exam.250q

Number:
Passing Score: 800
Time Limit: 120 min
File Version: 1

Checkpoint
Check Point Certified Security Administrator

Sections
1. Volume A
2. Volume B
3. Volume C
4. Volume D

Exam A

QUESTION 1
Which of the following statements BEST describes Check Point's Hide Network Address Translation method?
A. Translates many destination IP addresses into one destination IP address
B. One-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation
C. Translates many source IP addresses into one source IP address
D. Many-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation
Correct Answer: C
Section: Volume A

QUESTION 2
Which Check Point address translation method allows an administrator to use fewer ISP-assigned IP addresses than the number of internal hosts requiring Internet connectivity?
A. Hide
B. Static Destination
C. Static Source
D. Dynamic Destination
Section: Volume A

QUESTION 3
NAT can NOT be configured on which of the following objects?
A. HTTP Logical Server
B. Gateway
C. Address Range
D. Host
Section: Volume A

QUESTION 4
Which Check Point address translation method is necessary if you want to connect from a host on the Internet via HTTP to a server with a reserved (RFC 1918) IP address on your DMZ?
A. Dynamic Source Address Translation
B. Hide Address Translation
C. Port Address Translation
D. Static Destination Address Translation
Correct Answer: D
Section: Volume A

QUESTION 5
You want to implement Static Destination NAT in order to provide external, Internet users access to an internal Web Server that has a reserved (RFC 1918) IP address. You have an unused valid IP address on the network between your Security Gateway and ISP router. You control the router that sits between the firewall external interface and the Internet. What is an alternative configuration if proxy ARP cannot be used on your Security Gateway?
A. Publish a proxy ARP entry on the ISP router instead of the firewall for the valid IP address.
B. Place a static ARP entry on the ISP router for the valid IP address to the firewall's external address.
C. Publish a proxy ARP entry on the internal Web server instead of the firewall for the valid IP address.

D. Place a static host route on the firewall for the valid IP address to the internal Web server.
Correct Answer: B
Section: Volume A

QUESTION 6
After implementing Static Address Translation to allow Internet traffic to an internal Web Server on your DMZ, you notice that any NATed connections to that machine are being dropped by anti-spoofing protections. Which of the following is the MOST LIKELY cause?
A. The Global Properties setting Translate destination on client side is unchecked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Check the Global Properties setting Translate destination on client side.
B. The Global Properties setting Translate destination on client side is unchecked. But the topology on the external interface is set to Others +. Change topology to External.
C. The Global Properties setting Translate destination on client side is checked. But the topology on the external interface is set to External. Change topology to Others +.
D. The Global Properties setting Translate destination on client side is checked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Uncheck the Global Properties setting Translate destination on client side.
Section: Volume A

QUESTION 7
Which NAT option applicable for Automatic NAT applies to Manual NAT as well?
A. Allow bi-directional NAT

B. Automatic ARP configuration
C. Translate destination on client-side
D. Enable IP Pool NAT
Correct Answer: C
Section: Volume A

QUESTION 8
Your main internal network /24 allows all traffic to the Internet using Hide NAT. You also have a small network /24 behind the internal router. You want to configure the kernel to translate the source address only when network tries to access the Internet for HTTP, SMTP, and FTP services. Which of the following configurations will allow this network to access the Internet?
A. Configure three Manual Static NAT rules for network /24, one for each service.
B. Configure Automatic Static NAT on network /24.
C. Configure one Manual Hide NAT rule for HTTP, FTP, and SMTP services for network /24.
D. Configure Automatic Hide NAT on network /24 and then edit the Service column in the NAT Rule Base on the automatic rule.
Correct Answer: C
Section: Volume A

QUESTION 9
You have three servers located in a DMZ, using private IP addresses. You want internal users from x to access the DMZ servers by public IP addresses. Internal_net x is configured for Hide NAT behind the Security Gateway's external interface.

What is the best configuration for x users to access the DMZ servers, using the DMZ servers' public IP addresses?
A. When connecting to internal network x, configure Hide NAT for the DMZ network behind the Security Gateway DMZ interface.
B. When the source is the internal network x, configure manual static NAT rules to translate the DMZ servers.
C. When connecting to the Internet, configure manual Static NAT rules to translate the DMZ servers.
D. When trying to access DMZ servers, configure Hide NAT for x behind the DMZ's interface.
Correct Answer: B
Section: Volume A

QUESTION 10
An internal host initiates a session to the Google.com website and is set for Hide NAT behind the Security Gateway. The initiating traffic is an example of __________.
A. client side NAT
B. source NAT

C. destination NAT
D. None of these
Correct Answer: B
Section: Volume A

QUESTION 11
A host on the Internet initiates traffic to the Static NAT IP of your Web server behind the Security Gateway. With the default settings in place for NAT, the initiating packet will translate the __________.
A. destination on server side
B. source on server side
C. source on client side
D. destination on client side
Correct Answer: D
Section: Volume A

QUESTION 12
A Web server behind the Security Gateway is set to Automatic Static NAT. Client side NAT is not checked in the Global Properties. A client on the Internet initiates a session to the Web Server. Assuming there is a rule allowing this traffic, what other configuration must be done to allow the traffic to reach the Web server?
A. Automatic ARP must be unchecked in the Global Properties.
B. Nothing else must be configured.
C. A static route must be added on the Security Gateway to the internal host.

D. A static route for the NAT IP must be added to the Gateway's upstream router.
Correct Answer: C
Section: Volume A

QUESTION 13
When translation occurs using automatic Hide NAT, what also happens?
A. Nothing happens.
B. The destination is modified.
C. The destination port is modified.
D. The source port is modified.
Correct Answer: D
Section: Volume A

QUESTION 14
The fw monitor utility is used to troubleshoot which of the following problems?
A. Phase two key negotiation
B. Address translation
C. Log Consolidation Engine
D. User data base corruption
Correct Answer: B
Section: Volume A

QUESTION 15
Looking at the SYN packets in the Wireshark output, select the statement that is true about NAT.
Exhibit:
A. This is an example of Hide NAT.
B. There is not enough information provided in the Wireshark capture to determine the NAT settings.
C. This is an example of Static NAT and Translate destination on client side unchecked in Global Properties.
D. This is an example of Static NAT and Translate destination on client side checked in Global Properties.
Correct Answer: D
Section: Volume A

QUESTION 16
In SmartDashboard, Translate destination on client side is checked in Global Properties. When Network Address Translation is used:
A. It is not necessary to add a static route to the Gateway's routing table.
B. It is necessary to add a static route to the Gateway's routing table.
C. The Security Gateway's ARP file must be modified.

D. VLAN tagging cannot be defined for any hosts protected by the Gateway.
Section: Volume A

QUESTION 17
Secure Internal Communications (SIC) is completely NAT-tolerant because it is based on:
A. IP addresses.
B. SIC is not NAT-tolerant.
C. SIC names.
D. MAC addresses.
Correct Answer: C
Section: Volume A

QUESTION 18
Static NAT connections, by default, translate on which firewall kernel inspection point?
A. Inbound
B. Outbound
C. Post-inbound
D. Eitherbound
Section: Volume A

QUESTION 19
You are MegaCorp's Security Administrator. There are various network objects which must be NATed. Some of them use the Automatic Hide NAT method, while others use the Automatic Static NAT method. What is the rule order if both methods are used together? Give the BEST answer.
A. The Administrator decides the rule order by shifting the corresponding rules up and down.
B. The Static NAT rules have priority over the Hide NAT rules and the NAT on a node has priority over the NAT on a network or an address range.
C. The Hide NAT rules have priority over the Static NAT rules and the NAT on a node has priority over the NAT on a network or an address range.
D. The rule position depends on the time of their creation. The rules created first are placed at the top; rules created later are placed successively below the others.
Correct Answer: B
Section: Volume A

QUESTION 20
Which answers are TRUE? Automatic Static NAT CANNOT be used when:
1) NAT decision is based on the destination port.
2) Both Source and Destination IP's have to be translated.
3) The NAT rule should only be installed on a dedicated Gateway.
4) NAT should be performed on the server side.
A. 1 and 2
B. 2 and 4
C. 1, 3, and 4
D. 2 and 3
Section: Volume A

QUESTION 21
After filtering a fw monitor trace by port and IP, a packet is displayed three times; in the i, I, and o inspection points, but not in the O inspection point. Which is the likely source of the issue?
A. The packet has been sent out through a VPN tunnel unencrypted.
B. An IPSO ACL has blocked the packet's outbound passage.
C. A SmartDefense module has blocked the packet.
D. It is due to NAT.
Correct Answer: D
Section: Volume A

QUESTION 22
Your internal network is configured to be /24. This network is behind your perimeter R77 Gateway, which connects to your ISP provider. How do you configure the Gateway to allow this network to go out to the Internet?
A. Use Hide NAT for network /24 behind the external IP address of your perimeter Gateway.
B. Use Hide NAT for network /24 behind the internal interface of your perimeter Gateway.
C. Use automatic Static NAT for network /24.
D. Do nothing, as long as network has the correct default Gateway.
Section: Volume A

QUESTION 23
You are a Security Administrator who has installed Security Gateway R77 on your network. You need to allow a specific IP address range for a partner site to access your intranet Web server. To limit the partner's access for HTTP and FTP only, you did the following:
1) Created manual Static NAT rules for the Web server.

2) Cleared the following settings in the Global Properties > Network Address Translation screen:
- Allow bi-directional NAT
- Translate destination on client side
Do the above settings limit the partner's access?
A. Yes. This will ensure that traffic only matches the specific rule configured for this traffic, and that the Gateway translates the traffic after accepting the packet.
B. No. The first setting is not applicable. The second setting will reduce performance.
C. Yes. Both of these settings are only applicable to automatic NAT rules.
D. No. The first setting is only applicable to automatic NAT rules. The second setting will force translation by the kernel on the interface nearest to the client.
Correct Answer: D
Section: Volume A

QUESTION 24
You enable Automatic Static NAT on an internal host node object with a private IP address of , which is NATed into (You use the default settings in Global Properties / NAT.) When you run fw monitor on the R77 Security Gateway and then start a new HTTP connection from host to browse the Internet, at what point in the monitor output will you observe the HTTP SYN-ACK packet translated from back into ?
A. o=outbound kernel, before the virtual machine
B. I=inbound kernel, after the virtual machine
C. O=outbound kernel, after the virtual machine
D. i=inbound kernel, before the virtual machine
Correct Answer: B
Section: Volume A

QUESTION 25
You have configured Automatic Static NAT on an internal host-node object. You clear the box Translate destination on client side from Global Properties > NAT. Assuming all other NAT settings in Global Properties are selected, what else must be configured so that a host on the Internet can initiate an inbound connection to this host?

