Number: Passing Score: 800 Time Limit: 120 min Check Point Certified Security Master


Sections
1. Chain Modules
2. NAT
3. ClusterXL
4. VPN Troubleshooting
5. SecureXL Acceleration debugging
6. Hardware Optimization
7. Software Tuning
8. Enable CoreXL
9. IPS
10. IPV6
11. Advanced VPN

Exam A

QUESTION 1
What command would give you a summary of all the tables available to the firewall kernel?
A. fw tab
B. fw tab -s
C. fw tab -h
D. fw tab -o
Section: Chain Modules

QUESTION 2
What flag option(s) must be used to dump the complete table in friendly format, assuming there are more than one hundred connections in the table?
A. fw tab -t connections -f
B. fw tab -t connect -f -u
C. fw tab -t connections -s
D. fw tab -t connections -f u
Section: Chain Modules

QUESTION 3

Which directory below contains the URL Filtering engine update info? Here you can also go to see the status of the URL Filtering and Application Control updates.
A. $FWDIR/urlf/update
B. $FWDIR/appi/update
C. $FWDIR/appi/urlf
D. $FWDIR/update/appi
Section: Chain Modules

QUESTION 4
For URL Filtering in the Cloud in R75 and above, what table is used to contain the URL Filtering cache values?
A. urlf_blade_on_gw
B. urlf_cache_tbl
C. urlf_cache_table
D. url_scheme_tab
Correct Answer: C
Section: Chain Modules

QUESTION 5
You are troubleshooting a Security Gateway, attempting to determine which chain is causing a problem. What command would you use to show all the chains through which traffic passed?
A. [Expert@HostName]# fw ctl chain
B. [Expert@HostName]# fw monitor -e "accept;" -p all
C. [Expert@HostName]# fw ctl debug m
D. [Expert@HostName]# fw ctl zdebug all

Section: Chain Modules

QUESTION 6
True or False: Software blades perform their inspection primarily through the kernel chain modules.
A. False. Software blades do not pass through the chain modules.
B. True. Many software blades have their own dedicated kernel chain module for inspection.
C. True. All software blades are inspected by the IP Options chain module.
D. True. Most software blades are inspected by the TCP streaming or Passive Streaming chain module.
Section: Chain Modules

QUESTION 7
When using the command fw monitor, what command ensures the capture is accurate?
A. export TDERROR_ALL_ALL=5
B. fwaccel off
C. fwaccel on
D. fw accel off
Section: Chain Modules
Reference: C1O2 - Chain Modules

QUESTION 8
You are running a debugging session and you have set the debug environment to TDERROR_ALL_ALL=5 using the command export TDERROR_ALL_ALL=5. How do you return the debug value to defaults?

A. fw ctl debug 0x1ffffe0
B. fw debug 0x1ffffe0
C. export TDERROR_ALL_ALL
D. unset TDERROR_ALL_ALL
Section: Chain Modules

QUESTION 9
What command would you use to view which debugs are set in your current working environment?
A. "env" and "fw ctl debug"
B. "cat /proc/etc"
C. "fw ctl debug all"
D. "export"
Section: Chain Modules

QUESTION 10
What causes the SIP Early NAT chain module to appear in the chain?
A. The SIP traffic is trying to pass through the firewall.
B. SIP is configured in IPS.
C. A VOIP domain is configured.
D. The default SIP service is used in the Rule Base.
Section: Chain Modules

QUESTION 11
When you perform an install database, the status window is filled with large amounts of text. What could be the cause?
A. There is an active fw monitor running.
B. There is an environment variable of TDERROR_ALL_ALL set on the gateway.
C. There is an active debug on the SmartConsole.
D. There is an active debug on the FWM process.
Section: Chain Modules

QUESTION 12
When finished running a debug on the Management Server using the command fw debug fwm on how do you turn this debug off?
A. fwm debug off
B. fw ctl debug off
C. fw debug off
D. fw debug fwm off
Section: Chain Modules

QUESTION 13

Which commands will properly set the debug level to maximum and then run a policy install in debug mode for the policy Standard on gateway A-GW from an R77 GAiA Management Server?
A. setenv TDERROR_ALL_ALL=5 fwm d load A-GW Standard
B. setenv TDERROR_ALL_ALL=5 fwm d load Standard A-GW
C. export TDERROR_ALL_ALL=5 fwm d load Standard A-GW
D. export TDERROR_ALL_ALL=5 fwm d load A-GW Standard
Correct Answer: C
Section: Chain Modules

QUESTION 14
Which of the following items is NOT part of the columns of the chain modules?
A. Inbound/Outbound chain
B. Function Pointer
C. Chain position
D. Module location
Section: Chain Modules

QUESTION 15
John is a Security Administrator of a Check Point platform. He has a mis-configuration issue that points to the Rule Base. To obtain information about the issue, John runs the command:
A. fw debug fw on and checks the file fwm.elg.
B. fw kdebug fwm on and checks the file fwm.elg.

C. fw debug fwm on and checks the file fwm.elg.
D. fw kdebug fwm on and checks the file fw.elg.
Correct Answer: C
Section: Chain Modules

QUESTION 16
The user tried to connect in SmartDashboard and did not work. You started a FWM debug and receive the logs below: What is the error cause?
A. IP not defined in $FWDIR/conf/gui-clients
B. Wrong user and password
C. Wrong password
D. Wrong user

Section: Chain Modules

QUESTION 17
When troubleshooting and trying to understand which chain is causing a problem on the Security Gateway, you should use the command:
A. fw ctl zdebug drop
B. fw tab t connections
C. fw monitor -e "accept;" -p all
D. fw ctl chain
Correct Answer: C
Section: Chain Modules

QUESTION 18
Which process should you debug when SmartDashboard authentication is rejected?
A. fwm
B. cpd
C. fwd
D. DAService
Section: Chain Modules

QUESTION 19
When performing a fwm debug, to which directory are the logs written?

A. $FWDIR/log
B. $FWDIR/log/fwm.elg
C. $FWDIR/conf/fwm.elg
D. $CPDIR/log/fwm.elg
Section: Chain Modules

QUESTION 20
You are attempting to establish an FTP session between your computer and a remote server, but it is not being completed successfully. You think the issue may be due to IPS. Viewing SmartView Tracker shows no drops. How would you confirm if the traffic is actually being dropped by the gateway?
A. Search the connections table for that connection.
B. Run a fw monitor packet capture on the gateway.
C. Look in SmartView Monitor for that connection to see why it's being dropped.
D. Run fw ctl zdebug drop on the gateway.
Section: NAT

QUESTION 21
The fw tab t command displays the NAT table.
A. loglist
B. tablist
C. fwx_alloc
D. conns
Correct Answer: C
Section: NAT

QUESTION 22
Where in a fw monitor output would you see destination address translation occur in cases of inbound automatic static NAT?
A. Static NAT does not adjust the destination IP
B. Between the "i" and "I"
C. Between the "I" and "o"
D. Between the "o" and "O"
Section: NAT

QUESTION 23
Which flag in the fw monitor command is used to print the position of the kernel chain?
A. -all
B. -k
C. -c
D. -p
Section: NAT

QUESTION 24
Server A is subject to automatically static NAT and also resides on a network which is subject to automatic Hide NAT. With regards to address translation what will happen when Server A initiates outbound communication?

