Exam Code:

Transcription

1 Exam Code: Number: Passing Score: 800 Time Limit: 120 min File Version: Exam Code: Exam Name: Check Point Certified Security Administrator GAiA

2 Selftestengine QUESTION 1 Which of the following are available SmartConsole clients which can be installed from the R76 Windows CD? Read all answers and select the most complete and valid list. A. SmartView Tracker, CPINFO, SmartUpdate B. SmartView Tracker, SmartDashboard, SmartLSM, SmartView Monitor C. SmartView Tracker, SmartDashboard, CPINFO, SmartUpdate, SmartView Status D. Security Policy Editor, Log Viewer, Real Time Monitor GUI /Reference: QUESTION 2 When launching SmartDashboard, what information is required to log into R76? A. User Name, Management Server IP, certificate fingerprint file B. User Name, Password, Management Server IP C. Password, Management Server IP D. Password, Management Server IP, LDAP Server IP /Reference: QUESTION 3 Which of the following is a hash algorithm? A. DES B. IDEA C. MD5 D. 3DES /Reference: QUESTION 4 Which component functions as the Internal Certificate Authority for R76? A. Security Gateway B. Management Server C. Policy Server D. SmartLSM

3 /Reference: QUESTION 5 Which SmartConsole component can Administrators use to track changes to the Rule Base? A. SmartView Monitor B. SmartReporter C. WebUI D. SmartView Tracker /Reference: QUESTION 6 UDP packets are delivered if they are. A. referenced in the SAM related dynamic tables B. a valid response to an allowed request on the inverse UDP ports and IP C. a stateful ACK to a valid SYN-SYN/ACK on the inverse UDP ports and IP D. bypassing the kernel by the forwarding layer of ClusterXL /Reference: QUESTION 7 The INSPECT engine inserts itself into the kernel between which two OSI model layers? A. Physical and Data B. Session and Transport C. Data link and Network D. Presentation and Application /Reference: QUESTION 8 The customer has a small Check Point installation which includes one Windows 2008 server as SmartConsole and Security Management Server with a second server running SecurePlatform as Security

4 Gateway. This is an example of a(n): A. Stand-Alone Installation. B. Distributed Installation. C. Hybrid Installation. D. Unsupported configuration. /Reference: QUESTION 9 Tom has been tasked to install Check Point R76 in a distributed deployment. Before Tom installs the systems this way, how many machines will he need if he does not include a SmartConsole machine in his calculations? A. Three machines B. One machine C. One machine, but it needs to be installed using SecurePlatform for compatibility purposes D. Two machines /Reference: QUESTION 10 During which step in the installation process is it necessary to note the fingerprint for first-time verification? A. When configuring the Security Gateway object in SmartDashboard B. When configuring the Security Management Server using cpconfig C. When establishing SIC between the Security Management Server and the Gateway D. When configuring the Gateway in the WebUI /Reference: QUESTION 11 When Jon first installed his new security system, he forgot to configure DNS servers on his Security Gateway. How could Jon configure DNS servers now that his Security Gateway is in production? A. Login to the SmartDashboard, edit the firewall Gateway object, select the tab Interfaces > Domain Name Servers. B. Login to the firewall using SSH and run cpconfig, then select Domain Name Servers. C. Login to the firewall using SSH and run fwm, then select System Configuration > Domain Name Servers. D. Login to the firewall using SSH and run sysconfig, then select Domain Name Servers.

5 /Reference: QUESTION 12 Over the weekend, an Administrator without access to SmartDashboard installed a new R76 Security Gateway using GAiA. You want to confirm communication between the Gateway and the Management Server by installing the Security Policy. What might prevent you from installing the Policy? A. You first need to run the command fw unloadlocal on the new Security Gateway. B. You have not established Secure Internal Communications (SIC) between the Security Gateway and Management Server. You must initialize SIC on both the Security Gateway and the Management Server. C. You first need to initialize SIC in SmartUpdate. D. You have not established Secure Internal Communications (SIC) between the Security Gateway and Management Server. You must initialize SIC on the Security Management Server. /Reference: QUESTION 13 You have configured SNX on the Security Gateway. The client connects to the Security Gateway and the user enters the authentication credentials. What must happen after authentication that allows the client to connect to the Security Gateway's VPN domain? A. Active-X must be allowed on the client. B. The SNX client application must be installed on the client. C. SNX modifies the routing table to forward VPN traffic to the Security Gateway. D. An office mode address must be obtained by the client. /Reference: QUESTION 14 Match the following commands to their correct function.

6 Each command has one function only listed. A. C1>F2; C2>F1; C3>F6; C4>F4 B. C1>F4; C2>F6; C3>F3; C4>F2 C. C1>F2; C2>F4; C3>F1; C4>F5 D. C1>F6; C2>F4; C3>F2; C4>F5 /Reference: QUESTION 15 Which command displays the installed Security Gateway version? A. fw ver B. fw stat C. fw printver D. cpstat -gw /Reference: QUESTION 16 Which command line interface utility allows the administrator to verify the Security Policy name and timestamp currently installed on a firewall module? A. fw stat B. fw ctl pstat C. fw ver D. cpstat fwd /Reference: QUESTION 17 Suppose the Security Gateway hard drive fails and you are forced to rebuild it. You have a snapshot file stored to a TFTP server and backups of your Security Management Server. What is the correct procedure for rebuilding the Gateway quickly? A. Run the command revert to restore the snapshot. Reinstall any necessary Check Point products. Establish SIC and install the Policy. B. Reinstall the base operating system (i.e., SecurePlatform). Configure the Gateway interface so that the Gateway can communicate with the TFTP server. Revert to the stored snapshot image, and install the Security Policy. C. Run the command revert to restore the snapshot, establish SIC, and install the Policy. D. Reinstall the base operating system (i.e., SecurePlatform). Configure the Gateway interface so that the Gateway can communicate with the TFTP server. Reinstall any necessary Check Point products and previously applied hotfixes. Revert to the stored snapshot image, and install the Policy.

7 /Reference: QUESTION 18 What are you required to do before running the command upgrade_export? A. Run a cpstop on the Security Management Server. B. Run a cpstop on the Security Gateway. C. Close all GUI clients. D. Run cpconfig and set yourself up as a GUI client. /Reference: QUESTION 19 A snapshot delivers a complete SecurePlatform backup. The resulting file can be stored on servers or as a local file in /var/cpsnapshot/snapshots. How do you restore a local snapshot named MySnapshot.tgz? A. As expert user, type the command revert --file MySnapshot.tgz. B. As expert user, type the command snapshot -r MySnapshot.tgz. C. As expert user, type the command snapshot - R to restore from a local file. Then, provide the correct file name. D. Reboot the system and call the start menu. Select the option Snapshot Management, provide the Expert password and select [L] for a restore from a local file. Then, provide the correct file name. /Reference: QUESTION 20 What is the primary benefit of using the command upgrade_export over either backup or snapshot? A. The commands backup and snapshot can take a long time to run whereas upgrade_export will take a much shorter amount of time. B. upgrade_export will back up routing tables, hosts files, and manual ARP configurations, where backup and snapshot will not. C. upgrade_export has an option to back up the system and SmartView Tracker logs while backup and snapshot will not. D. upgrade_export is operating system independent and can be used when backup or snapshot is not available. /Reference:

8 QUESTION 21 What is the syntax for uninstalling a package using newpkg? A. -u <pathname of package> B. newpkg CANNOT be used to uninstall a package C. -i <full pathname of package> D. -S <pathname of package> /Reference: QUESTION 22 Your primary Security Gateway runs on SecurePlatform. What is the easiest way to back up your Security Gateway R76 configuration, including routing and network configuration files? A. Using the native SecurePlatform backup utility from command line or in the Web based user interface. B. Copying the directories $FWDIR/conf and $FWDIR/lib to another location. C. Using the command upgrade_export. D. Run the pre_upgrade_verifier and save the.tgz file to the directory /temp. /Reference: QUESTION 23 You are running a R76 Security Gateway on SecurePlatform. In case of a hardware failure, you have a server with the exact same hardware and firewall version installed. What back up method could be used to quickly put the secondary firewall into production? A. manual backup B. snapshot C. upgrade_export D. backup /Reference: QUESTION 24 Before upgrading SecurePlatform, you should create a backup. To save time, many administrators use the command backup. This creates a backup of the Check Point configuration as well as the system configuration. An administrator has installed the latest HFA on the system for fixing traffic problem after creating a backup file. There is a mistake in the very complex static routing configuration. The Check Point configuration has not been changed. Can the administrator use a restore to fix the errors in static routing? A. The restore is done by selecting Snapshot Management from the boot menu of GAiA. B. A backup cannot be restored, because the binary files are missing. C. The restore can be done easily by the command restore and selecting the file netconf.c. D. The restore is not possible because the backup file does not have the same build number (version).

9 /Reference: QUESTION 25 Which operating systems are supported by a Check Point Security Gateway on an open server? Select MOST complete list. A. Check Point GAiA and SecurePlatform, and Microsoft Windows B. Check Point GAiA and SecurePlatform, IPSO, Sun Solaris, Microsoft Windows C. Check Point GAiA, Microsoft Windows, Red Hat Enterprise Linux, Sun Solaris, IPSO D. Sun Solaris, Red Hat Enterprise Linux, Check Point SecurePlatform, IPSO, Microsoft Windows /Reference: QUESTION 26 Your network is experiencing connectivity problems and you want to verify if routing problems are present. You need to disable the firewall process but still allow routing to pass through the Gateway running on an IP Appliance running IPSO. What command do you need to run after stopping the firewall service? A. ipsofwd on admin B. ipsofwd slowpath C. fw fwd routing D. fw load routed /Reference: QUESTION 27 Which utility allows you to configure the DHCP service on SecurePlatform from the command line? A. cpconfig B. ifconfig C. dhcp_cfg D. sysconfig /Reference: QUESTION 28 The third-shift Administrator was updating Security Management Server access settings in Global Properties and testing. He managed to lock himself out of his account. How can you unlock this account?

10 A. Delete the file admin.lock in the Security Management Server directory $FWDIR/tmp/. B. Type fwm lock_admin -u <account name> from the Security Management Server command line. C. Type fwm unlock_admin -u from the Security Gateway command line. D. Type fwm unlock_admin from the Security Management Server command line. /Reference: QUESTION 29 The third-shift Administrator was updating Security Management Server access settings in Global Properties. He managed to lock all administrators out of their accounts. How should you unlock these accounts? A. Reinstall the Security Management Server and restore using upgrade_import. B. Delete the file admin.lock in the Security Management Server directory $FWDIR/tmp/. C. Type fwm lock_admin -ua from the Security Management Server command line. D. Login to SmartDashboard as the special cpconfig_admin user account; right-click on each administrator object and select unlock. /Reference: QUESTION 30 You are the Security Administrator for ABC-Corp. A Check Point Firewall is installed and in use on SecurePlatform. You are concerned that the system might not be retaining your entries for the interfaces and routing configuration. You would like to verify your entries in the corresponding file(s) on SecurePlatform. Where can you view them? Give the BEST answer. A. /etc/conf/route.c B. /etc/sysconfig/network-scripts/ifcfg-ethx C. /etc/sysconfig/netconf.c D. /etc/sysconfig/network /Reference: QUESTION 31 When using SecurePlatform, it might be necessary to temporarily change the MAC address of the interface eth 0 to 00:0C:29:12:34:56. After restarting the network the old MAC address should be active. How do you configure this change? A. Edit the file /etc/sysconfig/netconf.c and put the new MAC address in the field B. As expert user, issue these commands: # IP link set eth0 down # IP link set eth0 addr 00:0C:29:12:34:56 # IP link set eth0 up C. Open the WebUI, select Network > Connections > eth0. Place the new MAC address in the field Physical Address, and press Apply to save the settings.

