156-215.13 Check Point Certified Security Administrator Exam Set 11

Assume you are a Security Administrator for ABCTech. You have allowed authenticated access to users from Mkting_net to Finance_net. But in the user's properties, connections are only permitted within Mkting_net. What is the BEST way to resolve this conflict?


Options are :

  • Select Intersect with user database or Ignore Database in the Action Properties window (Correct)
  • Select Intersect with user database in the Action Properties window.
  • Permit access to Finance_net.
  • Select Ignore Database in the Action Properties window

Answer : Select Intersect with user database or Ignore Database in the Action Properties window

How granularly may an administrator filter an Access Role with Identity Awareness?


Options are :

  • Radius Group
  • AD User (Correct)
  • Specific ICA Certificate
  • Windows Domain

Answer : AD User

Which of the following items should be configured for the Security Management Server to authenticate via LDAP?


Options are :

  • WMI object
  • Windows logon password
  • Check Point Password
  • Active Directory Server object (Correct)

Answer : Active Directory Server object

What happens if the identity of a user is known?


Options are :

  • If the user credentials do not match an Access Role, the system displays the Captive Portal.
  • If the user credentials match an Access Role, the rule is applied and traffic is accepted or dropped based on the defined action. (Correct)
  • If the user credentials do not match an Access Role, the system displays a sandbox.
  • If the user credentials do not match an Access Role, the traffic is automatically dropped.

Answer : If the user credentials match an Access Role, the rule is applied and traffic is accepted or dropped based on the defined action.

Which of the following items should be configured for the Security Management Server to authenticate using LDAP?


Options are :

  • Domain Admin password (Correct)
  • Check Point Password
  • Windows logon password
  • WMI object

Answer : Domain Admin password

You find that Users are not prompted for authentication when they access their Web servers, even though you have created an HTTP rule via User Authentication. Choose the BEST reason why.


Options are :

  • Users must use the SecuRemote Client, to use the User Authentication Rule.
  • Another rule that accepts HTTP without authentication exists in the Rule Base. (Correct)
  • You have forgotten to place the User Authentication Rule before the Stealth Rule
  • You checked the cache password on desktop option in Global Properties.

Answer : Another rule that accepts HTTP without authentication exists in the Rule Base.

Jennifer McHanry is CEO of ACME. She recently bought her own personal iPad. She wants to use her iPad to access the internal Finance Web server. Because the iPad is not a member of the Active Directory domain, she cannot identify seamlessly with AD Query. However, she can enter her AD credentials in the Captive Portal and then get the same access as on her office computer. Her access to resources is based on rules in the R76 Firewall Rule Base. To make this scenario work, the IT administrator must:

1) Enable Identity Awareness on a gateway and select Captive Portal as one of the Identity Sources.
2) In the Portal Settings window in the User Access section, make sure that Name and password login is selected.
3) Create a new rule in the Firewall Rule Base to let Jennifer McHanry access network destinations. Select accept as the Action.

Ms. McHanry tries to access the resource but is unable. What should she do?


Options are :

  • Have the security administrator select the Action field of the Firewall Rule "Redirect HTTP connections to an authentication (captive) portal" (Correct)
  • Install the Identity Awareness agent on her iPad
  • None
  • Have the security administrator select Any for the Machines tab in the appropriate Access Role
  • Have the security administrator reboot the firewall

Answer : Have the security administrator select the Action field of the Firewall Rule "Redirect HTTP connections to an authentication (captive) portal"

How are cached usernames and passwords cleared from the memory of an R76 Security Gateway?


Options are :

  • By installing a Security Policy (Correct)
  • Usernames and passwords only clear from memory after they time out.
  • By using the Clear User Cache button in SmartDashboard.
  • By retrieving LDAP user information using the command fw fetchldap

Answer : By installing a Security Policy

Which of the following is NOT a valid option when configuring access for Captive Portal?


Options are :

  • Through all interfaces
  • Through internal interfaces
  • From the Internet (Correct)
  • According to the Firewall Policy

Answer : From the Internet

For which service is it NOT possible to configure user authentication?


Options are :

  • FTP
  • HTTPS
  • Telnet
  • SSH (Correct)

Answer : SSH

Which of the following is NOT true for Clientless VPN?


Options are :

  • Secure communication is provided between clients and servers that support HTTP (Correct)
  • The Gateway can enforce the use of strong encryption.
  • User Authentication is supported.
  • The Gateway accepts any encryption method that is proposed by the client and supported in the VPN.

Answer : Secure communication is provided between clients and servers that support HTTP

Which of the following authentication methods can be configured in the Identity Awareness setup wizard?