A. This will cause a policy verification error.
B. This is called hairpin NAT, the traffic will return to the server.
C. The static NAT will take precedence.
D. The Hide NAT will take precedence.
Correct Answer: C
Section: NAT

QUESTION 25
In your SecurePlatform configuration you need to set up a manual static NAT entry. After creating the proper NAT rule what step needs to be completed?
A. Edit or create the file local.arp.
B. No further actions are required.
C. Edit or create the file discntd.if.
D. Edit the file netconf.conf.
Section: NAT

QUESTION 26
How do you set up Port Address Translation?
A. Since Hide NAT changes to random high ports it is by definition PAT (Port Address Translation).
B. Create a manual NAT rule and specify the source and destination ports.

C. Edit the service in SmartDashboard, click on the NAT tab and specify the translated port.
D. Port Address Translation is not support in Check Point environment
Section: NAT

QUESTION 27
You have set up a manual NAT rule, however fw monitor shows you that the device still uses the automatic Hide NAT rule. How should you correct this?
A. Move your manual NAT rule above the automatic NAT rule.
B. In Global Properties > NAT ensure that server side NAT is enabled.
C. Set the following fwx_alloc_man kernel parameter to 1.
D. In Global Properties > NAT ensure that Merge Automatic to Manual NAT is selected.
Section: NAT

QUESTION 28
Since R76 GAiA, what is the method for configuring proxy ARP entries for manual NAT rules?
A. WebUI or add proxy ARP... commands via CLISH
B. SmartView Tracker
C. local.arp file
D. SmartDashboard
Section: NAT

QUESTION 29
Tom is troubleshooting NAT issues using fw monitor and Wireshark. He tries to initiate a connection from the external network to a DMZ server using the public IP which the firewall translates to the actual IP of the server. He analyzes the captured packets using Wireshark and observes that the destination IP is being changed as required by the firewall but does not see the packet leave the external interface. What could be the reason?
A. The translation might be happening on the client side and the packet is being routed by the OS back to the external interface.
B. The translation might be happening on the server side and the packet is being routed by OS back to the external interface.
C. Packet is dropped by the firewall.
D. After the translation, the packet is dropped by the Anti-Spoofing Protection.
Section: NAT

QUESTION 30
Tom has a Web server for which he has created a manual NAT rule. The rule is not working. He tries to initiate a connection from the external network to a DMZ server using the public IP which the firewall translates to the actual IP of the server. He analyzes the captured packets using Wireshark and observes that the destination IP is being changed as required by the firewall but does not see the packet leave the internal interface. Which box in Global Properties should be checked?

A. Automatic NAT rules > Allow bi-directional NAT
B. Automatic NAT rules > Automatic ARP Configuration

C. Automatic NAT rules > Translate destination on client side
D. Manual NAT rules > Translate destination on client side
Section: NAT

QUESTION 31
Which FW-1 kernel flags should be used to properly debug and troubleshoot NAT issues?
A. nat, route, conn, fwd, zeco, err
B. nat, xlate, fwd, vm, ld, chain
C. nat, xltrc, xlate, drop, conn, vm
D. nat, drop, conn, xlate, filter, ioctl
Correct Answer: C
Section: NAT

QUESTION 32
Which file should be edited to modify ClusterXL VIP Hide NAT rules, and where?
A. $FWDIR/lib/base.def on the cluster members
B. $FWDIR/lib/table.def on the SMC
C. $FWDIR/lib/table.def on the cluster members
D. $FWDIR/lib/base.def on the SMC
Section: NAT

QUESTION 33
When viewing a NAT Table, What represents the second hexadecimal number of the 6-tuple:
A. Source port
B. Protocol
C. Source IP
D. Destination port
Correct Answer: C
Section: NAT

QUESTION 34
By default, the size of the fwx_alloc table is:
A B C D
Correct Answer: C
Section: NAT

QUESTION 35
Ann wants to hide FTP traffic behind the virtual IP of her cluster. Where is the relevant file table.def located to make this modification?
A. $FWDIR/log/table.def
B. $FWDIR/conf/table.def
C. $FWDIR/bin/table.def
D. $FWDIR/lib/table.def

Section: NAT

QUESTION 36
While troubleshooting a connectivity issue with an internal web server, you know that packets are getting to the upstream router, but when you run a tcpdump on the external interface of the gateway, the only traffic you observe is ARP requests coming from the upstream router. Does the problem lie on the Check Point Gateway?
A. Yes This could be due to a misconfigured route on the firewall.
B. No This is a layer 2 connectivity issue and has nothing to do with the firewall.
C. No The firewall is not dropping the traffic, therefore the problem does not lie with the firewall.
D. Yes This could be due to a misconfigured Static NAT in the firewall policy.
Section: NAT

QUESTION 37
In a production environment, your gateway is configured to apply a Hide NAT for all internal traffic destined to the Internet. However, you are setting up a VPN tunnel with a remote gateway, and you are concerned about the encryption domain that you need to define on the remote gateway. Does the remote gateway need to include your production gateway's external IP in its encryption domain?
A. No all packets destined through a VPN will leave with original source and destination packets without translation.
B. No all packets destined to go through the VPN tunnel will have the payload encapsulated in an ESP packet and after decryption at the remote site, will have the same internal source and destination IP addresses.
C. Yes all packets destined to go through the VPN tunnel will have the payload encapsulated in an ESP packet and after decryption at the remote site, the packet will contain the source IP of the Gateway because of Hide NAT.
D. Yes The gateway will apply the Hide NAT for this VPN traffic.

Section: NAT

QUESTION 38
The "Hide internal networks behind the Gateway's external IP" option is selected. What defines what traffic will be NATted?
A. The Firewall policy of the gateway
B. The network objects configured for the network
C. The VPN encryption domain of the gateway object
D. The topology configuration of the gateway object
Section: NAT

QUESTION 39
With the default ClusterXL settings what will be the state of an active gateway upon using the command ClusterXL_admin up?
A. Ready
B. Down
C. Standby
D. Active
Correct Answer: C
Section: ClusterXL

QUESTION 40
Which command should you use to stop kernel module debugging (excluding SecureXL)?

