156-215.13 Check Point Certified Security Administrator Exam Set 3

Which of the below is the MOST correct process to reset SIC from SmartDashboard?


Options are :

  • Run cpconfig, and click Reset.
  • Click Communication > Reset on the Gateway object, and type a new activation key.
  • Click the Communication button for the firewall object, then click Reset. Run cpconfig and type a new activation key. (Correct)
  • Run cpconfig, and select Secure Internal Communication > Change One Time Password.

Answer : Click the Communication button for the firewall object, then click Reset. Run cpconfig and type a new activation key.

Which statement is TRUE about implicit rules?


Options are :

  • Changes to the Security Gateway's default settings do not affect implicit rules.
  • The Gateway enforces implicit rules that enable outgoing packets only.
  • They are derived from Global Properties and explicit object properties. (Correct)
  • You create them in SmartDashboard.

Answer : They are derived from Global Properties and explicit object properties.

You installed Security Management Server on a computer using GAiA in the MegaCorp home office. You use IP address 10.1.1.1. You also installed the Security Gateway on a second SecurePlatform computer, which you plan to ship to another Administrator at a MegaCorp hub office. What is the correct order for pushing SIC certificates to the Gateway before shipping it?


Options are :

  • 2, 1, 3, 4, 5 (Correct)
  • 2, 3, 4, 1, 5
  • 1, 3, 2, 4, 5
  • 2, 3, 4, 5, 1

Answer : 2, 1, 3, 4, 5

When you change an implicit rule's order from Last to First in Global Properties, how do you make the change take effect?


Options are :

  • Select Install Database from the Policy menu.
  • Select Save from the File menu.
  • Run fw fetch from the Security Gateway.
  • Reinstall the Security Policy (Correct)

Answer : Reinstall the Security Policy

ALL of the following options are provided by the SecurePlatform sysconfig utility, EXCEPT:


Options are :

  • GUI Clients (Correct)
  • DHCP Server configuration
  • Time & Date
  • Export setup

Answer : GUI Clients

A Cleanup rule


Options are :

  • logs connections that would otherwise be dropped without logging by default (Correct)
  • logs connections that would otherwise be accepted without logging by default.
  • drops packets without logging connections that would otherwise be dropped and logged by default.
  • drops packets without logging connections that would otherwise be accepted and logged by default.

Answer : logs connections that would otherwise be dropped without logging by default

Chris has lost SIC communication with his Security Gateway and he needs to re-establish SIC. What would be the correct order of steps needed to perform this task?


Options are :

  • 5, 1, 4, 2
  • 5, 1, 2, 4 (Correct)
  • 3, 1, 4, 2
  • 2, 3, 1, 4

Answer : 5, 1, 2, 4

How do you recover communications between your Security Management Server and Security Gateway if you lock yourself out through a rule or policy mis-configuration?


Options are :

  • fw unloadlocal (Correct)
  • fw unload policy
  • fwm unloadlocal
  • fw delete all.all@localhost

Answer : fw unloadlocal

NAT can NOT be configured on which of the following objects?


Options are :

  • Gateway
  • Address Range
  • Host
  • HTTP Logical Server (Correct)

Answer : HTTP Logical Server

You have included the Cleanup Rule in your Rule Base. Where in the Rule Base should the Accept ICMP Requests implied rule have no effect?


Options are :

  • Before Last
  • Last (Correct)
  • After Stealth Rule
  • First

Answer : Last

You are working with multiple Security Gateways that enforce an extensive number of rules. To simplify security administration, which one of the following would you choose to do?


Options are :

  • Create a separate Security Policy package for each remote Security Gateway. (Correct)
  • Eliminate all possible contradictory rules such as the Stealth or Cleanup rules
  • Create network objects that restrict all applicable rules to only certain networks.
  • Run separate SmartConsole instances to login and configure each Security Gateway directly.

Answer : Create a separate Security Policy package for each remote Security Gateway.

Which of the following statements accurately describes the command snapshot?


Options are :

  • A Gateway snapshot includes configuration settings and Check Point product information from the remote Security Management Server.
  • snapshot creates a full OS-level backup, including network-interface data, Check Point product information, and configuration settings during an upgrade of a SecurePlatform Security Gateway. (Correct)
  • snapshot creates a Security Management Server full system-level backup on any OS
  • snapshot stores only the system-configuration settings on the Gateway.

Answer : snapshot creates a full OS-level backup, including network-interface data, Check Point product information, and configuration settings during an upgrade of a SecurePlatform Security Gateway.

You have installed an R76 Security Gateway on GAiA. To manage the Gateway from the enterprise Security Management Server, you create a new Gateway object and Security Policy. When you install the new Policy from the Policy menu, the Gateway object does not appear in the Install Policy window as a target. What is the problem?


Options are :

  • The Gateway object is not specified in the first policy rule column Install On
  • The object was created with Node > Gateway. (Correct)
  • No Masters file is created for the new Gateway
  • The new Gateway's temporary license has expired.

Answer : The object was created with Node > Gateway.

When you use the Global Properties' default settings on R76, which type of traffic will be dropped if NO explicit rule allows the traffic?


Options are :

  • Outgoing traffic originating from the Security Gateway
  • RIP traffic (Correct)
  • SmartUpdate connections
  • Firewall logging and ICA key-exchange information

Answer : RIP traffic

Which rules are not applied on a first-match basis?


Options are :

  • Client Authentication
  • Session Authentication
  • User Authentication (Correct)
  • Cleanup

Answer : User Authentication

Your main internal network 10.10.10.0/24 allows all traffic to the Internet using Hide NAT. You also have a small network 10.10.20.0/24 behind the internal router. You want to configure the kernel to translate the source address only when network 10.10.20.0 tries to access the Internet for HTTP, SMTP, and FTP services. Which of the following configurations will allow this network to access the Internet?


