Checkpoint 156-315.77 Check Point Certified Security Expert Exam Practice Test

Demo: 90 questions
Total 754 questions

Check Point Certified Security Expert Questions and Answers

Question 1

When migrating the SmartEvent data base from one server to another, the last step is to save the files on the new server. Which of the following commands should you run to save the SmartEvent data base files on the new server?

Options:

A.

cp

B.

restore

C.

migrate import

D.

eva_db_restore

Question 2

Review the cphaprob state command output from a New Mode High Availability cluster member. Which machine has the highest priority?

Exhibit:

Options:

A.

This output does not indicate which machine has the highest priority.

B.

192.168.1.1, because it is

C.

192.168.1.2, because its state is active

D.

192.168.1.1, because its number is 1

Question 3

John is configuring a new R77 Gateway cluster but he cannot configure the cluster as Third Party IP Clustering because this option is not available in Gateway Cluster Properties. What’s happening?

Exhibit:

Options:

A.

ClusterXL needs to be unselected to permit third party clustering configuration.

B.

Third Party Clustering is not available for R77 Security Gateways.

C.

John has an invalid ClusterXL license.

D.

John is not using third party hardware as IP Clustering is part of Check Point’s IP Appliance.

Question 4

Review the R77 configuration. Is it correct for Management High Availability?

Exhibit:

Options:

A.

No, the Security Management Servers must reside on the same network.

B.

No, the Security Management Servers do not have the same number of NICs.

C.

No, the Security Management Servers must be installed on the same operating system.

D.

No, a R77 Security Management Server cannot run on Red Hat Linux 9.0.

Question 5

When using ClusterXL in Load Sharing, what is the default sharing method based on?

Options:

A.

IPs

B.

IPs, SPIs

C.

IPs, Ports

D.

IPs, Ports, SPIs

Question 6

A connection is said to be Sticky when:

Options:

A.

A copy of each packet in the connection sticks in the connection table until a corresponding reply packet is received from the other side.

B.

A connection is not terminated by either side by FIN or RST packet.

C.

All the connection packets are handled, in either direction, by a single cluster member.

D.

The connection information sticks in the connection table even after the connection has ended.

Question 7

Which of the following is NOT a feature of ClusterXL?

Options:

A.

Transparent upgrades

B.

Zero downtime for mission-critical environments with State Synchronization

C.

Enhanced throughput in all ClusterXL modes (2 gateway cluster compared with 1 gateway)

D.

Transparent failover in case of device failures

Question 8

The _____ contains the Events Data Base.

Options:

A.

SmartEvent Server

B.

SmartEvent DataServer

C.

SmartEvent Client

D.

SmartEvent Correlation Unit

Question 9

What is a requirement for setting up R77 Management High Availability?

Options:

A.

All Security Management Servers must reside in the same LAN.

B.

State synchronization must be enabled on the secondary Security Management Server.

C.

All Security Management Servers must have the same operating system.

D.

All Security Management Servers must have the same number of NICs.

Question 10

When migrating the SmartEvent data base from one server to another, the first step is to back up the files on the original server. Which of the following commands should you run to back up the SmartEvent data base?

Options:

A.

migrate export

B.

eva_db_backup

C.

snapshot

D.

backup

Question 11

Which is NOT a valid option when upgrading Cluster Deployments?

Options:

A.

Fast path Upgrade

B.

Minimal Effort Upgrade

C.

Full Connectivity Upgrade

D.

Zero Downtime

Question 12

What tool exports the Management Configuration into a single file?

Options:

A.

CPConfig_Export

B.

Backup

C.

Upgrade_Export

D.

migrate export

Question 13

MegaCorps' disaster recovery plan is past due for an update to the backup and restore section to enjoy the benefits of the new distributed R77 installation. You must propose a plan that meets the following required and desired objectives:

Required: Security Policy repository must be backed up no less frequently than every 24 hours.

Desired: Back up R77 components enforcing the Security Policies at least once a week.

Desired: Back up R77 logs at least once a week.

You develop a disaster recovery plan proposing the following:

The corporate IT change review committee decides your plan:

Options:

A.

meets the required objective and only one desired objective.

B.

meets the required objective and both desired objectives.

C.

meets the required objective but does not meet either desired objective.