A. fw ctl debug 0
B. fw ctl zdebug - all
C. fw debug fwd off; vpn debug off
D. fw debug fwd off
Section: ClusterXL

QUESTION 41
Which command should you run to debug the VPN-1 kernel module?
A. fw debug vpn on
B. vpn debug on TDERROR_ALL_ALL=5
C. fw ctl zdebug crypt kbuf
D. fw ctl debug -m VPN all
Section: ClusterXL

QUESTION 42
When you have edited the local.arp configuration, to support a manual NAT, what must be done to ensure proxy arps for both manual and automatic NAT rules function?
A. In Global Properties > NAT tree select Merge manual proxy ARP configuration check box
B. Run the command fw ctl ARP a on the gateway
C. In Global Properties > NAT tree select Translate on client side check box
D. Create and run a script to forward changes to the local.arp tables of your gateway
Section: ClusterXL

QUESTION 43
Which command clears all the connection table entries on a Security Gateway?
A. fw tab t connetion u
B. fw ctl tab t connetions u
C. fw tab t connetion -s
D. fw tab t connections -x
Section: ClusterXL

QUESTION 44
How can you see a dropped connection and the cause from the kernel?
A. fw zdebug drop
B. fw ctl debug drop on
C. fw debug drop on
D. fw ctl zdebug drop
Section: ClusterXL

QUESTION 45
After creating and pushing out a new policy, Joe finds that an old connection is still being allowed that should have been closed after his changes. He wants to delete the connection on the gateway, and looks it up with fw tab t connections u. Joe finds the connection he is looking for. What command should Joe use to remove this connection?

<0,a128c22,89,a158508,89,11;10001,2281,25,15b,a1,4ecdfeee,ac,691400ac,7b6,3e,ffffffff,3c,3c,0,0,0,0,0,0,0,0,0,0,0,0,0,0>
A. fw tab t connections x d "0,a128c22,89,0a158508,89,11"
B. fw tab t connections x e "0,a128c22, ,0a158508, , "
C. fw tab t connections x d " ,a128c22, ,0a158508, , "
D. fw tab t connections x e "0,a128c22,89,0a158508,89,11"
Section: ClusterXL

QUESTION 46
Using the default values in R77 how many kernel instances will there be on a 16-core gateway?
A. 16
B. 8
C. 12
D. 14
Section: ClusterXL

QUESTION 47
When viewing connections using the command fw tab -t connections, all entries are displayed with a 6-tuple key, the elements of the 6-tuple include the following EXCEPT:
A. destination port number
B. source port number
C. direction (inbound / outbound)
D. interface id

Section: ClusterXL

QUESTION 48
Each connection allowed by a Security Gateway, will have a real entry and some symbolic link entries in the connections state table. The symbolic link entries point back to the real entry using this:
A. serial number of the real entry.
B. 6-tuple.
C. memory pointer.
D. date and time of the connection establishment.
Section: ClusterXL
Reference: C3O3 - ClusterXL

QUESTION 49
Extended Cluster Anti-Spoofing checks what value to determine if a packet with the source IP of a gateway in the cluster is being spoofed?
A. The source IP of the packet.
B. The packet has a TTL value of less than 255.
C. The source MAC address of the packet.
D. The destination IP of the packet.
Section: ClusterXL

QUESTION 50
How do you clear the connections table?

A. Run the command fw tab t connections x
B. In Gateway Properties > Optimizations click Clear connections table
C. Run the command fw tab t conns c
D. Run the command fw tab t connections c
Section: ClusterXL

QUESTION 51
In order to prevent outgoing NTP traffic from being hidden behind a Cluster IP you should?
A. Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <17, 123> }; and then push policy.
B. Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <17, 123> };.
C. Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <123, 17> }; and then push policy.
D. Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <123, 17> }.
Correct Answer: C
Section: ClusterXL

QUESTION 52
Which command would a troubleshooter use to verify table connection info (peak, concurrent) and verify information about cluster synchronization state?
A. fw tab t connections s
B. fw ctl pstat
C. fw ctl multik stat

D. Show info all
Section: ClusterXL

QUESTION 53
Which definition best describes the file table.def function? It is a placeholder for:
A. definitions of various kernel tables for Security Gateways.
B. definitions of various kernel tables for Management Servers.
C. user defined implied rules for Security Gateways.
D. user defined implied rules for Management Servers.
Section: ClusterXL

QUESTION 54
Your customer receives an alert from their network operation center, they are seeing ARP and Ping scans of their network originating from the firewall. What could be the reason for the behaviour?
A. Check Point firewalls probe adjacent networking devices during normal operation.
B. IPS is disabled on the firewalls and there is a known OpenSSL vulnerability that allows a hacker to cause a network scan to originate from the firewall.
C. One or both of the firewalls in a cluster have stopped receiving CCP packets on an interface.
D. Check Point's Antibot blade performs anti-bot scans of the surrounding network.
Correct Answer: C
Section: ClusterXL

QUESTION 55
Your cluster member is showing a state of "Ready". Which of the following is NOT a reason one would expect for this behaviour?
A. One cluster member is configured for 32 bit and the other is configured for 64 bit
B. CoreXL is configured differently on the two machines
C. The firewall that is showing "Ready" has been upgraded but the other firewall has not yet been upgraded
D. Firewall policy has not yet been installed to the firewall
Section: ClusterXL

QUESTION 56
Which of the following is NOT a cphaprob status?
A. "Standby"
B. "Active"
C. "Backup"
D. "Down Attention" (or "Down!" in VSX mode)
Section: ClusterXL

QUESTION 57
What would be a reason for changing the "Magic MAC"?
A. To allow for automatic upgrades.
B. To allow two or more cluster members to exist on the same network.
C. To allow two or more clusters to exist on the same network.
D. To allow the two cluster members to use the same virtual IP address.
Correct Answer: C

Section: ClusterXL

QUESTION 58
How many sync interfaces are supported on Check Point R77 GAiA?
A. 3
B. 4
C. 2
D. 1
Section: ClusterXL

QUESTION 59
What would be a reason to use the command cphaosu stat?
A. To determine the number of connections from OPSEC software using Open Source Licenses.
B. To decide when to fail over traffic to a new cluster member.
C. This is not a valid command.
D. To see the policy install dates on each of the members in the cluster.
Section: ClusterXL

QUESTION 60
You run the commands:
fw ctl debug 0

fw ctl debug -buf
Which of the following commands would be best to troubleshoot a clustering issue?
A. fw ctl zdebug -m cluster + all
B. fw ctl debug -m CLUSTER + conf stat
C. fw ctl debug -m cluster + pnote stat if
D. fw ctl kdebug -m CLUSTER all
Correct Answer: C
Section: ClusterXL

QUESTION 61
You run the command fw tab -t connections -s on both members in the cluster. Both members report differing values for "vals" and "peaks". Which may NOT be a reason for this difference?
A. Synchronization is not working between the two members
B. SGMs in a 61k environment only sync selective parts of the connections table.
C. Heavily used short-lived services have had synchronization disabled for performance improvement.
D. Standby member does not synchronize until a failover is needed.
Section: ClusterXL

QUESTION 62
Your customer reports that the time on the standby cluster member is not correct. After failing over and making it active, the time is now correct. NTP has been configured on both machines, so it is expected that both machines be in sync with the NTP server. Upon investigating, it was found that the standby member was never able to communicate with the NTP server while it was in standby configuration. What could be the problem?
A. You should be syncing your backup to the primary for time settings.
B. NTP is not supported in active-passive mode.

