156-215.13 Check Point Certified Security Administrator Exam Set 4

Which of the following tools is used to generate a Security Gateway R76 configuration report?


Options are :

  • infoCP
  • cpinfo (Correct)
  • fw cpinfo
  • infoview

Answer : cpinfo

How does the button Get Address, found on the Host Node Object > General Properties page retrieve the address?


Options are :

  • Route Table
  • Name resolution (hosts file, DNS, cache) (Correct)
  • Address resolution (ARP, RARP)
  • SNMP Get

Answer : Name resolution (hosts file, DNS, cache)

Spoofing is a method of:


Options are :

  • Detecting people using false or wrong authentication logins
  • Disguising an illegal IP address behind an authorized IP address through Port Address Translation.
  • Hiding your firewall from unauthorized users.
  • Making packets appear as if they come from an authorized IP address. (Correct)

Answer : Making packets appear as if they come from an authorized IP address.

Anti-Spoofing is typically set up on which object type?


Options are :

  • Network
  • Security Gateway (Correct)
  • Host
  • Security Management object

Answer : Security Gateway

The ____________ and ____________ rules are the two basic rules which should be used by all Security Administrators.


Options are :

  • Cleanup; Administrator Access
  • Administrator Access; Stealth
  • Network Traffic; Stealth
  • Cleanup; Stealth (Correct)

Answer : Cleanup; Stealth

Which of the following options is available with the Secure Platform cpconfig utility?


Options are :

  • DHCP Server configuration
  • Time & Date
  • Export setup
  • GUI Clients (Correct)

Answer : GUI Clients

How can you check whether IP forwarding is enabled on an IP Security Appliance?


Options are :

  • cat /proc/sys/net/ipv4/ip_forward
  • clish -c show routing active enable
  • echo 1 > /proc/sys/net/ipv4/ip_forward
  • ipsofwd list (Correct)

Answer : ipsofwd list

Which rule position in the Rule Base should hold the Cleanup Rule? Why?


Options are :

  • Last. It serves a logging function before the implicit drop. (Correct)
  • Before last followed by the Stealth Rule.
  • Last. It explicitly drops otherwise accepted traffic.
  • First. It explicitly accepts otherwise dropped traffic

Answer : Last. It serves a logging function before the implicit drop.

In a distributed management environment, the administrator has removed the default check from Accept Control Connections under the Policy > Global Properties > FireWall tab. In order for the Security Management Server to install a policy to the Firewall, an explicit rule must be created to allow the server to communicate to the Security Gateway on port __________.


Options are :

  • 256 (Correct)
  • 259
  • 900
  • 80

Answer : 256

Several Security Policies can be used for different installation targets. The firewall protecting Human Resources' servers should have a unique Policy Package. These rules may only be installed on this machine and not accidentally on the Internet firewall. How can this be configured?


Options are :

  • A Rule Base is always installed on all possible targets. The rules to be installed on a firewall are defined by the selection in the row Install On of the Rule Base.
  • A Rule Base can always be installed on any Check Point firewall object. It is necessary to select the appropriate target directly after selecting Policy > Install.
  • When selecting the correct firewall in each line of the row Install On of the Rule Base, only this firewall is shown in the list of possible installation targets after selecting Policy > Install.
  • In the SmartDashboard policy, select the correct firewall to be the Specific Target of the rule. (Correct)

Answer : In the SmartDashboard policy, select the correct firewall to be the Specific Target of the rule.

What is the purpose of a Stealth Rule?


Options are :

  • To permit implied rules.
  • To drop all traffic to the management server that is not explicitly permitted.
  • To prevent users from connecting directly to the gateway. (Correct)
  • To permit management traffic.

Answer : To prevent users from connecting directly to the gateway.

How can you activate the SNMP daemon on a Check Point Security Management Server?


Options are :

  • In SmartDashboard, right-click a Check Point object and select Activate SNMP.
  • Using the command line, enter snmp_install.
  • From cpconfig, select SNMP extension. (Correct)
  • Any of these options will work.

Answer : From cpconfig, select SNMP extension.

A ___________ rule is used to prevent all traffic going to the R75 Security Gateway.


Options are :

  • Cleanup
  • IPS
  • Stealth (Correct)
  • Reject

Answer : Stealth

Which command allows you to view the contents of an R76 table?


