Copy and Edit

Exam 3 - CCSA 156-215 v7

Description

Exam 3 - CCSA 156-215 v7
Gustavo Gonçalves
Quiz by Gustavo Gonçalves, updated more than 1 year ago
Gustavo Gonçalves
Created by Gustavo Gonçalves over 6 years ago
23
0
0

Resource summary

Question 1

Question
QUESTION 1 When translation occurs using automatic Hide NAT, what also happens?
Answer
  • A. Nothing happens.
  • B. The destination is modified
  • C. The destination port is modified
  • D. The source port is modified.

Question 2

Question
QUESTION 2 The fw monitor utility is used to troubleshoot which of the following problems?
Answer
  • A. Phase two key negotiation
  • B. Address translation
  • C. Log Consolidation Engine
  • D. User data base corruption

Question 3

Question
QUESTION 3 Looking at the SYN packets in the Wireshark output, select the statement that is true about NAT. Exhibit:
Image:
3 (binary/octet-stream)
Answer
  • A. This is an example of Hide NAT.
  • B. There is not enough information provided in the Wireshark capture to determine the NAT settings.
  • C. This is an example of Static NAT and Translate destination on client side unchecked in Global Properties
  • D. This is an example of Static NAT and Translate destination on client side checked in Global Properties.

Question 4

Question
QUESTION 4 In SmartDashboard, Translate destination on client side is checked in Global Properties. When Network Address Translation is used:
Answer
  • A. It is not necessary to add a static route to the Gateway's routing table.
  • B. It is necessary to add a static route to the Gateway's routing table.
  • C. The Security Gateway's ARP file must be modified.
  • D. VLAN tagging cannot be defined for any hosts protected by the Gateway.

Question 5

Question
QUESTION 5 Secure Internal Communications (SIC) is completely NAT-tolerant because it is based on:
Answer
  • A. IP addresses.
  • B. SIC is not NAT-tolerant.
  • C. SIC names.
  • D. MAC addresses.

Question 6

Question
QUESTION 6 Static NAT connections, by default, translate on which firewall kernel inspection point?
Answer
  • A. Inbound
  • B. Outbound
  • C. Post-inbound
  • D. Eitherbound

Question 7

Question
QUESTION 7 You are MegaCorp's Security Administrator. There are various network objects which must be NATed. Some of them use the Automatic Hide NAT method, while others use the Automatic Static NAT method. What is the rule order if both methods are used together? Give the BEST answer.
Answer
  • A. The Administrator decides the rule order by shifting the corresponding rules up and down.
  • B. The Static NAT rules have priority over the Hide NAT rules and the NAT on a node has priority over the NAT on a network or an address range.
  • C. The Hide NAT rules have priority over the Static NAT rules and the NAT on a node has priority over the NAT on a network or an address range.
  • D. The rule position depends on the time of their creation. The rules created first are placed at the top; rules created later are placed successively below the others.

Question 8

Question
QUESTION 8 Which answers are TRUE? Automatic Static NAT CANNOT be used when: 1) NAT decision is based on the destination port. 2) Both Source and Destination IP's have to be translated. 3) The NAT rule should only be installed on a dedicated Gateway. 4) NAT should be performed on the server side.
Answer
  • A. 1 and 2
  • B. 2 and 4
  • C. 1, 3, and 4
  • D. 2 and 3

Question 9

Question
QUESTION 9 After filtering a fw monitor trace by port and IP, a packet is displayed three times; in the i, I, and o inspection points, but not in the O inspection point. Which is the likely source of the issue?
Answer
  • A. The packet has been sent out through a VPN tunnel unencrypted.
  • B. An IPSO ACL has blocked the packet's outbound passage.
  • C. A SmartDefense module has blocked the packet.
  • D. It is due to NAT.

Question 10

Question
QUESTION 10 Your internal network is configured to be 10.1.1.0/24. This network is behind your perimeter R77 Gateway, which connects to your ISP provider. How do you configure the Gateway to allow this network to go out to the Internet?
Answer
  • A. Use Hide NAT for network 10.1.1.0/24 behind the external IP address of your perimeter Gateway.
  • B. Use Hide NAT for network 10.1.1.0/24 behind the internal interface of your perimeter Gateway.
  • C. Use automatic Static NAT for network 10.1.1.0/24.
  • D. Do nothing, as long as 10.1.1.0 network has the correct default Gateway.

Question 11

Question
QUESTION 11 You are a Security Administrator who has installed Security Gateway R77 on your network. You need to allow a specific IP address range for a partner site to access your intranet Web server. To limit the partner's access for HTTP and FTP only, you did the following: 1) Created manual Static NAT rules for the Web server. 2) Cleared the following settings in the Global Properties > Network Address Translation screen: - Allow bi-directional NAT - Translate destination on client side Do the above settings limit the partner's access?
Answer
  • A. Yes. This will ensure that traffic only matches the specific rule configured for this traffic, and that the Gateway translates the traffic after accepting the packet.
  • B. No. The first setting is not applicable. The second setting will reduce performance.
  • C. Yes. Both of these settings are only applicable to automatic NAT rules.
  • D. No. The first setting is only applicable to automatic NAT rules. The second setting will force translation by the kernel on the interface nearest to the client.

