Exam 2 - CCSA 156-215 v7

Descripción

Exam 2 - CCSA 156-215 v7
Gustavo Gonçalves
Test por Gustavo Gonçalves, actualizado hace más de 1 año
Gustavo Gonçalves
Creado por Gustavo Gonçalves hace más de 7 años
95
0

Resumen del Recurso

Pregunta 1

Pregunta
QUESTION 1 You manage a global network extending from your base in Chicago to Tokyo, Calcutta and Dallas. Management wants a report detailing the current software level of each Enterprise class Security Gateway. You plan to take the opportunity to create a proposal outline, listing the most cost- effective way to upgrade your Gateways. Which two SmartConsole applications will you use to create this report and outline?
Respuesta
  • A. SmartView Tracker and SmartView Monitor
  • B. SmartLSM and SmartUpdate
  • C. SmartDashboard and SmartView Tracker
  • D. SmartView Monitor and SmartUpdate

Pregunta 2

Pregunta
QUESTION 2 Your bank's distributed R77 installation has Security Gateways up for renewal. Which SmartConsole application will tell you which Security Gateways have licenses that will expire within the next 30 days?
Respuesta
  • A. SmartView Tracker
  • B. SmartPortal
  • C. SmartUpdate
  • D. SmartDashboard

Pregunta 3

Pregunta
QUESTION 3 When launching SmartDashboard, what information is required to log into R77?
Respuesta
  • A. User Name, Management Server IP, certificate fingerprint file
  • B. User Name, Password, Management Server IP
  • C. Password, Management Server IP
  • D. Password, Management Server IP, LDAP Server IP

Pregunta 4

Pregunta
QUESTION 4 Message digests use which of the following?
Respuesta
  • A. DES and RC4
  • B. IDEA and RC4
  • C. SSL and MD4
  • D. SHA-1 and MD5

Pregunta 5

Pregunta
QUESTION 5 Which of the following is a hash algorithm?
Respuesta
  • A. 3DES
  • B. IDEA
  • C. DES
  • D. MD5

Pregunta 6

Pregunta
QUESTION 6 Which of the following uses the same key to decrypt as it does to encrypt?
Respuesta
  • A. Asymmetric encryption
  • B. Dynamic encryption
  • C. Certificate-based encryption
  • D. Symmetric encryption

Pregunta 7

Pregunta
QUESTION 7 You believe Phase 2 negotiations are failing while you are attempting to configure a site-to-site VPN with one of your firm's business partners. Which SmartConsole application should you use to confirm your suspicions?
Respuesta
  • A. SmartDashboard
  • B. SmartUpdate
  • C. SmartView Status
  • D. SmartView Tracker

Pregunta 8

Pregunta
QUESTION 8 A digital signature:
Respuesta
  • A. Guarantees the authenticity and integrity of a message.
  • B. Automatically exchanges shared keys.
  • C. Decrypts data to its original form.
  • D. Provides a secure key exchange mechanism over the Internet.

Pregunta 9

Pregunta
QUESTION 9 Which component functions as the Internal Certificate Authority for R77?
Respuesta
  • A. Security Gateway
  • B. Management Server
  • C. Policy Server
  • D. SmartLSM

Pregunta 10

Pregunta
QUESTION 10 The customer has a small Check Point installation, which includes one GAiA server working as the SmartConsole, and a second server running Windows 2008 as both Security Management Server and Security Gateway. This is an example of a(n):
Respuesta
  • A. Distributed Installation
  • B. Hybrid Installation
  • C. Unsupported configuration
  • D. Stand-Alone Installation

Pregunta 11

Pregunta
QUESTION 11 The customer has a small Check Point installation which includes one Windows 2008 server as the SmartConsole and a second server running GAiA as both Security Management Server and the Security Gateway. This is an example of a(n):
Respuesta
  • A. Distributed Installation
  • B. Unsupported configuration
  • C. Hybrid Installation
  • D. Stand-Alone Installation

Pregunta 12

Pregunta
QUESTION 12 The customer has a small Check Point installation which includes one Windows 7 workstation as the SmartConsole, one GAiA device working as Security Management Server, and a third server running SecurePlatform as Security Gateway. This is an example of a(n):
Respuesta
  • A. Hybrid Installation
  • B. Unsupported configuration
  • C. Stand-Alone Installation
  • D. Distributed Installation

Pregunta 13

Pregunta
QUESTION 13 The customer has a small Check Point installation which includes one Windows 2008 server as SmartConsole and Security Management Server with a second server running GAiA as Security Gateway. This is an example of a(n):
Respuesta
  • A. Stand-Alone Installation.
  • B. Distributed Installation.
  • C. Unsupported configuration
  • D. Hybrid Installation

Pregunta 14

Pregunta
QUESTION 14 When doing a Stand-Alone Installation, you would install the Security Management Server with which other Check Point architecture component?
Respuesta
  • A. None, Security Management Server would be installed by itself.
  • B. SmartConsole
  • C. SecureClient
  • D. Security Gateway