11 D. As expert user, issue the command: # IP link set eth0 addr 00:0C:29:12:34:56 /Reference: QUESTION 32 Several Security Policies can be used for different installation targets. The Firewall protecting Human Resources' servers should have its own Policy Package. These rules must be installed on this machine and not on the Internet Firewall. How can this be accomplished? A. A Rule Base is always installed on all possible targets. The rules to be installed on a Firewall are defined by the selection in the Rule Base row Install On. B. A Rule Base can always be installed on any Check Point Firewall object. It is necessary to select the appropriate target directly after selecting Policy > Install on Target. C. When selecting the correct Firewall in each line of the Rule Base row Install On, only this Firewall is shown in the list of possible installation targets after selecting Policy > Install on Target. D. In the menu of SmartDashboard, go to Policy > Policy Installation Targets and select the correct firewall via Specific Targets. /Reference: QUESTION 33 Where is the IPSO Boot Manager physically located on an IP Appliance? A. On the platform's BIOS B. In the directory /nvram C. On an external jump drive D. On built-in compact Flash memory /Reference: QUESTION 34 Your R76 primary Security Management Server is installed on GAiA. You plan to schedule the Security Management Server to run fw logswitch automatically every 48 hours. How do you create this schedule? A. Create a time object, and add 48 hours as the interval. Select that time object's Global Properties > Logs and Masters window, to schedule a logswitch. B. Create a time object, and add 48 hours as the interval. Open the primary Security Management Server object's Logs and Masters window, enable Schedule log switch, and select the Time object. C. On a SecurePlatform Security Management Server, this can only be accomplished by configuring the command fw logswitch via the cron utility. D. Create a time object, and add 48 hours as the interval. Open the Security Gateway object's Logs and Masters window, enable Schedule log switch, and select the Time object.

12 /Reference: QUESTION 35 Which of the following methods will provide the most complete backup of an R75 configuration? A. Execute command upgrade_export B. Database Revision Control C. Policy Package Management D. Copying the directories $FWDIR\conf and $CPDIR\conf to another server /Reference: QUESTION 36 Which of the following commands can provide the most complete restoration of a R76 configuration? A. cpinfo -recover B. fwm dbimport -p <export file> C. upgrade_import D. cpconfig /Reference: QUESTION 37 When restoring R76 using the command upgrade_import, which of the following items are NOT restored? A. Licenses B. SIC Certificates C. Global properties D. Route tables /Reference: QUESTION 38 Your organization's disaster recovery plan needs an update to the backup and restore section to reap the new distributed R76 installation benefits. Your plan must meet the following required and desired objectives: Required ObjectivE. The Security Policy repository must be backed up no less frequently than every 24 hours. Desired ObjectivE. The R76 components that enforce the Security Policies should be backed up at least once a week. Desired ObjectivE. Back up R76 logs at least once a week.

13 Your disaster recovery plan is as follows: - Use the cron utility to run the command upgrade_export each night on the Security Management Servers. - Configure the organization's routine back up software to back up the files created by the command upgrade_export. - Configure the GAiA back up utility to back up the Security Gateways every Saturday night. - Use the cron utility to run the command upgrade_export each Saturday night on the log servers. - Configure an automatic, nightly logswitch. - Configure the organization's routine back up software to back up the switched logs every night. Upon evaluation, your plan: A. Meets the required objective and only one desired objective. B. Meets the required objective but does not meet either desired objective. C. Meets the required objective and both desired objectives. D. Does not meet the required objective. /Reference: QUESTION 39 Peter is your new Security Administrator. On his first working day, he is very nervous and enters the wrong password three times. His account is locked. What can be done to unlock Peter's account? Give the BEST answer. A. It is not possible to unlock Peter's account. You have to install the firewall once again or abstain from Peter's help. B. You can unlock Peter's account by using the command fwm unlock_admin -u Peter on the Security Gateway. C. You can unlock Peter's account by using the command fwm lock_admin -u Peter on the Security Management Server. D. You can unlock Peter's account by using the command fwm unlock_admin -u Peter on the Security Management Server /Reference: QUESTION 40 Where can you find the Check Point's SNMP MIB file? A. $CPDIR/lib/snmp/chkpt.mib B. There is no specific MIB file for Check Point products. C. $FWDIR/conf/snmp.mib D. It is obtained only by request from the TAC. /Reference: QUESTION 41

14 You want to generate a cpinfo file via CLI on a system running GAiA. This will take about 40 minutes since the log files are also needed. What action do you need to take regarding timeout? A. Log in as Administrator, set the timeout to one hour with the command idle 60 and start cpinfo. B. Log in as the default user expert and start cpinfo. C. No action is needed because cpshell has a timeout of one hour by default. D. Log in as admin, switch to expert mode, set the timeout to one hour with the command, idle 60, then start cpinfo. /Reference: QUESTION 42 Many companies have defined more than one administrator. To increase security, only one administrator should be able to install a Rule Base on a specific Firewall. How do you configure this? A. Define a permission profile in SmartDashboard with read/write privileges, but restrict it to all other firewalls by placing them in the Policy Targets field. Then, an administrator with this permission profile cannot install a policy on any Firewall not listed here. B. Put the one administrator in an Administrator group and configure this group in the specific Firewall object in Advanced > Permission to Install. C. Right-click on the object representing the specific administrator, and select that Firewall in Policy Targets. D. In the object General Properties representing the specific Firewall, go to the Software Blades product list and select Firewall. Right-click in the menu, select Administrator to Install to define only this administrator. /Reference: QUESTION 43 ALL of the following options are provided by the SecurePlatform sysconfig utility, EXCEPT: A. Export setup B. Time & Date C. DHCP Server configuration D. GUI Clients /Reference: QUESTION 44 Which of the following options is available with the SecurePlatform cpconfig utility? A. Time & Date B. GUI Clients C. DHCP Server configuration D. Export setup

15 /Reference: QUESTION 45 Which command would provide the most comprehensive diagnostic information to Check Point Technical Support? A. cpstat - date.cpstat.txt B. fw cpinfo C. cpinfo -o date.cpinfo.txt D. diag /Reference: QUESTION 46 How do you recover communications between your Security Management Server and Security Gateway if you lock yourself out through a rule or policy mis-configuration? A. fw delete all.all@localhost B. fw unload policy C. fwm unloadlocal D. fw unloadlocal /Reference: QUESTION 47 How can you check whether IP forwarding is enabled on an IP Security Appliance? A. clish -c show routing active enable B. ipsofwd list C. cat /proc/sys/net/ipv4/ip_forward D. echo 1 > /proc/sys/net/ipv4/ip_forward /Reference: QUESTION 48 Which command allows you to view the contents of an R76 table? A. fw tab -s <tablename> B. fw tab -t <tablename>

16 C. fw tab -x <tablename> D. fw tab -a <tablename> /Reference: QUESTION 49 Which of the following tools is used to generate a Security Gateway R76 configuration report? A. infocp B. cpinfo C. infoview D. fw cpinfo /Reference: QUESTION 50 Which of the following is a CLI command for Security Gateway R76? A. fw merge B. fw tab -u C. fw shutdown D. fwm policy_print <policyname> /Reference: QUESTION 51 You are the Security Administrator for MegaCorp. A Check Point firewall is installed and in use on a platform using GAiA. You have trouble configuring the speed and duplex settings of your Ethernet interfaces. Which of the following commands can be used in Expert Mode to configure the speed and duplex settings of an Ethernet interface and will survive a reboot? Give the BEST answer. A. eth_set B. mii_tool C. ifconfig -a D. ethtool /Reference: QUESTION 52 Which command enables IP forwarding on IPSO?

17 A. echo 1 > /proc/sys/net/ipv4/ip_forward B. ipsofwd on admin C. echo 0 > /proc/sys/net/ipv4/ip_forward D. clish -c set routing active enable /Reference: QUESTION 53 When you change an implicit rule's order from Last to First in Global Properties, how do you make the change take effect? A. Run fw fetch from the Security Gateway. B. Select Install Database from the Policy menu. C. Reinstall the Security Policy. D. Select Save from the File menu. /Reference: QUESTION 54 How does the button Get Address, found on the Host Node Object > General Properties page retrieve the address? A. Route Table B. Address resolution (ARP, RARP) C. Name resolution (hosts file, DNS, cache) D. SNMP Get /Reference: QUESTION 55 Anti-Spoofing is typically set up on which object type? A. Network B. Security Management object C. Host D. Security Gateway /Reference:

18 QUESTION 56 Spoofing is a method of: A. Disguising an illegal IP address behind an authorized IP address through Port Address Translation. B. Making packets appear as if they come from an authorized IP address. C. Detecting people using false or wrong authentication logins. D. Hiding your firewall from unauthorized users. /Reference: QUESTION 57 How can you activate the SNMP daemon on a Check Point Security Management Server? A. Using the command line, enter snmp_install. B. Any of these options will work. C. In SmartDashboard, right-click a Check Point object and select Activate SNMP. D. From cpconfig, select SNMP extension. /Reference: QUESTION 58 Which of the following describes the default behavior of an R76 Security Gateway? A. Traffic is filtered using controlled port scanning. B. IP protocol types listed as secure are allowed by default, i.e. ICMP, TCP, UDP sessions are inspected. C. All traffic is expressly permitted via explicit rules. D. Traffic not explicitly permitted is dropped. /Reference: QUESTION 59 When you use the Global Properties' default settings on R76, which type of traffic will be dropped if NO explicit rule allows the traffic? A. Firewall logging and ICA key-exchange information B. RIP traffic C. Outgoing traffic originating from the Security Gateway D. SmartUpdate connections

19 /Reference: QUESTION 60 You have installed a R76 Security Gateway on GAiA. To manage the Gateway from the enterprise Security Management Server, you create a new Gateway object and Security Policy. When you install the new Policy from the Policy menu, the Gateway object does not appear in the Install Policy window as a target. What is the problem? A. The new Gateway's temporary license has expired. B. The object was created with Node > Gateway. C. The Gateway object is not specified in the first policy rule column Install On. D. No Masters file is created for the new Gateway. /Reference: QUESTION 61 Certificates for Security Gateways are created during a simple initialization from. A. The ICA management tool B. SmartUpdate C. sysconfig D. SmartDashboard /Reference: QUESTION 62 Which of the below is the MOST correct process to reset SIC from SmartDashboard? A. Run cpconfig, and click Reset. B. Click the Communication button for the firewall object, then click Reset. Run cpconfig and type a new activation key. C. Click Communication > Reset on the Gateway object, and type a new activation key. D. Run cpconfig, and select Secure Internal Communication > Change One Time Password. /Reference:

20 QUESTION 63 You installed Security Management Server on a computer using GAiA in the MegaCorp home office. You use IP address You also installed the Security Gateway on a second SecurePlatform computer, which you plan to ship to another Administrator at a MegaCorp hub office. What is the correct order for pushing SIC certificates to the Gateway before shipping it? A. 2, 1, 3, 4, 5 B. 2, 3, 4, 5, 1 C. 1, 3, 2, 4, 5 D. 2, 3, 4, 1, 5 /Reference: QUESTION 64 Although SIC was already established and running, Joe reset SIC between the Security Management Server and a remote Gateway. He set a new activation key on the Gateway's side with the command cpconfig and put in the same activation key in the Gateway's object on the Security Management Server. Unfortunately, SIC cannot be established. What is a possible reason for the problem? A. Joe forgot to exit from cpconfig. B. The installed policy blocks the communication. C. The old Gateway object should have been deleted and recreated. D. Joe forgot to reboot the Gateway. /Reference: QUESTION 65 You want to reset SIC between smberlin and sgosaka.