C. Traffic from the standby member was hidden behind the cluster IP address and was therefore returning to the active member.
D. Routing prevents the standby member from performing functions such as peering with dynamic routing and obtaining NTP updates.
Correct Answer: C
Section: ClusterXL

QUESTION 63
Your customer has an R77 Multi-domain Management Server managing a mix of firewalls of R70 and R77 versions. A change was made to the file $FWDIR/lib/tables.def on one of the domains. However, it was found that the change was not applied to the R70 firewalls. What could be the problem?
A. Changes to the table.def can only be applied to firewalls matching the Management Server version. The customer needs to upgrade the firewalls to the same version as the firewall.
B. R70 is end of life and is not supported. Most functions will work, but modifying the table.def will not.
C. In order to make changes on R70 machines you need work within GuiDBedit
D. To support R70, the file in the compatibility directory should have been modified.
Section: ClusterXL

QUESTION 64
What is the function of the setting "no_hide_services_ports" in the tables.def files?
A. Preventing the secondary member from hiding its presence by not forwarding any packets.
B. Allowing management traffic to be accepted in an applied rule ahead of the stealth rule.
C. Hiding the particular tables from being synchronized to the other cluster member.
D. Preventing outbound traffic from being hidden behind the cluster IP address.
Section: ClusterXL

QUESTION 65
Which command will you run to list established VPN tunnels?
A. fw tab -t vpn_active
B. vpn compstat
C. fw tab -t vpn_routing
D. vpn tu
Section: VPN Troubleshooting

QUESTION 66
You are in VPN troubleshooting with a Partner and you suspect a mismatch configuration in Diffie-Hellman (DH) group to Phase1. After starting a vpn debug, in which packet would you look to analyze this option in your debug file?
A. Packet3
B. Packet4
C. Packet5
D. Packet1
Section: VPN Troubleshooting

QUESTION 67
The file ike.elg is a log file used to log IKE negotiations during VPN tunnel establishment. Where is this file located?
A. /opt/cpshrd-r77/log
B. /opt/cpsuite-r77/fw1/log

C. /var/log/opt/cpsuite-r77/fg1/log
D. /opt/cpsuite-r77/fg1/log
Section: VPN Troubleshooting

QUESTION 68
Which command displays compression/decompression statistics?
A. vpn ver k
B. vpn compstat
C. vpn compreset
D. vpn crlview
Section: VPN Troubleshooting

QUESTION 69
Which program could you use to analyze Phase I and Phase II packet exchanges?
A. vpnview
B. Check PointView
C. IKEView
D. vpndebugview

Correct Answer: C
Section: VPN Troubleshooting

QUESTION 70
Check Point Best Practices suggest that when you finish a kernel debug, you should run the command.
A. fw debug 0
B. fw debug off
C. fw ctl debug default
D. fw ctl debug 0
Section: VPN Troubleshooting

QUESTION 71
Given the following IKEView output, what do we know about QuickMode Packet 1?

A. Packet 1 proposes a symmetrical key
B. Packet 1 proposes a subnet and host ID, an encryption and hash algorithm
C. Packet 1 Proposes SA life Type, Sa Life Duration, Authentication and Encapsulation Algorithm

D. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data
Section: VPN Troubleshooting

QUESTION 72
You are attempting to establish a VPN tunnel between a Check Point gateway and a 3rd party vendor. When attempting to send traffic to the peer gateway it is failing. You look in SmartView Tracker and see that the failure is due to "Encryption failure: no response from peer". After running a VPN debug on the problematic gateway, what is one of the files you would want to analyze?
A. $FWDIR/log/fw.log
B. $FWDIR/log/fwd.elg
C. $FWDIR/log/ike.elg
D. /var/log/fw_debug.txt
Correct Answer: C
Section: VPN Troubleshooting

QUESTION 73
You want to run VPN debug that will generate both ike.elg and vpn.elg files. What is the best command that can be used to achieve this goal?
A. vpn debug ikeon
B. vpn debug on TDERR_ALL_ALL=5
C. vpn debug trunc
D. vpn debug trunc
Section: VPN Troubleshooting

QUESTION 74
In IKEView while troubleshooting a VPN issue between your gateway and a partner site you see an entry that states "Invalid ID". Which of the following is the most likely cause?
A. IKEv1 is not supported by the peer.
B. Time is not matching between two members.
C. The encryption parameters (hash, encryption type, etc.) do not match.
D. Wrong subnets are being negotiated.
Section: VPN Troubleshooting

QUESTION 75
While troubleshooting a VPN issue between your gateway and a partner site you see an entry in Smartview Tracker that states "Info: encryption failure: Different community ID: possible NAT problem". Which of the following is the most likely cause?
A. You have an encryption method mismatch.
B. Implied rules in global properties such as ICMP and DNS are set to first instead of before last.
C. You have not created a specific rule allowing VPN traffic.
D. You have the wrong encryption domains configured.
Section: VPN Troubleshooting

QUESTION 76
You are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log on your gateway that states "Clear text packet should be encrypted". Which of the following would be the best troubleshooting step?
A. Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving the initiating (partner) gateway as clear text.

B. Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving local (your) gateway as clear text.
C. Your phase one algorithms are mismatched between gateways.
D. This is management traffic and we need to enable implied rule to address this issue.
Section: VPN Troubleshooting

QUESTION 77
Your company has recently decided to allow remote access for clients. You find that no one is able to connect, although you are confident that your rule set and remote access community has been defined correctly. What is the most likely cause, based on the options below? You have the following debug file:

A. RDP is being blocked upstream.
B. You have selected IKEv2 only in Global Properties > Remote Access > VPN Authentication and Encryption.
C. Remote access clients are all behind NAT devices.
D. Implied rule is not set to accept control connections.
Section: VPN Troubleshooting

QUESTION 78

You are experiencing an issue where Endpoint Connect client connects successfully however, it disconnects every 20 seconds. What is the most likely cause of this issue?
A. The Accept Remote Access control connections is not enabled in Global Properties > FireWall Implied Rules.
B. You have selected IKEv2 only in Global Properties > Remote Access > VPN Authentication and Encryption.
C. You are not licensed for Endpoint Connect client.
D. Your remote access community is not configured.
Section: VPN Troubleshooting

QUESTION 79
In a VPN configuration, the following mode can be used to increase throughput by bypassing firewall enforcement.
A. Virtual Tunnel Interface (VTI) Mode can bypass firewall for all encrypted traffic
B. Hub Mode can be used to bypass stateful inspection
C. There is no such mode that can bypass firewall enforcement
D. Wire mode can be used to bypass stateful inspection
Section: VPN Troubleshooting

QUESTION 80
When VPN user-based authentication fails, which of the following debug logs is essential to understanding the issue?

