156-215.70 Check Point Certified Security Administrator Exam Set 3

How many packets does the IKE exchange use for Phase 1 Main Mode?


Options are :

  • 6 (Correct)
  • 3
  • 12
  • 1

Answer : 6

Which OPSEC server can be used to prevent users from accessing certain Web sites?


Options are :

  • UFP (Correct)
  • LEA
  • AMON
  • CVP

Answer : UFP

How do you block some seldom-used FTP commands, such as CWD and FIND, from passing through the Gateway?


Options are :

  • Enable FTP Bounce checking in Application Intelligence in Protocol Protections from the IPS tab.
  • Configure the restricted FTP commands in the Security Servers screen of the Global Properties.
  • Add the restricted commands to the aftpd.conf file in the Security Management Server
  • Modify the desired profile in the FTP commands under Protection Details in the IPS tab. (Correct)

Answer : Modify the desired profile in the FTP commands under Protection Details in the IPS tab.

Which type of resource could a Security Administrator use to control access to specific file shares on target machines?


Options are :

  • URI
  • CIFS (Correct)
  • FTP
  • Telnet

Answer : CIFS

In which IKE phase are IPsec SAs negotiated?


Options are :

  • Phase 4
  • Phase 1
  • Phase 3
  • Phase 2 (Correct)

Answer : Phase 2

You are the Security Administrator for a university. The university’s FTP servers have old hardware and software. Certain FTP commands cause the FTP servers to malfunction. Upgrading the FTP servers is not an option at this time. Where can you define blocked FTP commands passing through the Security Gateway protecting the FTP servers?


Options are :

  • Global Properties > FireWall > Security Server > Allowed FTP Commands
  • FTP Service Object > Advanced > Blocked FTP Commands
  • Rule Base > Service Field > Edit Properties
  • IPS > Protections > By Protocol > IPS Software Blade > Application Intelligence > FTP > FTP Advanced Protections > FTP Commands (Correct)

Answer : IPS > Protections > By Protocol > IPS Software Blade > Application Intelligence > FTP > FTP Advanced Protections > FTP Commands

As a Security Administrator, you are required to create users for authentication. When you create a user for User Authentication, the data is stored in the _____________.


Options are :

  • SmartUpdate repository
  • User Database (Correct)
  • Objects Database
  • Rules Database

Answer : User Database

Which of these attributes would be critical for a site-to-site VPN?


Options are :

  • Strong authentication
  • Strong data encryption (Correct)
  • Scalability to accommodate user groups
  • Centralized management

Answer : Strong data encryption

Why are certificates preferred over pre-shared keys in an IPsec VPN?


Options are :

  • Weak Security: PSK are static and can be brute-forced. (Correct)
  • Weak performance: PSK takes more time to encrypt than Diffie-Hellman.
  • Weak security: PSKs can only have 112 bit length.
  • Weak scalability: PSKs need to be set on each and every Gateway.

Answer : Weak Security: PSK are static and can be brute-forced.

Which of the following is TRUE concerning control connections between the Security Management Server and the Gateway in a VPN Community? Control Connections are:


Options are :

  • encrypted using SIC and re-encrypted again by the Community regardless of VPN domain configuration.
  • encrypted by the Community.
  • not encrypted, only authenticated.
  • encrypted using SIC. (Correct)

Answer : encrypted using SIC.

Identify the ports to which the Client Authentication daemon listens by default.


Options are :

  • 8080, 529
  • 80, 256
  • 259, 900 (Correct)
  • 256, 600

Answer : 259, 900

Review the following list of actions that Security Gateway R70 can take when it controls packets. The Policy Package has been configured for Simplified Mode VPN. Select the response below that includes the available actions:


Options are :

  • Accept, Reject, Encrypt, Drop
  • Accept, Hold, Reject, Proxy
  • Accept, Drop, Encrypt, Session Auth
  • Accept, Drop, Reject, Client Auth (Correct)

Answer : Accept, Drop, Reject, Client Auth

You are about to integrate RSA SecurID users into the Check Point infrastructure. What kind of users are to be defined via SmartDashboard?


Options are :

  • LDAP Account Unit Group
  • All users
  • A group with generic user (Correct)
  • Internal user Group

Answer : A group with generic user

Which authentication type permits five different sign-on methods in the authentication properties window?


Options are :

  • Manual Authentication
  • Session Authentication
  • User Authentication
  • Client Authentication (Correct)

Answer : Client Authentication

What is the size of a hash produced by SHA-1?


Options are :

  • 40
  • 56
  • 128
  • 160 (Correct)

Answer : 160

Which column in the Rule Base is used to define authentication parameters?


Options are :

  • Track
  • Service
  • Source
  • Action (Correct)

Answer : Action

The User Directory Software Blade is used to integrate which of the following with Security Gateway R70?