21 In SmartDashboard, you choose sgosaka, Communication, Reset. On sgosaka, you start cpconfig, choose Secure Internal Communication and enter the new SIC Activation Key. The screen reads The SIC was successfully initialized and jumps back to the cpconfig menu. When trying to establish a connection, instead of a working connection, you receive this error message: What is the reason for this behavior? A. The Gateway was not rebooted, which is necessary to change the SIC key. B. The Check Point services on the Gateway were not restarted because you are still in the cpconfig utility. C. You must first initialize the Gateway object in SmartDashboard (i.e., right-click on the object, choose Basic Setup > Initialize). D. The activation key contains letters that are on different keys on localized keyboards. Therefore, the activation can not be typed in a matching fashion. /Reference: QUESTION 66 John is the Security Administrator in his company. He installs a new R76 Security Management Server and a new R76 Gateway. He now wants to establish SIC between them. After entering the activation key, he

22 gets the following message in SmartDashboard - "Trust established" SIC still does not seem to work because the policy won't install and interface fetching does not work. What might be a reason for this? A. It always works when the trust is established B. This must be a human error. C. SIC does not function over the network. D. The Gateway's time is several days or weeks in the future and the SIC certificate is not yet valid. /Reference: QUESTION 67 The SIC certificate is stored in the directory. A. $CPDIR/conf B. $FWDIR/database C. $CPDIR/registry D. $FWDIR/conf /Reference: QUESTION 68 You run cpconfig to reset SIC on the Security Gateway. After the SIC reset operation is complete, the policy that will be installed is the: A. Default filter. B. Last policy that was installed. C. Standard policy. D. Initial policy. /Reference: QUESTION 69 Chris has lost SIC communication with his Security Gateway and he needs to re-establish SIC.

23 What would be the correct order of steps needed to perform this task? A. 3, 1, 4, 2 B. 2, 3, 1, 4 C. 5, 1, 2, 4 D. 5, 1, 4, 2 /Reference: QUESTION 70 The and rules are the two basic rules which should be used by all Security Administrators. A. Cleanup; Stealth B. Administrator Access; Stealth C. Cleanup; Administrator Access D. Network Traffic; Stealth /Reference: QUESTION 71 Which item below in a Security Policy would be enforced first? A. Network Address Translation B. Security Policy First rule C. Administrator-defined Rule Base D. IP spoofing/ip options /Reference: QUESTION 72 When you hide a rule in a Rule Base, how can you then disable the rule? A. Right-click on the hidden rule place-holder bar and uncheck Hide, then right-click and select Disable

24 Rule(s); re-hide the rule. B. Right-click on the hidden rule place-holder bar and select Disable Rule(s). C. Use the search utility in SmartDashboard to view all hidden rules. Select the relevant rule and click Disable Rule(s). D. Hidden rules are already effectively disabled from Security Gateway enforcement. /Reference: QUESTION 73 Which statement is TRUE about implicit rules? A. You create them in SmartDashboard. B. The Gateway enforces implicit rules that enable outgoing packets only. C. Changes to the Security Gateway's default settings do not affect implicit rules. D. They are derived from Global Properties and explicit object properties. /Reference: QUESTION 74 All of the following are Security Gateway control connections defined by default implied rules, EXCEPT: A. Exclusion of specific services for reporting purposes. B. Specific traffic that facilitates functionality, such as logging, management, and key exchange. C. Acceptance of IKE and RDP traffic for communication and encryption purposes. D. Communication with server types, such as RADIUS, CVP, UFP, TACACS, and LDAP. /Reference: QUESTION 75 In a distributed management environment, the administrator has removed all default check boxes from the Policy > Global Properties > Firewall tab. In order for the Security Gateway to send logs to the Security Management Server, an explicit rule must be created to allow the Security Gateway to communicate to the Security Management Server on port. A. 257 B. 256 C. 259 D. 900 /Reference:

25 QUESTION 76 A Security Policy has several database versions. What configuration remains the same no matter which version is used? A. Objects_5_0.C B. fwauth.ndb C. Rule Bases_5_0.fws D. Internal Certificate Authority (ICA) certificate /Reference: QUESTION 77 You are working with multiple Security Gateways that enforce an extensive number of rules. To simplify security administration, which one of the following would you choose to do? A. Create network objects that restrict all applicable rules to only certain networks. B. Run separate SmartConsole instances to login and configure each Security Gateway directly. C. Create a separate Security Policy package for each remote Security Gateway. D. Eliminate all possible contradictory rules such as the Stealth or Cleanup rules. /Reference: QUESTION 78 Installing a policy usually has no impact on currently existing connections. Which statement is TRUE? A. All connections are reset, so a policy install is recommended during announced downtime only. B. Users being authenticated by Client Authentication have to re-authenticate. C. Site-to-Site VPNs need to re-authenticate, so Phase 1 is passed again after installing the Security Policy. D. All FTP downloads are reset; users have to start their downloads again. /Reference: QUESTION 79 Several Security Policies can be used for different installation targets. The firewall protecting Human Resources' servers should have a unique Policy Package. These rules may only be installed on this machine and not accidentally on the Internet firewall. How can this be configured? A. A Rule Base is always installed on all possible targets. The rules to be installed on a firewall are defined by the selection in the row Install On of the Rule Base. B. When selecting the correct firewall in each line of the row Install On of the Rule Base, only this firewall is shown in the list of possible installation targets after selecting Policy > Install. C. In the SmartDashboard policy, select the correct firewall to be the Specific Target of the rule.

26 D. A Rule Base can always be installed on any Check Point firewall object. It is necessary to select the appropriate target directly after selecting Policy > Install. /Reference: QUESTION 80 A rule is used to prevent all traffic going to the R75 Security Gateway. A. Cleanup B. Stealth C. Reject D. IPS /Reference: QUESTION 81 In a distributed management environment, the administrator has removed the default check from Accept Control Connections under the Policy > Global Properties > FireWall tab. In order for the Security Management Server to install a policy to the Firewall, an explicit rule must be created to allow the server to communicate to the Security Gateway on port. A. 259 B. 256 C. 80 D. 900 /Reference: QUESTION 82 To check the Rule Base, some rules can be hidden so they do not distract the administrator from the unhidden rules. Assume that only rules accepting HTTP or SSH will be shown. How do you accomplish this? A. This cannot be configured since two selections (Service, Action) are not possible. B. Ask your reseller to get a ticket for Check Point SmartUse and deliver him the Security Management Server cpinfo file. C. In SmartDashboard menu, select Search > Rule Base Queries. In the window that opens, create a new Query, give it a name (e.g. "HTTP_SSH") and define a clause regarding the two services HTTP and SSH. When having applied this, define a second clause for the action Accept and combine them with the Boolean operator AND. D. In SmartDashboard, right-click in the column field Service > Query Column. Then, put the services HTTP and SSH in the list. Do the same in the field Action and select Accept here.

27 /Reference: QUESTION 83 What is the purpose of a Stealth Rule? A. To permit implied rules. B. To drop all traffic to the management server that is not explicitly permitted. C. To prevent users from connecting directly to the gateway. D. To permit management traffic. /Reference: QUESTION 84 Which of these Security Policy changes optimize Security Gateway performance? A. Use Automatic NAT rules instead of Manual NAT rules whenever possible. B. Using domain objects in rules when possible. C. Using groups within groups in the manual NAT Rule Base. D. Putting the least-used rule at the top of the Rule Base. /Reference: QUESTION 85 Your perimeter Security Gateway's external IP is Your network diagram shows: RequireD. Allow only network and to go out to the Internet, using The local network /24 needs to use to go out to the Internet. Assuming you

28 enable all the settings in the NAT page of Global Properties, how could you achieve these requirements? A. Create a network object /16. Enable Hide NAT on the NAT page. Enter as the hiding IP address. Add an ARP entry for for the MAC address of B. Create network objects for /24 and /24. Enable Hide NAT on both network objects, using as hiding IP address. Add an ARP entry for for the MAC address of C. Create an Address Range object, starting from to Enable Hide NAT on the NAT page of the address range object. Enter Hiding IP address Add an ARP entry for for the MAC address of D. Create two network objects: /24 and /24. Add the two network objects to a group object. Create a manual NAT rule like the following: Original source - group object; Destination - any; Service - any; Translated source ; Destination - original; Service - original. /Reference: QUESTION 86 Because of pre-existing design constraints, you set up manual NAT rules for your HTTP server. However, your FTP server and SMTP server are both using automatic NAT rules. All traffic from your FTP and SMTP servers are passing through the Security Gateway without a problem, but traffic from the Web server is dropped on rule 0 because of anti-spoofing settings. What is causing this? A. Allow bi-directional NAT is not checked in Global Properties. B. Translate destination on client side is not checked in Global Properties under Manual NAT Rules. C. Manual NAT rules are not configured correctly. D. Routing is not configured correctly. /Reference: QUESTION 87 You enable Hide NAT on the network object, behind the Security Gateway's external interface. You browse to from host, successfully. You enable a log on the rule that allows to exit the network. How many log entries do you see for that connection in SmartView Tracker? A. Two, one for outbound, one for inbound B. Only one, inbound C. Only one, outbound D. Two, both outbound, one for the real IP connection and one for the NAT IP connection /Reference: QUESTION 88 Which of the following statements BEST describes Check Point's Hide Network Address Translation method?