Question 12

Question
QUESTION 12 You enable Automatic Static NAT on an internal host node object with a private IP address of 10.10.10.5, which is NATed into 216.216.216.5. (You use the default settings in Global Properties / NAT.) When you run fw monitor on the R77 Security Gateway and then start a new HTTP connection from host 10.10.10.5 to browse the Internet, at what point in the monitor output will you observe the HTTP SYN-ACK packet translated from 216.216.216.5 back into 10.10.10.5?
Answer
  • A. o=outbound kernel, before the virtual machine
  • B. I=inbound kernel, after the virtual machine
  • C. O=outbound kernel, after the virtual machine
  • D. i=inbound kernel, before the virtual machine

Question 13

Question
QUESTION 13 You have configured Automatic Static NAT on an internal host-node object. You clear the box Translate destination on client site from Global Properties > NAT. Assuming all other NAT settings in Global Properties are selected, what else must be configured so that a host on the Internet can initiate an inbound connection to this host?
Answer
  • A. No extra configuration is needed.
  • B. A proxy ARP entry, to ensure packets destined for the public IP address will reach the Security Gateway's external interface
  • C. The NAT IP address must be added to the external Gateway interface anti-spoofing group.
  • D. A static route, to ensure packets destined for the public NAT IP address will reach the Gateway's internal interface.

Question 14

Question
QUESTION 14 You just installed a new Web server in the DMZ that must be reachable from the Internet. You create a manual Static NAT rule as follows: "web_public_IP" is the node object that represents the new Web server's public IP address. "web_private_IP? is the node object that represents the new Web site's private IP address. You enable all settings from Global Properties > NAT. When you try to browse the Web server from the Internet you see the error "page cannot be displayed?. Which of the following is NOT a possible reason?
Image:
14 (binary/octet-stream)
Answer
  • A. There is no Security Policy defined that allows HTTP traffic to the protected Web server.
  • B. There is no ARP table entry for the protected Web server's public IP address.
  • C. There is no route defined on the Security Gateway for the public IP address to the Web server's private IP address.
  • D. There is no NAT rule translating the source IP address of packets coming from the protected Web server.

Question 15

Question
QUESTION 15 You are responsible for the configuration of MegaCorp's Check Point Firewall. You need to allow two NAT rules to match a connection. Is it possible? Give the BEST answer.
Answer
  • A. No, it is not possible to have more than one NAT rule matching a connection. When the firewall receives a packet belonging to a connection, it compares it against the first rule in the Rule Base, then the second rule, and so on. When it finds a rule that matches, it stops checking and applies that rule.
  • B. Yes, it is possible to have two NAT rules which match a connection, but only in using Manual NAT (bidirectional NAT).
  • C. Yes, there are always as many active NAT rules as there are connections
  • D. Yes, it is possible to have two NAT rules which match a connection, but only when using Automatic NAT (bidirectional NAT).

Question 16

Question
QUESTION 16 What is the default setting when you use NAT?
Answer
  • A. Destination Translated on Server side
  • B. Destination Translated on Client side
  • C. Source Translated on both sides
  • D. Source Translated on Client side

Question 17

Question
QUESTION 17 Select the TRUE statements about the Rule Base shown? Exhibit: 1) HTTP traffic from webrome to websingapore will be encrypted. 2) HTTP traffic from websingapore to webrome will be encrypted. 3) HTTP traffic from webrome to websingapore will be authenticated. 4) HTTP traffic from websingapore to webrome will be blocked.
Image:
17 (binary/octet-stream)
Answer
  • A. 1, 2, and 3
  • B. 3 only
  • C. 2 and 3
  • D. 3 and 4

Question 18

Question
QUESTION 18 You receive a notification that long-lasting Telnet connections to a mainframe are dropped after an hour of inactivity. Reviewing SmartView Tracker shows the packet is dropped with the error: Unknown established connection How do you resolve this problem without causing other security issues? Choose the BEST answer.
Answer
  • A. Increase the service-based session timeout of the default Telnet service to 24-hours.
  • B. Ask the mainframe users to reconnect every time this error occurs.
  • C. Increase the TCP session timeout under Global Properties > Stateful Inspection.
  • D. Create a new TCP service object on port 23 called Telnet-mainframe. Define a service-based session timeout of 24-hours. Use this new object only in the rule that allows the Telnet connections to the mainframe.

