Pregunta 1
Pregunta
QUESTION 1
You manage a global network extending from your base in Chicago to Tokyo, Calcutta and Dallas.
Management wants a report detailing the current software level of each Enterprise class Security Gateway.
You plan to take the opportunity to create a proposal outline, listing the most cost- effective way to upgrade
your Gateways. Which two SmartConsole applications will you use to create this report and outline?
Respuesta
-
A. SmartView Tracker and SmartView Monitor
-
B. SmartLSM and SmartUpdate
-
C. SmartDashboard and SmartView Tracker
-
D. SmartView Monitor and SmartUpdate
Pregunta 2
Pregunta
QUESTION 2
Your bank's distributed R77 installation has Security Gateways up for renewal. Which SmartConsole
application will tell you which Security Gateways have licenses that will expire within the next 30 days?
Respuesta
-
A. SmartView Tracker
-
B. SmartPortal
-
C. SmartUpdate
-
D. SmartDashboard
Pregunta 3
Pregunta
QUESTION 3
When launching SmartDashboard, what information is required to log into R77?
Respuesta
-
A. User Name, Management Server IP, certificate fingerprint file
-
B. User Name, Password, Management Server IP
-
C. Password, Management Server IP
-
D. Password, Management Server IP, LDAP Server IP
Pregunta 4
Pregunta
QUESTION 4
Message digests use which of the following?
Respuesta
-
A. DES and RC4
-
B. IDEA and RC4
-
C. SSL and MD4
-
D. SHA-1 and MD5
Pregunta 5
Pregunta
QUESTION 5
Which of the following is a hash algorithm?
Respuesta
-
A. 3DES
-
B. IDEA
-
C. DES
-
D. MD5
Pregunta 6
Pregunta
QUESTION 6
Which of the following uses the same key to decrypt as it does to encrypt?
Pregunta 7
Pregunta
QUESTION 7
You believe Phase 2 negotiations are failing while you are attempting to configure a site-to-site VPN with
one of your firm's business partners. Which SmartConsole application should you use to confirm your
suspicions?
Respuesta
-
A. SmartDashboard
-
B. SmartUpdate
-
C. SmartView Status
-
D. SmartView Tracker
Pregunta 8
Pregunta
QUESTION 8
A digital signature:
Respuesta
-
A. Guarantees the authenticity and integrity of a message.
-
B. Automatically exchanges shared keys.
-
C. Decrypts data to its original form.
-
D. Provides a secure key exchange mechanism over the Internet.
Pregunta 9
Pregunta
QUESTION 9
Which component functions as the Internal Certificate Authority for R77?
Respuesta
-
A. Security Gateway
-
B. Management Server
-
C. Policy Server
-
D. SmartLSM
Pregunta 10
Pregunta
QUESTION 10
The customer has a small Check Point installation, which includes one GAiA server working as the
SmartConsole, and a second server running Windows 2008 as both Security Management Server and
Security Gateway. This is an example of a(n):
Respuesta
-
A. Distributed Installation
-
B. Hybrid Installation
-
C. Unsupported configuration
-
D. Stand-Alone Installation
Pregunta 11
Pregunta
QUESTION 11
The customer has a small Check Point installation which includes one Windows 2008 server as the
SmartConsole and a second server running GAiA as both Security Management Server and the Security
Gateway. This is an example of a(n):
Respuesta
-
A. Distributed Installation
-
B. Unsupported configuration
-
C. Hybrid Installation
-
D. Stand-Alone Installation
Pregunta 12
Pregunta
QUESTION 12
The customer has a small Check Point installation which includes one Windows 7 workstation as the
SmartConsole, one GAiA device working as Security Management Server, and a third server running
SecurePlatform as Security Gateway. This is an example of a(n):
Respuesta
-
A. Hybrid Installation
-
B. Unsupported configuration
-
C. Stand-Alone Installation
-
D. Distributed Installation
Pregunta 13
Pregunta
QUESTION 13
The customer has a small Check Point installation which includes one Windows 2008 server as
SmartConsole and Security Management Server with a second server running GAiA as Security Gateway.
This is an example of a(n):
Respuesta
-
A. Stand-Alone Installation.
-
B. Distributed Installation.
-
C. Unsupported configuration
-
D. Hybrid Installation
Pregunta 14
Pregunta
QUESTION 14
When doing a Stand-Alone Installation, you would install the Security Management Server with which other
Check Point architecture component?
Pregunta 15
Pregunta
QUESTION 15
Tom has been tasked to install Check Point R77 in a distributed deployment. Before Tom installs the
systems this way, how many machines will he need if he does NOT include a SmartConsole machine in his
calculations?
Pregunta 16
Pregunta
QUESTION 16
Which command allows Security Policy name and install date verification on a Security Gateway?
Respuesta
-
A. fw show policy
-
B. fw stat -l
-
C. fw ctl pstat -policy
-
D. fw ver -p
Pregunta 17
Pregunta
QUESTION 17
You have two rules, ten users, and two user groups in a Security Policy. You create database version 1 for
this configuration. You then delete two existing users and add a new user group. You modify one rule and
add two new rules to the Rule Base. You save the Security Policy and create database version 2. After
awhile, you decide to roll back to version 1 to use the Rule Base, but you want to keep your user database.
How can you do this?
Respuesta
-
A. Run fwm dbexport -l filename. Restore the database. Then, run fwm dbimport -l filename to import the
users.
-
B. Run fwm_dbexport to export the user database. Select restore the entire database in the Database
Revision screen. Then, run fwm_dbimport.
-
C. Restore the entire database, except the user database, and then create the new user and user group.
-
D. Restore the entire database, except the user database.
Pregunta 18
Pregunta
QUESTION 18
Which feature or command provides the easiest path for Security Administrators to revert to earlier versions
of the same Security Policy and objects configuration?