Options are :

  • TACACS
  • Windows password
  • Check Point Password
  • LDAP (Correct)

Answer : LDAP

Users with Identity Awareness Agent installed on their machines login with __________, so that when the user logs into the domain, that information is also used to meet Identity Awareness credential requests.


Options are :

  • Key-logging
  • Single Sign-On (Correct)
  • SecureClient
  • ICA Certificates

Answer : Single Sign-On

To qualify as an Identity Awareness enabled rule, which column MAY include an Access Role?


Options are :

  • Action
  • User
  • Source (Correct)
  • Track

Answer : Source

You are about to integrate RSA SecurID users into the Check Point infrastructure. What kind of users are to be defined via SmartDashboard?


Options are :

  • Internal user Group
  • A group with generic user (Correct)
  • LDAP Account Unit Group
  • All users

Answer : A group with generic user

When using LDAP as an authentication method for Identity Awareness, the query:


Options are :

  • Requires client and server side software.
  • Is transparent, requiring no client or server side software. (Correct)
  • Requires administrators to specifically allow LDAP traffic to and from the LDAP Server and the Security Gateway.
  • Prompts the user to enter credentials.

Answer : Is transparent, requiring no client or server side software.

Your company has two headquarters, one in London, and one in New York. Each office includes several branch offices. The branch offices need to communicate with the headquarters in their country, not with each other, and only the headquarters need to communicate directly. What is the BEST configuration for establishing VPN Communities for this company? VPN Communities comprised of:


Options are :

  • One star Community with the option to mesh the center of the star: New York and London Gateways added to the center of the star with the mesh center Gateways option checked; all London branch offices defined in one satellite window, but, all New York branch offices defined in another satellite window.
  • Two mesh and one star Community: One mesh Community is set up for each of the headquarters and its branch offices. The star Community is configured with London as the center of the Community and New York is the satellite.
  • Three mesh Communities: One for London headquarters and its branches, one for New York headquarters and its branches, and one for London and New York headquarters.
  • Two star and one mesh Community: One star Community is set up for each site, with headquarters as the Community center, and its branches as satellites. The mesh Community includes only New York and London Gateways. (Correct)

Answer : Two star and one mesh Community: One star Community is set up for each site, with headquarters as the Community center, and its branches as satellites. The mesh Community includes only New York and London Gateways.

Where do you verify that SmartDirectory is enabled?


Options are :

  • Verify that Global Properties > SmartDirectory (LDAP) > Use SmartDirectory (LDAP) for Security Gateways is checked (Correct)
  • Verify that Security Gateway > General Properties > SmartDirectory (LDAP) > Use SmartDirectory (LDAP) for Security Gateways is checked
  • Verify that Security Gateway > General Properties > Authentication > Use SmartDirectory (LDAP) for Security Gateways is checked
  • Verify that Global Properties > Authentication > Use SmartDirectory (LDAP) for Security Gateways is checked

Answer : Verify that Global Properties > SmartDirectory (LDAP) > Use SmartDirectory (LDAP) for Security Gateways is checked

Identity Awareness is implemented to manage access to protected resources based on a user's _____________.


Options are :

  • Identity (Correct)
  • Computer MAC address
  • Time of connection
  • Application requirement

Answer : Identity

If you are experiencing LDAP issues, which of the following should you check?


Options are :

  • Connectivity between the R76 Gateway and LDAP server (Correct)
  • Overlapping VPN Domains
  • Secure Internal Communications (SIC)
  • Domain name resolution

Answer : Connectivity between the R76 Gateway and LDAP server

The User Directory Software Blade is used to integrate which of the following with Security Gateway R76?


Options are :

  • RADIUS server
  • UserAuthority server
  • LDAP server (Correct)
  • Account Management Client server

Answer : LDAP server

Which type of R76 Security Server does not provide User Authentication?


Options are :

  • HTTP Security Server
  • HTTPS Security Server
  • FTP Security Server
  • SMTP Security Server (Correct)

Answer : SMTP Security Server

What happens if the identity of a user is known?


Options are :

  • If the user credentials do not match an Access Role, the system displays a sandbox.
  • If the user credentials do not match an Access Role, the system displays the Captive Portal.
  • If the user credentials do not match an Access Role, the traffic is automatically dropped.
  • If the user credentials do not match an Access Role, the gateway moves onto the next rule. (Correct)

Answer : If the user credentials do not match an Access Role, the gateway moves onto the next rule.

Which of the following firewall modes DOES NOT allow for Identity Awareness to be deployed?


Options are :

  • Bridge (Correct)
  • Fail Open
  • Load Sharing
  • High Availability

Answer : Bridge