29 A. Translates many source IP addresses into one source IP address B. Many-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation C. Translates many destination IP addresses into one destination IP address D. One-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation /Reference: QUESTION 89 Which Check Point address translation method allows an administrator to use fewer ISP- assigned IP addresses than the number of internal hosts requiring Internet connectivity? A. Static Source B. Static Destination C. Dynamic Destination D. Hide /Reference: QUESTION 90 NAT can NOT be configured on which of the following objects? A. Host B. HTTP Logical Server C. Address Range D. Gateway /Reference: QUESTION 91 Which Check Point address translation method is necessary if you want to connect from a host on the Internet via HTTP to a server with a reserved (RFC 1918) IP address on your DMZ? A. Hide Address Translation B. Static Destination Address Translation C. Port Address Translation D. Dynamic Source Address Translation /Reference:

30 QUESTION 92 You want to implement Static Destination NAT in order to provide external, Internet users access to an internal Web Server that has a reserved (RFC 1918) IP address. You have an unused valid IP address on the network between your Security Gateway and ISP router. You control the router that sits between the firewall external interface and the Internet. What is an alternative configuration if proxy ARP cannot be used on your Security Gateway? A. Publish a proxy ARP entry on the ISP router instead of the firewall for the valid IP address. B. Publish a proxy ARP entry on the internal Web server instead of the firewall for the valid IP address. C. Place a static host route on the firewall for the valid IP address to the internal Web server. D. Place a static ARP entry on the ISP router for the valid IP address to the firewall's external address. /Reference: QUESTION 93 After implementing Static Address Translation to allow Internet traffic to an internal Web Server on your DMZ, you notice that any NATed connections to that machine are being dropped by anti-spoofing protections. Which of the following is the MOST LIKELY cause? A. The Global Properties setting Translate destination on client side is checked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Uncheck the Global Properties setting Translate destination on client side. B. The Global Properties setting Translate destination on client side is unchecked. But the topology on the external interface is set to Others +. Change topology to External. C. The Global Properties setting Translate destination on client side is checked. But the topology on the external interface is set to External. Change topology to Others +. D. The Global Properties setting Translate destination on client side is unchecked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Check the Global Properties setting Translate destination on client side. /Reference: QUESTION 94 Which NAT option applicable for Automatic NAT applies to Manual NAT as well? A. Translate destination on client-side B. Enable IP Pool NAT C. Allow bi-directional NAT D. Automatic ARP configuration /Reference: QUESTION 95 You have three servers located in a DMZ, using private IP addresses. You want internal users from

31 x to access the DMZ servers by public IP addresses. Internal_net x is configured for Hide NAT behind the Security Gateway's external interface. What is the best configuration for x users to access the DMZ servers, using the DMZ servers' public IP addresses? A. When connecting to the Internet, configure manual Static NAT rules to translate the DMZ servers. B. When connecting to internal network x, configure Hide NAT for the DMZ network behind the Security Gateway DMZ interface. C. When the source is the internal network x, configure manual static NAT rules to translate the DMZ servers. D. When trying to access DMZ servers, configure Hide NAT for x behind the DMZ's interface. /Reference: QUESTION 96 An internal host initiates a session to and is set for Hide NAT behind the Security Gateway. The initiating traffic is an example of. A. None of these B. source NAT C. destination NAT D. client side NAT /Reference: QUESTION 97 A host on the Internet initiates traffic to the Static NAT IP of your Web server behind the Security Gateway. With the default settings in place for NAT, the initiating packet will translate the. A. source on client side

32 B. source on server side C. destination on client side D. destination on server side /Reference: QUESTION 98 When translation occurs using automatic Hide NAT, what also happens? A. The destination port is modified. B. Nothing happens. C. The destination is modified. D. The source port is modified. /Reference: QUESTION 99 The fw monitor utility is used to troubleshoot which of the following problems? A. Address translation B. Log Consolidation Engine C. User data base corruption D. Phase two key negotiation /Reference: QUESTION 100 In SmartDashboard, Translate destination on client side is checked in Global Properties. When Network Address Translation is used: A. VLAN tagging cannot be defined for any hosts protected by the Gateway. B. The Security Gateway's ARP file must be modified. C. It is not necessary to add a static route to the Gateway's routing table. D. It is necessary to add a static route to the Gateway's routing table. /Reference: QUESTION 101 Secure Internal Communications (SIC) is completely NAT-tolerant because it is based on:

33 A. SIC names. B. MAC addresses. C. IP addresses. D. SIC is not NAT-tolerant. /Reference: QUESTION 102 You are MegaCorp's Security Administrator. There are various network objects which must be NATed. Some of them use the Automatic Hide NAT method, while others use the Automatic Static NAT method. What is the rule order if both methods are used together? Give the best answer. A. The Administrator decides the rule order by shifting the corresponding rules up and down. B. The Hide NAT rules have priority over the Static NAT rules and the NAT on a node has priority over the NAT on a network or an address range. C. The Static NAT rules have priority over the Hide NAT rules and the NAT on a node has priority over the NAT on a network or an address range. D. The rule position depends on the time of their creation. The rules created first are placed at the top; rules created later are placed successively below the others. /Reference: QUESTION 103 Which answers are TRUE? Automatic Static NAT CANNOT be used when: 1) NAT decision is based on the destination port. 2) Both Source and Destination IP's have to be translated. 3) The NAT rule should only be installed on a dedicated Gateway. 4) NAT should be performed on the server side. A. 2 and 3 B. 1, 3, and 4 C. 1 and 2 D. 2 and 4 /Reference: QUESTION 104 In order to have full control, you decide to use Manual NAT entries instead of Automatic NAT rules. Which of the following is NOT true? A. When using Static NAT, you must enter ARP entries for the Gateway on all hosts that are using the NAT Gateway with that Gateway's internal interface IP address. B. When using Static NAT, you must add proxy ARP entries to the Gateway for all hiding addresses. C. If you chose Automatic NAT instead, all necessary entries are done for you.

34 D. When using Dynamic Hide NAT with an address that is not configured on a Gateway interface, you need to add a proxy ARP entry for that address. /Reference: QUESTION 105 After filtering a fw monitor trace by port and IP, a packet is displayed three times; in the i, I, and o inspection points, but not in the O inspection point. Which is the likely source of the issue? A. A SmartDefense module has blocked the packet. B. It is due to NAT. C. An IPSO ACL has blocked the packet's outbound passage. D. The packet has been sent out through a VPN tunnel unencrypted. /Reference: QUESTION 106 Your internal network is configured to be /24. This network is behind your perimeter R76 Gateway, which connects to your ISP provider. How do you configure the Gateway to allow this network to go out to the Internet? A. Do nothing, as long as network has the correct default Gateway. B. Use Hide NAT for network /24 behind the internal interface of your perimeter Gateway. C. Use automatic Static NAT for network /24. D. Use Hide NAT for network /24 behind the external IP address of your perimeter Gateway. /Reference: QUESTION 107 You are a Security Administrator who has installed Security Gateway R76 on your network. You need to allow a specific IP address range for a partner site to access your intranet Web server. To limit the partner's access for HTTP and FTP only, you did the following: 1) Created manual Static NAT rules for the Web server. 2) Cleared the following settings in the Global Properties > Network Address Translation screen: - Allow bi-directional NAT - Translate destination on client side Do the above settings limit the partner's access? A. No. The first setting is not applicable. The second setting will reduce performance. B. Yes. This will ensure that traffic only matches the specific rule configured for this traffic, and that the Gateway translates the traffic after accepting the packet. C. Yes. Both of these settings are only applicable to automatic NAT rules. D. No. The first setting is only applicable to automatic NAT rules. The second setting will force translation by the kernel on the interface nearest to the client.

35 /Reference: QUESTION 108 You enable Automatic Static NAT on an internal host node object with a private IP address of , which is NATed into (You use the default settings in Global Properties / NAT.) When you run fw monitor on the R76 Security Gateway and then start a new HTTP connection from host to browse the Internet, at what point in the monitor output will you observe the HTTP SYN-ACK packet translated from back into ? A. O=outbound kernel, after the virtual machine B. i=inbound kernel, before the virtual machine C. I=inbound kernel, after the virtual machine D. o=outbound kernel, before the virtual machine /Reference: QUESTION 109 You have configured Automatic Static NAT on an internal host-node object. You clear the box Translate destination on client site from Global Properties > NAT. Assuming all other NAT settings in Global Properties are selected, what else must be configured so that a host on the Internet can initiate an inbound connection to this host? A. A proxy ARP entry, to ensure packets destined for the public IP address will reach the Security Gateway's external interface. B. No extra configuration is needed. C. The NAT IP address must be added to the external Gateway interface anti-spoofing group. D. A static route, to ensure packets destined for the public NAT IP address will reach the Gateway's internal interface. /Reference: QUESTION 110 You are responsible for the configuration of MegaCorp's Check Point Firewall. You need to allow two NAT rules to match a connection. Is it possible? Give the BEST answer. A. Yes, it is possible to have two NAT rules which match a connection, but only when using Automatic NAT (bidirectional NAT). B. Yes, it is possible to have two NAT rules which match a connection, but only in using Manual NAT (bidirectional NAT). C. Yes, there are always as many active NAT rules as there are connections. D. No, it is not possible to have more than one NAT rule matching a connection. When the firewall receives a packet belonging to a connection, it compares it against the first rule in the Rule Base, then the second rule, and so on. When it finds a rule that matches, it stops checking and applies that rule.

36 /Reference: QUESTION 111 You have created a Rule Base for firewall, websydney. Now you are going to create a new policy package with security and address translation rules for a second Gateway. What is TRUE about the new package's NAT rules?

37 A. NAT rules will be empty in the new package. B. Rules 4 and 5 will appear in the new package. C. Rules 1, 2, 3 will appear in the new package. D. Only rule 1 will appear in the new package. /Reference: QUESTION 112 A marketing firm's networking team is trying to troubleshoot user complaints regarding access to audiostreaming material from the Internet. The networking team asks you to check the object and rule configuration settings for the perimeter Security Gateway. Which SmartConsole application should you use to check these objects and rules? A. SmartView Tracker B. SmartView Monitor C. SmartDashboard D. SmartView Status /Reference: QUESTION 113 Which statement below describes the most correct strategy for implementing a Rule Base? A. Place a network-traffic rule above the administrator access rule. B. Limit grouping to rules regarding specific access. C. Place the most frequently used rules at the top of the Policy and the ones that are not frequently used further down. D. Add the Stealth Rule before the last rule. /Reference: QUESTION 114 Which of the following is a viable consideration when determining Rule Base order? A. Grouping authentication rules with address-translation rules B. Grouping rules by date of creation C. Grouping reject and drop rules after the Cleanup Rule D. Grouping functionally related rules together /Reference:

38 QUESTION 115 Which of the following is a viable consideration when determining Rule Base order? A. Adding SAM rules at the top of the Rule Base B. Placing frequently accessed rules before less frequently accessed rules C. Grouping rules by date of creation D. Grouping IPS rules with dynamic drop rules /Reference: QUESTION 116 You would use the Hide Rule feature to: A. View only a few rules without the distraction of others. B. Hide rules from read-only administrators. C. Hide rules from a SYN/ACK attack. D. Make rules invisible to incoming packets. /Reference: QUESTION 117 You are a Security Administrator using one Security Management Server managing three different firewalls. One firewall does NOT show up in the dialog box when attempting to install a Security Policy. Which of the following is a possible cause? A. The firewall has failed to sync with the Security Management Server for 60 minutes. B. The firewall object has been created but SIC has not yet been established. C. The firewall is not listed in the Policy Installation Targets screen for this policy package. D. The license for this specific firewall has expired. /Reference: QUESTION 118 A client has created a new Gateway object that will be managed at a remote location. When the client attempts to install the Security Policy to the new Gateway object, the object does not appear in the Install