Options are :

  • fw tab -t (Correct)
  • fw tab -x
  • fw tab -a
  • fw tab -s

Answer : fw tab -t

When you hide a rule in a Rule Base, how can you then disable the rule?


Options are :

  • Hidden rules are already effectively disabled from Security Gateway enforcement.
  • Right-click on the hidden rule place-holder bar and uncheck Hide, then right-click and select Disable Rule(s); re-hide the rule. (Correct)
  • Right-click on the hidden rule place-holder bar and select Disable Rule(s).
  • Use the search utility in SmartDashboard to view all hidden rules. Select the relevant rule and click Disable Rule(s).

Answer : Right-click on the hidden rule place-holder bar and uncheck Hide, then right-click and select Disable Rule(s); re-hide the rule.

Which of the following is a CLI command for Security Gateway R76?


Options are :

  • fw merge
  • fw shutdown
  • fw tab -u (Correct)
  • fwm policy_print

Answer : fw tab -u

Although SIC was already established and running, Joe reset SIC between the Security Management Server and a remote Gateway. He set a new activation key on the Gateway's side with the command cpconfig and put in the same activation key in the Gateway's object on the Security Management Server. Unfortunately, SIC cannot be established. What is a possible reason for the problem?


Options are :

  • The old Gateway object should have been deleted and recreated.
  • The installed policy blocks the communication.
  • Joe forgot to reboot the Gateway.
  • Joe forgot to exit from cpconfig. (Correct)

Answer : Joe forgot to exit from cpconfig.

You are the Security Administrator for MegaCorp. A Check Point firewall is installed and in use on a platform using GAiA. You have trouble configuring the speed and duplex settings of your Ethernet interfaces. Which of the following commands can be used in Expert Mode to configure the speed and duplex settings of an Ethernet interface and will survive a reboot? Give the BEST answer.


Options are :

  • ethtool
  • mii_tool
  • ifconfig -a
  • eth_set (Correct)

Answer : eth_set

Many companies have defined more than one administrator. To increase security, only one administrator should be able to install a Rule Base on a specific Firewall. How do you configure this?


Options are :

  • Right-click on the object representing the specific administrator, and select that Firewall in Policy Targets.
  • In the object General Properties representing the specific Firewall, go to the Software Blades product list and select Firewall. Right-click in the menu, select Administrator to Install to define only this administrator.
  • Put the one administrator in an Administrator group and configure this group in the specific Firewall object in Advanced > Permission to Install. (Correct)
  • Define a permission profile in SmartDashboard with read/write privileges, but restrict it to all other firewalls by placing them in the Policy Targets field. Then, an administrator with this permission profile cannot install a policy on any Firewall not listed here.

Answer : Put the one administrator in an Administrator group and configure this group in the specific Firewall object in Advanced > Permission to Install.

Which Check Point address translation method is necessary if you want to connect from a host on the Internet via HTTP to a server with a reserved (RFC 1918) IP address on your DMZ?


Options are :

  • Static Destination Address Translation (Correct)
  • None
  • Port Address Translation
  • Hide Address Translation
  • Dynamic Source Address Translation

Answer : Static Destination Address Translation

Because of pre-existing design constraints, you set up manual NAT rules for your HTTP server. However, your FTP server and SMTP server are both using automatic NAT rules. All traffic from your FTP and SMTP servers are passing through the Security Gateway without a problem, but traffic from the Web server is dropped on rule 0 because of antispoofing settings. What is causing this?


Options are :

  • Manual NAT rules are not configured correctly.
  • Routing is not configured correctly.
  • Allow bi-directional NAT is not checked in Global Properties.
  • Translate destination on client side is not checked in Global Properties under Manual NAT Rules. (Correct)

Answer : Translate destination on client side is not checked in Global Properties under Manual NAT Rules.

Which Check Point address translation method allows an administrator to use fewer ISP-assigned IP addresses than the number of internal hosts requiring Internet connectivity?


Options are :

  • Static Destination
  • Static Source
  • Dynamic Destination
  • Hide (Correct)

Answer : Hide

Which of these Security Policy changes optimize Security Gateway performance?