A. No extra configuration is needed.
B. A proxy ARP entry, to ensure packets destined for the public IP address will reach the Security Gateway's external interface.
C. The NAT IP address must be added to the external Gateway interface anti-spoofing group.
D. A static route, to ensure packets destined for the public NAT IP address will reach the Gateway's internal interface.
Correct Answer: D
Section: Volume A

QUESTION 26
You just installed a new Web server in the DMZ that must be reachable from the Internet. You create a manual Static NAT rule as follows:
Source: Any
Destination: web_public_ip
Service: Any
Translated Source: original
Translated Destination: web_private_ip
Service: Original
"web_public_ip" is the node object that represents the new Web server's public IP address. "web_private_ip" is the node object that represents the new Web site's private IP address. You enable all settings from Global Properties > NAT. When you try to browse the Web server from the Internet you see the error "page cannot be displayed". Which of the following is NOT a possible reason?
A. There is no Security Policy defined that allows HTTP traffic to the protected Web server.
B. There is no ARP table entry for the protected Web server's public IP address.
C. There is no route defined on the Security Gateway for the public IP address to the Web server's private IP address.
D. There is no NAT rule translating the source IP address of packets coming from the protected Web server.
Section: Volume A

QUESTION 27
You are responsible for the configuration of MegaCorp's Check Point Firewall. You need to allow two NAT rules to match a connection. Is it possible? Give the BEST answer.
A. No, it is not possible to have more than one NAT rule matching a connection. When the firewall receives a packet belonging to a connection, it compares it against the first rule in the Rule Base, then the second rule, and so on. When it finds a rule that matches, it stops checking and applies that rule.
B. Yes, it is possible to have two NAT rules which match a connection, but only in using Manual NAT (bidirectional NAT).

C. Yes, there are always as many active NAT rules as there are connections.
D. Yes, it is possible to have two NAT rules which match a connection, but only when using Automatic NAT (bidirectional NAT).
Correct Answer: D
Section: Volume A

QUESTION 28
You have created a Rule Base for firewall, websydney. Now you are going to create a new policy package with security and address translation rules for a second Gateway. What is TRUE about the new package's NAT rules?
Exhibit:
A. Rules 1, 2, 3 will appear in the new package.
B. Only rule 1 will appear in the new package.
C. NAT rules will be empty in the new package.
D. Rules 4 and 5 will appear in the new package.
Section: Volume A

QUESTION 29
What is the default setting when you use NAT?
A. Destination Translated on Server side
B. Destination Translated on Client side
C. Source Translated on both sides
D. Source Translated on Client side
Correct Answer: B
Section: Volume A

QUESTION 30
Select the TRUE statements about the Rule Base shown?
Exhibit:

1) HTTP traffic from webrome to websingapore will be encrypted.
2) HTTP traffic from websingapore to webrome will be encrypted.
3) HTTP traffic from webrome to websingapore will be authenticated.
4) HTTP traffic from websingapore to webrome will be blocked.
A. 1, 2, and 3
B. 3 only
C. 2 and 3
D. 3 and 4
Correct Answer: D
Section: Volume A

QUESTION 31
Which rule is responsible for the client authentication failure?
Exhibit:
A. Rule 4
B. Rule 6
C. Rule 3
D. Rule 5
Correct Answer: C
Section: Volume A

QUESTION 32
You receive a notification that long-lasting Telnet connections to a mainframe are dropped after an hour of inactivity. Reviewing SmartView Tracker shows the packet is dropped with the error:
Unknown established connection
How do you resolve this problem without causing other security issues? Choose the BEST answer.
A. Increase the service-based session timeout of the default Telnet service to 24-hours.
B. Ask the mainframe users to reconnect every time this error occurs.
C. Increase the TCP session timeout under Global Properties > Stateful Inspection.
D. Create a new TCP service object on port 23 called Telnet-mainframe. Define a service-based session timeout of 24-hours. Use this new object only in the rule that allows the Telnet connections to the mainframe.
Correct Answer: D
Section: Volume A

QUESTION 33
Which SmartConsole tool would you use to see the last policy pushed in the audit log?
A. SmartView Tracker
B. None, SmartConsole applications only communicate with the Security Management Server.
C. SmartView Status
D. SmartView Server
Section: Volume A

QUESTION 34
SmartView Tracker logs the following Security Administrator activities, EXCEPT:
A. Object creation, deletion, and editing
B. Tracking SLA compliance
C. Administrator login and logout
D. Rule Base changes
Correct Answer: B
Section: Volume A

QUESTION 35
What happens when you select File > Export from the SmartView Tracker menu?
A. Current logs are exported to a new *.log file.
B. Exported log entries are not viewable in SmartView Tracker.
C. Logs in fw.log are exported to a file that can be opened by Microsoft Excel.
D. Exported log entries are deleted from fw.log.
Correct Answer: C
Section: Volume A

QUESTION 36
By default, when you click File > Switch Active File in SmartView Tracker, the Security Management Server:
A. Saves the current log file, names the log file by date and time, and starts a new log file.
B. Purges the current log file, and starts a new log file.
C. Prompts you to enter a filename, and then saves the log file.
D. Purges the current log file, and prompts you for the new log's mode.

Section: Volume A

QUESTION 37
You are working with three other Security Administrators. Which SmartConsole component can be used to monitor changes to rules or object properties made by the other administrators?
A. Eventia Tracker
B. SmartView Monitor
C. Eventia Monitor
D. SmartView Tracker
Correct Answer: D
Section: Volume A

QUESTION 38
Which SmartView Tracker mode allows you to read the SMTP body sent from the Chief Executive Officer (CEO) of a company?
A. This is not a SmartView Tracker feature.
B. Display Capture Action
C. Network and Endpoint Tab
D. Display Payload View
Section: Volume A

QUESTION 39
You can include External commands in SmartView Tracker by the menu Tools > Custom Commands.

The Security Management Server is running under GAiA, and the GUI is on a system running Microsoft Windows. How do you run the command traceroute on an IP address?
A. There is no possibility to expand the three pre-defined options Ping, Whois, and Nslookup.
B. Go to the menu Tools > Custom Commands and configure the Windows command tracert.exe to the list.
C. Use the program GUIdbedit to add the command traceroute to the Security Management Server properties.
D. Go to the menu, Tools > Custom Commands and configure the Linux command traceroute to the list.
Correct Answer: B
Section: Volume A

QUESTION 40
Where is the easiest and BEST place to find information about connections between two machines?
A. All options are valid.
B. On a Security Gateway using the command fw log.
C. On a Security Management Server, using SmartView Tracker.
D. On a Security Gateway Console interface; it gives you detailed access to log files and state table information.
Correct Answer: C
Section: Volume A

QUESTION 41
Which of the following can be found in cpinfo from an enforcement point?
A. Everything NOT contained in the file r2info
B. VPN keys for all established connections to all enforcement points
C. The complete file objects_5_0.c
D. Policy file information specific to this enforcement point
Correct Answer: D

Section: Volume A

QUESTION 42
Which R77 SmartConsole tool would you use to verify the installed Security Policy name on a Security Gateway?
A. SmartView Tracker
B. None, SmartConsole applications only communicate with the Security Management Server.
C. SmartView Server
D. SmartUpdate
Section: Volume A

QUESTION 43
You have detected a possible intruder listed in SmartView Tracker's active pane. What is the fastest method to block this intruder from accessing your network indefinitely?
A. Modify the Rule Base to drop these connections from the network.
B. In SmartView Tracker, select Tools > Block Intruder.
C. In SmartView Monitor, select Tools > Suspicious Activity Rules.
D. In SmartDashboard, select IPS > Network Security > Denial of Service.
Correct Answer: B
Section: Volume A

QUESTION 44
Where can an administrator specify the notification action to be taken by the firewall in the event that available disk space drops below 15%?

A. SmartView Monitor > Gateway Status > Threshold Settings
B. SmartView Tracker > Audit Tab > Gateway Counters
C. SmartView Monitor > Gateway Status > System Information > Thresholds
D. This can only be monitored by a user-defined script.
Correct Answer: C
Section: Volume A

QUESTION 45
Where can an administrator configure the notification action in the event of a policy install time change?
A. SmartView Monitor > Gateways > Thresholds Settings
B. SmartView Monitor > Gateway Status > System Information > Thresholds
C. SmartDashboard > Policy Package Manager
D. SmartDashboard > Security Gateway Object > Advanced Properties Tab
Section: Volume A

QUESTION 46
Where are custom queries stored in R77 SmartView Tracker?
A. On the SmartView Tracker PC local file system under the user's profile.
B. On the Security Management Server tied to the GUI client IP.

C. On the Security Management Server tied to the Administrator User Database login name.
D. On the SmartView Tracker PC local file system shared by all users of that local PC.
Correct Answer: C
Section: Volume A

QUESTION 47
How do you view a Security Administrator's activities with SmartConsole?
A. Eventia Suite
B. SmartView Monitor using the Administrator Activity filter
C. SmartView Tracker in the Management tab
D. SmartView Tracker in the Network and Endpoint tabs
Correct Answer: C
Section: Volume A

QUESTION 48
Which SmartView Tracker selection would most effectively show who installed a Security Policy blocking all traffic from the corporate network?
A. Management tab
B. Custom filter
C. Network and Endpoint tab
D. Active tab
Section: Volume A

QUESTION 49
You are reviewing the Security Administrator activity for a bank and comparing it to the change log. How do you view Security Administrator activity?
A. SmartView Tracker cannot display Security Administrator activity; instead, view the system logs on the Security Management Server's Operating System.
B. SmartView Tracker in Network and Endpoint Mode
C. SmartView Tracker in Active Mode
D. SmartView Tracker in Management Mode
Correct Answer: D
Section: Volume A

QUESTION 50
Which of the following R77 SmartView Tracker views will display a popup warning about performance implications on the Security Gateway?
A. All Records Query
B. Account Query
C. Active Tab
D. Audit Tab
Correct Answer: C
Section: Volume A

QUESTION 51
While in SmartView Tracker, Brady has noticed some very odd network traffic that he thinks could be an intrusion. He decides to block the traffic for 60 minutes, but cannot remember all the steps. What is the correct order of steps needed to set up the block?
1) Select Active Mode tab in SmartView Tracker.
2) Select Tools > Block Intruder.
3) Select Log Viewing tab in SmartView Tracker.
4) Set Blocking Timeout value to 60 minutes.
5) Highlight connection that should be blocked.

A. 1, 2, 5, 4
B. 3, 2, 5, 4
C. 1, 5, 2, 4
D. 3, 5, 2, 4
Correct Answer: C
Section: Volume A

QUESTION 52
SmartView Tracker R77 consists of three different modes. They are:
A. Log, Active, and Audit
B. Log, Active, and Management
C. Network and Endpoint, Active, and Management
D. Log, Track, and Management
Correct Answer: C
Section: Volume A

QUESTION 53
You are troubleshooting NAT entries in SmartView Tracker. Which column do you check to view the new source IP?
Exhibit:

A. XlateDPort
B. XlateDst
C. XlateSPort
D. XlateSrc
Correct Answer: D

QUESTION 54
You are using SmartView Tracker to troubleshoot NAT entries. Which column do you check to view the NAT'd source port if you are using Source NAT?

A. XlateDst
B. XlateSPort
C. XlateDPort
D. XlateSrc
Correct Answer: B

QUESTION 55
When you change an implicit rule's order from Last to First in Global Properties, how do you make the change take effect?
A. Run fw fetch from the Security Gateway.
B. Select Install Database from the Policy menu.
C. Select Save from the File menu.
D. Reinstall the Security Policy.
Correct Answer: D

QUESTION 56
How does the button Get Address, found on the Host Node Object > General Properties page retrieve the address?
A. Route Table
B. SNMP Get
C. Address resolution (ARP, RARP)
D. Name resolution (hosts file, DNS, cache)
Correct Answer: D

QUESTION 57
Anti-Spoofing is typically set up on which object type?
A. Security Gateway
B. Host
C. Security Management object
D. Network

QUESTION 58
Spoofing is a method of:
A. Making packets appear as if they come from an authorized IP address.
B. Detecting people using false or wrong authentication logins.
C. Disguising an illegal IP address behind an authorized IP address through Port Address Translation.
D. Hiding your firewall from unauthorized users.