A. VPN-1 kernel debug logs
B. IKE.elg
C. Vpnd.elg
D. fw monitor trace
Section: VPN Troubleshooting

QUESTION 81
In Tracker you are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log that states "No proposal chosen" what is the most likely cause?
A. There is a time mismatch
B. The peer machine is not accepting multicast packets
C. A mismatch in the settings between the two peers
D. Using IKEv1 when peer uses IKEv2
Correct Answer: C
Section: VPN Troubleshooting

QUESTION 82
Which of the following is NEVER affected by incorrect OS time and date configuration?
A. VPN PSK authentication
B. VPN certificate authentication
C. SIC
D. Identity Awareness Kerberos authentication
Section: VPN Troubleshooting

QUESTION 83
You are troubleshooting your VPN and are reviewing the output of your command fw monitor, shown below. What can you determine from the following output?
A. The fw monitor command cannot display the relevant information since it is encrypted traffic
B. NAT is not being applied to the IP address
C. There is no issue, since the traffic is being seen at all points in the inspection kernel
D. Traffic is not being encrypted
Section: VPN Troubleshooting

QUESTION 84
What would the following command fw monitor tell you?
A. Only OSPF and FTP traffic between and
B. Only traffic between and on port 21 or port 89
C. Only accepted traffic between and , or any accepted FTP traffic, or any accepted OSPF traffic
D. Any communication between and , or any FTP traffic, or any OSPF traffic
Section: VPN Troubleshooting

QUESTION 85
After disabling SecureXL you ran command fw monitor to help troubleshoot a VPN issue. In your review you note that you only see pre-inbound traffic ("i") and no other traffic after this. Which of the following reasons could explain this output?
A. You don't have an "encrypt" rule
B. Traffic is not destined to the correct MAC address because you failed to set up proxy ARP
C. You have overlapping encryption domains with the remote site
D. Routes are set up incorrectly
Correct Answer: C
Section: VPN Troubleshooting

/Reference:

QUESTION 86
You are setting up VPN between two gateways Local-GW and New-GW and want to use shared secret. For some reason New-GW is not showing up in the shared secret properties under mesh community properties. What is the most likely reason why the New-GW is not displayed?

A. Gateway is locally managed by the same management station as Local-GW and shared secret is not supported for this configuration
B. New-GW has to have Advanced properties > shared secret enabled.
C. You need to install database by selecting Policy > Install database before gateway can be added.
D. Gateway is 600 appliance and does not support "shared secret" option.

Section: VPN Troubleshooting
/Reference:

QUESTION 87
SecureXL uses templating to accelerate traffic passing through the gateway. What command should you run to determine if Accept, Drop and NAT templating is enabled?

A. fwaccel stat
B. fw ctl pstat
C. cphaprob -a if
D. cpconfig

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 88
Certain rules will disable connection rate acceleration (templates) in the Rule Base. What command should be used to determine on what rule templates are disabled?

A. cpconfig
B. cphaprob -a if
C. fw ctl pstat
D. fwaccel stat

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 89
Look at the following Rule Base display. Rule 5 contains a TIME object. What is the effect on the following rules?

A. Rule 6 will be eligible but Rule 7 will not.
B. All subsequent rules below Rule 5 will not be templated, regardless of the rule
C. No effect. Rules 6 and 7 will be eligible for templating.
D. The restriction on one rule does not affect later rules with regards to templates.

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 90
The command fwaccel stat displays what information?

A. Accelerator status, accept templates, drop templates
B. Accelerated packets, accept templates, dropped packets
C. Accelerator status, accelerated rules, drop templates
D. Accelerator status, CoreXL state, drop templates

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 91
How to check the overall SecureXL statistics:

A. fwaccel on
B. fwaccel stat
C. cat /proc/ppk/statistics
D. fwaccel conns

Correct Answer: C
Section: SecureXL Acceleration debugging
/Reference:

QUESTION 92
When are rules that include identity awareness access roles accelerated through SecureXL?

A. Rules using Identity Awareness are always accelerated.
B. Only when 'Unauthenticated Guests' is included in the access role.
C. They have no bearing on whether the connection for the rule is accelerated.
D. Rules using Identity Awareness are never accelerated.

Correct Answer: C
Section: SecureXL Acceleration debugging

/Reference:

QUESTION 93
What command shows the same information as fwaccel stats l?

A. cat /proc/ppk/cpls
B. cat /proc/ppk/statistics
C. cphaprob a hconf
D. fwaccell stats s u -k

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 94
In order to perform some connection troubleshooting, you run the command fw monitor e accept dport = 443. You do NOT see the TCP ACK packet. Why is this?

A. The connection is encrypted.
B. The connection is NATted.
C. The connection is dropped.
D. The connection is accelerated.

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 95
What is the corresponding connection template entered into the SecureXL connection table from the connection: " :1024 > :80"

A. " :1024 > :80"
B. " :1024 > :*"
C. " :* > :*"
D. " :* > :80"

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 96
When are rules that include Identity Awareness Access (IDA) roles accelerated through SecureXL?

A. Only when 'Unauthenticated Guests' is included in the access role.
B. Never, the inclusion of an IDA role disables SecureXL.
C. The inclusion of an IDA role has no bearing on whether the connection for the rule is accelerated.
D. Always, the inclusion of an IDA role guarantees the connection for the rule is accelerated.

Correct Answer: C
Section: SecureXL Acceleration debugging
/Reference:

QUESTION 97
In the policy below, which rule disables SecureXL?

A. 5
B. 1
C. 4
D. 3

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 98
When optimizing a customer firewall Rule Base, what is the BEST way to start the analysis?

A. With the command fwaccel stat followed by the command fwaccel stats.
B. At the top of the Rule Base.
C. Using the hit count column.
D. Using the Compliance Software Blade.

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 99
What do the 'F' flags mean in the output of fwaccel conns?

A. Forward to firewall
B. Flag set for debug
C. Fast path packets
D. Flow established

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 100
What command should a firewall administrator use to begin debugging SecureXL?

A. fwaccel dbg api + verbose add
B. fwaccel debug m <module name> <flag>
C. fwaccel dbg -m <module name> <flag>
D. SecureXL cannot be debugged and the kernel debug will give enough output to help the firewall administrator to understand the firewall's behaviour. The right command to use is fw ctl debug m fw.