Pregunta 15

Pregunta
QUESTION 15 Tom has been tasked to install Check Point R77 in a distributed deployment. Before Tom installs the systems this way, how many machines will he need if he does NOT include a SmartConsole machine in his calculations?
Respuesta
  • A. Three machines
  • B. One machine
  • C. Two machines
  • D. One machine, but it needs to be installed using SecurePlatform for compatibility purposes

Pregunta 16

Pregunta
QUESTION 16 Which command allows Security Policy name and install date verification on a Security Gateway?
Respuesta
  • A. fw show policy
  • B. fw stat -l
  • C. fw ctl pstat -policy
  • D. fw ver -p

Pregunta 17

Pregunta
QUESTION 17 You have two rules, ten users, and two user groups in a Security Policy. You create database version 1 for this configuration. You then delete two existing users and add a new user group. You modify one rule and add two new rules to the Rule Base. You save the Security Policy and create database version 2. After awhile, you decide to roll back to version 1 to use the Rule Base, but you want to keep your user database. How can you do this?
Respuesta
  • A. Run fwm dbexport -l filename. Restore the database. Then, run fwm dbimport -l filename to import the users.
  • B. Run fwm_dbexport to export the user database. Select restore the entire database in the Database Revision screen. Then, run fwm_dbimport.
  • C. Restore the entire database, except the user database, and then create the new user and user group.
  • D. Restore the entire database, except the user database.

Pregunta 18

Pregunta
QUESTION 18 Which feature or command provides the easiest path for Security Administrators to revert to earlier versions of the same Security Policy and objects configuration?
Respuesta
  • A. Database Revision Control
  • B. Policy Package management
  • C. dbexport/dbimport
  • D. upgrade_export/upgrade_import

Pregunta 19

Pregunta
QUESTION 19 Your Security Management Server fails and does not reboot. One of your remote Security Gateways managed by the Security Management Server reboots. What occurs with the remote Gateway after reboot?
Respuesta
  • A. Since the Security Management Server is not available, the remote Gateway cannot fetch the Security Policy. Therefore, all traffic is allowed through the Gateway.
  • B. Since the Security Management Server is not available, the remote Gateway cannot fetch the Security Policy. Therefore, no traffic is allowed through the Gateway.
  • C. The remote Gateway fetches the last installed Security Policy locally and passes traffic normally. The Gateway will log locally, since the Security Management Server is not available.
  • D. Since the Security Management Server is not available, the remote Gateway uses the local Security Policy, but does not log traffic.

Pregunta 20

Pregunta
QUESTION 20 How can you configure an application to automatically launch on the Security Management Server when traffic is dropped or accepted by a rule in the Security Policy?
Respuesta
  • A. SNMP trap alert script
  • B. Custom scripts cannot be executed through alert scripts.
  • C. User-defined alert script
  • D. Pop-up alert script

Pregunta 21

Pregunta
QUESTION 21 Which of the following is NOT useful to verify whether or not a Security Policy is active on a Gateway?
Respuesta
  • A. fw ctl get string active_secpol
  • B. fw stat
  • C. cpstat fw -f policy
  • D. Check the Security Policy name of the appropriate Gateway in SmartView Monitor.

Pregunta 22

Pregunta
QUESTION 22 Exhibit: Of the following, what parameters will not be preserved when using Database Revision Control?
Respuesta
  • A. 2, 4, 7, 10, 11
  • B. 3, 4, 5, 6, 9, 12, 13
  • C. 5, 6, 9, 12, 13
  • D. 1, 2, 8, 10, 11

Pregunta 23

Pregunta
QUESTION 23 You are about to test some rule and object changes suggested in an R77 news group. Which backup solution should you use to ensure the easiest restoration of your Security Policy to its previous configuration after testing the changes?
Respuesta
  • A. Manual copies of the directory $FWDIR/conf
  • B. upgrade_export command
  • C. Database Revision Control
  • D. GAiA backup utilities

Pregunta 24

Pregunta
QUESTION 24 Exhibit: You plan to create a backup of the rules, objects, policies, and global properties from an R77 Security Management Server. Which of the following backup and restore solutions can you use?
Respuesta
  • A. 2, 4, and 5
  • B. 1, 2, 3, 4, and 5
  • C. 1, 2, and 3
  • D. 1, 3, and 4

Pregunta 25

Pregunta
QUESTION 25 Which R77 feature or command allows Security Administrators to revert to earlier Security Policy versions without changing object configurations?
Respuesta
  • A. upgrade_export/upgrade_import
  • B. fwm dbexport/fwm dbimport
  • C. Database Revision Control
  • D. Policy Package management

Pregunta 26

Pregunta
QUESTION 26 What must a Security Administrator do to comply with a management requirement to log all traffic accepted through the perimeter Security Gateway?
Respuesta
  • A. In Global Properties > Reporting Tools check the box Enable tracking all rules (including rules marked as None in the Track column). Send these logs to a secondary log server for a complete logging history. Use your normal log server for standard logging for troubleshooting.
  • B. Install the View Implicit Rules package using SmartUpdate.
  • C. Define two log servers on the R77 Gateway object. Enable Log Implied Rules on the first log server. Enable Log Rule Base on the second log server. Use SmartReporter to merge the two log server records into the same database for HIPPA log audits.
  • D. Check the Log Implied Rules Globally box on the R77 Gateway object.