QUESTION 59
How can you activate the SNMP daemon on a Check Point Security Management Server?
A. Using the command line, enter snmp_install.
B. From cpconfig, select SNMP extension.
C. Any of these options will work.
D. In SmartDashboard, right-click a Check Point object and select Activate SNMP.
Correct Answer: B

QUESTION 60
Which of the following describes the default behavior of an R77 Security Gateway?
A. Traffic not explicitly permitted is dropped.
B. Traffic is filtered using controlled port scanning.
C. All traffic is expressly permitted via explicit rules.
D. IP protocol types listed as secure are allowed by default, i.e. ICMP, TCP, UDP sessions are inspected.

QUESTION 61
When you use the Global Properties' default settings on R77, which type of traffic will be dropped if NO explicit rule allows the traffic?
A. SmartUpdate connections
B. Outgoing traffic originating from the Security Gateway
C. Firewall logging and ICA key-exchange information
D. RIP traffic

Correct Answer: D

QUESTION 62
You have installed a R77 Security Gateway on GAiA. To manage the Gateway from the enterprise Security Management Server, you create a new Gateway object and Security Policy. When you install the new Policy from the Policy menu, the Gateway object does not appear in the Install Policy window as a target. What is the problem?
A. The object was created with Node > Gateway.
B. No Masters file is created for the new Gateway.
C. The Gateway object is not specified in the first policy rule column Install On.
D. The new Gateway's temporary license has expired.

QUESTION 63
What happens if you select Web Server in the dialog box?
Exhibit:

A. An implied rule will be added allowing HTTP requests to the host.
B. Anti-virus settings will be applied to the host.
C. Web Intelligence will be applied to the host.
D. An implied rule will be added allowing HTTP request from and to the host.
Correct Answer: C

QUESTION 64
When configuring the Check Point Gateway network interfaces, you can define the direction as Internal or External. What does the option Interface leads to DMZ mean?
Exhibit:

A. Using restricted Gateways, this option automatically turns off the counting of IP Addresses originating from this interface.
B. Activating this option automatically turns this interface to External.
C. It defines the DMZ Interface since this information is necessary for Content Control

D. Select this option to automatically configure Anti-Spoofing to this net.
Correct Answer: C

QUESTION 65
A marketing firm's networking team is trying to troubleshoot user complaints regarding access to audio-streaming material from the Internet. The networking team asks you to check the object and rule configuration settings for the perimeter Security Gateway. Which SmartConsole application should you use to check these objects and rules?
A. SmartView Tracker
B. SmartView Monitor
C. SmartView Status
D. SmartDashboard
Correct Answer: D

QUESTION 66
Which statement below describes the most correct strategy for implementing a Rule Base?
A. Limit grouping to rules regarding specific access.
B. Place the most frequently used rules at the top of the Policy and the ones that are not frequently used further down.
C. Place a network-traffic rule above the administrator access rule.
D. Add the Stealth Rule before the last rule.
Correct Answer: B

QUESTION 67
Which of the following is a viable consideration when determining Rule Base order?
A. Grouping rules by date of creation
B. Grouping reject and drop rules after the Cleanup Rule
C. Grouping authentication rules with address-translation rules
D. Grouping functionally related rules together
Correct Answer: D

QUESTION 68
Which of the following is a viable consideration when determining Rule Base order?
A. Placing frequently accessed rules before less frequently accessed rules
B. Grouping IPS rules with dynamic drop rules
C. Adding SAM rules at the top of the Rule Base
D. Grouping rules by date of creation

QUESTION 69
Which of the following is a viable consideration when determining Rule Base order?
A. Grouping IPS rules with dynamic drop rules
B. Placing more restrictive rules before more permissive rules
C. Grouping authentication rules with QOS rules
D. Grouping reject and drop rules after the Cleanup Rule

Correct Answer: B

QUESTION 70
You would use the Hide Rule feature to:
A. View only a few rules without the distraction of others.
B. Hide rules from read-only administrators.
C. Hide rules from a SYN/ACK attack.
D. Make rules invisible to incoming packets.

QUESTION 71
You are a Security Administrator using one Security Management Server managing three different firewalls. One firewall does NOT show up in the dialog box when attempting to install a Security Policy. Which of the following is a possible cause?
A. The firewall has failed to sync with the Security Management Server for 60 minutes.
B. The firewall object has been created but SIC has not yet been established.
C. The firewall is not listed in the Policy Installation Targets screen for this policy package.
D. The license for this specific firewall has expired.
Correct Answer: C

QUESTION 72
Your shipping company uses a custom application to update the shipping distribution database. The custom application includes a service used only to notify remote sites that the distribution database is malfunctioning. The perimeter Security Gateway's Rule Base includes a rule to accept this traffic. Since you are responsible for multiple sites, you want notification by a text message to your cellular phone, whenever traffic is accepted on this rule. Which of the following would work BEST for your purpose?
A. Logging implied rules
B. User-defined alert script
C. SNMP trap
D. SmartView Monitor Threshold
Correct Answer: B

QUESTION 73
A client has created a new Gateway object that will be managed at a remote location. When the client attempts to install the Security Policy to the new Gateway object, the object does not appear in the Install On check box. What should you look for?
A. Secure Internal Communications (SIC) not configured for the object.
B. A Gateway object created using the Check Point > Externally Managed VPN Gateway option from the Network Objects dialog box.
C. Anti-spoofing not configured on the interfaces on the Gateway object.
D. A Gateway object created using the Check Point > Security Gateway option in the network objects dialog box, but still needs to configure the interfaces for the Security Gateway object.
Correct Answer: D

QUESTION 74
A Security Policy installed by another Security Administrator has blocked all SmartDashboard connections to the stand-alone installation of R77. After running the command fw unloadlocal, you are able to reconnect with SmartDashboard and view all changes. Which of the following changes is the most likely cause of the block?
A. The Allow Control Connections setting in Policy > Global Properties has been unchecked.
B. A Stealth Rule has been configured for the R77 Gateway.
C. The Security Policy installed to the Gateway had no rules in it.
D. The Gateway Object representing your Gateway was configured as an Externally Managed VPN Gateway.

QUESTION 75
When configuring anti-spoofing on the Security Gateway object interfaces, which of the following is NOT a valid R77 topology configuration?
A. External
B. Any
C. Specific
D. Not Defined
Correct Answer: B

QUESTION 76
You are conducting a security audit. While reviewing configuration files and logs, you notice logs accepting POP3 traffic, but you do not see a rule allowing POP3 traffic in the Rule Base. Which of the following is the most likely cause?
A. The POP3 rule is disabled.

B. POP3 is accepted in Global Properties.
C. The POP3 rule is hidden.
D. POP3 is one of 3 services (POP3, IMAP, and SMTP) accepted by the default mail object in R77.
Correct Answer: C

QUESTION 77
Which rule is responsible for the installation failure?
Exhibit:

A. Rule 3
B. Rule 4
C. Rule 6
D. Rule 5
Correct Answer: C

QUESTION 78
Reviewing the Rule Base, you see that ________ is responsible for the client authentication failure.
Exhibit:
Exhibit:

A. Rule 4
B. Rule 7
C. Rule 8
D. Rule 5

QUESTION 79
Which rule is responsible for the installation failure?
Exhibit:
A. Rule 5

B. Rule 4
C. Rule 3
D. Rule 6
Correct Answer: B

QUESTION 80
As a Security Administrator, you must refresh the Client Authentication authorization time-out every time a new user connection is authorized. How do you do this? Enable the Refreshable Timeout setting:
A. in the user object's Authentication screen.
B. in the Gateway object's Authentication screen.
C. in the Limit tab of the Client Authentication Action Properties screen.
D. in the Global Properties Authentication screen.
Correct Answer: C

QUESTION 81
The technical-support department has a requirement to access an intranet server. When configuring a User Authentication rule to achieve this, which of the following should you remember?
A. You can only use the rule for Telnet, FTP, SMTP, and rlogin services.
B. The Security Gateway first checks if there is any rule that does not require authentication for this type of connection before invoking the Authentication Security Server.
C. Once a user is first authenticated, the user will not be prompted for authentication again until logging out.
D. You can limit the authentication attempts in the User Properties' Authentication tab.
Correct Answer: B

QUESTION 82
Choose the BEST sequence for configuring user management in SmartDashboard, using an LDAP server.
A. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object.
B. Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties.
C. Enable User Directory in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit.
D. Configure a server object for the LDAP Account Unit, and create an LDAP resource object.
Correct Answer: C

QUESTION 83
You cannot use SmartDashboard's User Directory features to connect to the LDAP server. What should you investigate?
1) Verify you have read-only permissions as administrator for the operating system.
2) Verify there are no restrictions blocking SmartDashboard's User Manager from connecting to the LDAP server.
3) Check that the login Distinguished Name configured has root permission (or at least write permission Administrative access) in the LDAP Server's access control configuration.
A. 1, 2, and 3
B. 2 and 3
C. 1 and 2
D. 1 and 3

Correct Answer: B

QUESTION 84
Identify the ports to which the Client Authentication daemon listens by default.
A. 259, 900
B. 256, 600
C. 80, 256
D. 8080, 529

QUESTION 85
What is the Manual Client Authentication TELNET port?
A. 23
B. 264
C. 900
D. 259
Correct Answer: D

QUESTION 86
Your company's Security Policy forces users to authenticate to the Gateway explicitly, before they can use any services. The Gateway does not allow the Telnet service to itself from any location. How would you configure authentication on the Gateway? With a:
A. Client Authentication rule using the manual sign-on method, using HTTP on port 900
B. Client Authentication rule, using partially automatic sign on
C. Client Authentication for fully automatic sign on
D. Session Authentication rule

QUESTION 87
Which authentication type permits five different sign-on methods in the authentication properties window?
A. Client Authentication
B. Manual Authentication
C. User Authentication
D. Session Authentication

QUESTION 88
Which Client Authentication sign-on method requires the user to first authenticate via the User Authentication mechanism, when logging in to a remote server with Telnet?
A. Manual Sign On
B. Agent Automatic Sign On
C. Partially Automatic Sign On
D. Standard Sign On
Correct Answer: C

QUESTION 89
Which Security Gateway R77 configuration setting forces the Client Authentication authorization time-out to refresh, each time a new user is authenticated? The:
A. Time properties, adjusted on the user objects for each user, in the Client Authentication rule Source.
B. IPS > Application Intelligence > Client Authentication > Refresh User Timeout option enabled.
C. Refreshable Timeout setting, in Client Authentication Action Properties > Limits.
D. Global Properties > Authentication parameters, adjusted to allow for Regular Client Refreshment.
Correct Answer: C

QUESTION 90
All R77 Security Servers can perform authentication with the exception of one. Which of the Security Servers can NOT perform authentication?
A. FTP
B. SMTP
C. HTTP
D. RLOGIN
Correct Answer: B

QUESTION 91
Which of the following are authentication methods that Security Gateway R77 uses to validate connection attempts? Select the response below that includes the MOST complete list of valid authentication methods.