Question 19

Question
QUESTION 19 Which SmartConsole tool would you use to see the last policy pushed in the audit log?
Answer
  • A. SmartView Tracker
  • B. None, SmartConsole applications only communicate with the Security Management Server.
  • C. SmartView Status
  • D. SmartView Server

Question 20

Question
QUESTION 20 SmartView Tracker logs the following Security Administrator activities, EXCEPT:
Answer
  • A. Object creation, deletion, and editing
  • B. Tracking SLA compliance
  • C. Administrator login and logout
  • D. Rule Base changes

Question 21

Question
QUESTION 21 What happens when you select File > Export from the SmartView Tracker menu?
Answer
  • A. Current logs are exported to a new *.log file.
  • B. Exported log entries are not viewable in SmartView Tracker.
  • C. Logs in fw.log are exported to a file that can be opened by Microsoft Excel.
  • D. Exported log entries are deleted from fw.log.

Question 22

Question
QUESTION 22 By default, when you click File > Switch Active File in SmartView Tracker, the Security Management Server:
Answer
  • A. Saves the current log file, names the log file by date and time, and starts a new log file.
  • B. Purges the current log file, and starts a new log file.
  • C. Prompts you to enter a filename, and then saves the log file.
  • D. Purges the current log file, and prompts you for the new log's mode.

Question 23

Question
QUESTION 23 You are working with three other Security Administrators. Which SmartConsole component can be used to monitor changes to rules or object properties made by the other administrators?
Answer
  • A. Eventia Tracker
  • B. SmartView Monitor
  • C. Eventia Monitor
  • D. SmartView Tracker

Question 24

Question
QUESTION 24 Which SmartView Tracker mode allows you to read the SMTP e-mail body sent from the Chief Executive Officer (CEO) of a company?
Answer
  • A. This is not a SmartView Tracker feature.
  • B. Display Capture Action
  • C. Network and Endpoint Tab
  • D. Display Payload View

Question 25

Question
QUESTION 25 You can include External commands in SmartView Tracker by the menu Tools > Custom Commands. The Security Management Server is running under GAiA, and the GUI is on a system running Microsoft Windows. How do you run the command traceroute on an IP address?
Answer
  • A. There is no possibility to expand the three pre-defined options Ping, Whois, and Nslookup.
  • B. Go to the menu Tools > Custom Commands and configure the Windows command tracert.exe to the list.
  • C. Use the program GUIdbedit to add the command traceroute to the Security Management Server properties.
  • D. Go to the menu, Tools > Custom Commands and configure the Linux command traceroute to the list.

Question 26

Question
QUESTION 26 Where is the easiest and BEST place to find information about connections between two machines?
Answer
  • A. All options are valid.
  • B. On a Security Gateway using the command fw log.
  • C. On a Security Management Server, using SmartView Tracker.
  • D. On a Security Gateway Console interface; it gives you detailed access to log files and state table information.

Question 27

Question
QUESTION 27 Which of the following can be found in cpinfo from an enforcement point?
Answer
  • A. Everything NOT contained in the file r2info
  • B. VPN keys for all established connections to all enforcement points
  • C. The complete file objects_5_0.c
  • D. Policy file information specific to this enforcement point

Question 28

Question
QUESTION 28 Which R77 SmartConsole tool would you use to verify the installed Security Policy name on a Security Gateway?
Answer
  • A. SmartView Tracker
  • B. None, SmartConsole applications only communicate with the Security Management Server.
  • C. SmartView Server
  • D. SmartUpdate

Question 29

Question
QUESTION 29 You have detected a possible intruder listed in SmartView Tracker's active pane. What is the fastest method to block this intruder from accessing your network indefinitely?
Answer
  • A. Modify the Rule Base to drop these connections from the network.
  • B. In SmartView Tracker, select Tools > Block Intruder
  • C. In SmartView Monitor, select Tools > Suspicious Activity Rules
  • D. In SmartDashboard, select IPS > Network Security > Denial of Service.

Question 30

Question
QUESTION 30 Where can an administrator specify the notification action to be taken by the firewall in the event that available disk space drops below 15%?
Answer
  • A. SmartView Monitor > Gateway Status > Threshold Settings
  • B. SmartView Tracker > Audit Tab > Gateway Counters
  • C. SmartView Monitor > Gateway Status > System Information > Thresholds
  • D. This can only be monitored by a user-defined script.

Question 31

Question
QUESTION 31 Where can an administrator configure the notification action in the event of a policy install time change?
Answer
  • A. SmartView Monitor > Gateways > Thresholds Settings
  • B. SmartView Monitor > Gateway Status > System Information > Thresholds
  • C. SmartDashboard > Policy Package Manager
  • D. SmartDashboard > Security Gateway Object > Advanced Properties

Question 32

Question
QUESTION 32 Where are custom queries stored in R77 SmartView Tracker?
Answer
  • A. On the SmartView Tracker PC local file system under the user's profile.
  • B. On the Security Management Server tied to the GUI client IP.
  • C. On the Security Management Server tied to the Administrator User Database login name.
  • D. On the SmartView Tracker PC local file system shared by all users of that local PC.

