy. When Paul tries to login it fails. How can Natalie verify whether Paul's IP address is predefined on the security management server?


Options are :

  • Login to Smart Dashboard, access Properties of the SMS, and verify whether Paul's IP address is listed.
  • Type cpconfig on the Management Server and select the option "GUI client List" to see if Paul's IP address is listed (Correct)
  • Login in to Smart Dashboard, access Global Properties, and select Security Management, to verify whether Paul's IP address is listed.
  • Access the WEBUI on the Security Gateway, and verify whether Paul's IP address is listed as a GUI client.

Answer : Type cpconfig on the Management Server and select the option "GUI client List" to see if Paul's IP address is listed

There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:


Options are :

  • Use links based on Day/Time.
  • Assign links to use Dynamic DNS.
  • Use Load Sharing to distribute VPN traffic (Correct)
  • Use links based on authentication method.

Answer : Use Load Sharing to distribute VPN traffic

MegaCorp is running Smartcenter R70, some Gateways at R65 and some other Gateways with R60. Management wants to upgrade to the most comprehensive IPv6 support. What should the administrator do first?


Options are :

  • Upgrade every unit directly to R77
  • Check the ReleaseNotes to verify that every step is supported (Correct)
  • Upgrade Smartcenter to R77 first
  • Upgrade R60-Gateways to R65

Answer : Check the ReleaseNotes to verify that every step is supported

Fill in the blanks.

To view the number of concurrent connections going through your firewall, you would use the command and syntax _____ _____ _____ _____ _____.


Options are :

  • fw tab -t connections -u
  • fw tab -t connections -s (Correct)
  • fw tab -t connections
  • fw tab -s -t connections

Answer : fw tab -t connections -s

The "MAC Magic" value must be modified under the following condition


Options are :

  • A firewall cluster is configured to use Multicast for CCP traffic
  • There are more than two members in a firewall cluster (Correct)
  • There is more than one cluster connected to the same VLAN
  • A firewall cluster is configured to use Broadcast for CCP traffic

Answer : There are more than two members in a firewall cluster

The process that performs the authentication for SSL VPN Users is:


Options are :

  • cvpnd (Correct)
  • vpnd
  • fwm
  • cpd

Answer : cvpnd

Where do you define NAT properties so that NAT is performed either client side or server side? In SmartDashboard under:


Options are :

  • Global Properties > NAT definition (Correct)
  • Gateway Setting
  • NAT Rules
  • Implied Rules

Answer : Global Properties > NAT definition

Which of the following is TRUE concerning numbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs cannot share IP addresses
  • VTIs can use an already existing physical-interface IP address
  • VTIs are assigned only local addresses, not remote addresses
  • VTIs are supported on SecurePlatform Pro (Correct)

Answer : VTIs are supported on SecurePlatform Pro

When configuring an LDAP Group object, select option _____ if you want the gateway to reference a specific group defined on the LDAP server for authentication purposes.


Options are :

  • Only Sub Tree (Correct)
  • Group Agnostic
  • All Account-Unit's Users
  • Only Group in Branch

Answer : Only Sub Tree

What type of object may be explicitly defined as a MEP VPN?


Options are :

  • Any VPN Community
  • Star VPN Community (Correct)
  • Remote Access VPN Community
  • Mesh VPN Community

Answer : Star VPN Community

What is used to validate a digital certificate?


Options are :

  • CRL (Correct)
  • PKCS
  • IPsec
  • S/MIME

Answer : CRL

Which of the following access options would you NOT use when configuring Captive Portal?


Options are :

  • Through the Firewall policy
  • From the Internet (Correct)
  • Through internal interfaces
  • Through all interfaces

Answer : From the Internet

If you need strong protection for the encryption of user data, what option would be the BEST choice?


Options are :

  • When you need strong encryption, IPsec is not the best choice. SSL VPNs are a better choice
  • Use Diffie-Hellman for key construction and pre-shared keys for Quick Mode. Choose SHA in Quick Mode and encrypt with AES. Use AH protocol. Switch to Aggressive Mode.
  • Disable Diffie-Hellman by using stronger certificate based key-derivation. Use AES-256 bit on all encrypted channels and add PFS to QuickMode. Use double encryption by implementing AH and ESP as protocols
  • Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and use ESP protocol. (Correct)

Answer : Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and use ESP protocol.