Options are :

  • Putting the least-used rule at the top of the Rule Base.
  • Using groups within groups in the manual NAT Rule Base.
  • Use Automatic NAT rules instead of Manual NAT rules whenever possible. (Correct)
  • Using domain objects in rules when possible

Answer : Use Automatic NAT rules instead of Manual NAT rules whenever possible.

To check the Rule Base, some rules can be hidden so they do not distract the administrator from the unhidden rules. Assume that only rules accepting HTTP or SSH will be shown. How do you accomplish this?


Options are :

  • In SmartDashboard, right-click in the column field Service > Query Column. Then, put the services HTTP and SSH in the list. Do the same in the field Action and select Accept here.
  • In SmartDashboard menu, select Search > Rule Base Queries. In the window that opens, create a new Query, give it a name (e.g. "HTTP_SSH") and define a clause regarding the two services HTTP and SSH. When having applied this, define a second clause for the action Accept and combine them with the Boolean operator AND. (Correct)
  • This cannot be configured since two selections (Service, Action) are not possible
  • Ask your reseller to get a ticket for Check Point SmartUse and deliver him the Security Management Server cpinfo file.

Answer : In SmartDashboard menu, select Search > Rule Base Queries. In the window that opens, create a new Query, give it a name (e.g. "HTTP_SSH") and define a clause regarding the two services HTTP and SSH. When having applied this, define a second clause for the action Accept and combine them with the Boolean operator AND.

You run cpconfig to reset SIC on the Security Gateway. After the SIC reset operation is complete, the policy that will be installed is the


Options are :

  • Initial policy (Correct)
  • Default filter.
  • Last policy that was installed.
  • Standard policy.

Answer : Initial policy

All of the following are Security Gateway control connections defined by default implied rules, EXCEPT:


Options are :

  • Exclusion of specific services for reporting purposes. (Correct)
  • Communication with server types, such as RADIUS, CVP, UFP, TACACS, and LDAP.
  • Acceptance of IKE and RDP traffic for communication and encryption purposes.
  • Specific traffic that facilitates functionality, such as logging, management, and key exchange.

Answer : Exclusion of specific services for reporting purposes.

After implementing Static Address Translation to allow Internet traffic to an internal Web Server on your DMZ, you notice that any NATed connections to that machine are being dropped by anti-spoofing protections. Which of the following is the MOST LIKELY cause?


Options are :

  • The Global Properties setting Translate destination on client side is checked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Uncheck the Global Properties setting Translate destination on client side.
  • The Global Properties setting Translate destination on client side is unchecked. But the topology on the external interface is set to Others +. Change topology to External.
  • The Global Properties setting Translate destination on client side is checked. But the topology on the external interface is set to External. Change topology to Others +.
  • The Global Properties setting Translate destination on client side is unchecked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Check the Global Properties setting Translate destination on client side. (Correct)

Answer : The Global Properties setting Translate destination on client side is unchecked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Check the Global Properties setting Translate destination on client side.

You want to implement Static Destination NAT in order to provide external, Internet users access to an internal Web Server that has a reserved (RFC 1918) IP address. You have an unused valid IP address on the network between your Security Gateway and ISP router. You control the router that sits between the firewall external interface and the Internet. What is an alternative configuration if proxy ARP cannot be used on your Security Gateway?


Options are :

  • Place a static host route on the firewall for the valid IP address to the internal Web server.
  • Publish a proxy ARP entry on the internal Web server instead of the firewall for the valid IP address.
  • Place a static ARP entry on the ISP router for the valid IP address to the firewall's external address. (Correct)
  • Publish a proxy ARP entry on the ISP router instead of the firewall for the valid IP address.

Answer : Place a static ARP entry on the ISP router for the valid IP address to the firewall's external address.

Which command enables IP forwarding on IPSO?


Options are :

  • echo 0 > /proc/sys/net/ipv4/ip_forward
  • clish -c set routing active enable
  • echo 1 > /proc/sys/net/ipv4/ip_forward
  • ipsofwd on admin (Correct)

Answer : ipsofwd on admin

What is the officially accepted diagnostic tool for IP Appliance Support?


Options are :

  • CST (Correct)
  • ipsoinfo
  • cpinfo
  • uag-diag

Answer : CST