Question 33

Question
QUESTION 33 How do you view a Security Administrator's activities with SmartConsole?
Answer
  • A. Eventia Suite
  • B. SmartView Monitor using the Administrator Activity filter
  • C. SmartView Tracker in the Management tab
  • D. SmartView Tracker in the Network and Endpoint tabs

Question 34

Question
QUESTION 34 Which SmartView Tracker selection would most effectively show who installed a Security Policy blocking all traffic from the corporate network?
Answer
  • A. Management tab
  • B. Custom filter
  • C. Network and Endpoint tab
  • D. Active tab

Question 35

Question
QUESTION 35 You are reviewing the Security Administrator activity for a bank and comparing it to the change log. How do you view Security Administrator activity?
Answer
  • A. SmartView Tracker cannot display Security Administrator activity; instead, view the system logs on the Security Management Server's Operating System.
  • B. SmartView Tracker in Network and Endpoint Mode
  • C. SmartView Tracker in Active Mode
  • D. SmartView Tracker in Management Mode

Question 36

Question
QUESTION 36 Which of the following R77 SmartView Tracker views will display a popup warning about performance implications on the Security Gateway?
Answer
  • A. All Records Query
  • B. Account Query
  • C. Active Tab
  • D. Audit Tab

Question 37

Question
QUESTION 37 While in SmartView Tracker, Brady has noticed some very odd network traffic that he thinks could be an intrusion. He decides to block the traffic for 60 minutes, but cannot remember all the steps. What is the correct order of steps needed to set up the block? 1) Select Active Mode tab in SmartView Tracker. 2) Select Tools > Block Intruder. 3) Select Log Viewing tab in SmartView Tracker. 4) Set Blocking Timeout value to 60 minutes. 5) Highlight connection that should be blocked.
Answer
  • A. 1, 2, 5, 4
  • B. 3, 2, 5, 4
  • C. 1, 5, 2, 4
  • D. 3, 5, 2, 4

Question 38

Question
QUESTION 38 SmartView Tracker R77 consists of three different modes. They are:
Answer
  • A. Log, Active, and Audit
  • B. Log, Active, and Management
  • C. Network and Endpoint, Active, and Management
  • D. Log, Track, and Management

Question 39

Question
QUESTION 39 You are troubleshooting NAT entries in SmartView Tracker. Which column do you check to view the new source IP? Exhibit:
Answer
  • A. XlateDPort
  • B. XlateDst
  • C. XlateSPort
  • D. XlateSrc

Question 40

Question
QUESTION 40 You are using SmartView Tracker to troubleshoot NAT entries. Which column do you check to view the NAT'd source port if you are using Source NAT?
Answer
  • A. XlateDst
  • B. XlateSPort
  • C. XlateDPort
  • D. XlateSrc

Question 41

Question
QUESTION 41 When you change an implicit rule's order from Last to First in Global Properties, how do you make the change take effect?
Answer
  • A. Run fw fetch from the Security Gateway.
  • B. Select Install Database from the Policy menu
  • C. Select Save from the File menu.
  • D. Reinstall the Security Policy

Question 42

Question
QUESTION 42 How does the button Get Address, found on the Host Node Object > General Properties page retrieve the address?
Answer
  • A. Route Table
  • B. SNMP Get
  • C. Address resolution (ARP, RARP)
  • D. Name resolution (hosts file, DNS, cache)

Question 43

Question
QUESTION 43 Anti-Spoofing is typically set up on which object type?
Answer
  • A. Security Gateway
  • B. Host
  • C. Security Management object
  • D. Network

Question 44

Question
QUESTION 44 Spoofing is a method of:
Answer
  • A. Making packets appear as if they come from an authorized IP address.
  • B. Detecting people using false or wrong authentication logins
  • C. Disguising an illegal IP address behind an authorized IP address through Port Address Translation.
  • D. Hiding your firewall from unauthorized users

Question 45

Question
QUESTION 45 How can you activate the SNMP daemon on a Check Point Security Management Server?
Answer
  • A. Using the command line, enter snmp_install.
  • B. From cpconfig, select SNMP extension.
  • C. Any of these options will work.
  • D. In SmartDashboard, right-click a Check Point object and select Activate SNMP.

Question 46

Question
QUESTION 46 Which of the following describes the default behavior of an R77 Security Gateway?
Answer
  • A. Traffic not explicitly permitted is dropped
  • B. Traffic is filtered using controlled port scanning.
  • C. All traffic is expressly permitted via explicit rules
  • D. IP protocol types listed as secure are allowed by default, i.e. ICMP, TCP, UDP sessions are inspected

Question 47

Question
QUESTION 47 When you use the Global Properties' default settings on R77, which type of traffic will be dropped if NO explicit rule allows the traffic?
Answer
  • A. SmartUpdate connections
  • B. Outgoing traffic originating from the Security Gateway
  • C. Firewall logging and ICA key-exchange information
  • D. RIP traffic

Question 48

Question
QUESTION 48 You have installed a R77 Security Gateway on GAiA. To manage the Gateway from the enterprise Security Management Server, you create a new Gateway object and Security Policy. When you install the new Policy from the Policy menu, the Gateway object does not appear in the Install Policy window as a target. What is the problem?
Answer
  • A. The object was created with Node > Gateway.
  • B. No Masters file is created for the new Gateway.
  • C. The Gateway object is not specified in the first policy rule column Install On.
  • D. The new Gateway's temporary license has expired.