Respuesta
-
A. Database Revision Control
-
B. Policy Package management
-
C. dbexport/dbimport
-
D. upgrade_export/upgrade_import
Pregunta 19
Pregunta
QUESTION 19
Your Security Management Server fails and does not reboot. One of your remote Security Gateways
managed by the Security Management Server reboots. What occurs with the remote Gateway after reboot?
Respuesta
-
A. Since the Security Management Server is not available, the remote Gateway cannot fetch the Security
Policy. Therefore, all traffic is allowed through the Gateway.
-
B. Since the Security Management Server is not available, the remote Gateway cannot fetch the Security
Policy. Therefore, no traffic is allowed through the Gateway.
-
C. The remote Gateway fetches the last installed Security Policy locally and passes traffic normally. The
Gateway will log locally, since the Security Management Server is not available.
-
D. Since the Security Management Server is not available, the remote Gateway uses the local Security
Policy, but does not log traffic.
Pregunta 20
Pregunta
QUESTION 20
How can you configure an application to automatically launch on the Security Management Server when
traffic is dropped or accepted by a rule in the Security Policy?
Respuesta
-
A. SNMP trap alert script
-
B. Custom scripts cannot be executed through alert scripts.
-
C. User-defined alert script
-
D. Pop-up alert script
Pregunta 21
Pregunta
QUESTION 21
Which of the following is NOT useful to verify whether or not a Security Policy is active on a Gateway?
Pregunta 22
Pregunta
QUESTION 22
Exhibit:
Of the following, what parameters will not be preserved when using Database Revision Control?
Respuesta
-
A. 2, 4, 7, 10, 11
-
B. 3, 4, 5, 6, 9, 12, 13
-
C. 5, 6, 9, 12, 13
-
D. 1, 2, 8, 10, 11
Pregunta 23
Pregunta
QUESTION 23
You are about to test some rule and object changes suggested in an R77 news group. Which backup
solution should you use to ensure the easiest restoration of your Security Policy to its previous configuration
after testing the changes?
Respuesta
-
A. Manual copies of the directory $FWDIR/conf
-
B. upgrade_export command
-
C. Database Revision Control
-
D. GAiA backup utilities
Pregunta 24
Pregunta
QUESTION 24
Exhibit:
You plan to create a backup of the rules, objects, policies, and global properties from an R77 Security
Management Server. Which of the following backup and restore solutions can you use?
Respuesta
-
A. 2, 4, and 5
-
B. 1, 2, 3, 4, and 5
-
C. 1, 2, and 3
-
D. 1, 3, and 4
Pregunta 25
Pregunta
QUESTION 25
Which R77 feature or command allows Security Administrators to revert to earlier Security Policy versions
without changing object configurations?
Respuesta
-
A. upgrade_export/upgrade_import
-
B. fwm dbexport/fwm dbimport
-
C. Database Revision Control
-
D. Policy Package management
Pregunta 26
Pregunta
QUESTION 26
What must a Security Administrator do to comply with a management requirement to log all traffic accepted
through the perimeter Security Gateway?
Respuesta
-
A. In Global Properties > Reporting Tools check the box Enable tracking all rules (including rules marked
as None in the Track column). Send these logs to a secondary log server for a complete logging history.
Use your normal log server for standard logging for troubleshooting.
-
B. Install the View Implicit Rules package using SmartUpdate.
-
C. Define two log servers on the R77 Gateway object. Enable Log Implied Rules on the first log server.
Enable Log Rule Base on the second log server. Use SmartReporter to merge the two log server
records into the same database for HIPPA log audits.
-
D. Check the Log Implied Rules Globally box on the R77 Gateway object.
Pregunta 27
Pregunta
QUESTION 27
Which utility allows you to configure the DHCP service on GAiA from the command line?
Respuesta
-
A. ifconfig
-
B. sysconfig
-
C. cpconfig
-
D. dhcp_cfg
Pregunta 28
Pregunta
QUESTION 28
The third-shift Administrator was updating Security Management Server access settings in Global
Properties and testing. He managed to lock himself out of his account. How can you unlock this account?
Respuesta
-
A. Type fwm unlock_admin from the Security Management Server command line.
-
B. Type fwm unlock_admin -u from the Security Gateway command line.
-
C. Type fwm lock_admin -u <account name> from the Security Management Server command line.
-
D. Delete the file admin.lock in the Security Management Server directory $FWDIR/tmp/.
Pregunta 29
Pregunta
QUESTION 29
The third-shift Administrator was updating Security Management Server access settings in Global
Properties. He managed to lock all administrators out of their accounts. How should you unlock these
accounts?
Respuesta
-
A. Delete the file admin.lock in the Security Management Server directory $FWDIR/tmp/.
-
B. Reinstall the Security Management Server and restore using upgrade_import.
-
C. Type fwm lock_admin -ua from the Security Management Server command line.
-
D. Login to SmartDashboard as the special cpconfig_admin user account; right-click on each administrator
object and select unlock.
Pregunta 30
Pregunta
QUESTION 30
You are the Security Administrator for ABC-Corp. A Check Point Firewall is installed and in use on GAiA.
You are concerned that the system might not be retaining your entries for the interfaces and routing
configuration. You would like to verify your entries in the corresponding file(s) on GAiA.
Where can you view them? Give the BEST answer.
Respuesta
-
A. /etc/sysconfig/netconf.C
-
B. /etc/conf/route.C
-
C. /etc/sysconfig/network-scripts/ifcfg-ethx
-
D. /etc/sysconfig/network
Pregunta 31
Pregunta
QUESTION 31
When using GAiA, it might be necessary to temporarily change the MAC address of the interface eth 0 to
00:0C:29:12:34:56. After restarting the network the old MAC address should be active.
