Checkpoint 156-315.77 Check Point Certified Security Expert Exam Practice Test

cp

restore

migrate import

eva_db_restore

This output does not indicate which machine has the highest priority.

192.168.1.1, because it is

192.168.1.2, because its state is active

192.168.1.1, because its number is 1

ClusterXL needs to be unselected to permit third party clustering configuration.

Third Party Clustering is not available for R77 Security Gateways.

John has an invalid ClusterXL license.

John is not using third party hardware as IP Clustering is part of Check Point’s IP Appliance.

No, the Security Management Servers must reside on the same network.

No, the Security Management Servers do not have the same number of NICs.

No, the Security Management Servers must be installed on the same operating system.

No, a R77 Security Management Server cannot run on Red Hat Linux 9.0.

IPs

IPs, SPIs

IPs, Ports

IPs, Ports, SPIs

A copy of each packet in the connection sticks in the connection table until a corresponding reply packet is received from the other side.

A connection is not terminated by either side by FIN or RST packet.

All the connection packets are handled, in either direction, by a single cluster member.

The connection information sticks in the connection table even after the connection has ended.

Transparent upgrades

Zero downtime for mission-critical environments with State Synchronization

Enhanced throughput in all ClusterXL modes (2 gateway cluster compared with 1 gateway)

Transparent failover in case of device failures

SmartEvent Server

SmartEvent DataServer

SmartEvent Client

SmartEvent Correlation Unit

All Security Management Servers must reside in the same LAN.

State synchronization must be enabled on the secondary Security Management Server.

All Security Management Servers must have the same operating system.

All Security Management Servers must have the same number of NICs.

migrate export

eva_db_backup

snapshot

backup

Fast path Upgrade

Minimal Effort Upgrade

Full Connectivity Upgrade

Zero Downtime

CPConfig_Export

Backup

Upgrade_Export

migrate export

meets the required objective and only one desired objective.

meets the required objective and both desired objectives.

meets the rquired objective but does not meet either deisred objective.

does not meet the required objective.

A back up cannot be restored, because the binary files are missing.

The restore is not possible because the backup file does not have the same build number (version).

Select Snapshot Management from the SecurePlatform boot menu.

Use the command restore and select the appropriate backup file.

The actual configuration contains user defined patterns in IPS that are not supported in R77. If the patterns are not fixed after upgrade, they will not be used with R77 Security Gateways.

R77 uses a new pattern matching engine. Incompatible patterns should be deleted before upgrade process to complete it successfully.

Pre-Upgrade Verification tool only shows that message but it is only informational.

Pre-Upgrade Verification process detected a problem with actual configuration and upgrade will be aborted.

The device that created it, after it has been upgraded.

A device having exactly the same Operating System and hardware as the device that created the file.

Individual members of a cluster configuration.

Windows Server class systems.

Reboot the system and call the start menu. Select option Snapshot Management, provide the Expert password and select [L] for a restore from a local file. Then, provide the correct file name.

As Expert user, type command snapshot - R to restore from a local file. Then, provide the correct file name.

As Expert user, type command revert --file MySnapshot.tgz.

As Expert user, type command snapshot -r MySnapshot.tgz.

Treats each individual cluster member as an individual gateway.

Requires breaking the cluster and upgrading members independently.

Is only supported in minor version upgrades (R70 to R71, R71 to R77).

Upgrades all cluster members except one at the same time.

No, Cluster Member 3 does not have the required memory.

No, the Security Gateway cannot be installed on the Security Management Pro Server.

No, the Security Management Server is not running the same operating system as the cluster members.

Yes, these machines are configured correctly for a ClusterXL deployment.

Identity-based enforcement for non-AD users (non-Windows and guest users)

Basic identity enforcement in the internal network

Leveraging identity in Internet application control

Identity-based auditing and logging

You must run an ADquery for every domain.

Identity Awareness can only manage one AD domain.

Only one ADquery is necessary to ask for all domains.

Only Captive Portal can be used.

AD Query

Group Policy

Identity Agent

Captive Portal

Leveraging machine name or identity

When accuracy in detecting identity is crucial

Identity based enforcement for non-AD users (non-Windows and guest users)

Protecting highly sensitive servers

pdp and lad

pdp and pdp-11

pep and lad

pdp and pep

For deployment of Identity Agents

Identity-based enforcement for non-AD users (non-Windows and guest users)

Leveraging identity in Internet application control

Basic identity enforcement in the internal network

From the Internet

Through all interfaces

Through internal interfaces

Through the Firewall policy

sglondon_1 because it the first configured object with the lowest IP.

sglondon_2 because sglondon_1 has highest IP.

sglondon_1, because it is up again, sglondon_2 took over during reboot.

sglondon_2 because it has highest priority.