D.

does not meet the required objective.

Question 14

An administrator has installed the latest HFA on the system for fixing traffic problems after creating a backup file. A large number of routes were added or modified, causing network problems. The Check Point configuration has not been changed. What would be the most efficient way to revert to a working configuration?

Options:

A.

A back up cannot be restored, because the binary files are missing.

B.

The restore is not possible because the backup file does not have the same build number (version).

C.

Select Snapshot Management from the SecurePlatform boot menu.

D.

Use the command restore and select the appropriate backup file.

Question 15

John is upgrading a cluster from NGX R65 to R77. John knows that you can verify the upgrade process using the pre-upgrade verifier tool. When John is running Pre-Upgrade Verification, he sees the warning message:

Title: Incompatible pattern.

What is happening?

Options:

A.

The actual configuration contains user defined patterns in IPS that are not supported in R77. If the patterns are not fixed after upgrade, they will not be used with R77 Security Gateways.

B.

R77 uses a new pattern matching engine. Incompatible patterns should be deleted before upgrade process to complete it successfully.

C.

Pre-Upgrade Verification tool only shows that message but it is only informational.

D.

Pre-Upgrade Verification process detected a problem with actual configuration and upgrade will be aborted.

Question 16

The file snapshot generates is very large, and can only be restored to:

Options:

A.

The device that created it, after it has been upgraded.

B.

A device having exactly the same Operating System and hardware as the device that created the file.

C.

Individual members of a cluster configuration.

D.

Windows Server class systems.

Question 17

A snapshot delivers a complete backup of GAiA. How do you restore a local snapshot named MySnapshot.tgz?

Options:

A.

Reboot the system and call the start menu. Select option Snapshot Management, provide the Expert password and select [L] for a restore from a local file. Then, provide the correct file name.

B.

As Expert user, type command snapshot - R to restore from a local file. Then, provide the correct file name.

C.

As Expert user, type command revert --file MySnapshot.tgz.

D.

As Expert user, type command snapshot -r MySnapshot.tgz.

Question 18

Fill in the blank with a numeric value. The default port number for Secure Sockets Layer (SSL) connections with the LDAP Server is

Options:

Question 19

A Full Connectivity Upgrade of a cluster:

Options:

A.

Treats each individual cluster member as an individual gateway.

B.

Requires breaking the cluster and upgrading members independently.

C.

Is only supported in minor version upgrades (R70 to R71, R71 to R77).

D.

Upgrades all cluster members except one at the same time.

Question 20

You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use four machines with the following configurations:

Cluster Member 1: OS - GAiA; NICs - QuadCard; Memory - 1 GB; Security Gateway only, version: R77

Cluster Member 2: OS - GAiA; NICs - 4 Intel 3Com; Memory - 1 GB; Security Gateway only, version: R77

Cluster Member 3: OS - GAiA; NICs - 4 other manufacturers; Memory: 512 MB; Security Gateway only, version: R77

Security Management Server: MS Windows 2008; NIC - Intel NIC (1); Security Gateway and primary Security Management Server installed, version: R77

Are these machines correctly configured for a ClusterXL deployment?

Options:

A.

No, Cluster Member 3 does not have the required memory.

B.

No, the Security Gateway cannot be installed on the Security Management Pro Server.

C.

No, the Security Management Server is not running the same operating system as the cluster members.

D.

Yes, these machines are configured correctly for a ClusterXL deployment.

Question 21

If using AD Query for seamless identity data reception from Microsoft Active Directory (AD), which of the following methods is NOT Check Point recommended?

Options:

A.

Identity-based enforcement for non-AD users (non-Windows and guest users)

B.

Basic identity enforcement in the internal network

C.

Leveraging identity in Internet application control

D.

Identity-based auditing and logging

Question 22

MultiCorp has bought company OmniCorp and now has two active AD domains. How would you deploy Identity Awareness in this environment?

Options:

A.

You must run an ADquery for every domain.

B.

Identity Awareness can only manage one AD domain.

C.

Only one ADquery is necessary to ask for all domains.

D.

Only Captive Portal can be used.

Question 23

Which is NOT a method through which Identity Awareness receives its identities?

Options:

A.

AD Query

B.