Options are :

  • LDAP server (Correct)
  • UserAuthority server
  • RADIUS server
  • Account Management Client server

Answer : LDAP server

Which set of objects have an Authentication tab?


Options are :

  • Users, User Groups
  • Networks, Hosts
  • Templates, Users (Correct)
  • Users, Networks

Answer : Templates, Users

What is the Manual Client Authentication TELNET port?


Options are :

  • 259 (Correct)
  • 900
  • 23
  • 264

Answer : 259

What is the bit size of a DES key?


Options are :

  • 112
  • 64
  • 56 (Correct)
  • 168

Answer : 56

You wish to configure an IKE VPN between two R70 Security Gateways, to protect two networks. The network behind one Gateway is 10.15.0.0/16, and network 192.168.9.0/24 is behind the peer's Gateway. Which type of address translation should you use to ensure the two networks access each other through the VPN tunnel?


Options are :

  • None (Correct)
  • Static NAT
  • Manual NAT
  • Hide NAT

Answer : None

For information to pass securely between a Security Management Server and another Check Point component, what would NOT be required?


Options are :

  • The communication must use two-factor or biometric authentication. (Correct)
  • The communication must be encrypted.
  • The communication must be authenticated.
  • The component must be time-and-date synchronized with the Security Management Server.

Answer : The communication must use two-factor or biometric authentication.

If you need strong protection for the encryption of user data, what option would be the BEST choice?


Options are :

  • Use Diffie-Hellman for key construction and pre-shared keys for Quick Mode. Choose SHA in Quick Mode and encrypt with AES. Use AH protocol. Switch to Aggressive Mode.
  • Disable Diffie-Hellman by using stronger certificate-based key derivation. Use AES-256 on all encrypted channels and add PFS to Quick Mode. Use double encryption by implementing AH and ESP as protocols.
  • When you need strong encryption, IPsec is not the best choice. SSL VPNs are a better choice
  • Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and use ESP protocol. (Correct)

Answer : Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and use ESP protocol.

Which of the following objects is a valid source in an authentication rule?


Options are :

  • User@Network
  • Host@Any
  • User_group@Network (Correct)
  • User@Any

Answer : User_group@Network

Your manager requires you to set up a VPN to a new business partner site. The administrator from the partner site gives you his VPN settings and you notice that he set up AES-128 for IKE Phase 1 and AES-256 for IKE Phase 2. Why is this a problematic setup?


Options are :

  • All is fine and can be used as is.
  • All is fine as the longest key length has been chosen for encrypting the data and a shorter key length for higher performance for setting up the tunnel.
  • The 2 algorithms do not have the same key length and so don’t work together. You will get the error “…. No proposal chosen….”
  • Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase 2 only costs performance and does not add security due to a shorter key in phase 1. (Correct)

Answer : Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase 2 only costs performance and does not add security due to a shorter key in phase 1.

You install and deploy SecurePlatform with default settings. You allow Visitor Mode in the Remote Access properties of the Gateway object and install policy, but SecureClient refuses to connect. What is the cause of this?


Options are :

  • You need to start SSL Network Extender first, then use Visitor Mode.
  • The WebUI on SecurePlatform runs on port 443 (HTTPS). When you configure Visitor Mode it cannot bind to default port 443, because it's used by another program (WebUI). You need to change the WebUI port, or run Visitor Mode on a different port. (Correct)
  • Set Visitor Mode in Policy > Global Properties > Remote-Access > VPN - Advanced.
  • Office mode is not configured.

Answer : The WebUI on SecurePlatform runs on port 443 (HTTPS). When you configure Visitor Mode it cannot bind to default port 443, because it's used by another program (WebUI). You need to change the WebUI port, or run Visitor Mode on a different port.

Phase 1 uses ___________.


Options are :

  • Conditional
  • Asymmetric (Correct)
  • Sequential
  • Symmetric

Answer : Asymmetric

Users are not prompted for authentication when they access their Web servers, even though you have created an HTTP rule via User Authentication. Why?


Options are :

  • Users must use the SecuRemote Client, to use the User Authentication Rule.
  • You checked the cache password on desktop option in Global Properties.
  • Another rule that accepts HTTP without authentication exists in the Rule Base. (Correct)
  • You have forgotten to place the User Authentication Rule before the Stealth Rule.

Answer : Another rule that accepts HTTP without authentication exists in the Rule Base.

You are concerned that a message may have been intercepted and retransmitted, thus compromising the security of the communication. You attach a code to the electronically transmitted message that uniquely identifies the sender. This code is known as a(n):


Options are :

  • Digital signature (Correct)
  • Private key
  • Diffie-Hellman verification
  • AES flag

Answer : Digital signature

Which of the following provides confidentiality services for data and messages in a Check Point VPN?


Options are :

  • Symmetric Encryption (Correct)
  • Asymmetric Encryption
  • Cryptographic checksums
  • Digital signatures

Answer : Symmetric Encryption