Correct Answer: C
Section: SecureXL Acceleration debugging
/Reference:

QUESTION 101
A firewall administrator knows the details of the packet header for an already established connection going through a firewall. What command will show if SecureXL will accelerate that packet?

A. fw ctl zdebug + sxl error warning asm
B. fwaccel conns
C. fwaccel templates
D. fw tab t connections f grep `dest. port #' grep `source port #' grep `dest. IP address'

Correct Answer: C
Section: SecureXL Acceleration debugging
/Reference:

QUESTION 102
What is the command to check how many connections the firewall has detected for the SecureXL device?

A. fw tab t connections s
B. fw tab -t cphwd_db s
C. fw tab t connection s grep template
D. fwaccel conns

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 103
While troubleshooting high CPU usage on cores 3 and 4 on a cluster, you notice the following output of fwaccel stats -s:

What could be a possible cause of the high CPU usage?

A. Connections are being partially accelerated by SecureXL, but too many packets are still being processed by the firewall kernel.
B. The Secure Network Dispatcher (SND) is having to process too much inbound traffic from the NICs.
C. Connections are not being accelerated by SecureXL, and all packets are being forwarded to firewall kernel instances for inspection.
D. The Secure Network Dispatcher (SND) is working too hard to distribute the traffic to the acceleration layer.

Correct Answer: C
Section: SecureXL Acceleration debugging
/Reference:

QUESTION 104
Which of the following statements are TRUE about SecureXL?

I. SecureXL is able to accelerate all connections through the firewall.
II. Medium path acceleration will still cause some CPU utilization of CoreXL cores.
III. F2F connections represent "forwarded to firewall" connections that are not accelerated and fully processed through the firewall kernel.
IV. Packets going through SecureXL must be inspected by the firewall kernel before being accelerated.

A. II and III
B. I, II, and III

C. III and IV
D. I and IV

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 105
Consider the following Rule Base; What can be concluded in regards to SecureXL Accept Templates?

A. Accept Templates will be disabled on Rule #4
B. Accept Templates will be fully functional
C. Accept Templates will be disabled on Rule #6
D. Accept Templates do not function with VPN communities in the Rule Base

Section: SecureXL Acceleration debugging
/Reference:

QUESTION 106
In an HA cluster, you modify the number of cores given to CoreXL on only one member using cpconfig and then issue a reboot. What is the expected ClusterXL status of this member when it comes up?

A. Standby
B. Ready
C. Active
D. Down

Section: Hardware Optimization
/Reference:

QUESTION 107
Which information CANNOT be displayed by issuing the command cat /proc/cpuinfo?

A. CPU family
B. NFS_Unstable
C. fpu
D. vendor_id

Section: Hardware Optimization

/Reference:

QUESTION 108
You find that your open server SecurePlatform system is lagging although you know you have plenty of memory and the complexity of the Rule Base has not changed significantly. You think that upgrading the CPU frequency speed could help your performance. Which command could help you see what speed and model of CPU you are using?

A. top
B. sysconfig
C. cat /proc/cpuinfo
D. fw tab

Correct Answer: C
Section: Hardware Optimization
/Reference:

QUESTION 109
Where would you find CPU information like model, number of cores, vendor and architecture?

A. In the file cpuinfo in the directory /proc.
B. Right click the gateway object in Smart Dashboard and view properties
C. WebUI
D. sysconfig

Section: Hardware Optimization
/Reference:

QUESTION 110
From which version can you add Proxy ARP entries through the GAiA portal?

A. R77.10
B. R77
C. R75.40
D. R76

Correct Answer: C
Section: Hardware Optimization
/Reference:

QUESTION 111
What happens to manual changes in the file $FWDIR/conf/local.arp when adding Proxy ARP entries through the GAiA portal or Clish?

A. Nothing.
B. If the file $FWDIR/conf/local.arp has been edited manually, you are not able to add Proxy ARP entries through the GAiA portal or Clish.
C. They are merged with the new entries added from the GAiA Portal / Clish.
D. They are overwritten.

Section: Hardware Optimization
/Reference:

QUESTION 112
You are analyzing your firewall logs, /var/log/messages, and repeatedly see the following kernel message: 'kernel: neighbor table overflow' What is the cause?

A. Arp cache overflow

B. OSPF neighbor down
C. Nothing, you can disconsider it.
D. Cluster member table overflow

Section: Hardware Optimization
/Reference:

QUESTION 113
The 'Maximum Entries' value in the GAiA Portal corresponds to the 'gc_thresh3' parameter in the Linux kernel and has value of Knowing this, you know that gc_thresh2 and gc_thresh1 if are automatically set to the values:

A. gc_thresh2=256 and gc_thresh1=128
B. gc_thresh2=512 and gc_thresh1=256
C. gc_thresh2=1024 and gc_thresh1=1024
D. gc_thresh1=256 and gc_thresh2=128

Section: Hardware Optimization
/Reference:

QUESTION 114
Your ARP cache is overflowing, negatively impacting users' experience on your network. Which command can you issue to increase the ARP cache on the fly? You do not need this to survive reboot.

A. Modify the /etc/sysctl.conf: net.ipv4.neigh.default.gc_thresh3 =
B. echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
C. arp cache table > 1024
D. You cannot increase the size of the ARP cache on the fly.

Section: Hardware Optimization

/Reference:

QUESTION 115
Your gateway object is currently defined with a max connection count of 25k connections in Smart Dashboard. Which of the following commands would show you the current and peak connection counts?

A. show connections all
B. fw ctl conn
C. fw ctl chain
D. fw ctl pstat

Section: Hardware Optimization
/Reference:

QUESTION 116
Which command will NOT display information related to memory usage?

A. free
B. fw ctl pstat
C. cat /proc/meminfo
D. memoryinfo.conf

Section: Hardware Optimization
/Reference:

QUESTION 117
What does the command fwaccel templates do?

A. Starts firewall acceleration after fwaccel off was run or SecureXL was enabled by using the command cpconfig.
B. That SecureXL has been enabled in the cpconfig command menu.

C. Shows templates existing in the SecureXL device. This is so that an administrator can look for the template that matches the specific traffic.
D. The Rule Base mapping between actual rules and the template built up in Layer 2.

Correct Answer: C
Section: Hardware Optimization
/Reference:

QUESTION 118
Running the command fw ctl pstat l would return what information?

A. Additional hmem details
B. General Security Gateway statistics
C. Additional kmem details
D. Additional smem details

Section: Hardware Optimization
/Reference:

QUESTION 119
You have a user-defined SMTP trap configured to send an alert to your mail server, and you also have SmartView Monitor configured to trigger the alert whenever policy is pushed to your gateway. However, you are not getting any mails even when you test for pushing policy. What process should you troubleshoot on the Management Server?

A. fwd
B. fwm
C. cpwd_admin
D. cpstat_monitor

Section: Hardware Optimization

/Reference:

QUESTION 120
What command, other than fw ctl pstat, will display your peak concurrent connections?