IP address ranges

Large groups

Nothing slows down Event Correlation

Many objects

Global Properties

QoS Class objects

Check Point gateway object properties

$CPDIR/conf/qos_props.pf

Assign links to use Dynamic DNS.

Use Load Sharing to distribute VPN traffic.

Use links based on Day/Time.

Use links based on authentication method.

VTIs are assigned only local addresses, not remote addresses

VTIs cannot share IP addresses

VTIs are only supported on IPSO

VTIs cannot use an already existing physical-interface IP address

fwm

fwd

vpnd

cvpnd

VTIs must be assigned a proxy interface.

VTIs are only supported on SecurePlatform.

VTIs can only be physical, not loopback.

Local IP addresses are not configured, remote IP addresses are configured.

localhost.localdomain(config-router-ospf)#

localhost.localdomain(config-if)#

localhost.localdomain(config)#

localhost.localdomain#

Accept, Reject, Encrypt, Drop

Accept, Hold, Reject, Proxy

Accept, Drop, Reject, Client Auth

Accept, Drop, Encrypt, Session Auth

by authentication.

via both private and public keys, without the use of digital Certificates.

by Certificate Authorities, digital certificates, and public key encryption.

by Certificate Authorities, digital certificates, and two-way symmetric-key encryption.

vpn crladmin

cpstop/cpstart

vpn crl_zap

vpn flush

10.10.0.1 is the local Gateway’s internal interface, and 10.10.0.2 is the internal interface of the remote Gateway.

The peer Security Gateway’s name is madrid.cp.

The VTI name is madrid.cp.

The local Gateway's object name is madrid.cp.

$FWDIR/VPN/route_conf.c

$FWDIR/conf/vpn_route.conf

$FWDIR/bin/vpn_route.conf

$FWDIR/conf/vpn_route.c

Enable "Put" and "Get" methods.

Disable the "Put" method globally.

Enable the "Put" method only on the Match tab.

Enable the "Get" method on the Match tab.

Disable "Get" and "Put" methods on the Match tab.

The VPN1-Gateway must be configured to work with Visitor Mode

The specific VPN-1 Security Gateway must be configured as a member of the VPN-1 Remote Access Community.

There are distinctly separate access rules required for Secure Client users vs. SSL Network Extender users.

To use Integrity Clientless Security (ICS), you must install the ICS server or configuration tool.

No, the SmartCenter Servers must be installed on the same operating system.

No, a VPN-1 NGX SmartCenter Server cannot run on Red Hat Linux 7.3.

No, the SmartCenter Servers must reside on the same network.

No, A VPN-1 NGX SmartCenter Server can only be in a Management HA configuration, if the operating system is Solaris.

No, the SmartCenter Servers do not have the same number of NICs.

Add the restricted commands to the aftpd.conf file in the Security Management Server.

Modify the desired profile in the FTP commands under Protection Details in the IPS tab.

Configure the restricted FTP commands in the Security Servers screen of the Global Properties.

Enable FTP Bounce checking / Application Intelligence / Protocol Protections from the IPS tab.

PROT_SRV.EXE

Filter

fw.d

protect.exe

Request an NGX R65 SmartCenter Server license, using the new server's IP address. Request a new central NGX R65 VPN-1 Gateway license also licensed to the new SmartCenter Server's IP address.

Leave the current license on the gateway to be upgraded during the software upgrade. Purchase a new license for the VPN-1 NGX R65 SmartCenter Server.

Request an NGX R65 SmartCenter Server license, using the existing gateway machine's IP address. Request a new local license for the NGX R65 VPN-1 Gateway using the new server's IP address.

Request an NGX R65 SmartCenter Server license, using the new server's IP address. Request a new central NGX R65 VPN-1 Gateway license for the existing gateway server's IP address.

Deployed in DMZ

SSL VPN enabled on the gateway

In front of the external interface on the gateway

Anywhere

Microsoft RDP only

AT&T VNC and Microsoft RDP

Citrix ICA and Microsoft RDP

AT&T VNC, Citrix ICA and Microsoft RDP

Edit the Canada Profile

Edit the Gateway's DNS settings from the Edit Gateway, then selecting the DNS tab

DNS settings for that Gateway cannot be changed

Edit the Europe Profile

In the same order in which the installation wrapper initially installed from.

In the opposite order in which the installation wrapper initially installed them.

In any order, CP suite must be the last package uninstalled

In any order as long as all packages are removed

Run fw monitor -e "accept src-ip=192.168.4.125;"

Run fw monitor -e "accept src=192.168.4.125;"

Run fw monitor -e "accept dst-ip=192.168.4.125;"

Run fw monitor -e "accept ip=192.168.4.125;"

PacketDebug.exe

VPNDebugger.exe

IkeView.exe

IPSECDebug.exe

The cluster link is down.

The physical interface is administratively set to DOWN.

The physical interface is down.

CCP packets couldn't be sent to or didn't arrive from neighbor member.