A. Proxied, User, Dynamic, Session
B. Connection, User, Client
C. User, Client, Session
D. User, Proxied, Session
Correct Answer: C

QUESTION 92
Security Gateway R77 supports User Authentication for which of the following services? Select the response below that contains the MOST correct list of supported services.
A. SMTP, FTP, TELNET
B. SMTP, FTP, HTTP, TELNET
C. FTP, HTTP, TELNET
D. FTP, TELNET
Correct Answer: C

QUESTION 93
With the User Directory Software Blade, you can create R77 user definitions on a(n) ________ Server.
A. LDAP
B. Radius
C. SecureID
D. NT Domain

QUESTION 94
The User Directory Software Blade is used to integrate which of the following with Security Gateway R77?
A. RADIUS server
B. Account Management Client server
C. UserAuthority server
D. LDAP server
Correct Answer: D

QUESTION 95
If you are experiencing LDAP issues, which of the following should you check?
A. Connectivity between the R77 Gateway and LDAP server
B. Secure Internal Communications (SIC)
C. Overlapping VPN Domains
D. Domain name resolution

QUESTION 96
Which type of R77 Security Server does not provide User Authentication?

A. SMTP Security Server
B. HTTP Security Server
C. FTP Security Server
D. HTTPS Security Server

QUESTION 97
You are about to integrate RSA SecurID users into the Check Point infrastructure. What kind of users are to be defined via SmartDashboard?
A. A group with generic user
B. All users
C. LDAP Account Unit Group
D. Internal user Group

QUESTION 98
For which service is it NOT possible to configure user authentication?
A. Telnet
B. SSH

C. FTP
D. HTTPS
Correct Answer: B

QUESTION 99
Charles requests a Website while using a computer not in the net_singapore network. What is TRUE about his location restriction?
Exhibit:


A. Source setting in Source column always takes precedence.
B. Source setting in User Properties always takes precedence.
C. As location restrictions add up, he would be allowed from net_singapore and net_sydney.
D. It depends on how the User Auth object is configured; whether User Properties or Source Restriction takes precedence.
Correct Answer: D

QUESTION 100
Which of the following is an authentication method used by Identity Awareness?
A. SSL
B. Captive Portal
C. RSA
D. PKI
Correct Answer: B

QUESTION 101
What is the purpose of an Identity Agent?
A. Provide user and machine identity to a gateway
B. Manual entry of user credentials for LDAP authentication
C. Audit a user's access, and send that data to a log server
D. Disable Single Sign On

QUESTION 102
What type of traffic can be re-directed to the Captive Portal?
A. SMTP
B. HTTP
C. All of the above
D. FTP
Correct Answer: B

QUESTION 103
The Captive Portal tool:
A. Acquires identities from unidentified users.
B. Is only used for guest user authentication.
C. Allows access to users already identified.
D. Is deployed from the Identity Awareness page in the Global Properties settings.

QUESTION 104
Captive Portal is a ________ that allows the gateway to request login information from the user.
A. Pre-configured and customizable web-based tool

B. Transparent network inspection tool
C. LDAP server add-on
D. Separately licensed feature

QUESTION 105
Complete this statement from the options provided. Using Captive Portal, unidentified users may be either blocked, allowed to enter required credentials, or required to download the ________.
A. Identity Awareness Agent
B. Full Endpoint Client
C. ICA Certificate
D. SecureClient

QUESTION 106
Users with Identity Awareness Agent installed on their machines login with ________, so that when the user logs into the domain, that information is also used to meet Identity Awareness credential requests.
A. Key-logging
B. ICA Certificates
C. SecureClient
D. Single Sign-On
Correct Answer: D

QUESTION 107
Which of the following methods is NOT used by Identity Awareness to catalog identities?
A. AD Query
B. Captive Portal
C. Identity Agent
D. GPO
Correct Answer: D

QUESTION 108
When using AD Query to authenticate users for Identity Awareness, identity data is received seamlessly from the Microsoft Active Directory (AD). What is NOT a recommended usage of this method?
A. Leveraging identity in the application control blade
B. Basic identity enforcement in the internal network
C. Identity-based auditing and logging
D. Identity-based enforcement for non-AD users (non-Windows and guest users)
Correct Answer: D

QUESTION 109
The Identity Agent is a lightweight endpoint agent that authenticates securely with Single Sign-On (SSO). What is not a recommended usage of this method?
A. When accuracy in detecting identity is crucial

B. Leveraging identity for Data Center protection
C. Protecting highly sensitive servers
D. Identity based enforcement for non-AD users (non-Windows and guest users)
Correct Answer: D

QUESTION 110
Which of the following is NOT a valid option when configuring access for Captive Portal?
A. From the Internet
B. Through internal interfaces
C. Through all interfaces
D. According to the Firewall Policy

QUESTION 111
If you were NOT using IKE aggressive mode for your IPsec tunnel, how many packets would you see for normal Phase 1 exchange?
A. 9
B. 2
C. 3

D. 6
Correct Answer: D

QUESTION 112
How many packets does the IKE exchange use for Phase 1 Main Mode?
A. 12
B. 1
C. 3
D. 6
Correct Answer: D

QUESTION 113
How many packets does the IKE exchange use for Phase 1 Aggressive Mode?
A. 12
B. 6
C. 3
D. 1
Correct Answer: C

QUESTION 114
Which of the following actions take place in IKE Phase 2 with Perfect Forward Secrecy disabled?
A. Symmetric IPsec keys are generated.
B. Each Security Gateway generates a private Diffie-Hellman (DH) key from random pools.
C. The DH public keys are exchanged.
D. Peers authenticate using certificates or preshared secrets.
Correct Answer: B

QUESTION 115
Which of the following commands can be used to remove site-to-site IPsec Security Association (SA)?
A. vpn debug ipsec
B. vpn ipsec
C. fw ipsec tu
D. vpn tu
Correct Answer: D

QUESTION 116
How many packets are required for IKE Phase 2?
A. 12
B. 2
C. 6
D. 3

Correct Answer: D

QUESTION 117
Which of the following actions do NOT take place in IKE Phase 1?
A. Peers agree on encryption method.
B. Diffie-Hellman key is combined with the key material to produce the symmetrical IPsec key.
C. Peers agree on integrity method.
D. Each side generates a session key from its private key and the peer's public key.
Correct Answer: B

QUESTION 118
When using vpn tu, which option must you choose if you only want to clear phase 2 for a specific IP (gateway)?
Exhibit:

A. (5) Delete all IPsec SAs for a given peer (GW)
B. (7) Delete all IPsec+IKE SAs for a given peer (GW)
C. (6) Delete all IPsec SAs for a given User (Client)
D. (8) Delete all IPsec+IKE SAs for a given User (Client)

QUESTION 119
When using vpn tu, which option must you choose if you want to rebuild your VPN for a specific IP (gateway)?
Exhibit:
A. (6) Delete all IPsec SAs for a given User (Client)
B. (5) Delete all IPsec SAs for a given peer (GW)
C. (8) Delete all IPsec+IKE SAs for a given User (Client)
D. Delete all IPsec+IKE SAs for a given peer (GW)
Correct Answer: D

QUESTION 120
A ________ rule is used to prevent all traffic going to the R77 Security Gateway.
A. IPS
B. Cleanup
C. Reject
D. Stealth
Correct Answer: D

QUESTION 121
In a distributed management environment, the administrator has removed the default check from Accept Control Connections under the Policy > Global Properties > FireWall tab. In order for the Security Management Server to install a policy to the Firewall, an explicit rule must be created to allow the server to communicate to the Security Gateway on port ________.
A. 259
B. 900
C. 256
D. 80
Correct Answer: C

QUESTION 122

To check the Rule Base, some rules can be hidden so they do not distract the administrator from the unhidden rules. Assume that only rules accepting HTTP or SSH will be shown. How do you accomplish this?
A. Ask your reseller to get a ticket for Check Point SmartUse and deliver him the Security Management Server cpinfo file.
B. In SmartDashboard, right-click in the column field Service > Query Column. Then, put the services HTTP and SSH in the list. Do the same in the field Action and select Accept here.
C. In SmartDashboard menu, select Search > Rule Base Queries. In the window that opens, create a new Query, give it a name (e.g. "HTTP_SSH") and define a clause regarding the two services HTTP and SSH. When having applied this, define a second clause for the action Accept and combine them with the Boolean operator AND.
D. This cannot be configured since two selections (Service, Action) are not possible.
Correct Answer: C

QUESTION 123
What CANNOT be configured for existing connections during a policy install?
A. Keep all connections
B. Keep data connections
C. Re-match connections
D. Reset all connections
Correct Answer: D

QUESTION 124
What is the purpose of a Stealth Rule?
A. To prevent users from connecting directly to the gateway.
B. To permit management traffic.
C. To drop all traffic to the management server that is not explicitly permitted.

D. To permit implied rules.

QUESTION 125
As you review this Security Policy, what changes could you make to accommodate Rule 4?
Exhibit:
A. Remove the service HTTP from the column Service in Rule 4.
B. Modify the column VPN in Rule 2 to limit access to specific traffic.
C. Nothing at all
D. Modify the columns Source or Destination in Rule 4.

Correct Answer: B

QUESTION 126
You review this Security Policy because Rule 4 is inhibited. Which Rule is responsible?
Exhibit:
A. No rule inhibits Rule 4.
B. Rule 1
C. Rule 2
D. Rule 3
Correct Answer: C

QUESTION 127
MegaCorp's security infrastructure separates Security Gateways geographically. You must request a central license for one remote Security Gateway. How do you apply the license?
A. Using the remote Gateway's IP address, and attaching the license to the remote Gateway via SmartUpdate.
B. Using your Security Management Server's IP address, and attaching the license to the remote Gateway via SmartUpdate.
C. Using the remote Gateway's IP address, and applying the license locally with the command cplic put.
D. Using each of the Gateways' IP addresses, and applying the licenses on the Security Management Server with the command cprlic put.
Correct Answer: B

QUESTION 128
Identify the correct step performed by SmartUpdate to upgrade a remote Security Gateway. After selecting Packages > Distribute Only and choosing the target Gateway, the:
A. selected package is copied from the CD-ROM of the SmartUpdate PC directly to the Security Gateway and the installation IS performed.
B. selected package is copied from the Package Repository on the Security Management Server to the Security Gateway and the installation IS performed.
C. SmartUpdate wizard walks the Administrator through a distributed installation.
D. selected package is copied from the Package Repository on the Security Management Server to the Security Gateway but the installation IS NOT performed.

Correct Answer: D

QUESTION 129
Identify the correct step performed by SmartUpdate to upgrade a remote Security Gateway. After selecting Packages > Distribute and Install Selected Package and choosing the target Gateway, the:
A. selected package is copied from the Package Repository on the Security Management Server to the Security Gateway and the installation IS performed.
B. SmartUpdate wizard walks the Administrator through a distributed installation.
C. selected package is copied from the Package Repository on the Security Management Server to the Security Gateway but the installation IS NOT performed.
D. selected package is copied from the SmartUpdate PC CD-ROM directly to the Security Gateway and the installation IS performed.