Question 49

Question
QUESTION 49 What happens if you select Web Server in the dialog box? Exhibit:
Image:
49 (binary/octet-stream)
Answer
  • A. An implied rule will be added allowing HTTP requests to the host.
  • B. Anti-virus settings will be applied to the host.
  • C. Web Intelligence will be applied to the host.
  • D. An implied rule will be added allowing HTTP request from and to the host.

Question 50

Question
QUESTION 50 When configuring the Check Point Gateway network interfaces, you can define the direction as Internal or External. What does the option Interface leads to DMZ mean? Exhibit:
Answer
  • A. Using restricted Gateways, this option automatically turns off the counting of IP Addresses originating from this interface.
  • B. Activating this option automatically turns this interface to External.
  • C. It defines the DMZ Interface since this information is necessary for Content Control
  • D. Select this option to automatically configure Anti-Spoofing to this net.

Question 51

Question
QUESTION 51 A marketing firm's networking team is trying to troubleshoot user complaints regarding access to audiostreaming material from the Internet. The networking team asks you to check the object and rule configuration settings for the perimeter Security Gateway. Which SmartConsole application should you use to check these objects and rules?
Answer
  • A. SmartView Tracker
  • B. SmartView Monitor
  • C. SmartView Status
  • D. SmartDashboard

Question 52

Question
QUESTION 52 Which statement below describes the most correct strategy for implementing a Rule Base?
Answer
  • A. Limit grouping to rules regarding specific access.
  • B. Place the most frequently used rules at the top of the Policy and the ones that are not frequently used further down.
  • C. Place a network-traffic rule above the administrator access rule.
  • D. Add the Stealth Rule before the last rule.

Question 53

Question
QUESTION 53 Which of the following is a viable consideration when determining Rule Base order?
Answer
  • A. Grouping rules by date of creation
  • B. Grouping reject and drop rules after the Cleanup Rule
  • C. Grouping authentication rules with address-translation rules
  • D. Grouping functionally related rules together

Question 54

Question
QUESTION 54 Which of the following is a viable consideration when determining Rule Base order?
Answer
  • A. Placing frequently accessed rules before less frequently accessed rules
  • B. Grouping IPS rules with dynamic drop rules
  • C. Adding SAM rules at the top of the Rule Base
  • D. Grouping rules by date of creation

Question 55

Question
QUESTION 55 Which of the following is a viable consideration when determining Rule Base order?
Answer
  • A. Grouping IPS rules with dynamic drop rules
  • B. Placing more restrictive rules before more permissive rules
  • C. Grouping authentication rules with QOS rules
  • D. Grouping reject and drop rules after the Cleanup Rule

Question 56

Question
QUESTION 56 You would use the Hide Rule feature to:
Answer
  • A. View only a few rules without the distraction of others.
  • B. Hide rules from read-only administrators.
  • C. Hide rules from a SYN/ACK attack.
  • D. Make rules invisible to incoming packets.

Question 57

Question
QUESTION 57 You are a Security Administrator using one Security Management Server managing three different firewalls. One firewall does NOT show up in the dialog box when attempting to install a Security Policy. Which of the following is a possible cause?
Answer
  • A. The firewall has failed to sync with the Security Management Server for 60 minutes.
  • B. The firewall object has been created but SIC has not yet been established.
  • C. The firewall is not listed in the Policy Installation Targets screen for this policy package.
  • D. The license for this specific firewall has expired.

Question 58

Question
QUESTION 58 Your shipping company uses a custom application to update the shipping distribution database. The custom application includes a service used only to notify remote sites that the distribution database is malfunctioning. The perimeter Security Gateway's Rule Base includes a rule to accept this traffic. Since you are responsible for multiple sites, you want notification by a text message to your cellular phone, whenever traffic is accepted on this rule. Which of the following would work BEST for your purpose?
Answer
  • A. Logging implied rules
  • B. User-defined alert script
  • C. SNMP trap
  • D. SmartView Monitor Threshold

Question 59

Question
QUESTION 59 In a distributed management environment, the administrator has removed all default check boxes from the Policy > Global Properties > Firewall tab. In order for the Security Gateway to send logs to the Security Management Server, an explicit rule must be created to allow the Security Gateway to communicate to the Security Management Server on port ______.
Answer
  • A. 259
  • B. 900
  • C. 256
  • D. 257

Question 60

Question
QUESTION 60 A Security Policy has several database versions. What configuration remains the same no matter which version is used?
Answer
  • A. Objects_5_0.C
  • B. Internal Certificate Authority (ICA) certificate
  • C. Rule Bases_5_0.fws
  • D. fwauth.NDB

Question 61

Question
QUESTION 61 You are working with multiple Security Gateways that enforce an extensive number of rules. To simplify security administration, which one of the following would you choose to do?
Answer
  • A. Eliminate all possible contradictory rules such as the Stealth or Cleanup rules.
  • B. Run separate SmartConsole instances to login and configure each Security Gateway directly.
  • C. Create network objects that restrict all applicable rules to only certain networks.
  • D. Create a separate Security Policy package for each remote Security Gateway.