Group Policy

C.

Identity Agent

D.

Captive Portal

Question 24

Identity Agent is a lightweight endpoint agent that authenticates securely with Single Sign-On (SSO). Which of the following is NOT a recommended use for this method?

Options:

A.

Leveraging machine name or identity

B.

When accuracy in detecting identity is crucial

C.

Identity based enforcement for non-AD users (non-Windows and guest users)

D.

Protecting highly sensitive servers

Question 25

Which two processes are responsible for handling Identity Awareness?

Options:

A.

pdp and lad

B.

pdp and pdp-11

C.

pep and lad

D.

pdp and pep

Question 26

When using Captive Portal to send unidentified users to a Web portal for authentication, which of the following is NOT a recommended use for this method?

Options:

A.

For deployment of Identity Agents

B.

Identity-based enforcement for non-AD users (non-Windows and guest users)

C.

Leveraging identity in Internet application control

D.

Basic identity enforcement in the internal network

Question 27

Which of the following access options would you NOT use when configuring Captive Portal?

Options:

A.

From the Internet

B.

Through all interfaces

C.

Through internal interfaces

D.

Through the Firewall policy

Question 28

In the following cluster configuration; if you reboot sglondon_1 which device will be active when sglondon_1 is back up and running? Why?

Options:

A.

sglondon_1 because it is the first configured object with the lowest IP.

B.

sglondon_2 because sglondon_1 has highest IP.

C.

sglondon_1, because it is up again, sglondon_2 took over during reboot.

D.

sglondon_2 because it has highest priority.

Question 29

For best performance in Event Correlation, you should use:

Options:

A.

IP address ranges

B.

Large groups

C.

Nothing slows down Event Correlation

D.

Many objects

Question 30

Where can a Security Administrator adjust the unit of measurement (bps, Kbps or Bps), for Check Point QoS bandwidth?

Options:

A.

Global Properties

B.

QoS Class objects

C.

Check Point gateway object properties

D.

$CPDIR/conf/qos_props.pf

Question 31

There are times when you want to use Link Selection to manage high-traffic VPN connections. With Link Selection you can:

Options:

A.

Assign links to use Dynamic DNS.

B.

Use Load Sharing to distribute VPN traffic.

C.

Use links based on Day/Time.

D.

Use links based on authentication method.

Question 32

Which of the following is TRUE concerning numbered VPN Tunnel Interfaces (VTIs)?

Options:

A.

VTIs are assigned only local addresses, not remote addresses

B.

VTIs cannot share IP addresses

C.

VTIs are only supported on IPSO

D.

VTIs cannot use an already existing physical-interface IP address

Question 33

Remote clients are using IPSec VPN to authenticate via LDAP server to connect to the organization. Which gateway process is responsible for the authentication?

Options:

A.

fwm

B.

fwd

C.

vpnd

D.

cvpnd

Question 34

Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?

Options:

A.

VTIs must be assigned a proxy interface.

B.

VTIs are only supported on SecurePlatform.

C.

VTIs can only be physical, not loopback.

D.

Local IP addresses are not configured, remote IP addresses are configured.

Question 35

At what router prompt would you save your OSPF configuration?

Options:

A.

localhost.localdomain(config-router-ospf)#

B.

localhost.localdomain(config-if)#

C.

localhost.localdomain(config)#

D.

localhost.localdomain#

Question 36

Review the following list of actions that Security Gateway R75 can take when it controls packets. The Policy Package has been configured for Simplified Mode VPN. Select the response below that includes the available actions:

Options:

A.

Accept, Reject, Encrypt, Drop

B.

Accept, Hold, Reject, Proxy

C.

Accept, Drop, Reject, Client Auth

D.

Accept, Drop, Encrypt, Session Auth

Question 37

Which statement defines Public Key Infrastructure? Security is provided:

Options:

A.

by authentication.

B.

via both private and public keys, without the use of digital Certificates.

C.

by Certificate Authorities, digital certificates, and public key encryption.

D.

by Certificate Authorities, digital certificates, and two-way symmetric-key encryption.

Question 38

Which command will erase all CRL’s?