How do you configure this change?
Respuesta
-
A. Edit the file /etc/sysconfig/netconf.C and put the new MAC address in the field
-
B. As expert user, issue these commands:
# IP link set eth0 down
# IP link set eth0 addr 00:0C:29:12:34:56
# IP link set eth0 up
-
C. As expert user, issue the command:
# IP link set eth0 addr 00:0C:29:12:34:56
-
D. Open the WebUI, select Network > Connections > eth0. Place the new MAC address in the field
Physical Address, and press Apply to save the settings.
Pregunta 32
Pregunta
QUESTION 32
Several Security Policies can be used for different installation targets. The Firewall protecting Human
Resources' servers should have its own Policy Package. These rules must be installed on this machine and
not on the Internet Firewall. How can this be accomplished?
Respuesta
-
A. A Rule Base is always installed on all possible targets. The rules to be installed on a Firewall are
defined by the selection in the Rule Base row Install On.
-
B. When selecting the correct Firewall in each line of the Rule Base row Install On, only this Firewall is
shown in the list of possible installation targets after selecting Policy > Install on Target.
-
C. In the menu of SmartDashboard, go to Policy > Policy Installation Targets and select the correct firewall
via Specific Targets.
-
D. A Rule Base can always be installed on any Check Point Firewall object. It is necessary to select the
appropriate target directly after selecting Policy > Install on Target.
Pregunta 33
Pregunta
QUESTION 33
You have a diskless appliance platform. How do you keep swap file wear to a minimum?
Respuesta
-
A. Issue FW-1 bases its package structure on the Security Management Server, dynamically loading when
the firewall is booted.
-
B. The external PCMCIA-based flash extension has the swap file mapped to it, allowing easy replacement.
-
C. Use PRAM flash devices, eliminating the longevity.
-
D. A RAM drive reduces the swap file thrashing which causes fast wear on the device.
Pregunta 34
Pregunta
QUESTION 34
Your R77 primary Security Management Server is installed on GAiA. You plan to schedule the Security
Management Server to run fw logswitch automatically every 48 hours. How do you create this schedule?
Respuesta
-
A. On a GAiA Security Management Server, this can only be accomplished by configuring the command fw
logswitch via the cron utility.
-
B. Create a time object, and add 48 hours as the interval. Open the primary Security Management Server
object's Logs and Masters window, enable Schedule log switch, and select the Time object.
-
C. Create a time object, and add 48 hours as the interval. Open the Security Gateway object's Logs and
Masters window, enable Schedule log switch, and select the Time object.
-
D. Create a time object, and add 48 hours as the interval. Select that time object's Global Properties >
Logs and Masters window, to schedule a logswitch.
Pregunta 35
Pregunta
QUESTION 35
Which of the following methods will provide the most complete backup of an R77 configuration?
Respuesta
-
A. Policy Package Management
-
B. Copying the directories $FWDIR\conf and $CPDIR\conf to another server
-
C. Execute command upgrade_export
-
D. Database Revision Control
Pregunta 36
Pregunta
QUESTION 36
Which of the following commands can provide the most complete restoration of a R77 configuration?
Pregunta 37
Pregunta
QUESTION 37
When restoring R77 using the command upgrade_import, which of the following items are NOT restored?
Respuesta
-
A. SIC Certificates
-
B. Licenses
-
C. Route tables
-
D. Global properties
Pregunta 38
Pregunta
QUESTION 38
Your organization's disaster recovery plan needs an update to the backup and restore section to reap the
new distributed R77 installation benefits. Your plan must meet the following required and desired
objectives:
Required ObjectivE.
The Security Policy repository must be backed up no less frequently than every 24 hours.
Desired ObjectivE.
The R77 components that enforce the Security Policies should be backed up at least once a week.
Desired ObjectivE.
Back up R77 logs at least once a week.
Your disaster recovery plan is as follows:
- Use the cron utility to run the command upgrade_export each night on the Security Management Servers.
- Configure the organization's routine back up software to back up the files created by the command
upgrade_export.
- Configure the GAiA back up utility to back up the Security Gateways every Saturday night.
- Use the cron utility to run the command upgrade_export each Saturday night on the log servers.
- Configure an automatic, nightly logswitch.
- Configure the organization's routine back up software to back up the switched logs every night.
Upon evaluation, your plan:
Respuesta
-
A. Meets the required objective and only one desired objective.
-
B. Meets the required objective but does not meet either desired objective.
-
C. Does not meet the required objective.
-
D. Meets the required objective and both desired objectives.
Pregunta 39
Pregunta
QUESTION 39
Your company is running Security Management Server R77 on GAiA, which has been migrated through
each version starting from Check Point 4.1. How do you add a new administrator account?
Respuesta
-
A. Using SmartDashboard, under Users, select Add New Administrator
-
B. Using SmartDashboard or cpconfig
-
C. Using the Web console on GAiA under Product configuration, select Administrators
-
D. Using cpconfig on the Security Management Server, choose Administrators
Pregunta 40
Pregunta
QUESTION 40
Peter is your new Security Administrator. On his first working day, he is very nervous and enters the wrong
password three times. His account is locked. What can be done to unlock Peter's account? Give the BEST
answer.
Respuesta
-
A. You can unlock Peter's account by using the command fwm lock_admin -u Peter on the Security
Management Server.
-
B. You can unlock Peter's account by using the command fwm unlock_admin -u Peter on the Security
Management Server
-
C. It is not possible to unlock Peter's account. You have to install the firewall once again or abstain from
Peter's help.
-
D. You can unlock Peter's account by using the command fwm unlock_admin -u Peter on the Security
Gateway.