A. fw ctl get int fw_peak_connections
B. netstat -ni
C. fw tab -t connections -s
D. top

Correct Answer: C
Section: Hardware Optimization
/Reference:

QUESTION 121
You have just configured HA and find that connections are not being synced. When you have a failover, users complain that they are losing their connections. What command could you run to see the state synchronization statistics?

A. fw ctl pstat
B. fw sync stats
C. cphaprob stat
D. fw ctl get int fw_state_sync_stats

Section: Hardware Optimization
/Reference:

QUESTION 122
Which of the following is a valid synchronization status as an output to fw ctl pstat?

A. Unable to receive sync packets
B. Sync member down
C. Synchronized
D. Communicating

Section: Hardware Optimization
/Reference:

QUESTION 123
You are running some diagnostics on your GAIA gateway. You are reviewing the number of fragmented packets; you notice that there are a lot of large and duplicate packets. Which command did you issue to get this information?

A. sysconfig
B. fw ctl pstat
C. fw ctl get int fw_frag_stats
D. cat /proc/cpuinfo

Section: Hardware Optimization
/Reference:

QUESTION 124
Your company has grown significantly over the past few months. You are seeing that new connections are being dropped but note that the connections table is not full. You suspect that the kernel memory allocated to the firewall has reached its full capacity. To check the "Machine Capacity Summary" statistics, you use command:

A. ps -aux
B. top
C. cat /proc/net/capacity

D. fw ctl pstat

Section: Hardware Optimization
/Reference: C6O4 - Hardware Optimization

QUESTION 125
Under which scenario would you most likely consider the use of Multi-Queue?

A. When IPS is heavily used.
B. When most of the traffic is accelerated.
C. When most of the processing is done in CoreXL.
D. When trying to increase session rate.

Section: Hardware Optimization
/Reference:

QUESTION 126
If you need to use a Domain object in the Rule Base, where should this rule be located?

A. No higher than the 2nd rule.
B. The first rule in the Rule Base.
C. The last rule before the clean up rule.
D. The last rule after the clean up rule.

Correct Answer: C
Section: Hardware Optimization
/Reference:

QUESTION 127
You have a requirement to implement a strict security policy. With this in mind, you must create a stealth rule. How will this impact your packet acceleration?

A. Using a stealth rule disables SecureXL.
B. There will be no impact as long as the rule is not logged.
C. NAT templates will not work.
D. There will be no impact, since stealth rules do not affect SecureXL.

Section: Hardware Optimization
/Reference:

QUESTION 128
What will be the outcome if you set the kernel parameters cphwd_nat_templates_enabled and cphwd_nat_templates_support?

A. This would enable Hide NAT support.
B. These parameters are mutually exclusive and cannot be used at the same time.
C. This would enable SecureXL NAT templates.
D. These are not valid parameters.

Correct Answer: C
Section: Hardware Optimization
/Reference:

QUESTION 129
You are finding that some users are complaining about slow connection speed. You would like to review a summary of your connections, including which connections are accelerated and those that are not. What command could you use?

A. fw ctl pstat
B. fwaccel perf
C. fw tab -t connections -s
D. fwaccel stats -s

Section: Hardware Optimization
/Reference:

QUESTION 130
You want to verify that the majority of your connections are being optimized by SecureXL. What command would you run to establish this information?

A. fw ctl pstat
B. fw tab -t connections -s
C. fwaccel conns -s
D. sim_dbg -s

Correct Answer: C
Section: Hardware Optimization
/Reference:

QUESTION 131
What is the difference between "connection establishment acceleration" (templating) and "traffic acceleration"?

A. These are the same technologies with different names.
B. "Connection establishment acceleration" only accelerates a single connection, while "traffic acceleration" accelerates similar traffic.
C. "Traffic acceleration" is accelerated through hardware, and "connection establishment acceleration" is accelerated in software.
D. "Traffic acceleration" only accelerates a single connection, while "connection establishment acceleration" accelerates similar traffic.

Section: Hardware Optimization
/Reference:

QUESTION 132
What type of connections cannot be templated?

A. Any connections that contain Hide NAT
B. Complex connections such as FTP, H323, SQL, etc.
C. UDP because it is not connection oriented
D. TCP

Section: Hardware Optimization
/Reference:

QUESTION 133
You issue the command fwaccel stat and see the following:

What is a possible reason that the "accept templates" is disabled?

A. Rule one is a drop rule.
B. Rule one uses static NAT.
C. Rule one contains a time object.
D. Your administrator has not enabled templating.

Correct Answer: C

Section: Hardware Optimization
/Reference:

QUESTION 134
PXL is considered to be what type of acceleration?

A. Fast Path
B. Slow Path
C. Medium Path
D. PXL is not related to acceleration

Correct Answer: C
Section: Hardware Optimization
/Reference:

QUESTION 135
You are running an inventory process within your corporate environment (R77) and need to find out CPU, memory, disk space, and information regarding the software blades enabled. What command could you use to easily gather this information?

A. cpconfig
B. fw ctl pstat
C. SmartView Tracker
D. cpview

Section: Hardware Optimization
/Reference:

QUESTION 136
A Rule Base has been improperly configured with a rule which disables templating at the top of the Rule Base. How will this impact traffic acceleration?

A. SecureXL is disabled.
B. Templates are disabled, and throughput acceleration only functions for rules above this one.
C. Templates are disabled for this rule but it does not impact the rest of the Rule Base.
D. Templates are disabled but throughput acceleration is still taking place.

Section: Hardware Optimization
/Reference:

QUESTION 137
You run the command fwaccel conns and notice in the output that all the connections have "F" in the "flags" column, see below: What does this mean?

A. Connections are being "forward to firewall" ("f2f").
B. Connections are being "forwarded" to the accelerating engine.
C. Connections are accelerated ("fastpath").
D. Connections have the fragment flag set.

Section: Hardware Optimization
/Reference:

QUESTION 138
From a Best Practices perspective, what percentage of your packets should be accelerated?

A. 65%
B. 90%
C. 100%
D. 75%

Section: Hardware Optimization
/Reference:

QUESTION 139
How does the Check Point Security Administrator enable NAT Templates?

A. Run commands with syntax fw ctl set int cphwd_nat_templates_support 1 and fw ctl set int cphwd_nat_templates_enabled 1.
B. Edit file $FWDIR/boot/modules/fwkern.conf with the lines "cphwd_nat_templates_support=1" and "cphwd_nat_templates_enabled=1".
C. Set Firewall object > NAT > Advanced
D. Set Global properties > NAT-Network address translation

Section: Software Tuning

/Reference:

QUESTION 140
What should you do after editing fwkern.conf to enable NAT templates?