Question 62

Question
QUESTION 62 Which rules are not applied on a first-match basis?
Answer
  • A. User Authentication
  • B. Client Authentication
  • C. Session Authentication
  • D. Cleanup

Question 63

Question
QUESTION 63 Installing a policy usually has no impact on currently existing connections. Which statement is TRUE?
Answer
  • A. Users being authenticated by Client Authentication have to re-authenticate.
  • B. All connections are reset, so a policy install is recommended during announced downtime only
  • C. All FTP downloads are reset; users have to start their downloads again.
  • D. Site-to-Site VPNs need to re-authenticate, so Phase 1 is passed again after installing the Security Policy

Question 64

Question
QUESTION 64 Several Security Policies can be used for different installation targets. The firewall protecting Human Resources' servers should have a unique Policy Package. These rules may only be installed on this machine and not accidentally on the Internet firewall. How can this be configured?
Answer
  • A. When selecting the correct firewall in each line of the row Install On of the Rule Base, only this firewall is shown in the list of possible installation targets after selecting Policy > Install.
  • B. A Rule Base can always be installed on any Check Point firewall object. It is necessary to select the appropriate target directly after selecting Policy > Install.
  • C. In the SmartDashboard policy, select the correct firewall to be the Specific Target of the rule.
  • D. A Rule Base is always installed on all possible targets. The rules to be installed on a firewall are defined by the selection in the row Install On of the Rule Base.

Question 65

Question
QUESTION 65 A _______ rule is used to prevent all traffic going to the R77 Security Gateway
Answer
  • A. IPS
  • B. Cleanup
  • C. Reject
  • D. Stealth

Question 66

Question
QUESTION 66 In a distributed management environment, the administrator has removed the default check from Accept Control Connections under the Policy > Global Properties > FireWall tab. In order for the Security Management Server to install a policy to the Firewall, an explicit rule must be created to allow the server to communicate to the Security Gateway on port ______.
Answer
  • A. 259
  • B. 900
  • C. 256
  • D. 80

Question 67

Question
QUESTION 67 To check the Rule Base, some rules can be hidden so they do not distract the administrator from the unhidden rules. Assume that only rules accepting HTTP or SSH will be shown. How do you accomplish this?
Answer
  • A. Ask your reseller to get a ticket for Check Point SmartUse and deliver him the Security Management Server cpinfo file.
  • B. In SmartDashboard, right-click in the column field Service > Query Column. Then, put the services HTTP and SSH in the list. Do the same in the field Action and select Accept here.
  • C. In SmartDashboard menu, select Search > Rule Base Queries. In the window that opens, create a new Query, give it a name (e.g. "HTTP_SSH?) and define a clause regarding the two services HTTP and SSH. When having applied this, define a second clause for the action Accept and combine them with the Boolean operator AND.
  • D. This cannot be configured since two selections (Service, Action) are not possible.

Question 68

Question
QUESTION 68 What CANNOT be configured for existing connections during a policy install?
Answer
  • A. Keep all connections
  • B. Keep data connections
  • C. Re-match connections
  • D. Reset all connections

Question 69

Question
QUESTION 69 What is the purpose of a Stealth Rule?
Answer
  • A. To prevent users from connecting directly to the gateway.
  • B. To permit management traffic.
  • C. To drop all traffic to the management server that is not explicitly permitted.
  • D. To permit implied rules.

Question 70

Question
QUESTION 70 You review this Security Policy because Rule 4 is inhibited. Which Rule is responsible? Exhibit:
Image:
70 (binary/octet-stream)
Answer
  • A. No rule inhibits Rule 4.
  • B. Rule 1
  • C. Rule 2
  • D. Rule 3

Question 71

Question
QUESTION 71 MegaCorp's security infrastructure separates Security Gateways geographically. You must request a central license for one remote Security Gateway. How do you apply the license?
Answer
  • A. Using the remote Gateway's IP address, and attaching the license to the remote Gateway via SmartUpdate.
  • B. Using your Security Management Server's IP address, and attaching the license to the remote Gateway via SmartUpdate.
  • C. Using the remote Gateway's IP address, and applying the license locally with the command cplic put.
  • D. Using each of the Gateways' IP addresses, and applying the licenses on the Security Management Server with the command cprlic put.

