156-115 Check Point Certified Security Master Practice Exam Set 7

In Wire Mode, if a packet reaches the gateway from a trusted source and is destined to a trusted destination, will the firewall do stateful inspection?


Options are :

  • No (Correct)
  • Yes, but only if SecureXL is disabled.
  • Yes, the Firewall always performs stateful inspection.
  • No, but IPS inspection will still be enforced.

Answer : No

A new packet has arrived at a firewall's interface. The packet was compared with the connection table and there is no match. What process does the firewall start for that connection?


Options are :

  • The new packet represents a new flow and requires a new connection table entry.
  • The packet will be rejected by the kernel firewall.
  • The packet will be then forwarded to the outbound interface for handling.
  • The packet will be forwarded to the firewall to apply the Security Policy. (Correct)

Answer : The packet will be forwarded to the firewall to apply the Security Policy.

If you need to use a Domain object in the Rule Base, where should this rule be located?


Options are :

  • The last rule before the clean up rule. (Correct)
  • The first rule in the Rule Base.
  • The last rule after the clean up rule.
  • No higher than the 2nd rule.

Answer : The last rule before the clean up rule.

Why would you choose to combine dynamic routing protocols and VPNs?


Options are :

  • All options listed. (Correct)
  • Dynamic-routing information can propagate over the VPN, utilizing the VPN as just another point-to-point link in the network.
  • The VPN device can be automatically updated with network changes on any VPN peer Gateway without the need to update the VPN Domain's configuration.
  • In the case of one tunnel failure, other tunnels may be used to route the traffic

Answer : All options listed.

What happens to manual changes in the file $FWDIR/conf/local.arp when adding Proxy ARP entries through the GAiA portal or Clish?


Options are :

  • They are merged with the new entries added from the GAiA Portal / Clish.
  • They are overwritten. (Correct)
  • If the file $FWDIR/conf/local.arp has been edited manually, you are not able to add Proxy ARP entries through the GAiA portal or Clish.
  • Nothing.

Answer : They are overwritten.

When are rules that include Identity Awareness Access (IDA) roles accelerated through SecureXL?


Options are :

  • Always, the inclusion of an IDA role guarantees the connection for the rule is accelerated.
  • The inclusion of an IDA role has no bearing on whether the connection for the rule is accelerated. (Correct)
  • Never, the inclusion of an IDA role disables SecureXL.
  • Only when “Unauthenticated Guests” is included in the access role.

Answer : The inclusion of an IDA role has no bearing on whether the connection for the rule is accelerated.

In order to prevent outgoing NTP traffic from being hidden behind a Cluster IP you should?


Options are :

  • Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <17, 123> }; and then push policy.
  • Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <123, 17> }; and then push policy. (Correct)
  • Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <123, 17> }.
  • Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <17, 123> };.

Answer : Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <123, 17> }; and then push policy.
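The edit behind the correct answer above, as an added example that is not part of the exam page: a small POSIX shell helper that maintains the no_hide_services_ports set in a table.def. The shipped table.def usually already defines this set (for IKE, NAT-T and similar services), so the NTP pair <123, 17> (port 123, IP protocol 17 = UDP) has to be added to the existing definition rather than as a second line, and the file only takes effect after policy installation from the Management Server. The file below is a constructed fragment, not the real $FWDIR/lib/table.def; the function and demo names are this example's own.

```shell
# Added example, not part of the exam page: maintain the no_hide_services_ports
# set in a table.def so that the given <port, proto> pairs (e.g. <123, 17> for
# NTP over UDP) are not hidden behind the cluster IP. The real file is
# $FWDIR/lib/table.def on the Management Server and the change takes effect
# only after policy installation; the demo below works on a constructed copy.

# set_no_hide_ports FILE '<port, proto>' ... : rewrite the existing definition
# in place, or append one if the file has none (a second definition would be
# a duplicate and fail at policy compilation).
set_no_hide_ports() {
    file=$1; shift
    set_body=""
    for pair in "$@"; do
        set_body="${set_body:+$set_body, }$pair"
    done
    line="no_hide_services_ports = { $set_body };"
    if grep -q '^no_hide_services_ports' "$file"; then
        awk -v newline="$line" \
            '/^no_hide_services_ports/ { print newline; next } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# get_no_hide_ports FILE : print the configured set body, for verification.
get_no_hide_ports() {
    sed -n 's/^no_hide_services_ports *= *{ *\(.*[^ ]\) *};.*/\1/p' "$1"
}

# Demo on a constructed table.def fragment: keep the existing IKE/NAT-T
# exclusions and add NTP.
demo_ntp_exclusion() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/* constructed fragment, not a real table.def */
no_hide_services_ports = { <500, 17>, <4500, 17> };
EOF
    set_no_hide_ports "$f" '<500, 17>' '<4500, 17>' '<123, 17>'
    get_no_hide_ports "$f"
    rm -f "$f" "$f.tmp"
}

demo_ntp_exclusion
```

After the edit, install policy and confirm with fw monitor or the logs that outgoing NTP from the members leaves with the member's own IP rather than the cluster IP.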

By default, the size of the fwx_alloc table is:


Options are :

  • 65535
  • 25000 (Correct)
  • 65536
  • 1024

Answer : 25000

Ann wants to hide FTP traffic behind the virtual IP of her cluster. Where is the relevant file table.def located to make this modification?


Options are :

  • $FWDIR/log/table.def
  • $FWDIR/lib/table.def (Correct)
  • $FWDIR/bin/table.def
  • $FWDIR/conf/table.def

Answer : $FWDIR/lib/table.def

How do you designate the “enforcement point gateway” for the peers involved in “VPN Directional Enforcement”?


Options are :

  • Designate this gateway in the VPN community properties.
  • In the file $FWDIR/conf/user.def on each peer with a route entry to the enforcement point gateway.
  • Editing file $FWDIR/conf/vpn_route.conf on each peer with a route entry to the enforcement point gateway. (Correct)
  • From the WebUI's of the peers add a static route to the “designated enforcement point”.

Answer : Editing file $FWDIR/conf/vpn_route.conf on each peer with a route entry to the enforcement point gateway.

Using the default values in R77 how many kernel instances will there be on a 16-core gateway?


Options are :

  • 16
  • 12
  • 14 (Correct)
  • 8

Answer : 14

How can you see a dropped connection and the cause from the kernel?


Options are :

  • fw ctl zdebug drop (Correct)
  • fw ctl debug drop on
  • fw zdebug drop
  • fw debug drop on

Answer : fw ctl zdebug drop

Your customer receives an alert from their network operations center: they are seeing ARP and ping scans of their network originating from the firewall. What could be the reason for this behaviour?


Options are :

  • One or both of the firewalls in a cluster have stopped receiving CCP packets on an interface. (Correct)
  • Check Point's Antibot blade performs anti-bot scans of the surrounding network.
  • Check Point firewalls probe adjacent networking devices during normal operation.
  • IPS is disabled on the firewalls and there is a known OpenSSL vulnerability that allows a hacker to cause a network scan to originate from the firewall.

Answer : One or both of the firewalls in a cluster have stopped receiving CCP packets on an interface.

Which command can be used to see all active modules on the Security Gateway:


Options are :

  • fw ctl zdebug drop
  • fw ctl chain (Correct)
  • fw ctl debug -m
  • fw ctl debug -h

Answer : fw ctl chain

While troubleshooting a connectivity issue with an internal web server, you know that packets are getting to the upstream router, but when you run a tcpdump on the external interface of the gateway, the only traffic you observe is ARP requests coming from the upstream router. Does the problem lie on the Check Point Gateway?


Options are :

  • No – The firewall is not dropping the traffic, therefore the problem does not lie with the firewall.
  • No – This is a layer 2 connectivity issue and has nothing to do with the firewall.
  • Yes – This could be due to a misconfigured Static NAT in the firewall policy. (Correct)
  • Yes – This could be due to a misconfigured route on the firewall.

Answer : Yes – This could be due to a misconfigured Static NAT in the firewall policy.

From the output of the following cphaprob -i list, what is the most likely cause of the clustering issue?

    Cluster B> cphaprob -i list
    Built-in Devices:
    Device Name: Interface Active Check
    Current state: OK
    Device Name: HA Initialization
    Current state: OK
    Device Name: Recovery Delay
    Current state: OK
    Registered Devices:
    Device Name: Synchronization
    Registration number: 0
    Timeout: none
    Current state: OK
    Time since last report: 3651.5 sec
    Device Name: Filter
    Registration number: 1
    Timeout: none
    Current state: problem
    Time since last report: 139 sec
    Device Name: routed
    Registration number: 2
    Timeout: none
    Current state: OK
    Time since last report: 3651.9 sec
    Device Name: cphad
    Registration number: 3
    Timeout: none
    Current state: OK
    Time since last report: 3696.5 sec
    Device Name: fwd
    Registration number: 4
    Timeout: none
    Current state: OK
    Time since last report: 3696.5 sec


Options are :

  • The routing table on Cluster B is different from Cluster A
  • Cluster B and Cluster A have different versions of policy installed. (Correct)
  • There is a sync network issue between Cluster A and Cluster B
  • There is an interface down on Cluster A

Answer : Cluster B and Cluster A have different versions of policy installed.
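Reading the cphaprob output above by eye works for one member; as an added example that is not part of the exam page, here is a POSIX shell filter that extracts every pnote (Critical Device) whose Current state is not OK, so the same check can be scripted across members. The transcript embedded below is constructed from the question's output; the function and variable names are this example's own. The filter only points at the failing device (here Filter, which reflects the Security Policy state), it does not diagnose the root cause.

```shell
# Added example, not part of the exam page: list the ClusterXL pnotes
# (Critical Devices) that are not OK in `cphaprob -i list` output. On a
# member you would run `cphaprob -i list | failing_pnotes`; the transcript
# below is constructed from the question above so the demo runs offline.

# failing_pnotes : read `cphaprob -i list` on stdin, print one
# "name<TAB>state<TAB>time since last report" line per device not in state OK.
failing_pnotes() {
    awk '
        function flush() {
            if (name != "" && state != "" && state != "OK")
                printf "%s\t%s\t%s\n", name, state, since
        }
        /^Device Name:/ {
            flush()
            name = $0; sub(/^Device Name: */, "", name)
            state = ""; since = "n/a"
            next
        }
        /^Current state:/ { state = $0; sub(/^Current state: */, "", state); next }
        /^Time since last report:/ { since = $(NF-1) " sec"; next }
        END { flush() }
    '
}

# Constructed transcript (the device list from the output above).
SAMPLE_CPHAPROB='Built-in Devices:
Device Name: Interface Active Check
Current state: OK
Device Name: HA Initialization
Current state: OK
Device Name: Recovery Delay
Current state: OK
Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 3651.5 sec
Device Name: Filter
Registration number: 1
Timeout: none
Current state: problem
Time since last report: 139 sec
Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 3651.9 sec
Device Name: cphad
Registration number: 3
Timeout: none
Current state: OK
Time since last report: 3696.5 sec
Device Name: fwd
Registration number: 4
Timeout: none
Current state: OK
Time since last report: 3696.5 sec'

demo_failing_pnotes() {
    printf '%s\n' "$SAMPLE_CPHAPROB" | failing_pnotes
}

demo_failing_pnotes
```

Built-in devices have no "Time since last report" line, so they are reported with n/a in that column if they ever leave the OK state.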

How do you clear the connections table?


Options are :

  • Run the command fw tab -t connections -x (Correct)
  • In Gateway Properties > Optimizations click Clear connections table
  • Run the command fw tab -t connections -c
  • Run the command fw tab -t conns -c

Answer : Run the command fw tab -t connections -x

Of the following answer choices, which best describes a possible effect of expanding the connections table?


Options are :

  • Increased connection duration
  • Decreased memory consumption
  • Increased memory consumption (Correct)
  • Decreased connection duration

Answer : Increased memory consumption

Your cluster member is showing a state of "Ready". Which of the following is NOT a reason one would expect for this behaviour?


Options are :

  • Firewall policy has not yet been installed to the firewall (Correct)
  • One cluster member is configured for 32 bit and the other is configured for 64 bit
  • CoreXL is configured differently on the two machines
  • None
  • The firewall that is showing "Ready" has been upgraded but the other firewall has not yet been upgraded

Answer : Firewall policy has not yet been installed to the firewall

Which of the following commands shows the high watermark threshold for triggering the cluster under load mechanism in R77?


Options are :

  • fw ctl get int fwha_cul_policy_freeze_event_timeout_millisec
  • fw ctl get int fwha_cul_member_cpu_load_limit (Correct)
  • fw ctl get int fwha_cul_cluster_short_timeout
  • fw ctl get int fwha_cul_mechanism_enable

Answer : fw ctl get int fwha_cul_member_cpu_load_limit

The "Hide internal networks behind the Gateway's external IP" option is selected. What defines what traffic will be NATted?


Options are :

  • The Firewall policy of the gateway
  • The VPN encryption domain of the gateway object
  • The topology configuration of the gateway object (Correct)
  • The network objects configured for the network

Answer : The topology configuration of the gateway object

Tom is troubleshooting NAT issues using fw monitor and Wireshark. He tries to initiate a connection from the external network to a DMZ server using the public IP which the firewall translates to the actual IP of the server. He analyzes the captured packets using Wireshark and observes that the destination IP is being changed as required by the firewall but does not see the packet leave the external interface. What could be the reason?


Options are :

  • The translation might be happening on the server side and the packet is being routed by OS back to the external interface. (Correct)
  • After the translation, the packet is dropped by the Anti-Spoofing Protection.
  • The translation might be happening on the client side and the packet is being routed by the OS back to the external interface.
  • Packet is dropped by the firewall.

Answer : The translation might be happening on the server side and the packet is being routed by OS back to the external interface.

Which definition best describes the file table.def function? It is a placeholder for:


Options are :

  • user defined implied rules for Security Gateways.
  • definitions of various kernel tables for Security Gateways. (Correct)
  • user defined implied rules for Management Servers.
  • definitions of various kernel tables for Management Servers

Answer : definitions of various kernel tables for Security Gateways.

What mechanism solves asymmetric routing issues in a load sharing cluster?


Options are :

  • Flush and ACK (Correct)
  • SYN Defender
  • Stateful Inspection
  • State Synchronization

Answer : Flush and ACK

When you have edited the local.arp configuration to support a manual NAT, what must be done to ensure proxy ARP works for both manual and automatic NAT rules?


Options are :

  • Run the command fw ctl ARP -a on the gateway
  • In Global Properties > NAT tree select Merge manual proxy ARP configuration check box (Correct)
  • In Global Properties > NAT tree select Translate on client side check box
  • Create and run a script to forward changes to the local.arp tables of your gateway

Answer : In Global Properties > NAT tree select Merge manual proxy ARP configuration check box

What are the kernel parameters that control “Magic MACs”?


Options are :

  • fwha_mac_magic and fw_mac_forward_magic (Correct)
  • cpha_mac_magic and cp_mac_forward_magic
  • fwha_magic_mac and fw_forward_magic_mac
  • cpha_magic_mac and cpha_mac_forward_magic

Answer : fwha_mac_magic and fw_mac_forward_magic

You have set up a manual NAT rule, however fw monitor shows you that the device still uses the automatic Hide NAT rule. How should you correct this?


Options are :

  • Move your manual NAT rule above the automatic NAT rule. (Correct)
  • In Global Properties > NAT ensure that server side NAT is enabled.
  • Set the fwx_alloc_man kernel parameter to 1.
  • In Global Properties > NAT ensure that Merge Automatic to Manual NAT is selected.

Answer : Move your manual NAT rule above the automatic NAT rule.

When viewing connections using the command fw tab -t connections, all entries are displayed with a 6-tuple key. The elements of the 6-tuple include all of the following EXCEPT:


Options are :

  • destination port number
  • direction (inbound / outbound)
  • source port number
  • interface id (Correct)

Answer : interface id

Which command should you run to debug the VPN-1 kernel module?


Options are :

  • fw debug vpn on
  • fw ctl zdebug crypt kbuf
  • vpn debug on TDERROR_ALL_ALL=5
  • fw ctl debug -m VPN all (Correct)

Answer : fw ctl debug -m VPN all

You are trying to set “VPN Directional Match” on the VPN column but the “Directional Match Condition” option is not there. Why is this missing?


Options are :

  • This can only be done in Traditional Mode.
  • You must turn this feature on through Global Properties > VPN > Advanced, then select Enable VPN Directional Match in VPN column. (Correct)
  • This must be enabled on the Gateway in “Advanced Settings”.
  • The peer does not support this feature.

Answer : You must turn this feature on through Global Properties > VPN > Advanced, then select Enable VPN Directional Match in VPN column.