A. Install database
B. Reboot
C. Install policy
D. Make sure the change shows up in Smartview Monitor

Section: Software Tuning
/Reference:

QUESTION 141
How would you determine the value of 'Maximum concurrent connections' of the NAT Table?

A. fwx_alloc
B. fwx_max_conns
C. fwx_auth
D. objects_5_0.c

Section: Software Tuning
/Reference:

QUESTION 142
What does "cphwd_nat_templates_enabled=1" do when entered into fwkern.conf?

A. Disables NAT templates when SecureXL is turned on.
B. Enables NAT templates when SecureXL is turned on.
C. Enables NAT templates at all times.

D. Disables NAT templates at all times.

Section: Software Tuning
/Reference:

QUESTION 143
You are a system administrator and you are working with Support. Support asked you to enable kernel core dumps on the files. You are unsure if this has already been set. You run the command chkconfig -list kdump. Does the screen capture tell you if kernel dumps are enabled on this gateway?

A. There is not enough information to determine if kernel core files will be generated.
B. Yes kernel dump has been enabled and kernel files should be captured.
C. Kdump has nothing to do with kernel core file generation.
D. All values should be set to "on". A kernel core dump will not be created.

Section: Software Tuning
/Reference:

QUESTION 144
When a cluster member is completely powered down, how will the other member identify if there is network connectivity?

A. The working member will ARP for the default gateway.
B. The working member will look for replies to traffic sent from internal hosts.

C. The working member will automatically assume connectivity.
D. The working member will Ping IPs in the subnet until it gets a response.

Section: Software Tuning
/Reference:

QUESTION 145
If the number of Firewall Workers for CoreXL is set higher on one member of a cluster than the other, the cluster will be in what state?

A. Active/Standby
B. Active/Ready
C. Active Attention/Down
D. Active/Down

Section: Software Tuning
/Reference:

QUESTION 146
To check what is currently set in the Firewall kernel debug input the command:

A. fw ctl multistate
B. fw ctl debug x
C. fw ctl pstat
D. fw ctl debug

Section: Software Tuning
/Reference:

QUESTION 147
Misha is working on a stand-by firewall and deletes the connections table in error. He finds that now the table is out of sync with the Active member. To get them completely synced again, Misha should run the command pair and.

A. fw ctl sync stop, fw ctl sync start
B. fw ctl setsync off, fw ctl setsync start
C. fw ctl setsync stop, fw ctl setsync on
D. fw ctl setsync off, fw ctl setsync on

Section: Software Tuning
/Reference:

QUESTION 148
In a ClusterXL cluster with delayed synchronization, which of the following is not true?

A. The length of time for the delay can be edited.
B. It applies only to TCP services whose Protocol Type is set to HTTP or None.
C. Delayed Synchronization is disabled if the Track option in the rule is set to Log or Account.
D. Delayed Synchronization is performed only for connections matching a SecureXL Connection Template.

Section: Software Tuning
/Reference:

QUESTION 149
What is the best way to see how a firewall is performing while processing packets in the firewall path, including resource usage?

A. fw getperf
B. SecureXL stat
C. fwaccel stats
D. fw ctl pstat

Section: Software Tuning
/Reference:

QUESTION 150
What is the best way to see how much traffic went through the firewall that was TCP, UDP and ICMP?

A. fwaccel conns
B. fw tab t connections p
C. fwaccel stats
D. fw ctl pstat

Section: Software Tuning
/Reference:

QUESTION 151
Which file holds global Kernel values to survive reboot in a Check Point R77 gateway?

A. $FWDIR/conf/fwkern.conf
B. $FWDIR/boot/modules/fwkern.conf
C. $FWDIR/boot/confwkern.conf
D. $FWDIR/boot/fwkern.conf

Section: Software Tuning
/Reference:

QUESTION 152
ACME Corp has a cluster consisting of two appliances. As the Firewall Administrator, you notice that on an output of top, you are seeing high CPU usage of the cores assigned as SNDs, but low CPU usage on cores assigned to individual fw_worker_x processes. What command should you run next to performance tune your cluster?

A. fw ctl debug m cluster + all this will show you all the connections being processed by ClusterXL and explain the high CPU usage on your appliance.
B. fwaccel off this will turn off SecureXL, which is causing your SNDs to be running high in the first place.
C. fwaccel stats s this will show you the acceleration profile of your connections and potentially why your SNDs are running high while other cores are running low.
D. fw tab t connections s this will show you a summary of your connections table, and allow you to determine whether there is too much traffic traversing your firewall.

Correct Answer: C
Section: Software Tuning
/Reference:

QUESTION 153
Your customer has a well optimized Rule Base with most traffic accelerated by SecureXL. They are still seeing slow performance. They are using an 8 core machine. They see the following output from fw ctl affinity -l. What could be done to improve performance with this deployment?

A. Increase the number of cores dedicated to logging.
B. Increase the number of Secure Network Dispatchers as the accelerated traffic is not passed to a worker core.
C. Add more CPU resources to the hardware.
D. Upgrade to SAM hardware.

Section: Enable CoreXL
/Reference:

QUESTION 154
A Security Administrator wants to increase the amount of processing cores on a Check Point Security Gateway. He starts by increasing the number of cores,


How To Configure and Tune CoreXL on SecurePlatform How To Configure and Tune CoreXL on SecurePlatform 10 April 2012 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed

More information

Course Modules for CCSE R77 (Check Point Certified Security Expert) Training Online

Course Modules for CCSE R77 (Check Point Certified Security Expert) Training Online Course Modules for CCSE R77 (Check Point Certified Security Expert) Training Online 1 Introduction to Check Point Technology A) Check Point Security Management Architecture(SMART) Smart Console Security

More information

Exam Code:

Exam Code: Exam Code: 156-215.13 Number: 156-215.13 Passing Score: 800 Time Limit: 120 min File Version: 15.2 http://www.gratisexam.com/ Exam Code: 156-215.13 Exam Name: Check Point Certified Security Administrator

More information

Security Gateway Virtual Edition

Security Gateway Virtual Edition Security Gateway Virtual Edition R71 Release Notes 9 February 2012 Classification: [Restricted] 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are

More information

CoreXL Administration Guide

CoreXL Administration Guide CoreXL Administration Guide January 3, 2008 In This Document Introduction page 2 Supported Hardware and Operating System page 2 Setting Up CoreXL page 2 Adding Processing Cores to the Hardware page 4 CoreXL

More information

Checkpoint Exam Check Point Certified Security Administrator GAiA Version: 7.1 [ Total Questions: 358 ]

Checkpoint Exam Check Point Certified Security Administrator GAiA Version: 7.1 [ Total Questions: 358 ] s@lm@n Checkpoint Exam 156-215.76 Check Point Certified Security Administrator GAiA Version: 7.1 [ Total Questions: 358 ] Topic break down Topic No. of Questions Topic 1: Volume A 100 Topic 2: Volume B

More information