39 On check box. What should you look for? A. Secure Internal Communications (SIC) not configured for the object. B. A Gateway object created using the Check Point > Security Gateway option in the network objects, dialog box, but still needs to configure the interfaces for the Security Gateway object. C. A Gateway object created using the Check Point > Externally Managed VPN Gateway option from the Network Objects dialog box. D. Anti-spoofing not configured on the interfaces on the Gateway object. /Reference: QUESTION 119 A Security Policy installed by another Security Administrator has blocked all SmartDashboard connections to the stand-alone installation of R76. After running the command fw unloadlocal, you are able to reconnect with SmartDashboard and view all changes. Which of the following change is the most likely cause of the block? A. A Stealth Rule has been configured for the R76 Gateway. B. The Gateway Object representing your Gateway was configured as an Externally Managed VPN Gateway. C. The Security Policy installed to the Gateway had no rules in it. D. The Allow Control Connections setting in Policy > Global Properties has been unchecked. /Reference: QUESTION 120 When configuring anti-spoofing on the Security Gateway object interfaces, which of the following is NOT a valid R76 topology configuration? A. Specific B. External C. Not Defined D. Any /Reference: QUESTION 121 Which rule is responsible for the installation failure? A. Rule 3 B. Rule 5 C. Rule 6 D. Rule 4

40 /Reference: QUESTION 122 Which command allows Security Policy name and install date verification on a Security Gateway? A. fw ver -p B. fw stat -l C. fw show policy D. fw ctl pstat -policy /Reference: QUESTION 123 Which feature or command provides the easiest path for Security Administrators to revert to earlier versions of the same Security Policy and objects configuration? A. upgrade_export/upgrade_import B. dbexport/dbimport C. Database Revision Control D. Policy Package management /Reference: QUESTION 124 How can you configure an application to automatically launch on the Security Management Server when traffic is dropped or accepted by a rule in the Security Policy? A. Custom scripts cannot be executed through alert scripts. B. Pop-up alert script C. SNMP trap alert script D. User-defined alert script /Reference: QUESTION 125 Which of the following is NOT useful to verify whether or not a Security Policy is active on a Gateway? A. fw ctl get string active_secpol B. cpstat fw -f policy C. Check the Security Policy name of the appropriate Gateway in SmartView Monitor.

41 D. fw stat /Reference: QUESTION 126 Of the following, what parameters will not be preserved when using Database Revision Control? A. 3, 4, 5, 6, 9, 12, 13 B. 1, 2, 8, 10, 11 C. 5, 6, 9, 12, 13 D. 2, 4, 7, 10, 11 /Reference: QUESTION 127 You plan to create a backup of the rules, objects, policies, and global properties from an R76 Security Management Server. Which of the following backup and restore solutions can you use? 1) Upgrade_export and upgrade_import utilities 2) Database revision control 3) SecurePlatform backup utilities 4) Policy package management 5) Manual copies of the $CPDIR/conf directory

42 A. 2, 4, and 5 B. 1, 3, and 4 C. 1, 2, and 3 D. 1, 2, 3, 4, and 5 /Reference: QUESTION 128 Which R76 feature or command allows Security Administrators to revert to earlier Security Policy versions without changing object configurations? A. Policy Package management B. Database Revision Control C. upgrade_export/upgrade_import D. fwm dbexport/fwm dbimport /Reference: QUESTION 129 What must a Security Administrator do to comply with a management requirement to log all traffic accepted through the perimeter Security Gateway? A. Install the View Implicit Rules package using SmartUpdate. B. Define two log servers on the R76 Gateway object. Enable Log Implied Rules on the first log server. Enable Log Rule Base on the second log server. Use SmartReporter to merge the two log server records into the same database for HIPPA log audits. C. In Global Properties > Reporting Tools check the box Enable tracking all rules (including rules marked as None in the Track column). Send these logs to a secondary log server for a complete logging history. Use your normal log server for standard logging for troubleshooting. D. Check the Log Implied Rules Globally box on the R76 Gateway object. /Reference: QUESTION 130 You receive a notification that long-lasting Telnet connections to a mainframe are dropped after an hour of inactivity. Reviewing SmartView Tracker shows the packet is dropped with the error: "Unknown established connection" How do you resolve this problem without causing other security issues? Choose the BEST answer. A. Increase the service-based session timeout of the default Telnet service to 24-hours. B. Increase the TCP session timeout under Global Properties > Stateful Inspection. C. Create a new TCP service object on port 23 called Telnet-mainframe. Define a service-based session timeout of 24-hours. Use this new object only in the rule that allows the Telnet connections to the mainframe. D. Ask the mainframe users to reconnect every time this error occurs.

43 /Reference: QUESTION 131 SmartView Tracker logs the following Security Administrator activities, EXCEPT: A. Object creation, deletion, and editing B. Rule Base changes C. Administrator login and logout D. Tracking SLA compliance /Reference: QUESTION 132 What happens when you select File > Export from the SmartView Tracker menu? A. Exported log entries are not viewable in SmartView Tracker. B. Logs in fw.log are exported to a file that can be opened by Microsoft Excel. C. Exported log entries are deleted from fw.log. D. Current logs are exported to a new *.log file. /Reference: QUESTION 133 By default, when you click File > Switch Active File in SmartView Tracker, the Security Management Server: A. Purges the current log file, and prompts you for the new log's mode. B. Purges the current log file, and starts a new log file. C. Saves the current log file, names the log file by date and time, and starts a new log file. D. Prompts you to enter a filename, and then saves the log file. /Reference: QUESTION 134 You are working with three other Security Administrators. Which SmartConsole component can be used to monitor changes to rules or object properties made by the other administrators? A. Eventia Tracker B. SmartView Monitor C. Eventia Monitor

44 D. SmartView Tracker /Reference: QUESTION 135 Which SmartView Tracker mode allows you to read the SMTP body sent from the Chief Executive Officer (CEO) of a company? A. Display Capture Action B. This is not a SmartView Tracker feature. C. Display Payload View D. Network and Endpoint Tab /Reference: QUESTION 136 You can include External commands in SmartView Tracker by the menu Tools > Custom Commands. The Security Management Server is running under SecurePlatform, and the GUI is on a system running Microsoft Windows. How do you run the command traceroute on an IP address? A. There is no possibility to expand the three pre-defined options Ping, Whois, and Nslookup. B. Go to the menu Tools > Custom Commands and configure the Windows command tracert.exe to the list. C. Use the program GUIdbedit to add the command traceroute to the Security Management Server properties. D. Go to the menu, Tools > Custom Commands and configure the Linux command traceroute to the list. /Reference: QUESTION 137 To reduce the information given to you in SmartView Tracker, what can you do to find information about data being sent between pcosaka and pctokyo? A. Apply a source filter by adding both endpoint IP addresses with the equal option set. B. Use a regular expression to filter out relevant logging entries. C. Double-click an entry representing a connection between both endpoints. D. Press CTRL+F in order to open the find dialog, and then search the corresponding IP addresses. /Reference:

45 QUESTION 138 Which of the following can be found in cpinfo from an enforcement point? A. Policy file information specific to this enforcement point B. The complete file objects_5_0.c C. VPN keys for all established connections to all enforcement points D. Everything NOT contained in the file r2info /Reference: QUESTION 139 Which R76 SmartConsole tool would you use to verify the installed Security Policy name on a Security Gateway? A. SmartView Server B. SmartView Tracker C. None, SmartConsole applications only communicate with the Security Management Server. D. SmartUpdate /Reference: QUESTION 140 You have detected a possible intruder listed in SmartView Tracker's active pane. What is the fastest method to block this intruder from accessing your network indefinitely? A. In SmartView Monitor, select Tools > Suspicious Activity Rules. B. Modify the Rule Base to drop these connections from the network. C. In SmartView Tracker, select Tools > Block Intruder. D. In SmartDashboard, select IPS > Network Security > Denial of Service. /Reference: QUESTION 141 Where are custom queries stored in R76 SmartView Tracker? A. On the Security Management Server tied to the GUI client IP. B. On the SmartView Tracker PC local file system shared by all users of that local PC. C. On the Security Management Server tied to the Administrator User Database login name. D. On the SmartView Tracker PC local file system under the user's profile.

46 /Reference: QUESTION 142 How do you view a Security Administrator's activities with SmartConsole? A. SmartView Tracker in the Network and Endpoint tabs B. Eventia Suite C. SmartView Tracker in the Management tab D. SmartView Monitor using the Administrator Activity filter /Reference: QUESTION 143 Which SmartView Tracker selection would most effectively show who installed a Security Policy blocking all traffic from the corporate network? A. Network and Endpoint tab B. Custom filter C. Management tab D. Active tab /Reference: QUESTION 144 You are reviewing the Security Administrator activity for a bank and comparing it to the change log. How do you view Security Administrator activity? A. SmartView Tracker in Network and Endpoint Mode B. SmartView Tracker in Management Mode C. SmartView Tracker cannot display Security Administrator activity; instead, view the system logs on the Security Management Server's Operating System. D. SmartView Tracker in Active Mode /Reference: QUESTION 145 Which of the following R76 SmartView Tracker views will display a popup warning about performance implications on the Security Gateway? A. Audit Tab B. All Records Query C. Active Tab D. Account Query

47 /Reference: QUESTION 146 SmartView Tracker R76 consists of three different modes. They are: A. Log, Track, and Management B. Log, Active, and Management C. Network and Endpoint, Active, and Management D. Log, Active, and Audit /Reference: QUESTION 147 One of your remote Security Gateway's suddenly stops sending logs, and you cannot install the Security Policy on the Gateway. All other remote Security Gateways are logging normally to the Security Management Server, and Policy installation is not affected. When you click the Test SIC status button in the problematic Gateway object, you receive an error message. What is the problem? A. There is no connection between the Security Management Server and the remote Gateway. Rules or routing may block the connection. B. The time on the Security Management Server's clock has changed, which invalidates the remote Gateway's Certificate. C. The Internal Certificate Authority for the Security Management Server object has been removed from objects_5_0.c. D. The remote Gateway's IP address has changed, which invalidates the SIC Certificate. /Reference: QUESTION 148 What information is found in the SmartView Tracker Management log? A. Destination IP address B. SIC revoke certificate event C. Number of concurrent IKE negotiations D. Most accessed Rule Base rule /Reference: QUESTION 149

48 What information is found in the SmartView Tracker Management log? A. Administrator SmartDashboard logout event B. SecurePlatform expert login event C. Creation of an administrator using cpconfig D. FTP username authentication failure /Reference: QUESTION 150 How do you use SmartView Monitor to compile traffic statistics for your company's Internet Web activity during production hours? A. View total packets passed through the Security Gateway. B. Configure a Suspicious Activity Rule which triggers an alert when HTTP traffic passes through the Gateway. C. Use Traffic settings and SmartView Monitor to generate a graph showing the total HTTP traffic for the day. D. Select Tunnels view, and generate a report on the statistics. /Reference: QUESTION 151 What happens when you run the command. fw sam -J src [Source IP Address]? A. Connections to and from the specified target are blocked without the need to change the Security Policy. B. Connections to and from the specified target are blocked with the need to change the Security Policy. C. Connections from the specified source are blocked without the need to change the Security Policy. D. Connections to the specified target are blocked without the need to change the Security Policy. /Reference: QUESTION 152 An internal router is sending UDP keep-alive packets that are being encapsulated with GRE and sent through your R76 Security Gateway to a partner site. A rule for GRE traffic is configured for ACCEPT/LOG. Although the keep-alive packets are being sent every minute, a search through the SmartView Tracker logs for GRE traffic only shows one entry for the whole day (early in the morning after a Policy install). Your partner site indicates they are successfully receiving the GRE encapsulated keep-alive packets on the 1-minute interval. If GRE encapsulation is turned off on the router, SmartView Tracker shows a log entry for the UDP keepalive packet every minute. Which of the following is the BEST explanation for this behavior? A. The Log Server log unification process unifies all log entries from the Security Gateway on a specific

49 connection into only one log entry in the SmartView Tracker. GRE traffic has a 10 minute session timeout, thus each keep-alive packet is considered part of the original logged connection at the beginning of the day. B. The log unification process is using a LUUID (Log Unification Unique Identification) that has become corrupt. Because it is encrypted, the R75 Security Gateway cannot distinguish between GRE sessions. This is a known issue with GRE. Use IPSEC instead of the non-standard GRE protocol for encapsulation. C. The setting Log does not capture this level of detail for GRE. Set the rule tracking action to Audit since certain types of traffic can only be tracked this way. D. The Log Server is failing to log GRE traffic properly because it is VPN traffic. Disable all VPN configuration to the partner site to enable proper logging. /Reference: QUESTION 153 You are the Security Administrator for MegaCorp and would like to view network activity using SmartReporter. You select a standard predefined report. As you can see here, you can select the london Gateway. When you attempt to configure the Express Report, you are unable to select this Gateway.