Pregunta 41
Pregunta
QUESTION 41
Where can you find the Check Point's SNMP MIB file?
Respuesta
-
A. $CPDIR/lib/snmp/chkpt.mib
-
B. $FWDIR/conf/snmp.mib
-
C. It is obtained only by request from the TAC.
-
D. There is no specific MIB file for Check Point products.
Pregunta 42
Pregunta
QUESTION 42
You want to generate a cpinfo file via CLI on a system running GAiA. This will take about 40 minutes since
the log files are also needed. What action do you need to take regarding timeout?
Respuesta
-
A. No action is needed because cpshell has a timeout of one hour by default.
-
B. Log in as the default user expert and start cpinfo.
-
C. Log in as admin, switch to expert mode, set the timeout to one hour with the command, idle 60, then
start cpinfo.
-
D. Log in as Administrator, set the timeout to one hour with the command idle 60 and start cpinfo.
Pregunta 43
Pregunta
QUESTION 43
Many companies have defined more than one administrator. To increase security, only one administrator
should be able to install a Rule Base on a specific Firewall. How do you configure this?
Respuesta
-
A. Define a permission profile in SmartDashboard with read/write privileges, but restrict it to all other
firewalls by placing them in the Policy Targets field. Then, an administrator with this permission profile
cannot install a policy on any Firewall not listed here.
-
B. Put the one administrator in an Administrator group and configure this group in the specific Firewall
object in Advanced > Permission to Install.
-
C. In the object General Properties representing the specific Firewall, go to the Software Blades product list
and select Firewall. Right-click in the menu, select Administrator to Install to define only this
administrator.
-
D. Right-click on the object representing the specific administrator, and select that Firewall in Policy
Targets.
Pregunta 44
Pregunta
QUESTION 44
What is the officially accepted diagnostic tool for IP Appliance Support?
Respuesta
-
A. ipsoinfo
-
B. CST
-
C. uag-diag
-
D. cpinfo
Pregunta 45
Pregunta
QUESTION 45
Which of these Security Policy changes optimize Security Gateway performance?
Respuesta
-
A. Using groups within groups in the manual NAT Rule Base.
-
B. Use Automatic NAT rules instead of Manual NAT rules whenever possible.
-
C. Using domain objects in rules when possible.
-
D. Putting the least-used rule at the top of the Rule Base.
Pregunta 46
Pregunta
QUESTION 46
Your perimeter Security Gateway's external IP is 200.200.200.3. Your network diagram shows:
Required:
Allow only network 192.168.10.0 and 192.168.20.0 to go out to Internet, using 200.200.200.5.
The local network 192.168.1.0/24 needs to use 200.200.200.3 to go out to the Internet.
Assume you enable all the settings in the NAT page of Global Properties.
How do you achieve this requirement?
Respuesta
-
A. Create a network object 192.168.0.0/16. Enable Hide NAT on the NAT page. Enter 200.200.200.5 as
the hiding IP address. Add an ARP entry for 200.200.200.5 for the MAC address of 200.200.200.3.
-
B. Create network objects for 192.168.10.0/24 and 192.168.20.0/24. Enable Hide NAT on both network
objects, using 200.200.200.5 as hiding IP address. Add an ARP entry for 200.200.200.3 for the MAC
address of 200.200.200.5
-
C. Create an Address Range object, starting from 192.168.10.1 to 192.168.20.254. Enable Hide NAT on
the NAT page of the address range object. Enter Hiding IP address 200.200.200.5. Add an ARP entry
for 200.200.200.5 for the MAC address of 200.200.200.3
-
D. Create two network objects: 192.168.10.0/24 and 192.168.20.0/24. Add the two network objects to a
group object. Create a manual NAT rule like the following: Original source -groupobject; Destination -
any; Service - any; Translated source - 200.200.200.5; Destination -original; Service - original
Pregunta 47
Pregunta
QUESTION 47
Because of pre-existing design constraints, you set up manual NAT rules for your HTTP server. However,
your FTP server and SMTP server are both using automatic NAT rules. All traffic from your FTP and SMTP
servers are passing through the Security Gateway without a problem, but traffic from the Web server is
dropped on rule 0 because of anti-spoofing settings. What is causing this?
Respuesta
-
A. Manual NAT rules are not configured correctly.
-
B. Allow bi-directional NAT is not checked in Global Properties.
-
C. Routing is not configured correctly
-
D. Translate destination on client side is not checked in Global Properties under Manual NAT Rules.
Pregunta 48
Pregunta
QUESTION 48
You enable Hide NAT on the network object, 10.1.1.0 behind the Security Gateway's external interface. You
browse to the Google Website from host, 10.1.1.10 successfully. You enable a log on the rule that allows
10.1.1.0 to exit the network. How many log entries do you see for that connection in SmartView Tracker?
Respuesta
-
A. Two, one for outbound, one for inbound
-
B. Only one, outbound
-
C. Two, both outbound, one for the real IP connection and one for the NAT IP connection
-
D. Only one, inbound
Pregunta 49
Pregunta
QUESTION 49
Which of the following statements BEST describes Check Point's Hide Network Address Translation
method?
Respuesta
-
A. Translates many destination IP addresses into one destination IP address
-
B. One-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and
Destination IP address translation
-
C. Translates many source IP addresses into one source IP address
-
D. Many-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and
Destination IP address translation
Pregunta 50
Pregunta
QUESTION 50
Which Check Point address translation method allows an administrator to use fewer ISP-assigned IP
addresses than the number of internal hosts requiring Internet connectivity?
Respuesta
-
A. Hide
-
B. Static Destination
-
C. Static Source
-
D. Dynamic Destination
Pregunta 51
Pregunta
QUESTION 51
NAT can NOT be configured on which of the following objects?