QUESTION 130
What physical machine must have access to the User Center public IP address when checking for new packages with SmartUpdate?
A. A Security Gateway retrieving the new upgrade package
B. SmartUpdate installed Security Management Server PC
C. SmartUpdate GUI PC
D. SmartUpdate Repository SQL database Server
Correct Answer: C

QUESTION 131
What action CANNOT be run from SmartUpdate R77?
A. Fetch sync status
B. Reboot Gateway
C. Preinstall verifier
D. Get all Gateway Data

QUESTION 132
What mechanism does a gateway configured with Identity Awareness and LDAP initially use to communicate with a Windows 2003 or 2008 server?
A. WMI
B. CIFS
C. RCP
D. LDAP

QUESTION 133
Which of the following items should be configured for the Security Management Server to authenticate via LDAP?

A. Check Point Password
B. Active Directory Server object
C. Windows logon password
D. WMI object
Correct Answer: B

QUESTION 134
Which of the following items should be configured for the Security Management Server to authenticate using LDAP?
A. Login Distinguished Name and password
B. Windows logon password
C. Check Point Password
D. WMI object

QUESTION 135
Which of the following items should be configured for the Security Management Server to authenticate using LDAP?
A. Check Point Password
B. WMI object
C. Domain Admin username
D. Windows logon password

QUESTION 136
Where does the security administrator activate Identity Awareness within SmartDashboard?
A. Gateway Object > General Properties
B. Security Management Server > Identity Awareness
C. Policy > Global Properties > Identity Awareness
D. LDAP Server Object > General Properties

QUESTION 137
How do you configure the Security Policy to provide user access to the Captive Portal through an external (Internet) interface?
A. Change the gateway settings to allow Captive Portal access via an external interface.
B. No action is necessary. This access is available by default.
C. Change the Identity Awareness settings under Global Properties to allow Captive Portal access on all interfaces.
D. Change the Identity Awareness settings under Global Properties to allow Captive Portal access for an external interface.

QUESTION 138
To qualify as an Identity Awareness enabled rule, which column MAY include an Access Role?
A. Action
B. Source

C. User
D. Track
Correct Answer: B

QUESTION 139
What command with appropriate switches would you use to test Identity Awareness connectivity?
A. test_ldap
B. test_ad_connectivity
C. test_ldap_connectivity
D. test_ad
Correct Answer: B

QUESTION 140
What command syntax would you use to see accounts the gateway suspects are service accounts?
A. pdp check_log
B. pdp show service
C. adlog check_accounts
D. adlog a service_accounts
Correct Answer: D

QUESTION 141
What command syntax would you use to turn on PDP logging in a distributed environment?
A. pdp track=1
B. pdp tracker on
C. pdp logging on
D. pdp log=1
Correct Answer: B

QUESTION 142
Which of the following authentication methods can be configured in the Identity Awareness setup wizard?
A. TACACS
B. Captive Portal
C. Check Point Password
D. Windows password
Correct Answer: B

QUESTION 143
Which of the following authentication methods can be configured in the Identity Awareness setup wizard?
A. Check Point Password
B. TACACS
C. LDAP
D. Windows password

Correct Answer: C

QUESTION 144
What gives administrators more flexibility when configuring Captive Portal instead of LDAP query for Identity Awareness authentication?
A. Captive Portal is more secure than standard LDAP
B. Nothing, LDAP query is required when configuring Captive Portal
C. Captive Portal works with both configured users and guests
D. Captive Portal is more transparent to the user
Correct Answer: C

QUESTION 145
How granular may an administrator filter an Access Role with identity awareness? Per:
A. Specific ICA Certificate
B. AD User
C. Radius Group
D. Windows Domain
Correct Answer: B

QUESTION 146
Can you use Captive Portal with HTTPS?

A. No, it only works with FTP
B. No, it only works with FTP and HTTP
C. Yes
D. No, it only works with HTTP
Correct Answer: C

QUESTION 147
Which of the following is NOT defined by an Access Role object?
A. Source Network
B. Source Machine
C. Source User
D. Source Server
Correct Answer: D

QUESTION 148
In which Rule Base can you implement an Access Role?
A. DLP
B. Mobile Access
C. IPS
D. Firewall
Correct Answer: D

QUESTION 149
Access Role objects define users, machines, and network locations as:
A. Credentialed objects
B. Linked objects
C. One object
D. Separate objects
Correct Answer: C

QUESTION 150
Where do you verify that UserDirectory is enabled?
A. Verify that Security Gateway > General Properties > Authentication > Use UserDirectory (LDAP) for Security Gateways is checked
B. Verify that Global Properties > Authentication > Use UserDirectory (LDAP) for Security Gateways is checked
C. Verify that Security Gateway > General Properties > UserDirectory (LDAP) > Use UserDirectory (LDAP) for Security Gateways is checked
D. Verify that Global Properties > UserDirectory (LDAP) > Use UserDirectory (LDAP) for Security Gateways is checked
Correct Answer: D

QUESTION 151
Which of the following statements is TRUE about management plug-ins?
A. A management plug-in interacts with a Security Management Server to provide new features and support for new products.

B. Installing a management plug-in is just like an upgrade process.
C. Using a plug-in offers full central management only if special licensing is applied to specific features of the plug-in.
D. The plug-in is a package installed on the Security Gateway.

QUESTION 152
You are installing a Security Management Server. Your security plan calls for three administrators for this particular server. How many can you create during installation?
A. One
B. Only one with full access and one with read-only access
C. As many as you want
D. Depends on the license installed on the Security Management Server

QUESTION 153
During which step in the installation process is it necessary to note the fingerprint for first-time verification?
A. When configuring the Gateway in the WebUI
B. When configuring the Security Management Server using cpconfig
C. When establishing SIC between the Security Management Server and the Gateway
D. When configuring the Security Gateway object in SmartDashboard
Correct Answer: B

QUESTION 154
How can you most quickly reset Secure Internal Communications (SIC) between a Security Management Server and Security Gateway?
A. From cpconfig on the Gateway, choose the Secure Internal Communication option and retype the activation key. Next, retype the same key in the Gateway object in SmartDashboard and reinitialize Secure Internal Communications (SIC).
B. Use SmartUpdate to retype the Security Gateway activation key. This will automatically sync SIC to both the Security Management Server and Gateway.
C. From the Security Management Server's command line, type fw putkey -p <shared key> <IP Address of Security Gateway>.
D. Run the command fwm sic_reset to reinitialize the Security Management Server Internal Certificate Authority (ICA). Then retype the activation key on the Security Gateway from SmartDashboard.

QUESTION 155
How can you recreate the Security Administrator account, which was created during initial Management Server installation on GAiA?
A. Export the user database into an ASCII file with fwm dbexport. Open this file with an editor, and delete the Administrator Account portion of the file. You will be prompted to create a new account.
B. Type cpm -a, and provide the existing Administrator's account name. Reset the Security Administrator's password.
C. Launch cpconfig and delete the Administrator's account. Recreate the account with the same name.
D. Launch SmartDashboard in the User Management screen, and delete the cpconfig administrator.
Correct Answer: C

QUESTION 156
The London Security Gateway Administrator has just installed the Security Gateway and Management Server. He has not changed any default settings. As he tries to configure the Gateway, he is unable to connect.

Which troubleshooting suggestion will NOT help him?
A. Check if some intermediate network device has a wrong routing table entry, VLAN assignment, duplex-mismatch, or trunk issue.
B. Test the IP address assignment and routing settings of the Security Management Server, Gateway, and console client.
C. Verify the SIC initialization.
D. Verify that the Rule Base explicitly allows management connections.
Correct Answer: D

QUESTION 157
You need to completely reboot the Operating System after making which of the following changes on the Security Gateway? (i.e. the command cprestart is not sufficient.)
1. Adding a hot-swappable NIC to the Operating System for the first time.
2. Uninstalling the R77 Power/UTM package.
3. Installing the R77 Power/UTM package.
4. Re-establishing SIC to the Security Management Server.
5. Doubling the maximum number of connections accepted by the Security Gateway.
A. 3 only
B. 1, 2, 3, 4, and 5
C. 2, 3 only
D. 3, 4, and 5 only
Correct Answer: C

QUESTION 158
The Security Gateway is installed on GAiA R77. The default port for the Web User Interface is ________.
A. TCP
B. TCP 443
C. TCP 4433
D. TCP 257
Correct Answer: B

QUESTION 159
Over the weekend, an Administrator without access to SmartDashboard installed a new R77 Security Gateway using GAiA. You want to confirm communication between the Gateway and the Management Server by installing the Security Policy. What might prevent you from installing the Policy?
A. You have not established Secure Internal Communications (SIC) between the Security Gateway and Management Server. You must initialize SIC on both the Security Gateway and the Management Server.
B. You first need to run the command fw unloadlocal on the new Security Gateway.
C. You first need to initialize SIC in SmartUpdate.
D. You have not established Secure Internal Communications (SIC) between the Security Gateway and Management Server. You must initialize SIC on the Security Management Server.
Correct Answer: D

QUESTION 160
An Administrator without access to SmartDashboard installed a new IPSO-based R77 Security Gateway over the weekend. He e-mailed you the SIC activation key. You want to confirm communication between the Security Gateway and the Management Server by installing the Policy. What might prevent you from installing the Policy?
A. An intermediate local Security Gateway does not allow a policy install through it to the remote new Security Gateway appliance. Resolve by running the command fw unloadlocal on the local Security Gateway.
B. You first need to run the command fw unloadlocal on the R77 Security Gateway appliance in order to remove the restrictive default policy.
C. You first need to create a new Gateway object in SmartDashboard, establish SIC via the Communication button, and define the Gateway's topology.
D. You have not established Secure Internal Communications (SIC) between the Security Gateway and Management Server. You must initialize SIC on the Security Management Server.
Correct Answer: C

QUESTION 161

How can you reset the Security Administrator password that was created during initial Security Management Server installation on GAiA?
A. Launch SmartDashboard in the User Management screen, and edit the cpconfig administrator.
B. As expert user, type fwm -a, and provide the existing administrator's account name. Reset the Security Administrator's password.
C. Type cpm -a, and provide the existing administrator's account name. Reset the Security Administrator's password.
D. Export the user database into an ASCII file with fwm dbexport. Open this file with an editor, and delete the Password portion of the file. Then log in to the account without a password. You will be prompted to assign a new password.
Correct Answer: B

QUESTION 162
You have configured SNX on the Security Gateway. The client connects to the Security Gateway and the user enters the authentication credentials. What must happen after authentication that allows the client to connect to the Security Gateway's VPN domain?
A. SNX modifies the routing table to forward VPN traffic to the Security Gateway.
B. An office mode address must be obtained by the client.
C. The SNX client application must be installed on the client.
D. Active-X must be allowed on the client.

QUESTION 163
The Tokyo Security Management Server Administrator cannot connect from his workstation in Osaka.

Which of the following lists the BEST sequence of steps to troubleshoot this issue?