50 What is the reason for this behavior? Give the BEST answer. A. You must enable the Eventia Express Mode on the london Gateway. B. You must enable Monitoring in the london Gateway object's General Properties. C. You have the license for Eventia Reporter in Standard mode only. D. You must enable the Express Mode inside Eventia Reporter. /Reference: QUESTION 154 In SmartView Tracker, which rule shows when a packet is dropped due to anti-spoofing? A. Rule 0 B. Blank field under Rule Number C. Cleanup Rule D. Rule 1 /Reference: QUESTION 155 A third-shift Security Administrator configured and installed a new Security Policy early this morning. When you arrive, he tells you that he has been receiving complaints that Internet access is very slow. You suspect the Security Gateway virtual memory might be the problem. Which SmartConsole component would you use to verify this? A. SmartView Tracker

51 B. This information can only be viewed with the command fw ctl pstat from the CLI. C. SmartView Monitor D. Eventia Analyzer /Reference: QUESTION 156 You find a suspicious connection from a problematic host. You decide that you want to block everything from that whole network, not just the problematic host. You want to block this for an hour while you investigate further, but you do not want to add any rules to the Rule Base. How do you achieve this? A. Create a Suspicious Activity Rule in SmartView Monitor. B. Select Block intruder from the Tools menu in SmartView Tracker. C. Use dbedit to script the addition of a rule directly into the Rule Bases_5_0.fws configuration file. D. Add a temporary rule using SmartDashboard and select hide rule. /Reference: QUESTION 157 In SmartDashboard, you configure 45 MB as the required free hard-disk space to accommodate logs. What can you do to keep old log files, when free space falls below 45 MB? A. Do nothing. The Security Management Server automatically copies old logs to a backup server before purging. B. Use the command fwm logexport to export the old log files to another location. C. Configure a script to run fw logswitch and SCP the output file to a separate file server. D. Do nothing. Old logs are deleted, until free space is restored. /Reference: QUESTION 158 How do you configure an alert in SmartView Monitor? A. By right-clicking on the Gateway, and selecting Properties. B. By choosing the Gateway, and Configure Thresholds. C. An alert cannot be configured in SmartView Monitor. D. By right-clicking on the Gateway, and selecting System Information. /Reference:

52 QUESTION 159 True or False? SmartView Monitor can be used to create alerts on a specified Gateway. A. False, alerts can only be set in SmartDashboard Global Properties. B. True, by choosing the Gateway and selecting System Information. C. False, an alert cannot be created for a specified Gateway. D. True, by right-clicking on the Gateway and selecting Configure Thresholds. /Reference: QUESTION 160 Which R76 SmartConsole tool would you use to verify the installed Security Policy name on a Security Gateway? A. SmartUpdate B. SmartView Status C. SmartView Monitor D. None, SmartConsole applications only communicate with the Security Management Server. /Reference: QUESTION 161 Which R76 GUI would you use to see the number of packets accepted since the last policy install? A. SmartView Monitor B. SmartView Status C. SmartView Tracker D. SmartDashboard /Reference: QUESTION 162 You are trying to save a custom log query in R76 SmartView Tracker, but getting the following error: Could not save <query-name> (Error: Database is Read Only) Which of the following is a likely explanation for this? A. You do not have OS write permissions on the local SmartView Tracker PC in order to save the custom query locally. B. You do not have the explicit right to save a custom query in your administrator permission profile under SmartConsole customization. C. Another administrator is currently connected to the Security Management Server with read/write permissions which impacts your ability to save custom log queries to the Security Management Server. D. You have read-only rights to the Security Management Server database.

53 /Reference: QUESTION 163 The R76 fw monitor utility is used to troubleshoot which of the following problems? A. User data base corruption B. Traffic issues C. Phase two key negotiation D. Log Consolidation Engine /Reference: QUESTION 164 You are the Security Administrator for MegaCorp. In order to see how efficient your firewall Rule Base is, you would like to see how often the particular rules match. Where can you see it? Give the BEST answer. A. In the SmartView Tracker, if you activate the column Matching Rate. B. It is not possible to see it directly. You can open SmartDashboard and select UserDefined in the Track column. Afterwards, you need to create your own program with an external counter. C. In SmartReporter, in the section Firewall Blade - Activity > Network Activity with information concerning Top Matched Logged Rules. D. SmartReporter provides this information in the section Firewall Blade - Security > Rule Base Analysis with information concerning Top Matched Logged Rules. /Reference: QUESTION 165 A company has disabled logging for some of the most commonly used Policy rules. This was to decrease load on the Security Management Server and to make tracking dropped connections easier. What action would you recommend to get reliable statistics about the network traffic using SmartReporter? A. Configure Additional Logging on an additional log server. B. Turn the field Track of each rule to LOG. C. Network traffic cannot be analyzed when the Security Management Server has a high load. D. SmartReporter analyzes all network traffic, logged or not. /Reference: QUESTION 166

54 What is a Consolidation Policy? A. A global Policy used to share a common enforcement policy for multiple Security Gateways. B. The collective name of the logs generated by SmartReporter. C. The collective name of the Security Policy, Address Translation, and IPS Policies. D. The specific Policy written in SmartDashboard to configure which log data is stored in the SmartReporter database. /Reference: QUESTION 167 Which feature in R76 permits blocking specific IP addresses for a specified time period? A. Block Port Overflow B. Suspicious Activity Monitoring C. HTTP Methods D. Local Interface Spoofing /Reference: QUESTION 168 You find a suspicious FTP site trying to connect to one of your internal hosts. How do you block it in real time and verify it is successfully blocked? Highlight the suspicious connection in SmartView Tracker: A. Log mode. Block it using Tools > Block Intruder menu. Observe in the Log mode that the suspicious connection does not appear again in this SmartView Tracker view. B. Active mode. Block it using Tools > Block Intruder menu. Observe in the Active mode that the suspicious connection is listed in this SmartView Tracker view as "dropped". C. Log mode. Block it using Tools > Block Intruder menu. Observe in the Log mode that the suspicious connection is listed in this SmartView Tracker view as "dropped". D. Active mode. Block it using Tools > Block Intruder menu. Observe in the Active mode that the suspicious connection does not appear again in this SmartView Tracker view. /Reference: QUESTION 169 Your Security Gateways are running near performance capacity and will get upgraded hardware next week. Which of the following would be MOST effective for quickly dropping all connections from a specific attacker's IP at a peak time of day? A. Change the Rule Base and install the Policy to all Security Gateways B. SAM - Suspicious Activity Rules feature of SmartView Monitor C. SAM - Block Intruder feature of SmartView Tracker D. Intrusion Detection System (IDS) Policy install

55 /Reference: QUESTION 170 Your company enforces a strict change control policy. Which of the following would be MOST effective for quickly dropping an attacker's specific active connection? A. Intrusion Detection System (IDS) Policy install B. SAM - Suspicious Activity Rules feature of SmartView Monitor C. Block Intruder feature of SmartView Tracker D. Change the Rule Base and install the Policy to all Security Gateways /Reference: QUESTION 171 Which R75 component displays the number of packets accepted, rejected, and dropped on a specific Security Gateway, in real time? A. SmartView Monitor B. SmartView Status C. SmartEvent D. SmartUpdate /Reference: QUESTION 172 You have just installed your Gateway and want to analyze the packet size distribution of your traffic with SmartView Monitor. Unfortunately, you get the message.

56 "There are no machines that contain Firewall Blade and SmartView Monitor." What should you do to analyze the packet size distribution of your traffic?

57 Give the BEST answer. A. Enable Monitoring on your Security Management Server. B. Purchase the SmartView Monitor license for your Security Gateway. C. Purchase the SmartView Monitor license for your Security Management Server. D. Enable Monitoring on your Security Gateway. /Reference: QUESTION 173 You want to configure a mail alert for every time the policy is installed to a specific Gateway. Where would you configure this alert? A. In SmartView Monitor, select Gateway > Configure Thresholds and in SmartDashboard select Global Properties > Log and Alerts > Alert Commands. B. In SmartView Monitor, select Gateway > Configure Thresholds. C. In SmartDashboard, select Global Properties > Log and Alerts > Alert Commands. D. You cannot create a mail alert for Policy installation. /Reference: QUESTION 174 Your boss wants you to closely monitor an employee suspected of transferring company secrets to the competition. The IT department discovered the suspect installed a WinSCP client in order to use encrypted communication. Which of the following methods is BEST to accomplish this task? A. Use SmartView Tracker to follow his actions by filtering log entries that feature the WinSCP destination port. Then, export the corresponding entries to a separate log file for documentation. B. Watch his IP in SmartView Monitor by setting an alert action to any packet that matches your Rule Base and his IP address for inbound and outbound traffic. C. Send the suspect an with a keylogging Trojan attached, to get direct information about his wrongdoings. D. Use SmartDashboard to add a rule in the firewall Rule Base that matches his IP address, and those of potential targets and suspicious protocols. Apply the alert action or customized messaging. /Reference: QUESTION 175 MegaCorp's security infrastructure separates Security Gateways geographically. You must request a central license for one remote Security Gateway. How do you apply the license? A. Using each of the Gateways' IP addresses, and applying the licenses on the Security Management Server with the command cprlic put. B. Using the remote Gateway's IP address, and applying the license locally with the command cplic put.