Respuesta
-
A. HTTP Logical Server
-
B. Gateway
-
C. Address Range
-
D. Host
Pregunta 52
Pregunta
QUESTION 52
Which Check Point address translation method is necessary if you want to connect from a host on the
Internet via HTTP to a server with a reserved (RFC 1918) IP address on your DMZ?
Respuesta
-
A. Dynamic Source Address Translation
-
B. Hide Address Translation
-
C. Port Address Translation
-
D. Static Destination Address Translation
Pregunta 53
Pregunta
QUESTION 53
You want to implement Static Destination NAT in order to provide external, Internet users access to an
internal Web Server that has a reserved (RFC 1918) IP address. You have an unused valid IP address on
the network between your Security Gateway and ISP router. You control the router that sits between the
firewall external interface and the Internet.
What is an alternative configuration if proxy ARP cannot be used on your Security Gateway?
Respuesta
-
A. Publish a proxy ARP entry on the ISP router instead of the firewall for the valid IP address.
-
B. Place a static ARP entry on the ISP router for the valid IP address to the firewall's external address.
-
C. Publish a proxy ARP entry on the internal Web server instead of the firewall for the valid IP address.
-
D. Place a static host route on the firewall for the valid IP address to the internal Web server.
Pregunta 54
Pregunta
QUESTION 54
After implementing Static Address Translation to allow Internet traffic to an internal Web Server on your
DMZ, you notice that any NATed connections to that machine are being dropped by anti- spoofing
protections. Which of the following is the MOST LIKELY cause?
Respuesta
-
A. The Global Properties setting Translate destination on client side is unchecked. But the topology on the
DMZ interface is set to Internal - Network defined by IP and Mask. Check the Global Properties setting
Translate destination on client side.
-
B. The Global Properties setting Translate destination on client side is unchecked. But the topology on the
external interface is set to Others +. Change topology to External.
-
C. The Global Properties setting Translate destination on client side is checked. But the topology on the
external interface is set to External. Change topology to Others +.
-
D. The Global Properties setting Translate destination on client side is checked. But the topology on the
DMZ interface is set to Internal - Network defined by IP and Mask. Uncheck the Global Properties
setting Translate destination on client side.
Pregunta 55
Pregunta
QUESTION 55
Which NAT option applicable for Automatic NAT applies to Manual NAT as well?
Respuesta
-
A. Allow bi-directional NAT
-
B. Automatic ARP configuration
-
C. Translate destination on client-side
-
D. Enable IP Pool NAT
Pregunta 56
Pregunta
QUESTION 56
Your main internal network 10.10.10.0/24 allows all traffic to the Internet using Hide NAT. You also have a
small network 10.10.20.0/24 behind the internal router. You want to configure the kernel to translate the
source address only when network 10.10.20.0 tries to access the Internet for HTTP, SMTP, and FTP
services. Which of the following configurations will allow this network to access the Internet?
Respuesta
-
A. Configure three Manual Static NAT rules for network 10.10.20.0/24, one for each service.
-
B. Configure Automatic Static NAT on network 10.10.20.0/24.
-
C. Configure one Manual Hide NAT rule for HTTP, FTP, and SMTP services for network 10.10.20.0/24.
-
D. Configure Automatic Hide NAT on network 10.10.20.0/24 and then edit the Service column in the NAT
Rule Base on the automatic rule.
Pregunta 57
Pregunta
QUESTION 57
You have three servers located in a DMZ, using private IP addresses. You want internal users from
10.10.10.x to access the DMZ servers by public IP addresses. Internal_net 10.10.10.x is configured for
Hide NAT behind the Security Gateway's external interface.
What is the best configuration for 10.10.10.x users to access the DMZ servers, using the DMZ servers'
public IP addresses?
Respuesta
-
A. When connecting to internal network 10.10.10.x, configure Hide NAT for the DMZ network behind the
Security Gateway DMZ interface.
-
B. When the source is the internal network 10.10.10.x, configure manual static NAT rules to translate the
DMZ servers.
-
C. When connecting to the Internet, configure manual Static NAT rules to translate the DMZ servers.
-
D. When trying to access DMZ servers, configure Hide NAT for 10.10.10.x behind the DMZ's interface.
Pregunta 58
Pregunta
QUESTION 58
An internal host initiates a session to the Google.com website and is set for Hide NAT behind the Security
Gateway. The initiating traffic is an example of __________.
Respuesta
-
A. client side NAT
-
B. source NAT
-
C. destination NAT
-
D. None of these
Pregunta 59
Pregunta
QUESTION 59
A host on the Internet initiates traffic to the Static NAT IP of your Web server behind the Security Gateway.
With the default settings in place for NAT, the initiating packet will translate the _________.
Pregunta 60
Pregunta
QUESTION 60
A Web server behind the Security Gateway is set to Automatic Static NAT. Client side NAT is not checked
in the Global Properties. A client on the Internet initiates a session to the Web Server. Assuming there is a
rule allowing this traffic, what other configuration must be done to allow the traffic to reach the Web server?
Respuesta
-
A. Automatic ARP must be unchecked in the Global Properties.
-
B. Nothing else must be configured
-
C. A static route must be added on the Security Gateway to the internal host.
-
D. A static route for the NAT IP must be added to the Gateway's upstream router.
Correct Answer:
Pregunta 61
Pregunta
QUESTION 61
With deployment of SecureClient, you have defined in the policy that you allow traffic only to an encrypted
domain. But when your mobile users move outside of your company, they often cannot use SecureClient
because they have to register first (i.e. in Hotel or Conference rooms). How do you solve this problem?