Question 72

Question
QUESTION 72 Identify the correct step performed by SmartUpdate to upgrade a remote Security Gateway. After selecting Packages > Distribute Only and choosing the target Gateway, the:
Answer
  • A. selected package is copied from the CD-ROM of the SmartUpdate PC directly to the Security Gateway and the installation IS performed.
  • B. selected package is copied from the Package Repository on the Security Management Server to the Security Gateway and the installation IS performed.
  • C. SmartUpdate wizard walks the Administrator through a distributed installation.
  • D. selected package is copied from the Package Repository on the Security Management Server to the Security Gateway but the installation IS NOT performed.

Question 73

Question
QUESTION 73 Identify the correct step performed by SmartUpdate to upgrade a remote Security Gateway. After selecting Packages > Distribute and Install Selected Package and choosing the target Gateway, the:
Answer
  • A. selected package is copied from the Package Repository on the Security Management Server to the Security Gateway and the installation IS performed.
  • B. SmartUpdate wizard walks the Administrator through a distributed installation.
  • C. selected package is copied from the Package Repository on the Security Management Server to the Security Gateway but the installation IS NOT performed.
  • D. selected package is copied from the SmartUpdate PC CD-ROM directly to the Security Gateway and the installation IS performed.

Question 74

Question
QUESTION 74 What physical machine must have access to the User Center public IP address when checking for new packages with SmartUpdate?
Answer
  • A. A Security Gateway retrieving the new upgrade package
  • B. SmartUpdate installed Security Management Server PC
  • C. SmartUpdate GUI PC
  • D. SmartUpdate Repository SQL database Server

Question 75

Question
QUESTION 75 What action CANNOT be run from SmartUpdate R77?
Answer
  • A. Fetch sync status
  • B. Reboot Gateway
  • C. Preinstall verifier
  • D. Get all Gateway Data

Question 76

Question
QUESTION 76 What mechanism does a gateway configured with Identity Awareness and LDAP initially use to communicate with a Windows 2003 or 2008 server?
Answer
  • A. WMI
  • B. CIFS
  • C. RCP
  • D. LDAP

Question 77

Question
QUESTION 77 Which of the following items should be configured for the Security Management Server to authenticate via LDAP?
Answer
  • A. Check Point Password
  • B. Active Directory Server object
  • C. Windows logon password
  • D. WMI object

Question 78

Question
QUESTION 78 Which of the following items should be configured for the Security Management Server to authenticate using LDAP?
Answer
  • A. Login Distinguished Name and password
  • B. Windows logon password
  • C. Check Point Password
  • D. WMI object

Question 79

Question
QUESTION 79 Which of the following items should be configured for the Security Management Server to authenticate using LDAP?
Answer
  • A. Check Point Password
  • B. WMI object
  • C. Domain Admin username
  • D. Windows logon password

Question 80

Question
QUESTION 80 Where does the security administrator activate Identity Awareness within SmartDashboard?
Answer
  • A. Gateway Object > General Properties
  • B. Security Management Server > Identity Awareness
  • C. Policy > Global Properties > Identity Awareness
  • D. LDAP Server Object > General Properties

Question 81

Question
QUESTION 81 How do you configure the Security Policy to provide user access to the Captive Portal through an external (Internet) interface?
Answer
  • A. Change the gateway settings to allow Captive Portal access via an external interface.
  • B. No action is necessary. This access is available by default.
  • C. Change the Identity Awareness settings under Global Properties to allow Captive Portal access on all interfaces.
  • D. Change the Identity Awareness settings under Global Properties to allow Captive Portal access for an external interface.

Question 82

Question
QUESTION 82 To qualify as an Identity Awareness enabled rule, which column MAY include an Access Role?
Answer
  • A. Action
  • B. Source
  • C. User
  • D. Track

Question 83

Question
QUESTION 83 To qualify as an Identity Awareness enabled rule, which column MAY include an Access Role?
Answer
  • A. Source
  • B. Track
  • C. User
  • D. Action

Question 84

Question
QUESTION 84 What command with appropriate switches would you use to test Identity Awareness connectivity?
Answer
  • A. test_ldap
  • B. test_ad_connectivity
  • C. test_ldap_connectivity
  • D. test_ad

Question 85

Question
QUESTION 85 What command syntax would you use to see accounts the gateway suspects are service accounts?
Answer
  • A. pdp check_log
  • B. pdp show service
  • C. adlog check_accounts
  • D. adlog a service_accounts

Question 86

Question
QUESTION 86 What command syntax would you use to turn on PDP logging in a distributed environment?
Answer
  • A. pdp track=1
  • B. pdp tracker on
  • C. pdp logging on
  • D. pdp log=1

Question 87

Question
QUESTION 87 A client has created a new Gateway object that will be managed at a remote location. When the client attempts to install the Security Policy to the new Gateway object, the object does not appear in the Install On check box. What should you look for?
Answer
  • A. Secure Internal Communications (SIC) not configured for the object.
  • B. A Gateway object created using the Check Point > Externally Managed VPN Gateway option from the Network Objects dialog box.
  • C. Anti-spoofing not configured on the interfaces on the Gateway object.
  • D. A Gateway object created using the Check Point > Security Gateway option in the network objects, dialog box, but still needs to configure the interfaces for the Security Gateway object.