58 C. Using your Security Management Server's IP address, and attaching the license to the remote Gateway via SmartUpdate. D. Using the remote Gateway's IP address, and attaching the license to the remote Gateway via SmartUpdate. /Reference: QUESTION 176 Identify the correct step performed by SmartUpdate to upgrade a remote Security Gateway. After selecting Packages > Distribute Only and choosing the target Gateway, the: A. selected package is copied from the Package Repository on the Security Management Server to the Security Gateway and the installation IS performed. B. selected package is copied from the CD-ROM of the SmartUpdate PC directly to the Security Gateway and the installation IS performed. C. SmartUpdate wizard walks the Administrator through a distributed installation. D. selected package is copied from the Package Repository on the Security Management Server to the Security Gateway but the installation IS NOT performed. /Reference: QUESTION 177 Identify the correct step performed by SmartUpdate to upgrade a remote Security Gateway. After selecting Packages > Distribute and Install Selected Package and choosing the target Gateway, the: A. SmartUpdate wizard walks the Administrator through a distributed installation. B. selected package is copied from the Package Repository on the Security Management Server to the Security Gateway but the installation IS NOT performed. C. selected package is copied from the Package Repository on the Security Management Server to the Security Gateway and the installation IS performed. D. selected package is copied from the SmartUpdate PC CD-ROM directly to the Security Gateway and the installation IS performed. /Reference: QUESTION 178 What physical machine must have access to the User Center public IP address when checking for new packages with SmartUpdate? A. SmartUpdate Repository SQL database Server B. A Security Gateway retrieving the new upgrade package C. SmartUpdate installed Security Management Server PC D. SmartUpdate GUI PC

59 /Reference: QUESTION 179 What action CANNOT be run from SmartUpdate R76? A. Reboot Gateway B. Fetch sync status C. Get all Gateway Data D. Preinstall verifier /Reference: QUESTION 180 What port is used for communication to the User Center with SmartUpdate? A. TCP 8080 B. HTTPS 443 C. HTTP 80 D. CPMI 200 /Reference: QUESTION 181 You are a Security Administrator preparing to deploy a new HFA (Hotfix Accumulator) to ten Security Gateways at five geographically separate locations. What is the BEST method to implement this HFA? A. Send a CD-ROM with the HFA to each location and have local personnel install it. B. Use SmartUpdate to install the packages to each of the Security Gateways remotely. C. Send a Certified Security Engineer to each site to perform the update. D. Use a SSH connection to SCP the HFA to each Security Gateway. Once copied locally, initiate a remote installation command and monitor the installation progress with SmartView Monitor. /Reference: QUESTION 182 What action can be performed from SmartUpdate R76?

60 A. cpinfo B. fw stat -l C. upgrade_export D. remote_uninstall_verifier /Reference: QUESTION 183 Which tool CANNOT be launched from SmartUpdate R76? A. SecurePlatform WebUI B. cpinfo C. IP Appliance Voyager D. snapshot /Reference: QUESTION 184 Sally has a Hot Fix Accumulator (HFA) she wants to install on her Security Gateway which operates with GAiA, but she cannot SCP the HFA to the system. She can SSH into the Security Gateway, but she has never been able to SCP files to it. What would be the most likely reason she cannot do so? A. She needs to edit /etc/scpusers and add the Standard Mode account. B. She needs to run sysconfig and restart the SSH process. C. She needs to run cpconfig to enable the ability to SCP files. D. She needs to edit /etc/sshd/sshd_config and add the Standard Mode account. /Reference: QUESTION 185 An advantage of using central instead of local licensing is: A. The license must be renewed when changing the IP address of a Security Gateway. Each module's license has a unique IP address. B. A license can be taken from one Security Management Server and given to another Security

61 Management Server. C. Licenses are automatically attached to their respective Security Gateways. D. Only one IP address is used for all licenses. /Reference: QUESTION 186 You are running the license_upgrade tool on your SecurePlatform Gateway. Which of the following can you NOT do with the upgrade tool? A. Perform the actual license-upgrade process B. View the status of currently installed licenses C. Simulate the license-upgrade process D. View the licenses in the SmartUpdate License Repository /Reference: QUESTION 187 If a SmartUpdate upgrade or distribution operation fails on GAiA, how is the system recovered? A. The Administrator must remove the rpm packages manually, and re-attempt the upgrade. B. GAiA will reboot and automatically revert to the last snapshot version prior to upgrade. C. The Administrator can only revert to a previously created snapshot (if there is one) with the command cprinstall snapshot <object name> <filename>. D. The Administrator must reinstall the last version via the command cprinstall revert <object name> <file name>. /Reference: QUESTION 188 Why should the upgrade_export configuration file (.tgz) be deleted after you complete the import process? A. It contains your security configuration, which could be exploited. B. It will prevent a future successful upgrade_export since the.tgz file cannot be overwritten. C. SmartUpdate will start a new installation process if the machine is rebooted. D. It will conflict with any future upgrades when using SmartUpdate. /Reference: QUESTION 189

62 Which of these components does NOT require a Security Gateway R76 license? A. SmartConsole B. SmartUpdate upgrading/patching C. Check Point Gateway D. Security Management Server /Reference: QUESTION 190 If a Security Gateway enforces three protections, LDAP Injection, Malicious Code Protector, and Header Rejection, which Check Point license is required in SmartUpdate? A. SmartEvent Intro B. IPS C. SSL: VPN D. Data Loss Prevention /Reference: QUESTION 191 Central license management allows a Security Administrator to perform which of the following functions? 1. Check for expired licenses. 2. Sort licenses and view license properties. 3. Attach both R76 Central and Local licesnes to a remote module. 4. Delete both R76 Local Licenses and Central licenses from a remote module. 5. Add or remove a license to or from the license repository. 6. Attach and/or delete only R76 Central licenses to a remote module (not Local licenses). A. 1, 2, 3, 4, & 5 B. 2, 3, 4, & 5 C. 2, 5, & 6 D. 1, 2, 5, & 6 /Reference: QUESTION 192 Which command gives an overview of your installed licenses? A. cplic print B. cplicense C. fw lic print D. showlic

63 /Reference: QUESTION 193 Where are SmartEvent licenses installed? A. Security Gateway B. Log Server C. Security Management Server D. SmartEvent server /Reference: QUESTION 194 As a Security Administrator, you must refresh the Client Authentication authorization time-out every time a new user connection is authorized. How do you do this? Enable the Refreshable Timeout setting: A. in the user object's Authentication screen. B. in the Gateway object's Authentication screen. C. in the Global Properties Authentication screen. D. in the Limit tab of the Client Authentication Action Properties screen. /Reference: QUESTION 195 The technical-support department has a requirement to access an intranet server. When configuring a User Authentication rule to achieve this, which of the following should you remember? A. You can limit the authentication attempts in the User Properties' Authentication tab. B. Once a user is first authenticated, the user will not be prompted for authentication again until logging out. C. You can only use the rule for Telnet, FTP, SMTP, and rlogin services. D. The Security Gateway first checks if there is any rule that does not require authentication for this type of connection before invoking the Authentication Security Server. /Reference: QUESTION 196 Choose the BEST sequence for configuring user management in SmartDashboard, using an LDAP server. A. Configure a server object for the LDAP Account Unit, and create an LDAP resource object.

64 B. Enable User Directory in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit. C. Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties. D. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object. /Reference: QUESTION 197 You cannot use SmartDashboard's User Directory features to connect to the LDAP server. What should you investigate? 1) Verify you have read-only permissions as administrator for the operating system. 2) Verify there are no restrictions blocking SmartDashboard's User Manager from connecting to the LDAP server. 3) Check that the login Distinguished Name configured has root permission (or at least write permission Administrative access) in the LDAP Server's access control configuration. A. 2 and 3 B. 1 and 3 C. 1 and 2 D. 1, 2, and 3 /Reference: QUESTION 198 Identify the ports to which the Client Authentication daemon listens by default. A. 80, 256 B. 8080, 529 C. 259, 900 D. 256, 600 /Reference: QUESTION 199 What is the Manual Client Authentication TELNET port? A. 264 B. 259 C. 900 D. 23

65 /Reference: QUESTION 200 Your company's Security Policy forces users to authenticate to the Gateway explicitly, before they can use any services. The Gateway does not allow the Telnet service to itself from any location. How would you configure authentication on the Gateway? With a: A. Client Authentication rule using the manual sign-on method, using HTTP on port 900 B. Client Authentication rule, using partially automatic sign on C. Client Authentication for fully automatic sign on D. Session Authentication rule /Reference: QUESTION 201 Which authentication type permits five different sign-on methods in the authentication properties window? A. Manual Authentication B. Client Authentication C. Session Authentication D. User Authentication /Reference: QUESTION 202 Which Client Authentication sign-on method requires the user to first authenticate via the User Authentication mechanism, when logging in to a remote server with Telnet? A. Agent Automatic Sign On B. Partially Automatic Sign On C. Standard Sign On D. Manual Sign On /Reference: QUESTION 203 Which Security Gateway R76 configuration setting forces the Client Authentication authorization time-out to refresh, each time a new user is authenticated? The: A. Time properties, adjusted on the user objects for each user, in the Client Authentication rule Source. B. Refreshable Timeout setting, in Client Authentication Action Properties > Limits.

66 C. IPS > Application Intelligence > Client Authentication > Refresh User Timeout option enabled. D. Global Properties > Authentication parameters, adjusted to allow for Regular Client Refreshment. /Reference: QUESTION 204 All R76 Security Servers can perform authentication with the exception of one. Which of the Security Servers can NOT perform authentication? A. RLOGIN B. HTTP C. SMTP D. FTP /Reference: QUESTION 205 Which of the following are authentication methods that Security Gateway R76 uses to validate connection attempts? Select the response below that includes the MOST complete list of valid authentication methods. A. User, Client, Session B. Proxied, User, Dynamic, Session C. Connection, User, Client D. User, Proxied, Session /Reference: QUESTION 206 Security Gateway R76 supports User Authentication for which of the following services? Select the response below that contains the MOST correct list of supported services. A. FTP, HTTP, TELNET B. SMTP, FTP, TELNET C. SMTP, FTP, HTTP, TELNET D. FTP, TELNET /Reference: QUESTION 207 With the User Directory Software Blade, you can create R76 user definitions on a(n) Server.

67 A. NT Domain B. SecureID C. Radius D. LDAP /Reference: QUESTION 208 The User Directory Software Blade is used to integrate which of the following with Security Gateway R76? A. Account Management Client server B. RADIUS server C. LDAP server D. UserAuthority server /Reference: QUESTION 209 If you are experiencing LDAP issues, which of the following should you check? A. Domain name resolution B. Overlapping VPN Domains C. Connectivity between the R76 Gateway and LDAP server D. Secure Internal Communications (SIC) /Reference: QUESTION 210 Which type of R76 Security Server does not provide User Authentication? A. FTP Security Server B. SMTP Security Server C. HTTPS Security Server D. HTTP Security Server /Reference: QUESTION 211

68 You are about to integrate RSA SecurID users into the Check Point infrastructure. What kind of users are to be defined via SmartDashboard? A. All users B. Internal user Group C. A group with generic user D. LDAP Account Unit Group /Reference: QUESTION 212 For which service is it NOT possible to configure user authentication? A. FTP B. Telnet C. HTTPS D. SSH /Reference: QUESTION 213 Which of the following objects is a valid source in an authentication rule? A. User@Network B. Host@Any C. User@Any D. User_group@Network /Reference: QUESTION 214 You find that Users are not prompted for authentication when they access their Web servers, even though you have created an HTTP rule via User Authentication. Choose the BEST reason why. A. Users must use the SecuRemote Client, to use the User Authentication Rule. B. You checked the cache password on desktop option in Global Properties. C. Another rule that accepts HTTP without authentication exists in the Rule Base. D. You have forgotten to place the User Authentication Rule before the Stealth Rule. /Reference:

69 QUESTION 215 Which authentication type requires specifying a contact agent in the Rule Base? A. Session Authentication B. User Authentication C. Client Authentication with Partially Automatic Sign On D. Client Authentication with Manual Sign On /Reference: QUESTION 216 What is the difference between Standard and Specific Sign On methods? A. Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service and each host to which he is trying to connect. B. Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service specifically defined in the window Specific Action Properties. C. Standard Sign On requires the user to re-authenticate for each service and each host to which he is trying to connect. Specific Sign On allows the user to sign on only to a specific IP address. D. Standard Sign On allows the user to be automatically authorized for all services that the rule allows, but re-authenticate for each host to which he is trying to connect. Specific Sign On requires that the user reauthenticate for each service. /Reference: QUESTION 217 How are cached usernames and passwords cleared from the memory of a R76 Security Gateway? A. By retrieving LDAP user information using the command fw fetchldap. B. By installing a Security Policy. C. By using the Clear User Cache button in SmartDashboard. D. Usernames and passwords only clear from memory after they time out. /Reference: QUESTION 218 Assume you are a Security Administrator for ABCTech. You have allowed authenticated access to users from Mkting_net to Finance_net. But in the user's properties, connections are only permitted within Mkting_net. What is the BEST way to resolve this conflict? A. Select Intersect with user database or Ignore Database in the Action Properties window.