Run fw ctl kdebug 1024

Run fw ctl set buf 1024

Run fw ctl set int print_cons 1024

Run fw ctl debug -buf 1024

set bitrate 64

set edition default 64

configure edition 64-bit

set edition default 64-bit

Nothing, it is not a valid command

Erases all CRL’s from the gateway cache

Erases VPN certificates from cache

Erases CRL’s from the management server cache

Edit affinity.conf and change the settings

Run fw affinity and change the settings

Edit $FWDIR/conf/fwaffinity.conf and change the settings

Run sim affinity and change the settings

80%

50%

40%

100%

There is no dynamic update at reboot.

No. The revert will most probably not match to hard disk.

Yes. Everything is dynamically updated at reboot.

No. At installation the necessary hardware support is selected. The snapshot saves this state.

Open the SmartDashboard, Select Global properties, select Identity Awareness; check the boxes for Password must include an upper character, Password must include a digit, Password must include a symbol and change the password length to 8 characters.

Open the SmartDashboard, Select Global properties, select User Authority; check the boxes for Password must include an upper character, Password must include a digit and Password must include a symbol.

Open the SmartDashboard, Select Global Properties, select User Directory, check the boxes for Password must include an uppercase character, Password must include a digit, and Password must include a symbol.

Open the SmartDashboard, Select Global Properties, select User Directory, check the boxes for Password must include an uppercase character, Password must include a digit, Password must include a symbol and change the password length to 8 characters.

cpp

fwm

assld

fwd

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings.

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings.

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings, HTTPS inspection settings.

Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings, HTTPS inspection settings

show all |grep commands

show configuration

show commands

get all commands

Login to Smart Dashboard, access Properties of the SMS, and verify whether Paul’s IP address is listed.

Type cpconfig on the Management Server and select the option “GUI client List” to see if Paul’s IP address is listed.

Login in to Smart Dashboard, access Global Properties, and select Security Management, to verify whether Paul’s IP address is listed.

Access the WEBUI on the Security Gateway, and verify whether Paul’s IP address is listed as a GUI client.

Upgrade Smartcenter to R77 first.

Upgrade R60-Gateways to R65.

Upgrade every unit directly to R77.

Check the ReleaseNotes to verify that every step is supported.

Download Migration Tool R77 for IPSO and Splat/Linux from Check Point website.

Use already installed Migration Tool.

Use Migration Tool from CD/ISO

Fetch Migration Tool R71 for IPSO and Migration Tool R77 for Splat/Linux from CheckPoint website

Malware Scan protection

Sweep Scan protection

Host Port Scan

Malicious Code Protector

fw merge

fw tab -u

fw shutdown

fwm policy_print

Traffic is filtered using controlled port scanning.

IP protocol types listed as secure are allowed by default, i.e. ICMP, TCP, UDP sessions are inspected.

All traffic is expressly permitted via explicit rules.

Traffic not explicitly permitted is dropped.

Upgrades all cluster members except one at the same time.

Treats each individual cluster member as an individual gateway.

Is not a valid upgrade method in R76.

Is only supported in major releases (R70 to R71, R75 to R76).

Firewall logging and ICA key-exchange information

RIP traffic

Outgoing traffic originating from the Security Gateway

SmartUpdate connections

The default scan detection is when more than 500 open inactive ports are open for a period of 120 seconds.

The Port Scanning feature actively blocks the scanning, and sends an alert to SmartView Monitor.

Port Scanning does not block scanning; it detects port scans with one of three levels of detection sensitivity.

When a port scan is detected, only a log is issued, never an alert.

It indicates this is for follow up

It indicates this protection is for a new 0-day vulnerability

It indicates this protection's severity level was modified from the default setting by the administrator

It indicates this protection is a critical

ifconfig -a

arping

telnet

ping

Gateway Setting

NAT Rules

Global Properties > NAT definition

Implied Rules

NAT_dst_any_list

NAT_alloc

NAT_src_any_list

fwx_alloc

set static-route default nexthop gateway address 192.168.255.1 priority 1 on

set static-route 192.168.255.0/24 nexthop gateway logical ethl on

set static-route 192.168.255.0/24 nexthop gateway address 192.168.255.1 priority 1 on

set static-route nexthop default gateway logical 192.168.255.1 priority 1 on

There is more than one cluster connected to the same VLAN

A firewall cluster is configured to use Multicast for CCP traffic

There are more than two members in a firewall cluster

A firewall cluster is configured to use Broadcast for CCP traffic

They are not secured.

They are not encrypted, but are authenticated by the Gateway

They are encrypted and authenticated using SIC.

They are secured by PPTP

fwm importusrs

fwm dbimport

fwm import

fwm importdb

ldapauth

cpauth

ldapd

cpShared

cvpnd

fwm

vpnd

fwssd

VPN Community

LDAP

Template

User