Question 88

Question
QUESTION 88 A Security Policy installed by another Security Administrator has blocked all SmartDashboard connections to the stand-alone installation of R77. After running the command fw unloadlocal, you are able to reconnect with SmartDashboard and view all changes. Which of the following change is the most likely cause of the block?
Answer
  • A. The Allow Control Connections setting in Policy > Global Properties has been unchecked.
  • B. A Stealth Rule has been configured for the R77 Gateway.
  • C. The Security Policy installed to the Gateway had no rules in it.
  • D. The Gateway Object representing your Gateway was configured as an Externally Managed VPN Gateway.

Question 89

Question
QUESTION 89 When configuring anti-spoofing on the Security Gateway object interfaces, which of the following is NOT a valid R77 topology configuration?
Answer
  • A. External
  • B. Any
  • C. Specific
  • D. Not Defined

Question 90

Question
QUESTION 90 You are conducting a security audit. While reviewing configuration files and logs, you notice logs accepting POP3 traffic, but you do not see a rule allowing POP3 traffic in the Rule Base. Which of the following is the most likely cause?
Answer
  • A. The POP3 rule is disabled.
  • B. POP3 is accepted in Global Properties.
  • C. The POP3 rule is hidden.
  • D. POP3 is one of 3 services (POP3, IMAP, and SMTP) accepted by the default mail object in R77.

Question 91

Question
QUESTION 91 Which rule is responsible for the installation failure? Exhibit:
Image:
91 (binary/octet-stream)
Answer
  • A. Rule 3
  • B. Rule 4
  • C. Rule 6
  • D. Rule 5

Question 92

Question
QUESTION 92 Reviewing the Rule Base, you see that ________ is responsible for the client authentication failure.
Image:
92 (binary/octet-stream)
Answer
  • A. Rule 4
  • B. Rule 7
  • C. Rule 8
  • D. Rule 5

Question 93

Question
QUESTION 93 Which rule is responsible for the installation failure? Exhibit:
Answer
  • A. Rule 5
  • B. Rule 4
  • C. Rule 3
  • D. Rule 6

Question 94

Question
QUESTION 94 As a Security Administrator, you must refresh the Client Authentication authorization time-out every time a new user connection is authorized. How do you do this? Enable the Refreshable Timeout setting:
Answer
  • A. in the user object's Authentication screen.
  • B. in the Gateway object's Authentication screen.
  • C. in the Limit tab of the Client Authentication Action Properties screen.
  • D. in the Global Properties Authentication screen.

Question 95

Question
QUESTION 95 The technical-support department has a requirement to access an intranet server. When configuring a User Authentication rule to achieve this, which of the following should you remember?
Answer
  • A. You can only use the rule for Telnet, FTP, SMTP, and rlogin services.
  • B. The Security Gateway first checks if there is any rule that does not require authentication for this type of connection before invoking the Authentication Security Server.
  • C. Once a user is first authenticated, the user will not be prompted for authentication again until logging out.
  • D. You can limit the authentication attempts in the User Properties' Authentication tab.

Question 96

Question
QUESTION 96 Choose the BEST sequence for configuring user management in SmartDashboard, using an LDAP server.
Answer
  • A. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object.
  • B. Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties.
  • C. Enable User Directory in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit.
  • D. Configure a server object for the LDAP Account Unit, and create an LDAP resource object.

Question 97

Question
QUESTION 97 You cannot use SmartDashboard's User Directory features to connect to the LDAP server. What should you investigate? 1) Verify you have read-only permissions as administrator for the operating system. 2) Verify there are no restrictions blocking SmartDashboard's User Manager from connecting to the LDAP server. 3) Check that the login Distinguished Name configured has root permission (or at least write permission Administrative access) in the LDAP Server's access control configuration.
Answer
  • A. 1, 2, and 3
  • B. 2 and 3
  • C. 1 and 2
  • D. 1 and 3
Show full summary Hide full summary

Want to create your own Quizzes for free with GoConqr? Learn more.

Similar

ExamTime's Getting Started Guide
PatrickNoonan
Nouns & Definite Articles Notes
Selam H
Plano de Revisão Geral
miminoma
Practice For First Certificate Grammar I
Alice McClean
French diet and health vocab
caitlindavies8
An Inspector Calls: Mr Arthur Birling
Rattan Bhorjee
Contract Law
sherhui94
Writing successful GCSE English essays
Sarah Holmes
2PR101 1.test - 1. část
Nikola Truong
2PR101 1. test - 2. část
Nikola Truong
OP doplnovaci otazky
Helen Phamova
Browse Library