A. Check for matching OS and product versions of the Security Management Server and the client. Then, ping the Gateways to verify connectivity. If successful, scan the log files for any denied management packets.
B. Verify basic network connectivity to the local Gateway, service provider, remote Gateway, remote network and target machine. Then, test for firewall rules that deny management access to the target. If successful, verify that pcosaka is a valid client IP address.
C. Check the allowed clients and users on the Security Management Server. If pcosaka and your user account are valid, check for network problems. If there are no network related issues, this is likely to be a problem with the server itself. Check for any patches and upgrades. If still unsuccessful, open a case with Technical Support.
D. Call Tokyo to check if they can ping the Security Management Server locally. If so, login to sgtokyo, verify management connectivity and Rule Base. If this looks okay, ask your provider if they have some firewall rules that filters out your management traffic.

Correct Answer: B
/Reference:

QUESTION 164
Where is the fingerprint generated, based on the output display?

Exhibit:

A. SmartConsole
B. SmartUpdate
C. Security Management Server
D. SmartDashboard

Correct Answer: C

/Reference:

QUESTION 165
Match the following commands to their correct function. Each command has one function only listed.

Exhibit:

A. C1>F6; C2>F4; C3>F2; C4>F5
B. C1>F2; C2>F1; C3>F6; C4>F4
C. C1>F2; C2>F4; C3>F1; C4>F5
D. C1>F4; C2>F6; C3>F3; C4>F2

/Reference:

QUESTION 166
Which command displays the installed Security Gateway version?

A. fw ver
B. fw stat
C. fw printver
D. cpstat gw

/Reference:

QUESTION 167
Which command line interface utility allows the administrator to verify the Security Policy name and timestamp currently installed on a firewall module?

A. cpstat fwd
B. fw ver
C. fw stat
D. fw ctl pstat

Correct Answer: C
/Reference:

QUESTION 168
Suppose the Security Gateway hard drive fails and you are forced to rebuild it. You have a snapshot file stored to a TFTP server and backups of your Security Management Server. What is the correct procedure for rebuilding the Gateway quickly?

A. Reinstall the base operating system (i.e., GAiA). Configure the Gateway interface so that the Gateway can communicate with the TFTP server. Revert to the stored snapshot image, and install the Security Policy.

B. Run the command revert to restore the snapshot, establish SIC, and install the Policy.
C. Run the command revert to restore the snapshot. Reinstall any necessary Check Point products. Establish SIC and install the Policy.
D. Reinstall the base operating system (i.e., GAiA). Configure the Gateway interface so that the Gateway can communicate with the TFTP server. Reinstall any necessary Check Point products and previously applied hotfixes. Revert to the stored snapshot image, and install the Policy.

/Reference:

QUESTION 169
Which of the following statements accurately describes the command upgrade_export?

A. upgrade_export stores network-configuration data, objects, global properties, and the database revisions prior to upgrading the Security Management Server.
B. Used primarily when upgrading the Security Management Server, upgrade_export stores all object databases and the /conf directories for importing to a newer Security Gateway version.
C. upgrade_export is used when upgrading the Security Gateway, and allows certain files to be included or excluded before exporting.
D. This command is no longer supported in GAiA.

Correct Answer: B
/Reference:

QUESTION 170
What are you required to do before running the command upgrade_export?

A. Run a cpstop on the Security Gateway.
B. Run a cpstop on the Security Management Server.
C. Close all GUI clients.
D. Run cpconfig and set yourself up as a GUI client.

Correct Answer: C

/Reference:

QUESTION 171
A snapshot delivers a complete GAiA backup. The resulting file can be stored on servers or as a local file in /var/cpsnapshot/snapshots. How do you restore a local snapshot named MySnapshot.tgz?

A. Reboot the system and call the start menu. Select the option Snapshot Management, provide the Expert password and select [L] for a restore from a local file. Then, provide the correct file name.
B. As expert user, type the command snapshot -r MySnapshot.tgz.
C. As expert user, type the command revert --file MySnapshot.tgz.
D. As expert user, type the command snapshot -R to restore from a local file. Then, provide the correct file name.

Correct Answer: C
/Reference:

QUESTION 172
What is the primary benefit of using the command upgrade_export over either backup or snapshot?

A. upgrade_export is operating system independent and can be used when backup or snapshot is not available.
B. upgrade_export will back up routing tables, hosts files, and manual ARP configurations, where backup and snapshot will not.
C. The commands backup and snapshot can take a long time to run whereas upgrade_export will take a much shorter amount of time.
D. upgrade_export has an option to back up the system and SmartView Tracker logs while backup and snapshot will not.

/Reference:

QUESTION 173
What is the syntax for uninstalling a package using newpkg?

A. -u <pathname of package>
B. -i <full pathname of package>
C. -S <pathname of package>
D. newpkg CANNOT be used to uninstall a package

Correct Answer: D
/Reference:

QUESTION 174
Your primary Security Gateway runs on GAiA. What is the easiest way to back up your Security Gateway R77 configuration, including routing and network configuration files?

A. Copying the directories $FWDIR/conf and $FWDIR/lib to another location.
B. Using the native GAiA backup utility from command line or in the Web based user interface.
C. Using the command upgrade_export.
D. Run the pre_upgrade_verifier and save the .tgz file to the directory /temp.

Correct Answer: B
/Reference:

QUESTION 175
You need to back up the routing, interface, and DNS configuration information from your R77 GAiA Security Gateway. Which backup-and-restore solution do you use?

A. Manual copies of the directory $FWDIR/conf
B. GAiA back up utilities
C. upgrade_export and upgrade_import commands
D. Database Revision Control

Correct Answer: B

/Reference:

QUESTION 176
You are running a R77 Security Gateway on GAiA. In case of a hardware failure, you have a server with the exact same hardware and firewall version installed. What back up method could be used to quickly put the secondary firewall into production?

A. manual backup
B. upgrade_export
C. backup
D. snapshot

Correct Answer: D
/Reference:

QUESTION 177
Before upgrading SecurePlatform to GAiA, you should create a backup. To save time, many administrators use the command backup. This creates a backup of the Check Point configuration as well as the system configuration. An administrator has installed the latest HFA on the system to fix a traffic problem after creating a backup file. There is a mistake in the very complex static routing configuration. The Check Point configuration has not been changed. Can the administrator use a restore to fix the errors in static routing?

A. The restore is not possible because the backup file does not have the same build number (version).
B. The restore is done by selecting Snapshot Management from the boot menu of GAiA.
C. The restore can be done easily by the command restore and copying netconf.c from the production environment.
D. A backup cannot be restored, because the binary files are missing.

Correct Answer: C
/Reference:

QUESTION 178

Which operating systems are supported by a Check Point Security Gateway on an open server? Select the MOST complete list.

A. Sun Solaris, Red Hat Enterprise Linux, Check Point SecurePlatform, IPSO, Microsoft Windows
B. Check Point GAiA and SecurePlatform, and Microsoft Windows
C. Check Point GAiA, Microsoft Windows, Red Hat Enterprise Linux, Sun Solaris, IPSO
D. Check Point GAiA and SecurePlatform, IPSO, Sun Solaris, Microsoft Windows

Correct Answer: B
/Reference:

QUESTION 179
You intend to upgrade a Check Point Gateway from R71 to R77. Prior to upgrading, you want to back up the Gateway should there be any problems with the upgrade. Which of the following allows for the Gateway configuration to be completely backed up into a manageable size in the least amount of time?

A. database revision
B. snapshot
C. upgrade_export
D. backup

Correct Answer: D
/Reference:

QUESTION 180
An advantage of using central instead of local licensing is:

A. A license can be taken from one Security Management Server and given to another Security Management Server.
B. Only one IP address is used for all licenses.
C. The license must be renewed when changing the IP address of a Security Gateway. Each module's license has a unique IP address.
D. Licenses are automatically attached to their respective Security Gateways.

Correct Answer: B

/Reference:

QUESTION 181
You are running the license_upgrade tool on your GAiA Gateway. Which of the following can you NOT do with the upgrade tool?

A. Perform the actual license-upgrade process
B. Simulate the license-upgrade process
C. View the licenses in the SmartUpdate License Repository
D. View the status of currently installed licenses

Correct Answer: C
/Reference:

QUESTION 182
If a SmartUpdate upgrade or distribution operation fails on GAiA, how is the system recovered?

A. The Administrator can only revert to a previously created snapshot (if there is one) with the command cprinstall snapshot <object name> <filename>.
B. The Administrator must reinstall the last version via the command cprinstall revert <object name> <file name>.
C. The Administrator must remove the rpm packages manually, and re-attempt the upgrade.
D. GAiA will reboot and automatically revert to the last snapshot version prior to upgrade.

Correct Answer: D
/Reference:

QUESTION 183
Why should the upgrade_export configuration file (.tgz) be deleted after you complete the import process?

A. SmartUpdate will start a new installation process if the machine is rebooted.
B. It will prevent a future successful upgrade_export since the .tgz file cannot be overwritten.
C. It contains your security configuration, which could be exploited.
D. It will conflict with any future upgrades when using SmartUpdate.

Correct Answer: C
/Reference:

QUESTION 184
Which of these components does NOT require a Security Gateway R77 license?

A. Security Management Server
B. Check Point Gateway
C. SmartConsole
D. SmartUpdate upgrading/patching

Correct Answer: C
/Reference:

QUESTION 185
If a Security Gateway enforces three protections, LDAP Injection, Malicious Code Protector, and Header Rejection, which Check Point license is required in SmartUpdate?

A. IPS
B. SSL: VPN

C. SmartEvent Intro
D. Data Loss Prevention

/Reference:

QUESTION 186
Central license management allows a Security Administrator to perform which of the following functions?

1. Check for expired licenses.
2. Sort licenses and view license properties.
3. Attach both R77 Central and Local licenses to a remote module.
4. Delete both R77 Local Licenses and Central licenses from a remote module.
5. Add or remove a license to or from the license repository.
6. Attach and/or delete only R77 Central licenses to a remote module (not Local licenses).

A. 1, 2, 5, & 6
B. 2, 3, 4, & 5
C. 2, 5, & 6
D. 1, 2, 3, 4, & 5

Correct Answer: D
/Reference:

QUESTION 187
Which command gives an overview of your installed licenses?

A. cplicense
B. showlic
C. fw lic print
D. cplic print

Correct Answer: D
/Reference:

QUESTION 188
Where are SmartEvent licenses installed?

A. SmartEvent server
B. Log Server
C. Security Management Server
D. Security Gateway

/Reference:

QUESTION 189
ALL of the following options are provided by the GAiA sysconfig utility, EXCEPT:

A. Export setup
B. DHCP Server configuration
C. Time & Date
D. GUI Clients

Correct Answer: D
/Reference:

QUESTION 190

Which of the following options is available with the GAiA cpconfig utility on a Management Server?

A. Export setup
B. DHCP Server configuration
C. GUI Clients
D. Time & Date

Correct Answer: C
/Reference:

QUESTION 191
Which command would provide the most comprehensive diagnostic information to Check Point Technical Support?

A. fw cpinfo
B. cpinfo -o date.cpinfo.txt
C. diag
D. cpstat - date.cpstat.txt

Correct Answer: B
/Reference:

QUESTION 192
Which of the following statements accurately describes the command snapshot?

A. snapshot creates a full OS-level backup, including network-interface data, Check Point product information, and configuration settings during an upgrade of a GAiA Security Gateway.
B. snapshot creates a Security Management Server full system-level backup on any OS.
C. snapshot stores only the system-configuration settings on the Gateway.
D. A Gateway snapshot includes configuration settings and Check Point product information from the remote Security Management Server.