Options are :

  • Configure three Manual Static NAT rules for network 10.10.20.0/24, one for each service.
  • Configure Automatic Static NAT on network 10.10.20.0/24.
  • Configure one Manual Hide NAT rule for HTTP, FTP, and SMTP services for network 10.10.20.0/24. (Correct)
  • Configure Automatic Hide NAT on network 10.10.20.0/24 and then edit the Service column in the NAT Rule Base on the automatic rule.

Answer : Configure one Manual Hide NAT rule for HTTP, FTP, and SMTP services for network 10.10.20.0/24.

John is the Security Administrator in his company. He installs a new R76 Security Management Server and a new R76 Gateway. He now wants to establish SIC between them. After entering the activation key, he gets the following message in SmartDashboard: "Trust established". SIC still does not seem to work because the policy won't install and interface fetching does not work. What might be a reason for this?


Options are :

  • This must be a human error.
  • It always works when the trust is established
  • The Gateway's time is several days or weeks in the future and the SIC certificate is not yet valid. (Correct)
  • SIC does not function over the network.

Answer : The Gateway's time is several days or weeks in the future and the SIC certificate is not yet valid.

Which command would provide the most comprehensive diagnostic information to Check Point Technical Support?


Options are :

  • cpinfo -o date.cpinfo.txt (Correct)
  • cpstat - date.cpstat.txt
  • diag
  • fw cpinfo

Answer : cpinfo -o date.cpinfo.txt

What CANNOT be configured for existing connections during a policy install?


Options are :

  • Keep all connections
  • Keep data connections
  • Re-match connections
  • Reset all connections (Correct)

Answer : Reset all connections

The SIC certificate is stored in the directory _______________.


Options are :

  • $CPDIR/registry
  • $FWDIR/database
  • $FWDIR/conf
  • $CPDIR/conf (Correct)

Answer : $CPDIR/conf

Certificates for Security Gateways are created during a simple initialization from _____________.


Options are :

  • SmartUpdate
  • The ICA management tool
  • SmartDashboard (Correct)
  • sysconfig

Answer : SmartDashboard

Which NAT option applicable for Automatic NAT applies to Manual NAT as well?


Options are :

  • Automatic ARP configuration
  • Allow bi-directional NAT
  • Enable IP Pool NAT
  • Translate destination on client-side (Correct)

Answer : Translate destination on client-side

Installing a policy usually has no impact on currently existing connections. Which statement is TRUE?


Options are :

  • All FTP downloads are reset; users have to start their downloads again.
  • Site-to-Site VPNs need to re-authenticate, so Phase 1 is passed again after installing the Security Policy.
  • All connections are reset, so a policy install is recommended during announced downtime only.
  • Users being authenticated by Client Authentication have to re-authenticate (Correct)

Answer : Users being authenticated by Client Authentication have to re-authenticate

You want to generate a cpinfo file via CLI on a system running GAiA. This will take about 40 minutes since the log files are also needed. What action do you need to take regarding timeout?


Options are :

  • Log in as the default user expert and start cpinfo
  • Log in as admin, switch to expert mode, set the timeout to one hour with the command, idle 60, then start cpinfo.
  • Log in as Administrator, set the timeout to one hour with the command idle 60 and start cpinfo. (Correct)
  • No action is needed because cpshell has a timeout of one hour by default

Answer : Log in as Administrator, set the timeout to one hour with the command idle 60 and start cpinfo.

You enable Hide NAT on the network object, 10.1.1.0 behind the Security Gateway's external interface. You browse to from host, 10.1.1.10 successfully. You enable a log on the rule that allows 10.1.1.0 to exit the network. How many log entries do you see for that connection in SmartView Tracker?


Options are :

  • Only one, outbound (Correct)
  • Only one, inbound
  • Two, both outbound, one for the real IP connection and one for the NAT IP connection
  • Two, one for outbound, one for inbound

Answer : Only one, outbound

Which of the following statements BEST describes Check Point's Hide Network Address Translation method?


Options are :

  • Translates many destination IP addresses into one destination IP address
  • Many-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation
  • Translates many source IP addresses into one source IP address (Correct)
  • One-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation

Answer : Translates many source IP addresses into one source IP address

Which of the following describes the default behavior of an R76 Security Gateway?


Options are :

  • IP protocol types listed as secure are allowed by default, i.e. ICMP, TCP, UDP sessions are inspected.
  • Traffic not explicitly permitted is dropped. (Correct)
  • Traffic is filtered using controlled port scanning.
  • All traffic is expressly permitted via explicit rules.

Answer : Traffic not explicitly permitted is dropped.

A Security Policy has several database versions. What configuration remains the same no matter which version is used?


Options are :

  • Rule Bases_5_0.fws
  • Internal Certificate Authority (ICA) certificate (Correct)
  • fwauth.NDB
  • Objects_5_0.C

Answer : Internal Certificate Authority (ICA) certificate

In a distributed management environment, the administrator has removed all default check boxes from the Policy > Global Properties > Firewall tab. In order for the Security Gateway to send logs to the Security Management Server, an explicit rule must be created to allow the Security Gateway to communicate to the Security Management Server on port ______


Options are :

  • 257 (Correct)
  • 259
  • 256
  • 900

Answer : 257

Which item below in a Security Policy would be enforced first?


Options are :

  • Administrator-defined Rule Base
  • Security Policy First rule
  • Network Address Translation
  • IP spoofing/IP options (Correct)

Answer : IP spoofing/IP options