Options:

A.

vpn crladmin

B.

cpstop/cpstart

C.

vpn crl_zap

D.

vpn flush

Question 39

A VPN Tunnel Interface (VTI) is defined on GAiA as:

vpn shell interface add numbered 10.10.0.1 10.10.0.2 madrid.cp

What do you know about this VTI?

Options:

A.

10.10.0.1 is the local Gateway’s internal interface, and 10.10.0.2 is the internal interface of the remote Gateway.

B.

The peer Security Gateway’s name is madrid.cp.

C.

The VTI name is madrid.cp.

D.

The local Gateway's object name is madrid.cp.

Question 40

VPN routing can also be configured by editing which file?

Options:

A.

$FWDIR/VPN/route_conf.c

B.

$FWDIR/conf/vpn_route.conf

C.

$FWDIR/bin/vpn_route.conf

D.

$FWDIR/conf/vpn_route.c

Question 41

The following rule contains an FTP resource object in the Service field:

Source: local_net

Destination: Any

Service: FTP-resource object

Action: Accept

How do you define the FTP Resource Properties > Match tab to prevent internal users from receiving corporate files from external FTP servers, while allowing users to send files?

Options:

A.

Enable "Put" and "Get" methods.

B.

Disable the "Put" method globally.

C.

Enable the "Put" method only on the Match tab.

D.

Enable the "Get" method on the Match tab.

E.

Disable "Get" and "Put" methods on the Match tab.

Question 42

Which of the following SSL Network Extender server-side prerequisites are correct? Select all that apply.

Options:

A.

The VPN1-Gateway must be configured to work with Visitor Mode

B.

The specific VPN-1 Security Gateway must be configured as a member of the VPN-1 Remote Access Community.

C.

There are distinctly separate access rules required for Secure Client users vs. SSL Network Extender users.

D.

To use Integrity Clientless Security (ICS), you must install the ICS server or configuration tool.

Question 43

The following configuration is for VPN-1 NGX: Is this configuration correct for Management High Availability (HA)?

Options:

A.

No, the SmartCenter Servers must be installed on the same operating system.

B.

No, a VPN-1 NGX SmartCenter Server cannot run on Red Hat Linux 7.3.

C.

No, the SmartCenter Servers must reside on the same network.

D.

No, A VPN-1 NGX SmartCenter Server can only be in a Management HA configuration, if the operating system is Solaris.

E.

No, the SmartCenter Servers do not have the same number of NICs.

Question 44

How do you block some seldom-used FTP commands, such as CWD, and FIND from passing through the Gateway?

Options:

A.

Add the restricted commands to the aftpd.conf file in the Security Management Server.

B.

Modify the desired profile in the FTP commands under Protection Details in the IPS tab.

C.

Configure the restricted FTP commands in the Security Servers screen of the Global Properties.

D.

Enable FTP Bounce checking / Application Intelligence / Protocol Protections from the IPS tab.

Question 45

In ClusterXL, which of the following are defined by default as a critical device?

Options:

A.

PROT_SRV.EXE

B.

Filter

C.

fw.d

D.

protect.exe

Question 46

Your current VPN-1 NG with Application Intelligence (AI) R55 stand-alone VPN-1 Pro Gateway and SmartCenter Server runs on SecurePlatform.

You plan to implement VPN-1 NGX R65 in a distributed environment, where the new machine will be the SmartCenter Server, and the existing machine will be the VPN-1 Pro Gateway only.

You need to migrate the NG with AI R55 SmartCenter Server configuration, including licensing.

How do you handle licensing for this NGX R65 upgrade?

Options:

A.

Request an NGX R65 SmartCenter Server license, using the new server's IP address. Request a new central NGX R65 VPN-1 Gateway license also licensed to the new SmartCenter Server's IP address.

B.

Leave the current license on the gateway to be upgraded during the software upgrade. Purchase a new license for the VPN-1 NGX R65 SmartCenter Server.

C.

Request an NGX R65 SmartCenter Server license, using the existing gateway machine's IP address. Request a new local license for the NGX R65 VPN-1 Gateway using the new server's IP address.

D.

Request an NGX R65 SmartCenter Server license, using the new server's IP address. Request a new central NGX R65 VPN-1 Gateway license for the existing gateway server's IP address.

Question 47

Where is the ideal place to deploy your SSL VPN?

Options:

A.