Respuesta
-
A. Allow for unencrypted traffic
-
B. Allow traffic outside the encrypted domain
-
C. Enable Hot Spot/Hotel Registration
-
D. Allow your users to turn off SecureClient
Pregunta 62
Pregunta
QUESTION 62
What statement is true regarding Visitor Mode?
Respuesta
-
A. VPN authentication and encrypted traffic are tunneled through port TCP 443.
-
B. Only ESP traffic is tunneled through port TCP 443.
-
C. Only Main mode and Quick mode traffic are tunneled on TCP port 443.
-
D. All VPN traffic is tunneled through UDP port 4500.
Pregunta 63
Pregunta
QUESTION 63
When attempting to connect with SecureClient Mobile you get the following error message:
The certificate provided is invalid. Please provide the username and password.
What is the probable cause of the error?
Respuesta
-
A. Your user configuration does not have an office mode IP address so the connection failed.
-
B. Your certificate is invalid.
-
C. There is no connection to the server, and the client disconnected.
-
D. Your user credentials are invalid.
Pregunta 64
Pregunta
QUESTION 64
What port is used for communication to the User Center with SmartUpdate?
Respuesta
-
A. CPMI 200
-
B. TCP 8080
-
C. HTTP 80
-
D. HTTPS 443
Pregunta 65
Pregunta
QUESTION 65
You are a Security Administrator preparing to deploy a new HFA (Hotfix Accumulator) to ten Security
Gateways at five geographically separate locations. What is the BEST method to implement this HFA?
Respuesta
-
A. Use a SSH connection to SCP the HFA to each Security Gateway. Once copied locally, initiate a remote installation command and monitor the installation progress with SmartView Monitor.
-
B. Send a CD-ROM with the HFA to each location and have local personnel install it.
-
C. Send a Certified Security Engineer to each site to perform the update.
-
D. Use SmartUpdate to install the packages to each of the Security Gateways remotely.
Pregunta 66
Pregunta
QUESTION 66
What action can be performed from SmartUpdate R77?
Pregunta 67
Pregunta
QUESTION 67
Which tool CANNOT be launched from SmartUpdate R77?
Respuesta
-
A. IP Appliance Voyager
-
B. snapshot
-
C. GAiA WebUI
-
D. cpinfo
Pregunta 68
Pregunta
QUESTION 68
Sally has a Hot Fix Accumulator (HFA) she wants to install on her Security Gateway which operates with
GAiA, but she cannot SCP the HFA to the system. She can SSH into the Security Gateway, but she has
never been able to SCP files to it. What would be the most likely reason she cannot do so?
Respuesta
-
A. She needs to edit /etc/SSHd/SSHd_config and add the Standard Mode account.
-
B. She needs to run sysconfig and restart the SSH process.
-
C. She needs to edit /etc/scpusers and add the Standard Mode account.
-
D. She needs to run cpconfig to enable the ability to SCP files.
Pregunta 69
Pregunta
QUESTION 69
Which of the following are available SmartConsole clients which can be installed from the R77 Windows
CD? Read all answers and select the most complete and valid list.
Respuesta
-
A. SmartView Tracker, SmartDashboard, CPINFO, SmartUpdate, SmartView Status
-
B. SmartView Tracker, SmartDashboard, SmartLSM, SmartView Monitor
-
C. SmartView Tracker, CPINFO, SmartUpdate
-
D. Security Policy Editor, Log Viewer, Real Time Monitor GUI
Pregunta 70
Pregunta
QUESTION 70
What is a possible reason for the IKE failure shown in this screenshot?
Respuesta
-
A. Mismatch in VPN Domains.
-
B. Mismatch in preshared secrets.
-
C. Mismatch in Diffie-Hellman group.
-
D. Mismatch in encryption schemes.
Pregunta 71
Pregunta
QUESTION 71
When using an encryption algorithm, which is generally considered the best encryption method?
Respuesta
-
A. Triple DES
-
B. AES-256
-
C. CAST cipher
-
D. DES
Pregunta 72
Pregunta
QUESTION 72
Which do you configure to give remote access VPN users a local IP address?
Pregunta 73
Pregunta
QUESTION 73
You have a mesh VPN Community configured to create a site-to-site VPN. Given the displayed VPN
properties, what can you conclude about this community?
Exhibit:
Respuesta
-
A. The VPN Community will perform IKE Phase 1 key-exchange encryption using the longest key Security
Gateway R77 supports.
-
B. Changing the setting Perform key exchange encryption with from AES-256 to 3DES will enhance the
VPN Community's security , and reduce encryption overhead.
-
C. Change the data-integrity setting for this VPN Community because MD5 is incompatible with AES.
-
D. Changing the setting Perform IPsec data encryption with from AES-128 to 3Des will increase the
encryption overhead.
Pregunta 74
Pregunta
QUESTION 74
Certificates for Security Gateways are created during a simple initialization from _____________.
Pregunta 75
Pregunta
QUESTION 75
Which of the below is the MOST correct process to reset SIC from SmartDashboard?
Respuesta
-
A. Run cpconfig, and click Reset.
-
B. Click the Communication button for the firewall object, then click Reset. Run cpconfig and type a new
activation key.
-
C. Run cpconfig, and select Secure Internal Communication > Change One Time Password.
-
D. Click Communication > Reset on the Gateway object, and type a new activation key.
Pregunta 76
Pregunta
QUESTION 76
Exhibit:
You installed Security Management Server on a computer using GAiA in the MegaCorp home office. You
use IP address 10.1.1.1. You also installed the Security Gateway on a second GAiA computer, which you
plan to ship to another Administrator at a MegaCorp hub office. What is the correct order for pushing SIC
certificates to the Gateway before shipping it?