/Reference:

QUESTION 193
How do you recover communications between your Security Management Server and Security Gateway if you lock yourself out through a rule or policy misconfiguration?

A. fw unload policy
B. fw unloadlocal
C. fw delete all.all@localhost
D. fwm unloadlocal

Correct Answer: B
/Reference:

QUESTION 194
How can you check whether IP forwarding is enabled on an IP Security Appliance?

A. clish -c show routing active enable
B. cat /proc/sys/net/ipv4/ip_forward
C. echo 1 > /proc/sys/net/ipv4/ip_forward
D. ipsofwd list

Correct Answer: D
/Reference:

QUESTION 195
Which command allows you to view the contents of an R77 table?

A. fw tab -a <tablename>
B. fw tab -t <tablename>
C. fw tab -s <tablename>
D. fw tab -x <tablename>

Correct Answer: B
/Reference:

QUESTION 196
Which of the following tools is used to generate a Security Gateway R77 configuration report?

A. fw cpinfo
B. infocp
C. cpinfo
D. infoview

Correct Answer: C
/Reference:

QUESTION 197
Which of the following is a CLI command for Security Gateway R77?

A. fw tab -u
B. fw shutdown
C. fw merge
D. fwm policy_print <policyname>

/Reference:

QUESTION 198
You are the Security Administrator for MegaCorp. A Check Point firewall is installed and in use on a platform using GAiA. You have trouble configuring the speed and duplex settings of your Ethernet interfaces. Which of the following commands can be used in CLISH to configure the speed and duplex settings of an Ethernet interface and will survive a reboot? Give the BEST answer.

A. ethtool
B. set interface <options>
C. mii_tool
D. ifconfig -a

Correct Answer: B
/Reference:

QUESTION 199
Which command enables IP forwarding on IPSO?

A. ipsofwd on admin
B. echo 0 > /proc/sys/net/ipv4/ip_forward
C. clish -c set routing active enable
D. echo 1 > /proc/sys/net/ipv4/ip_forward

/Reference:

QUESTION 200
Which of the following objects is a valid source in an authentication rule?

A.
B.
C.
D.

Correct Answer: C
/Reference:

QUESTION 201
You find that Users are not prompted for authentication when they access their Web servers, even though you have created an HTTP rule via User Authentication. Choose the BEST reason why.

A. You checked the cache password on desktop option in Global Properties.
B. Another rule that accepts HTTP without authentication exists in the Rule Base.
C. You have forgotten to place the User Authentication Rule before the Stealth Rule.
D. Users must use the SecuRemote Client, to use the User Authentication Rule.

Correct Answer: B
/Reference:

QUESTION 202
Which authentication type requires specifying a contact agent in the Rule Base?

A. Client Authentication with Partially Automatic Sign On

B. Client Authentication with Manual Sign On
C. User Authentication
D. Session Authentication

Correct Answer: D
Section: Volume D
/Reference:

QUESTION 203
What is the difference between Standard and Specific Sign On methods?

A. Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service specifically defined in the window Specific Action Properties.
B. Standard Sign On allows the user to be automatically authorized for all services that the rule allows, but re-authenticate for each host to which he is trying to connect. Specific Sign On requires that the user re-authenticate for each service.
C. Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service and each host to which he is trying to connect.
D. Standard Sign On requires the user to re-authenticate for each service and each host to which he is trying to connect. Specific Sign On allows the user to sign on only to a specific IP address.

Correct Answer: C
Section: Volume D
/Reference:

QUESTION 204
Which set of objects have an Authentication tab?

A. Templates, Users
B. Users, Networks
C. Users, User Groups
D. Networks, Hosts

Section: Volume D
/Reference:

QUESTION 205
How are cached usernames and passwords cleared from the memory of a R77 Security Gateway?

A. By using the Clear User Cache button in SmartDashboard.
B. Usernames and passwords only clear from memory after they time out.
C. By retrieving LDAP user information using the command fw fetchldap.
D. By installing a Security Policy.

Correct Answer: D
Section: Volume D
/Reference:

QUESTION 206
Your users are defined in a Windows 2008 R2 Active Directory server. You must add LDAP users to a Client Authentication rule. Which kind of user group do you need in the Client Authentication rule in R77?

A. External-user group
B. LDAP group
C. A group with a generic user
D. All Users

Correct Answer: B
Section: Volume D
/Reference:

QUESTION 207
Assume you are a Security Administrator for ABCTech. You have allowed authenticated access to users from Mkting_net to Finance_net. But in the user's

properties, connections are only permitted within Mkting_net. What is the BEST way to resolve this conflict?

A. Select Ignore Database in the Action Properties window.
B. Permit access to Finance_net.
C. Select Intersect with user database in the Action Properties window.
D. Select Intersect with user database or Ignore Database in the Action Properties window.

Correct Answer: D
Section: Volume D
/Reference:

QUESTION 208
For remote user authentication, which authentication scheme is NOT supported?

A. Check Point Password
B. RADIUS
C. TACACS
D. SecurID

Correct Answer: C
Section: Volume D
/Reference:

QUESTION 209
Review the rules.

Assume domain UDP is enabled in the implied rules. What happens when a user from the internal network tries to browse to the internet using HTTP? The user:

A. can connect to the Internet successfully after being authenticated.
B. is prompted three times before connecting to the Internet successfully.
C. can go to the Internet after Telnetting to the client authentication daemon port 259.
D. can go to the Internet, without being prompted for authentication.

Correct Answer: D
Section: Volume D
/Reference:

QUESTION 210
Study the Rule base and Client Authentication Action properties screen -

After being authenticated by the Security Gateway, when a user starts an HTTP connection to a Web site, the user tries to FTP to another site using the command

line. What happens to the user?

A. user is prompted for authentication by the Security Gateway again.
B. FTP data connection is dropped after the user is authenticated successfully.
C. user is prompted to authenticate from that FTP site only, and does not need to enter his username and password for Client Authentication.
D. FTP connection is dropped by Rule 2.

Correct Answer: C
Section: Volume D
/Reference:

Manual: Users must use either telnet to port 259 on the firewall, or use a Web browser to connect to port 900 on the firewall to authenticate before being granted access.

Partially Automatic: If user authentication is configured for the service the user is attempting to access and they pass this authentication, then no further client authentication is required. For example, if HTTP is permitted on a client authentication rule, the user will be able to transparently authenticate since FireWall-1 has a security server for HTTP. Then, if this setting is chosen, users will not have to manually authenticate for this connection. Note that this applies to all services for which FireWall-1 has built-in security servers (HTTP, FTP, telnet, and rlogin).

Fully Automatic: If the client has the session authentication agent installed, then no further client authentication is required (see session authentication below). For HTTP, FTP, telnet, or rlogin, the firewall will authenticate via user authentication, and then session authentication will be used to authenticate all other services.

Figure 6.19 Client Authentication Action Properties

Agent Automatic Sign On: Uses session authentication agent to provide transparent authentication (see session authentication below).

Single Sign-On System: Used in conjunction with UserAuthority servers to provide enhanced application level security. Discussion of UserAuthority is beyond the scope of this book.
QUESTION 211
One of your remote Security Gateways suddenly stops sending logs, and you cannot install the Security Policy on the Gateway. All other remote Security Gateways are logging normally to the Security Management Server, and Policy installation is not affected. When you click the Test SIC status button in the problematic Gateway object, you receive an error message. What is the problem?

A. The remote Gateway's IP address has changed, which invalidates the SIC Certificate.
B. The time on the Security Management Server's clock has changed, which invalidates the remote Gateway's Certificate.
C. The Internal Certificate Authority for the Security Management Server object has been removed from objects_5_0.c.
D. There is no connection between the Security Management Server and the remote Gateway. Rules or routing may block the connection.

Correct Answer: D
Section: Volume D

/Reference:

QUESTION 212
What information is found in the SmartView Tracker Management log?

A. SIC revoke certificate event
B. Destination IP address
C. Most accessed Rule Base rule
D. Number of concurrent IKE negotiations

Section: Volume D
/Reference:

QUESTION 213
What information is found in the SmartView Tracker Management log?

A. Historical reports log
B. Policy rule modification date/time stamp
C. Destination IP address
D. Most accessed Rule Base rule

Correct Answer: B
Section: Volume D
/Reference:

QUESTION 214
What information is found in the SmartView Tracker Management log?

A. Creation of an administrator using cpconfig
B. GAiA expert login event

C. FTP username authentication failure
D. Administrator SmartDashboard logout event

Correct Answer: D
Section: Volume D
/Reference:

QUESTION 215
How do you use SmartView Monitor to compile traffic statistics for your company's Internet Web activity during production hours?

A. Select Tunnels view, and generate a report on the statistics.
B. Configure a Suspicious Activity Rule which triggers an alert when HTTP traffic passes through the Gateway.
C. Use Traffic settings and SmartView Monitor to generate a graph showing the total HTTP traffic for the day.
D. View total packets passed through the Security Gateway.

Correct Answer: C
Section: Volume D
/Reference:

QUESTION 216
What happens when you run the command fw sam -J src [Source IP Address]?

A. Connections from the specified source are blocked without the need to change the Security Policy.
B. Connections to the specified target are blocked without the need to change the Security Policy.
C. Connections to and from the specified target are blocked without the need to change the Security Policy.
D. Connections to and from the specified target are blocked with the need to change the Security Policy.

Section: Volume D
/Reference:

QUESTION 217
An internal router is sending UDP keep-alive packets that are being encapsulated with GRE and sent through your R77 Security Gateway to a partner site. A rule for GRE traffic is configured for ACCEPT/LOG. Although the keep-alive packets are being sent every minute, a search through the SmartView Tracker logs for GRE traffic only shows one entry for the whole day (early in the morning after a Policy install). Your partner site indicates they are successfully receiving the GRE encapsulated keep-alive packets on the 1-minute interval. If GRE encapsulation is turned off on the router, SmartView Tracker shows a log entry for the UDP keep-alive packet every minute. Which of the following is the BEST explanation for this behavior?

A. The setting Log does not capture this level of detail for GRE. Set the rule tracking action to Audit since certain types of traffic can only be tracked this way.
B. The log unification process is using a LUUID (Log Unification Unique Identification) that has become corrupt. Because it is encrypted, the R77 Security Gateway cannot distinguish between GRE sessions. This is a known issue with GRE. Use IPSEC instead of the non-standard GRE protocol for encapsulation.
C. The Log Server log unification process unifies all log entries from the Security Gateway on a specific connection into only one log entry in the SmartView Tracker. GRE traffic has a 10 minute session timeout, thus each keep-alive packet is considered part of the original logged connection at the beginning of the day.
D. The Log Server is failing to log GRE traffic properly because it is VPN traffic. Disable all VPN configuration to the partner site to enable proper logging.

Correct Answer: C
Section: Volume D
/Reference:

QUESTION 218
Which port must be allowed to pass through enforcement points in order to allow packet logging to operate correctly?

A. 514
B. 257
C. 256
D. 258

Correct Answer: B
Section: Volume D
/Reference:

QUESTION 219

You are the Security Administrator for MegaCorp and would like to view network activity using SmartReporter. You select a standard predefined report. As you can see here, you can select the london Gateway. When you attempt to configure the Express Report, you are unable to select this Gateway.