Deployed in DMZ

B.

SSL VPN enabled on the gateway

C.

In front of the external interface on the gateway

D.

Anywhere

Question 48

Which Remote Desktop protocols are supported natively in SSL VPN?

Options:

A.

Microsoft RDP only

B.

AT&T VNC and Microsoft RDP

C.

Citrix ICA and Microsoft RDP

D.

AT&T VNC, Citrix ICA and Microsoft RDP

Question 49

The London office just upgraded their DNS servers so their Gateway needs to be updated with the new settings. What would be the BEST way for Henry to change the DNS settings for London's Gateway?

Options:

A.

Edit the Canada Profile

B.

Edit the Gateway's DNS settings from the Edit Gateway, then selecting the DNS tab

C.

DNS settings for that Gateway cannot be changed

D.

Edit the Europe Profile

Question 50

How should Check Point packages be uninstalled?

Options:

A.

In the same order in which the installation wrapper initially installed from.

B.

In the opposite order in which the installation wrapper initially installed them.

C.

In any order, CP suite must be the last package uninstalled

D.

In any order as long as all packages are removed

Question 51

Fill in the blank.

Type the full cphaprob command and syntax that will show full synchronization status.

Options:

Question 52

Fill in the blank.

Type the command and syntax to view critical devices on a cluster member in a ClusterXL environment.

Options:

Question 53

Steve is troubleshooting a connection problem with an internal application. If he knows the source IP address is 192.168.4.125, how could he filter this traffic?

Options:

A.

Run fw monitor -e "accept src-ip=192.168.4.125;"

B.

Run fw monitor -e "accept src=192.168.4.125;"

C.

Run fw monitor -e "accept dst-ip=192.168.4.125;"

D.

Run fw monitor -e "accept ip=192.168.4.125;"

Question 54

Which Check Point tool allows you to open a debug file and see the VPN packet exchange details?

Options:

A.

PacketDebug.exe

B.

VPNDebugger.exe

C.

IkeView.exe

D.

IPSECDebug.exe

Question 55

Fill in the blank.

To view the number of concurrent connections going through core 0 on the firewall, you would use the command and syntax _____ _____ _____ _____ _____ _____ _____.

Options:

Question 56

You run cphaprob -a if. When you review the output, you find the word DOWN. What does DOWN mean?

Options:

A.

The cluster link is down.

B.

The physical interface is administratively set to DOWN.

C.

The physical interface is down.

D.

CCP packets couldn't be sent to or didn't arrive from neighbor member.

Question 57

How would you set the debug buffer size to 1024?

Options:

A.

Run fw ctl kdebug 1024

B.

Run fw ctl set buf 1024

C.

Run fw ctl set int print_cons 1024

D.

Run fw ctl debug -buf 1024

Question 58

Fill in the blank.

Type the command and syntax that you would use to view the virtual cluster interfaces of a ClusterXL environment.

Options:

Question 59

Fill in the blank.

To enter the router shell, use command _____.

Options:

Question 60

Fill in the blank.

To verify the SecureXL status, you would enter command _____.

Options:

Question 61

In Gaia, the operating system can be changed to 32-bit or 64-bit, provided the processor supports 64-bit. What command toggles to 64-bit?

Options:

A.

set bitrate 64

B.

set edition default 64

C.

configure edition 64-bit

D.

set edition default 64-bit

Question 62

What does the command vpn crl_zap do?

Options:

A.

Nothing, it is not a valid command

B.

Erases all CRL’s from the gateway cache

C.

Erases VPN certificates from cache

D.

Erases CRL’s from the management server cache

Question 63

Frank is concerned with performance and wants to configure the affinities settings. His gateway does not have the Performance pack running. What would Frank need to perform in order to configure those settings?

Options:

A.

Edit affinity.conf and change the settings

B.

Run fw affinity and change the settings

C.

Edit $FWDIR/conf/fwaffinity.conf and change the settings

D.

Run sim affinity and change the settings

Question 64

You configure a Check Point QoS Rule Base with two rules: an HTTP rule with a weight of 40, and the Default Rule with a weight of 10. If the only traffic passing through your QoS Module is HTTP traffic, what percent of bandwidth will be allocated to the HTTP traffic?