Respuesta
-
A. 2, 3, 4, 1, 5
-
B. 2, 1, 3, 4, 5
-
C. 1, 3, 2, 4, 5
-
D. 2, 3, 4, 5, 1
Pregunta 77
Pregunta
QUESTION 77
Although SIC was already established and running, Joe reset SIC between the Security Management
Server and a remote Gateway. He set a new activation key on the Gateway's side with the command
cpconfig and put in the same activation key in the Gateway's object on the Security Management Server.
Unfortunately, SIC can not be established. What is a possible reason for the problem?
Respuesta
-
A. The installed policy blocks the communication.
-
B. The old Gateway object should have been deleted and recreated.
-
C. Joe forgot to exit from cpconfig.
-
D. Joe forgot to reboot the Gateway.
Pregunta 78
Pregunta
QUESTION 78
You want to reset SIC between smberlin and sgosaka.
In SmartDashboard, you choose sgosaka, Communication, Reset. On sgosaka, you start cpconfig, choose
Secure Internal Communication and enter the new SIC Activation Key. The screen reads The SIC was
successfully initialized and jumps back to the cpconfig menu. When trying to establish a connection, instead
of a working connection, you receive this error message:
"Failed to connect to the module"
What is the reason for this behavior?
Respuesta
-
A. The Gateway was not rebooted, which is necessary to change the SIC key.
-
B. You must first initialize the Gateway object in SmartDashboard (i.e., right-click on the object, choose
Basic Setup > Initialize).
-
C. The Check Point services on the Gateway were not restarted because you are still in the cpconfig utility.
-
D. The activation key contains letters that are on different keys on localized keyboards. Therefore, the
activation can not be typed in a matching fashion.
Pregunta 79
Pregunta
QUESTION 79
John is the Security Administrator in his company. He installs a new R77 Security Management Server and
a new R77 Gateway. He now wants to establish SIC between them. After entering the activation key, he
gets the following message in SmartDashboard -
"Trust established"
SIC still does not seem to work because the policy won't install and interface fetching does not work. What
might be a reason for this?
Respuesta
-
A. SIC does not function over the network.
-
B. It always works when the trust is established
-
C. The Gateway's time is several days or weeks in the future and the SIC certificate is not yet valid.
-
D. This must be a human error.
Pregunta 80
Pregunta
QUESTION 80
The SIC certificate is stored in the directory _______________.
Respuesta
-
A. $CPDIR/registry
-
B. $CPDIR/conf
-
C. $FWDIR/database
-
D. $FWDIR/conf
Pregunta 81
Pregunta
QUESTION 81
You run cpconfig to reset SIC on the Security Gateway. After the SIC reset operation is complete, the policy
that will be installed is the:
Pregunta 82
Pregunta
QUESTION 82
Exhibit:
Chris has lost SIC communication with his Security Gateway and he needs to re-establish SIC. What would
be the correct order of steps needed to perform this task?
Respuesta
-
A. 5, 1, 2, 4
-
B. 5, 1, 4, 2
-
C. 3, 1, 4, 2
-
D. 2, 3, 1, 4
Pregunta 83
Pregunta
QUESTION 83
What happens when you open the Gateway object window Trusted Communication and press and confirm
Reset?
Respuesta
-
A. Sic will be reset on the Gateway only.
-
B. The Gateway certificate will be revoked on the Gateway only.
-
C. The Gateway certificate will be revoked on the Security Managment Server only.
-
D. The Gateway certificate will be revoked on the Security Management Server and SIC will be reset on
the Gateway.
Pregunta 84
Pregunta
QUESTION 84
Identity Awareness is implemented to manage access to protected resources based on a user's
_____________.
Pregunta 85
Pregunta
QUESTION 85
Which of the following allows administrators to allow or deny traffic to or from a specific network based on
the user's credentials?
Respuesta
-
A. Access Policy
-
B. Access Role
-
C. Access Rule
-
D. Access Certificate
Pregunta 86
Pregunta
QUESTION 86
John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to a
set of designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the
gateway policy permits access only from John's desktop which is assigned a static IP address 10.0.0.19.
He has received a new laptop and wants to access the HR Web Server from anywhere in the organization.
The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk.
The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop
with a static IP (10.0.0.19).
He wants to move around the organization and continue to have access to the HR Web Server. To make
this scenario work, the IT administrator:
1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources, and installs
the policy.
2) Adds an access role object to the Firewall Rule Base that lets John Adams access the HR Web Server
from any machine and from any location and installs policy.
John plugged in his laptop to the network on a different network segment and was not able to connect to
the HR Web server. What is the next BEST troubleshooting step?
Respuesta
-
A. Investigate this as a network connectivity issue
-
B. Install the Identity Awareness Agent
-
C. Set static IP to DHCP
-
D. After enabling Identity Awareness, reboot the gateway
Pregunta 87
Pregunta
QUESTION 87
John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to
designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway
policy permits access only from John's desktop which is assigned an IP address 10.0.0.19 via DHCP.
John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT
department gave the laptop a static IP address, but that limits him to operating it only from his desk. The
current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop. He
wants to move around the organization and continue to have access to the HR Web Server.
To make this scenario work, the IT administrator:
1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources installs the
policy.
2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web
Server from any machine and from any location.
John plugged in his laptop to the network on a different network segment and he is not able to connect.
How does he solve this problem?
Respuesta
-
A. John should install the Identity Awareness Agent
-
B. The firewall admin should install the Security Policy
-
C. John should lock and unlock the computer
-
D. Investigate this as a network connectivity issue
Pregunta 88
Pregunta
QUESTION 88
John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to
designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway
policy permits access only from John's desktop which is assigned a static IP address 10.0.0.19.
John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT
department gave the laptop a static IP address, but that limits him to operating it only from his desk. The
current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop with a
static IP (10.0.0.19). He wants to move around the organization and continue to have access to the HR
Web Server.