What is the reason for this behavior? Give the BEST answer.

A. You must enable the Eventia Express Mode on the london Gateway.
B. You have the license for Eventia Reporter in Standard mode only.
C. You must enable the Express Mode inside Eventia Reporter.
D. You must enable Monitoring in the london Gateway object's General Properties.

Correct Answer: D
Section: Volume D
/Reference:

QUESTION 220

In SmartView Tracker, which rule shows when a packet is dropped due to anti-spoofing?

A. Rule 0
B. Blank field under Rule Number
C. Rule 1
D. Cleanup Rule

Section: Volume D
/Reference:

QUESTION 221
A third-shift Security Administrator configured and installed a new Security Policy early this morning. When you arrive, he tells you that he has been receiving complaints that Internet access is very slow. You suspect the Security Gateway virtual memory might be the problem. Which SmartConsole component would you use to verify this?

A. Eventia Analyzer
B. SmartView Tracker
C. SmartView Monitor
D. This information can only be viewed with the command fw ctl pstat from the CLI.

Correct Answer: C
Section: Volume D
/Reference:

QUESTION 222
You find a suspicious connection from a problematic host. You decide that you want to block everything from that whole network, not just the problematic host. You

want to block this for an hour while you investigate further, but you do not want to add any rules to the Rule Base. How do you achieve this?

A. Use dbedit to script the addition of a rule directly into the Rule Bases_5_0.fws configuration file.
B. Select Block intruder from the Tools menu in SmartView Tracker.
C. Create a Suspicious Activity Rule in SmartView Monitor.
D. Add a temporary rule using SmartDashboard and select hide rule.

Correct Answer: C
Section: Volume D
/Reference:

QUESTION 223
In SmartDashboard, you configure 45 MB as the required free hard-disk space to accommodate logs. What can you do to keep old log files, when free space falls below 45 MB?

A. Do nothing. Old logs are deleted, until free space is restored.
B. Use the command fwm logexport to export the old log files to another location.
C. Configure a script to run fw logswitch and SCP the output file to a separate file server.
D. Do nothing. The Security Management Server automatically copies old logs to a backup server before purging.

Correct Answer: C
Section: Volume D
/Reference:

QUESTION 224
How do you configure an alert in SmartView Monitor?

A. An alert cannot be configured in SmartView Monitor.
B. By choosing the Gateway, and Configure Thresholds.
C. By right-clicking on the Gateway, and selecting Properties.
D. By right-clicking on the Gateway, and selecting System Information.

Correct Answer: B

Section: Volume D
/Reference:

QUESTION 225
True or False: SmartView Monitor can be used to create alerts on a specified Gateway.

A. True, by right-clicking on the Gateway and selecting Configure Thresholds.
B. True, by choosing the Gateway and selecting System Information.
C. False, an alert cannot be created for a specified Gateway.
D. False, alerts can only be set in SmartDashboard Global Properties.

Section: Volume D
/Reference:

QUESTION 226
Which R77 SmartConsole tool would you use to verify the installed Security Policy name on a Security Gateway?

A. SmartView Monitor
B. SmartUpdate
C. SmartView Status
D. None, SmartConsole applications only communicate with the Security Management Server.

Section: Volume D
/Reference:

QUESTION 227
Which R77 GUI would you use to see the number of packets accepted since the last policy install?

A. SmartView Monitor
B. SmartView Tracker
C. SmartDashboard
D. SmartView Status

Section: Volume D
/Reference:

QUESTION 228
You are trying to save a custom log query in R77 SmartView Tracker, but getting the following error:

Could not save <query-name> (Error: Database is Read Only)

Which of the following is a likely explanation for this?

A. Another administrator is currently connected to the Security Management Server with read/write permissions which impacts your ability to save custom log queries to the Security Management Server.
B. You do not have OS write permissions on the local SmartView Tracker PC in order to save the custom query locally.
C. You have read-only rights to the Security Management Server database.
D. You do not have the explicit right to save a custom query in your administrator permission profile under SmartConsole customization.

Correct Answer: C
Section: Volume D
/Reference:

QUESTION 229
The R77 fw monitor utility is used to troubleshoot which of the following problems?

A. Traffic issues
B. Log Consolidation Engine
C. User data base corruption
D. Phase two key negotiation

Section: Volume D
/Reference:

QUESTION 230
You are the Security Administrator for MegaCorp. In order to see how efficient your firewall Rule Base is, you would like to see how often the particular rules match. Where can you see it? Give the BEST answer.

A. In the SmartView Tracker, if you activate the column Matching Rate.
B. In SmartReporter, in the section Firewall Blade - Activity > Network Activity with information concerning Top Matched Logged Rules.
C. SmartReporter provides this information in the section Firewall Blade - Security > Rule Base Analysis with information concerning Top Matched Logged Rules.
D. It is not possible to see it directly. You can open SmartDashboard and select UserDefined in the Track column. Afterwards, you need to create your own program with an external counter.

Correct Answer: C
Section: Volume D
/Reference:

QUESTION 231
A company has disabled logging for some of the most commonly used Policy rules. This was to decrease load on the Security Management Server and to make tracking dropped connections easier. What action would you recommend to get reliable statistics about the network traffic using SmartReporter?

A. SmartReporter analyzes all network traffic, logged or not.
B. Network traffic cannot be analyzed when the Security Management Server has a high load.
C. Turn the field Track of each rule to LOG.
D. Configure Additional Logging on an additional log server.

Correct Answer: D
Section: Volume D
/Reference:

119 QUESTION 232 What is a Consolidation Policy? A. The collective name of the Security Policy, Address Translation, and IPS Policies. B. The specific Policy written in SmartDashboard to configure which log data is stored in the SmartReporter database. C. The collective name of the logs generated by SmartReporter. D. A global Policy used to share a common enforcement policy for multiple Security Gateways. Correct Answer: B Section: Volume D /Reference: QUESTION 233 Which feature in R77 permits blocking specific IP addresses for a specified time period? A. Suspicious Activity Monitoring B. HTTP Methods C. Local Interface Spoofing D. Block Port Overflow Section: Volume D /Reference: QUESTION 234 You find a suspicious FTP site trying to connect to one of your internal hosts. How do you block it in real time and verify it is successfully blocked? Highlight the suspicious connection in SmartView Tracker: A. Log mode. Block it using Tools > Block Intruder menu. Observe in the Log mode that the suspicious connection does not appear again in this SmartView Tracker view. B. Log mode. Block it using Tools > Block Intruder menu. Observe in the Log mode that the suspicious connection is listed in this SmartView Tracker view as

120 "dropped?. C. Active mode. Block it using Tools > Block Intruder menu. Observe in the Active mode that the suspicious connection does not appear again in this SmartView Tracker view. D. Active mode. Block it using Tools > Block Intruder menu. Observe in the Active mode that the suspicious connection is listed in this SmartView Tracker view as "dropped?. Correct Answer: C Section: Volume D /Reference: QUESTION 235 Your Security Gateways are running near performance capacity and will get upgraded hardware next week. Which of the following would be MOST effective for quickly dropping all connections from a specific attacker's IP at a peak time of day? A. Intrusion Detection System (IDS) Policy install B. Change the Rule Base and install the Policy to all Security Gateways C. SAM - Block Intruder feature of SmartView Tracker D. SAM - Suspicious Activity Rules feature of SmartView Monitor Correct Answer: D Section: Volume D /Reference: QUESTION 236 Your company enforces a strict change control policy. Which of the following would be MOST effective for quickly dropping an attacker's specific active connection? A. Change the Rule Base and install the Policy to all Security Gateways B. Block Intruder feature of SmartView Tracker C. Intrusion Detection System (IDS) Policy install D. SAM - Suspicious Activity Rules feature of SmartView Monitor Correct Answer: B Section: Volume D

121 /Reference: QUESTION 237 is an R77 component that displays the number of packets accepted, rejected, and dropped on a specific Security Gateway, in real time. A. SmartEvent B. SmartView Status C. SmartUpdate D. SmartView Monitor Correct Answer: D Section: Volume D /Reference: QUESTION 238 You have just installed your Gateway and want to analyze the packet size distribution of your traffic with SmartView Monitor.

122 Unfortunately, you get the message. "There are no machines that contain Firewall Blade and SmartView Monitor."

123 What should you do to analyze the packet size distribution of your traffic? Give the BEST answer. A. Purchase the SmartView Monitor license for your Security Management Server. B. Enable Monitoring on your Security Management Server. C. Purchase the SmartView Monitor license for your Security Gateway. D. Enable Monitoring on your Security Gateway. Correct Answer: D Section: Volume D /Reference: QUESTION 239 You want to configure a mail alert for every time the policy is installed to a specific Gateway. Where would you configure this alert?


Defining IPsec Networks and Customers

Defining IPsec Networks and Customers CHAPTER 4 Defining the IPsec Network Elements In this product, a VPN network is a unique group of targets; a target can be a member of only one network. Thus, a VPN network allows a provider to partition

More information

CCNA Security 1.0 Student Packet Tracer Manual

CCNA Security 1.0 Student Packet Tracer Manual 1.0 Student Packet Tracer Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors

More information

Indicate whether the statement is true or false.

Indicate whether the statement is true or false. Indicate whether the statement is true or false. 1. Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall s database or violations of those rules. 2.

More information

User Role Firewall Policy

User Role Firewall Policy User Role Firewall Policy An SRX Series device can act as an Infranet Enforcer in a UAC network where it acts as a Layer 3 enforcement point, controlling access by using IP-based policies pushed down from

More information

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005 Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks

More information

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with Check Point Security Gateway

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with Check Point Security Gateway SafeNet Authentication Manager Integration Guide SAM using RADIUS Protocol with Check Point Security Gateway Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013

More information

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare 4.. Filtering Filtering helps limiting traffic to useful services It can be done based on multiple criteria or IP address Protocols (, UDP, ICMP, ) and s Flags and options (syn, ack, ICMP message type,

More information

AT&T Cloud Web Security Service

AT&T Cloud Web Security Service AT&T Cloud Web Security Service Troubleshooting Guide Table of Contents 1 Summary... 3 2 Explicit Proxy Access Method... 4 2.1 Explicit Proxy Flow Diagram... 4 3 Proxy Forwarding Access Method... 6 3.1

More information

User Manual. SSV Remote Access Gateway. Web ConfigTool

User Manual. SSV Remote Access Gateway. Web ConfigTool SSV Remote Access Gateway Web ConfigTool User Manual SSV Software Systems GmbH Dünenweg 5 D-30419 Hannover Phone: +49 (0)511/40 000-0 Fax: +49 (0)511/40 000-40 E-mail: sales@ssv-embedded.de Document Revision:

More information

upgrade-mp through xlate-bypass Commands

upgrade-mp through xlate-bypass Commands CHAPTER 33 upgrade-mp To upgrade the maintenance partition software, use the upgrade-mp command. upgrade-mp {http[s]://[user:password@]server[:port]/pathname tftp[://server/pathname]} tftp http[s] server

More information

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT Avaya CAD-SV Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0 Issue 1.0 30th October 2009 ABSTRACT These Application Notes describe the steps to configure the Cisco VPN 3000 Concentrator

More information

Network Security. Thierry Sans

Network Security. Thierry Sans Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability

More information