Options:

A.

80%

B.

50%

C.

40%

D.

100%

Question 65

MicroCorp experienced a security appliance failure. (LEDs of all NICs are off.) The age of the unit required that the RMA-unit be a different model. Will a revert to an existing snapshot bring the new unit up and running?

Options:

A.

There is no dynamic update at reboot.

B.

No. The revert will most probably not match to hard disk.

C.

Yes. Everything is dynamically updated at reboot.

D.

No. At installation the necessary hardware support is selected. The snapshot saves this state.

Question 66

Katie has enabled User Directory and applied the license to Security Management Server, Green. Her supervisor has asked her to configure the Password Strength options of at least one digit, one symbol, 8 characters long and include an uppercase character. How should she accomplish this?

Options:

A.

Open the SmartDashboard, Select Global properties, select Identity Awareness; check the boxes for Password must include an upper character, Password must include a digit, Password must include a symbol and change the password length to 8 characters.

B.

Open the SmartDashboard, Select Global properties, select User Authority; check the boxes for Password must include an upper character, Password must include a digit and Password must include a symbol.

C.

Open the SmartDashboard, Select Global Properties, select User Directory, check the boxes for Password must include an uppercase character, Password must include a digit, and Password must include a symbol.

D.

Open the SmartDashboard, Select Global Properties, select User Directory, check the boxes for Password must include an uppercase character, Password must include a digit, Password must include a symbol and change the password length to 8 characters.

Question 67

Choose the ClusterXL process that is defined by default as a critical device?

Options:

A.

cpp

B.

fwm

C.

assld

D.

fwd

Question 68

A Threat Prevention profile is a set of configurations based on the following. Select the right answer.

Options:

A.

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings.

B.

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings.

C.

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings, HTTPS inspection settings.

D.

Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings, HTTPS inspection settings

Question 69

Fill in the blank.

You can set Acceleration to ON or OFF using command syntax _____.

Options:

Question 70

In GAiA, if one is unsure about a possible command, what command lists all possible commands?

Options:

A.

show all |grep commands

B.

show configuration

C.

show commands

D.

get all commands

Question 71

Paul has just joined the MegaCorp security administration team. Natalie, the administrator, creates a new administrator account for Paul in SmartDashboard and installs the policy. When Paul tries to login it fails. How can Natalie verify whether Paul’s IP address is predefined on the security management server?

Options:

A.

Login to Smart Dashboard, access Properties of the SMS, and verify whether Paul’s IP address is listed.

B.

Type cpconfig on the Management Server and select the option “GUI client List” to see if Paul’s IP address is listed.

C.

Log in to Smart Dashboard, access Global Properties, and select Security Management, to verify whether Paul’s IP address is listed.

D.

Access the WEBUI on the Security Gateway, and verify whether Paul’s IP address is listed as a GUI client.

Question 72

MegaCorp is running Smartcenter R70, some Gateways at R65 and some other Gateways with R60. Management wants to upgrade to the most comprehensive IPv6 support. What should the administrator do first?

Options:

A.

Upgrade Smartcenter to R77 first.

B.

Upgrade R60-Gateways to R65.

C.

Upgrade every unit directly to R77.

D.

Check the ReleaseNotes to verify that every step is supported.

Question 73

MultiCorp is running Smartcenter R71 on an IPSO platform and wants to upgrade to a new Appliance with R77. Which migration tool is recommended?

Options:

A.

Download Migration Tool R77 for IPSO and Splat/Linux from Check Point website.

B.

Use already installed Migration Tool.

C.

Use Migration Tool from CD/ISO

D.

Fetch Migration Tool R71 for IPSO and Migration Tool R77 for Splat/Linux from CheckPoint website

Question 74

Using IPS, how do you notify the Security Administrator that malware is scanning specific ports? By enabling:

Options:

A.

Malware Scan protection

B.

Sweep Scan protection

C.

Host Port Scan

D.

Malicious Code Protector

Question 75

Which of the following is a CLI command for Security Gateway R77?

Options:

A.

fw merge

B.

fw tab -u

C.

fw shutdown

D.

fwm policy_print

Question 76

Which of the following describes the default behavior of an R77 Security Gateway?

Options:

A.