To make this scenario work, the IT administrator:
1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources installs the
policy.
2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web
Server from any machine and from any location.
What should John do when he cannot access the web server from a different personal computer?
Respuesta
-
A. John should lock and unlock his computer
-
B. Investigate this as a network connectivity issue
-
C. The access should be changed to authenticate the user instead of the PC
-
D. John should install the Identity Awareness Agent
Pregunta 89
Pregunta
QUESTION 89
Jennifer McHanry is CEO of ACME. She recently bought her own personal iPad. She wants use her iPad to
access the internal Finance Web server. Because the iPad is not a member of the
Active Directory domain, she cannot identify seamlessly with AD Query. However, she can enter her AD
credentials in the Captive Portal and then get the same access as on her office computer. Her access to
resources is based on rules in the R77 Firewall Rule Base.
To make this scenario work, the IT administrator must:
1) Enable Identity Awareness on a gateway and select Captive Portal as one of the Identity Sources.
2) In the Portal Settings window in the User Access section, make sure that Name and password login is
selected.
3) Create a new rule in the Firewall Rule Base to let Jennifer McHanry access network destinations. Select accept as the Action.
Ms. McHanry tries to access the resource but is unable. What should she do?
Respuesta
-
A. Have the security administrator select the Action field of the Firewall Rule "Redirect HTTP connections
to an authentication (captive) portal"
-
B. Have the security administrator reboot the firewall
-
C. Have the security administrator select Any for the Machines tab in the appropriate Access Role
-
D. Install the Identity Awareness agent on her iPad
Pregunta 90
Pregunta
QUESTION 90
When using LDAP as an authentication method for Identity Awareness, the query:
Respuesta
-
A. Requires client and server side software.
-
B. Prompts the user to enter credentials
-
C. Requires administrators to specifically allow LDAP traffic to and from the LDAP Server and the Security
Gateway.
-
D. Is transparent, requiring no client or server side software, or client intervention.
Pregunta 91
Pregunta
QUESTION 91
Which of the following firewall modes DOES NOT allow for Identity Awareness to be deployed?
Respuesta
-
A. Bridge
-
B. Load Sharing
-
C. High Availability
-
D. Fail Open
Pregunta 92
Pregunta
QUESTION 92
What happens if the identity of a user is known?
Respuesta
-
A. If the user credentials do not match an Access Role, the traffic is automatically dropped.
-
B. If the user credentials do not match an Access Role, the system displays a sandbox.
-
C. If the user credentials do not match an Access Role, the gateway moves onto the next rule.
-
D. If the user credentials do not match an Access Role, the system displays the Captive Portal.
Pregunta 93
Pregunta
QUESTION 93
What happens if the identity of a user is known?
Respuesta
-
A. If the user credentials do not match an Access Role, the system displays the Captive Portal.
-
B. If the user credentials do not match an Access Role, the system displays a sandbox.
-
C. If the user credentials do not match an Access Role, the traffic is automatically dropped.
-
D. If the user credentials match an Access Role, the rule is applied and traffic is accepted or dropped
based on the defined action.
Pregunta 94
Pregunta
QUESTION 94
Which rule position in the Rule Base should hold the Cleanup Rule? Why?
Respuesta
-
A. First. It explicitly accepts otherwise dropped traffic.
-
B. Last. It explicitly drops otherwise accepted traffic.
-
C. Last. It serves a logging function before the implicit drop.
-
D. Before last followed by the Stealth Rule.
Pregunta 95
Pregunta
QUESTION 95
Which item below in a Security Policy would be enforced first?
Respuesta
-
A. IP spoofing/IP options
-
B. Security Policy First rule
-
C. Administrator-defined Rule Base
-
D. Network Address Translation
Pregunta 96
Pregunta
QUESTION 96
When you hide a rule in a Rule Base, how can you then disable the rule?
Respuesta
-
A. Hidden rules are already effectively disabled from Security Gateway enforcement.
-
B. Right-click on the hidden rule place-holder bar and select Disable Rule(s).
-
C. Right-click on the hidden rule place-holder bar and uncheck Hide, then right-click and select Disable
Rule(s); re-hide the rule.
-
D. Use the search utility in SmartDashboard to view all hidden rules. Select the relevant rule and click
Disable Rule(s).
Pregunta 97
Pregunta
QUESTION 97
A Cleanup rule:
Respuesta
-
A. logs connections that would otherwise be dropped without logging by default.
-
B. drops packets without logging connections that would otherwise be dropped and logged by default.
-
C. logs connections that would otherwise be accepted without logging by default.
-
D. drops packets without logging connections that would otherwise be accepted and logged by default.
Pregunta 98
Pregunta
QUESTION 98
Which statement is TRUE about implicit rules?
Respuesta
-
A. You create them in SmartDashboard.
-
B. The Gateway enforces implicit rules that enable outgoing packets only.
-
C. Changes to the Security Gateway's default settings do not affect implicit rules.
-
D. They are derived from Global Properties and explicit object properties.
Pregunta 99
Pregunta
QUESTION 99
You have included the Cleanup Rule in your Rule Base. Where in the Rule Base should the Accept ICMP
Requests implied rule have no effect?
Respuesta
-
A. Last
-
B. After Stealth Rule
-
C. First
-
D. Before Last
Pregunta 100
Pregunta
QUESTION 100
All of the following are Security Gateway control connections defined by default implied rules, EXCEPT:
Respuesta
-
A. Exclusion of specific services for reporting purposes.
-
B. Acceptance of IKE and RDP traffic for communication and encryption purposes.
-
C. Communication with server types, such as RADIUS, CVP, UFP, TACACS, and LDAP
-
D. Specific traffic that facilitates functionality, such as logging, management, and key exchange.