70 B. Permit access to Finance_net. C. Select Ignore Database in the Action Properties window. D. Select Intersect with user database in the Action Properties window. /Reference: QUESTION 219 For remote user authentication, which authentication scheme is NOT supported? A. Check Point Password B. TACACS C. SecurID D. RADIUS /Reference: QUESTION 220 Which of the following allows administrators to allow or deny traffic to or from a specific network based on the user's credentials? A. Access Role B. Access Rule C. Access Policy D. Access Certificate /Reference: QUESTION 221 John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to a set of designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop which is assigned a static IP address He has received a new laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop with a static IP ( ). He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator: 1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources, and installs the policy. 2) Adds an access role object to the Firewall Rule Base that lets John Adams access the HR Web Server from any machine and from any location and installs policy. John plugged in his laptop to the network on a different network segment and was not able to connect to the HR Web server. What is the next BEST troubleshooting step? A. John should install the Identity Awareness Agent

71 B. Investigate this as a network connectivity issue C. After enabling Identity Awareness, reboot the gateway D. He should lock and unlock the computer /Reference: QUESTION 222 John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop which is assigned a static IP address John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop with a static IP ( ). He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator: 1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources installs the policy. 2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web Server from any machine and from any location. John plugged in his laptop to the network on a different network segment and he is not able to connect. How does he solve this problem? A. John should lock and unlock the computer B. Investigate this as a network connectivity issue C. John should install the Identity Awareness Agent D. The firewall admin should install the Security Policy /Reference: QUESTION 223 Jennifer McHanry is CEO of ACME. She recently bought her own personal ipad. She wants use her ipad to access the internal Finance Web server. Because the ipad is not a member of the Active Directory domain, she cannot identify seamlessly with AD Query. However, she can enter her AD credentials in the Captive Portal and then get the same access as on her office computer. Her access to resources is based on rules in the R76 Firewall Rule Base. To make this scenario work, the IT administrator must: 1) Enable Identity Awareness on a gateway and select Captive Portal as one of the Identity Sources. 2) In the Portal Settings window in the User Access section, make sure that Name and password login is selected. 3) Create a new rule in the Firewall Rule Base to let Jennifer McHanry access network destinations. Select accept as the Action. Ms. McHanry tries to access the resource but is unable. What should she do? A. Have the security administrator select the Action field of the Firewall Rule "Redirect HTTP connections to an authentication (captive) portal" B. Install the Identity Awareness agent on her ipad C. Have the security administrator reboot the firewall D. Have the security administrator select Any for the Machines tab in the appropriate Access Role

72 /Reference: QUESTION 224 When using LDAP as an authentication method for Identity Awareness, the query: A. Prompts the user to enter credentials. B. Requires administrators to specifically allow LDAP traffic to and from the LDAP Server and the Security Gateway. C. Requires client and server side software. D. Is transparent, requiring no client or server side software. /Reference: QUESTION 225 Identity Awareness can be deployed in which of the following modes? A. Router B. Detect C. Load Sharing D. High Availability /Reference: QUESTION 226 What happens if the identity of a user is known? A. If the user credentials do not match an Access Role, the gateway moves onto the next rule. B. If the user credentials do not match an Access Role, the system displays the Captive Portal. C. If the user credentials do not match an Access Role, the traffic is automatically dropped. D. If the user credentials do not match an Access Role, the system displays a sandbox. /Reference: QUESTION 227 What happens if the identity of a user is known? A. If the user credentials do not match an Access Role, the system displays the Captive Portal. B. If the user credentials do not match an Access Role, the system displays a sandbox. C. If the user credentials do not match an Access Role, the traffic is automatically dropped. D. If the user credentials match an Access Role, the rule is applied and traffic is accepted or dropped

73 based on the defined action. /Reference: QUESTION 228 Which of the following is an authentication method used by Identity Awareness? A. Captive Portal B. PKI C. SSL D. RSA /Reference: QUESTION 229 What is the purpose of an Identity Agent? A. Manual entry of user credentials for LDAP authentication B. Audit a user's access, and send that data to a log server C. Disable Single Sign On D. Provide user and machine identity to a gateway /Reference: QUESTION 230 Users with Identity Awareness Agent installed on their machines login with, so that when the user logs into the domain, that information is also used to meet Identity Awareness credential requests. A. ICA Certificates B. Key-logging C. SecureClient D. Single Sign-On /Reference: QUESTION 231 Which of the following methods is NOT used by Identity Awareness to catalog identities? A. AD Query B. GPO

74 C. Captive Portal D. Identity Agent /Reference: QUESTION 232 When using AD Query to authenticate users for Identity Awareness, identity data is received seamlessly from the Microsoft Active Directory (AD). What is NOT a recommended usage of this method? A. Leveraging identity in the application control blade B. Identity-based enforcement for non-ad users (non-windows and guest users) C. Identity-based auditing and logging D. Basic identity enforcement in the internal network /Reference: QUESTION 233 How granular may an administrator filter an Access Role with identity awareness? A. Windows Domain B. AD User C. Radius Group D. Specific ICA Certificate /Reference: QUESTION 234 Can you use Captive Portal with HTTPS? A. No, it only works with FTP B. Yes C. No, it only works with FTP and HTTP D. No, it only works with HTTP /Reference: QUESTION 235 In which Rule Base can you implement a configured Access Role? A. DLP

75 B. Mobile Access C. Firewall D. IPS /Reference: QUESTION 236 What mechanism does a gateway configured with Identity Awareness and LDAP initially use to communicate with a Windows 2003 or 2008 server? A. RCP B. LDAP C. WMI D. CIFS /Reference: QUESTION 237 Which of the following items should be configured for the Security Management Server to authenticate using LDAP? A. WMI object B. Check Point Password C. Domain Admin username D. Windows logon password /Reference: QUESTION 238 How do you configure the Security Policy to provide user access to the Captive Portal through an external (Internet) interface? A. Change the Identity Awareness settings under Global Properties to allow Captive Portal access on all interfaces. B. Change the Identity Awareness settings under Global Properties to allow Captive Portal access for an external interface. C. Change the gateway settings to allow Captive Portal access via an external interface. D. No action is necessary. This access is available by default. /Reference:

76 QUESTION 239 To qualify as an Identity Awareness enabled rule, which column MAY include an Access Role? A. Track B. User C. Destination D. Action /Reference: QUESTION 240 What command syntax would you use to see accounts the gateway suspects are service accounts? A. pdp check_log B. adlog check_accounts C. pdp show service D. adlog a service_accounts /Reference: QUESTION 241 What gives administrators more flexibility when configuring Captive Portal instead of LDAP query for Identity Awareness authentication? A. Captive Portal is more secure than standard LDAP B. Captive Portal is more transparent to the user C. Nothing, LDAP query is required when configuring Captive Portal D. Captive Portal works with both configured users and guests /Reference: QUESTION 242 Your company has two headquarters, one in London, one in New York. Each of the headquarters includes several branch offices. The branch offices only need to communicate with the headquarters in their country, not with each other, and the headquarters need to communicate directly. What is the BEST configuration for establishing VPN Communities among the branch offices and their headquarters, and between the two headquarters? VPN Communities comprised of: A. Three star Communities: The first one is between New York headquarters and its branches. The second star Community is between London headquarters and its branches. The third star Community is between New York and London headquarters but it is irrelevant which site is "center" and which "satellite". B. One star Community with the option to mesh the center of the star: New York and London Gateways

77 added to the center of the star with the "mesh center Gateways" option checked; all London branch offices defined in one satellite window; but, all New York branch offices defined in another satellite window. C. Two mesh and one star Community: Each mesh Community is set up for each site between headquarters their branches. The star Community has New York as the center and London as its satellite. D. Three mesh Communities: one for London headquarters and its branches; one for New York headquarters and its branches; and one for London and New York headquarters. /Reference: QUESTION 243 Match the terms with their definitions: A. A-3, B-4, C-1, D-2 B. A-2, B-3, C-4, D-1 C. A-3, B-2, C-1, D-4 D. A-3, B-2, C-4, D-1 /Reference: QUESTION 244 Which of the following is NOT true for Clientless VPN? A. User Authentication is supported. B. Secure communication is provided between clients and servers that support HTTP. C. The Gateway accepts any encryption method that is proposed by the client and supported in the VPN. D. The Gateway can enforce the use of strong encryption. /Reference: QUESTION 245 Why are certificates preferred over pre-shared keys in an IPsec VPN?

78 A. Weak security: PSKs can only have 112 bit length. B. Weak Security: PSK are static and can be brute-forced. C. Weak scalability: PSKs need to be set on each and every Gateway. D. Weak performance. PSK takes more time to encrypt than Diffie-Hellman. /Reference: QUESTION 246 When using an encryption algorithm, which is generally considered the best encryption method? A. DES B. CAST cipher C. AES D. Triple DES /Reference: QUESTION 247 You install and deploy GAiA with default settings. You allow Visitor Mode in the Gateway object's Remote Access properties and install policy; but SecureClient refuses to connect. What is the cause of this? A. Set Visitor Mode in Policy > Global Properties > Remote-Access > VPN - Advanced. B. Office mode is not configured. C. You need to start SSL Network Extender first, then use Visitor Mode. D. The WebUI on GAiA runs on port 443 (HTTPS). When you configure Visitor Mode it cannot bind to default port 443, because it's used by another program (WebUI). You need to change the WebUI port, or run Visitor Mode on a different port. /Reference: QUESTION 248 What statement is true regarding Visitor Mode? A. All VPN traffic is tunneled through UDP port B. VPN authentication and encrypted traffic are tunneled through port TCP 443. C. Only ESP traffic is tunneled through port TCP 443. D. Only Main mode and Quick mode traffic are tunneled on TCP port 443. /Reference:

79 QUESTION 249 Which rule is responsible for the installation failure? A. Rule 3 B. Rule 4 C. Rule 5 D. Rule 6 /Reference: QUESTION 250 Which rule is responsible for the installation failure?