Traffic is filtered using controlled port scanning.

B.

IP protocol types listed as secure are allowed by default, i.e. ICMP, TCP, UDP sessions are inspected.

C.

All traffic is expressly permitted via explicit rules.

D.

Traffic not explicitly permitted is dropped.

Question 77

A Fast Path Upgrade of a cluster:

Options:

A.

Upgrades all cluster members except one at the same time.

B.

Treats each individual cluster member as an individual gateway.

C.

Is not a valid upgrade method in R76.

D.

Is only supported in major releases (R70 to R71, R75 to R76).

Question 78

When you use the Global Properties' default settings on R77, which type of traffic will be dropped if NO explicit rule allows the traffic?

Options:

A.

Firewall logging and ICA key-exchange information

B.

RIP traffic

C.

Outgoing traffic originating from the Security Gateway

D.

SmartUpdate connections

Question 79

Which of the following statements about the Port Scanning feature of IPS is TRUE?

Options:

A.

The default scan detection is when more than 500 open inactive ports are open for a period of 120 seconds.

B.

The Port Scanning feature actively blocks the scanning, and sends an alert to SmartView Monitor.

C.

Port Scanning does not block scanning; it detects port scans with one of three levels of detection sensitivity.

D.

When a port scan is detected, only a log is issued, never an alert.

Question 80

Using the output below, what does the red flag indicate for the MS08-067 Protection?

Options:

A.

It indicates this is for follow up

B.

It indicates this protection is for a new 0-day vulnerability

C.

It indicates this protection's severity level was modified from the default setting by the administrator

D.

It indicates this protection is a critical

Question 81

You are the MegaCorp Security Administrator. This company uses a firewall cluster, consisting of two cluster members. The cluster generally works well but one day you find that the cluster is behaving strangely. You assume that there is a connectivity problem with the cluster synchronization link (cross-over cable). Which of the following commands is the BEST for testing the connectivity of the crossover cable?

Options:

A.

ifconfig -a

B.

arping

C.

telnet

D.

ping

Question 82

Where do you define NAT properties so that NAT is performed either client side or server side? In SmartDashboard under:

Options:

A.

Gateway Setting

B.

NAT Rules

C.

Global Properties > NAT definition

D.

Implied Rules

Question 83

What firewall kernel table stores information about port allocations for Hide NAT connections?

Options:

A.

NAT_dst_any_list

B.

NAT_alloc

C.

NAT_src_any_list

D.

fwx_alloc

Question 84

What is the proper CLISH syntax to configure a default route via 192.168.255.1 in GAiA?

Options:

A.

set static-route default nexthop gateway address 192.168.255.1 priority 1 on

B.

set static-route 192.168.255.0/24 nexthop gateway logical ethl on

C.

set static-route 192.168.255.0/24 nexthop gateway address 192.168.255.1 priority 1 on

D.

set static-route nexthop default gateway logical 192.168.255.1 priority 1 on

Question 85

The “MAC Magic” value must be modified under the following condition:

Options:

A.

There is more than one cluster connected to the same VLAN

B.

A firewall cluster is configured to use Multicast for CCP traffic

C.

There are more than two members in a firewall cluster

D.

A firewall cluster is configured to use Broadcast for CCP traffic

Question 86

Control connections between the Security Management Server and the Gateway are not encrypted by the VPN Community. How are these connections secured?

Options:

A.

They are not secured.

B.

They are not encrypted, but are authenticated by the Gateway

C.

They are encrypted and authenticated using SIC.

D.

They are secured by PPTP

Question 87

What is the proper command for importing users into the R77 User Database?

Options:

A.

fwm importusrs

B.

fwm dbimport

C.

fwm import

D.

fwm importdb

Question 88

While authorization for users managed by SmartDirectory is performed by the gateway, the authentication mostly occurs in _____.

Options:

A.

ldapauth

B.

cpauth

C.

ldapd

D.

cpShared

Question 89

The process that performs the authentication for legacy session authentication is:

Options:

A.

cvpnd

B.

fwm

C.

vpnd

D.

fwssd

Question 90

When using a template to define a user in SmartDirectory, the user’s password should be defined in the _____ object.

Options:

A.

VPN Community

B.

LDAP

C.

Template

D.

User