When configuring an LDAP Group object, select the option _____ if you want the gateway to reference all groups defined on the LDAP server for authentication purposes.


Options are :

  • Only Sub Tree
  • All Account-Unit's Users (Correct)
  • Only Group in Branch
  • OU Accept and select appropriate domain

Answer : All Account-Unit's Users

There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:


Options are :

  • Assign links to use Dynamic DNS.
  • Assign links to specific VPN communities.
  • Set up links for Remote Access (Correct)
  • Use links based on Day/Time

Answer : Set up links for Remote Access

Which is NOT a method through which Identity Awareness receives its identities?


Options are :

  • Captive Portal
  • AD Query
  • Identity Agent
  • Group Policy (Correct)

Answer : Group Policy

You want VPN traffic to match packets from internal interfaces. You also want the traffic to exit the Security Gateway bound for all site-to-site VPN Communities, including Remote Access Communities. How should you configure the VPN match rule?


Options are :

  • Communities > Communities
  • internal_clear > All_GwToGw
  • internal_clear > All_communities (Correct)
  • Internal_clear > External_Clear

Answer : internal_clear > All_communities

You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first?


Options are :

  • Create a new logical-server object to represent your partner's CA.
  • Manually import your partner's Access Control List.
  • Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA). (Correct)
  • Manually import your partner's Certificate Revocation List.

Answer : Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA).

When using Captive Portal to send unidentified users to a Web portal for authentication, which of the following is NOT a recommended use for this method?


Options are :

  • For deployment of Identity Agents
  • Basic identity enforcement in the internal network (Correct)
  • Identity-based enforcement for non-AD users (non-Windows and guest users)
  • Leveraging identity in Internet application control

Answer : Basic identity enforcement in the internal network

Which statement defines Public Key Infrastructure? Security is provided:


Options are :

  • via both private and public keys, without the use of digital Certificates
  • by authentication.
  • by Certificate Authorities, digital certificates, and two-way symmetric-key encryption.
  • by Certificate Authorities, digital certificates, and public key encryption (Correct)

Answer : by Certificate Authorities, digital certificates, and public key encryption

Control connections between the Security Management Server and the Gateway are not encrypted by the VPN Community. How are these connections secured?


Options are :

  • They are secured by PPTP
  • They are encrypted and authenticated using SIC. (Correct)
  • They are not encrypted, but are authenticated by the Gateway
  • They are not secured.

Answer : They are encrypted and authenticated using SIC.

Your organization maintains several IKE VPNs. Executives in your organization want to know which mechanism Security Gateway R77 uses to guarantee the authenticity and integrity of messages. Which technology should you explain to the executives?


Options are :

  • Application Intelligence
  • Key-exchange protocols
  • Certificate Revocation Lists
  • Digital signatures (Correct)

Answer : Digital signatures

What is the proper CLISH syntax to configure a default route via 192.168.255.1 in GAiA?


Options are :

  • set static-route 192.168.255.0/24 nexthop gateway logical ethl on
  • set static-route 192.168.255.0/24 nexthop gateway address 192.168.255.1 priority 1 on
  • set static-route nexthop default gateway logical 192.168.255.1 priority 1 on
  • set static-route default nexthop gateway address 192.168.255.1 priority 1 on (Correct)

Answer : set static-route default nexthop gateway address 192.168.255.1 priority 1 on

Identity Agent is a lightweight endpoint agent that authenticates securely with Single Sign-On (SSO). Which of the following is NOT a recommended use for this method?


Options are :

  • When accuracy in detecting identity is crucial
  • Protecting highly sensitive servers
  • Leveraging machine name or identity
  • Identity based enforcement for non-AD users (non-Windows and guest users) (Correct)

Answer : Identity based enforcement for non-AD users (non-Windows and guest users)

Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?


Options are :

  • VTIs must be assigned a proxy interface. (Correct)
  • VTIs can only be physical, not loopback.
  • VTIs are only supported on SecurePlatform
  • Local IP addresses are not configured, remote IP addresses are configured

Answer : VTIs must be assigned a proxy interface.