Pregunta 27

Pregunta
QUESTION 27 Which utility allows you to configure the DHCP service on GAiA from the command line?
Respuesta
  • A. ifconfig
  • B. sysconfig
  • C. cpconfig
  • D. dhcp_cfg

Pregunta 28

Pregunta
QUESTION 28 The third-shift Administrator was updating Security Management Server access settings in Global Properties and testing. He managed to lock himself out of his account. How can you unlock this account?
Respuesta
  • A. Type fwm unlock_admin from the Security Management Server command line.
  • B. Type fwm unlock_admin -u from the Security Gateway command line.
  • C. Type fwm lock_admin -u <account name> from the Security Management Server command line.
  • D. Delete the file admin.lock in the Security Management Server directory $FWDIR/tmp/.

Pregunta 29

Pregunta
QUESTION 29 The third-shift Administrator was updating Security Management Server access settings in Global Properties. He managed to lock all administrators out of their accounts. How should you unlock these accounts?
Respuesta
  • A. Delete the file admin.lock in the Security Management Server directory $FWDIR/tmp/.
  • B. Reinstall the Security Management Server and restore using upgrade_import.
  • C. Type fwm lock_admin -ua from the Security Management Server command line.
  • D. Login to SmartDashboard as the special cpconfig_admin user account; right-click on each administrator object and select unlock.

Pregunta 30

Pregunta
QUESTION 30 You are the Security Administrator for ABC-Corp. A Check Point Firewall is installed and in use on GAiA. You are concerned that the system might not be retaining your entries for the interfaces and routing configuration. You would like to verify your entries in the corresponding file(s) on GAiA. Where can you view them? Give the BEST answer.
Respuesta
  • A. /etc/sysconfig/netconf.C
  • B. /etc/conf/route.C
  • C. /etc/sysconfig/network-scripts/ifcfg-ethx
  • D. /etc/sysconfig/network

Pregunta 31

Pregunta
QUESTION 31 When using GAiA, it might be necessary to temporarily change the MAC address of the interface eth 0 to 00:0C:29:12:34:56. After restarting the network the old MAC address should be active. How do you configure this change?
Respuesta
  • A. Edit the file /etc/sysconfig/netconf.C and put the new MAC address in the field
  • B. As expert user, issue these commands: # IP link set eth0 down # IP link set eth0 addr 00:0C:29:12:34:56 # IP link set eth0 up
  • C. As expert user, issue the command: # IP link set eth0 addr 00:0C:29:12:34:56
  • D. Open the WebUI, select Network > Connections > eth0. Place the new MAC address in the field Physical Address, and press Apply to save the settings.

Pregunta 32

Pregunta
QUESTION 32 Several Security Policies can be used for different installation targets. The Firewall protecting Human Resources' servers should have its own Policy Package. These rules must be installed on this machine and not on the Internet Firewall. How can this be accomplished?
Respuesta
  • A. A Rule Base is always installed on all possible targets. The rules to be installed on a Firewall are defined by the selection in the Rule Base row Install On.
  • B. When selecting the correct Firewall in each line of the Rule Base row Install On, only this Firewall is shown in the list of possible installation targets after selecting Policy > Install on Target.
  • C. In the menu of SmartDashboard, go to Policy > Policy Installation Targets and select the correct firewall via Specific Targets.
  • D. A Rule Base can always be installed on any Check Point Firewall object. It is necessary to select the appropriate target directly after selecting Policy > Install on Target.

Pregunta 33

Pregunta
QUESTION 33 You have a diskless appliance platform. How do you keep swap file wear to a minimum?
Respuesta
  • A. Issue FW-1 bases its package structure on the Security Management Server, dynamically loading when the firewall is booted.
  • B. The external PCMCIA-based flash extension has the swap file mapped to it, allowing easy replacement.
  • C. Use PRAM flash devices, eliminating the longevity.
  • D. A RAM drive reduces the swap file thrashing which causes fast wear on the device.

Pregunta 34

Pregunta
QUESTION 34 Your R77 primary Security Management Server is installed on GAiA. You plan to schedule the Security Management Server to run fw logswitch automatically every 48 hours. How do you create this schedule?
Respuesta
  • A. On a GAiA Security Management Server, this can only be accomplished by configuring the command fw logswitch via the cron utility.
  • B. Create a time object, and add 48 hours as the interval. Open the primary Security Management Server object's Logs and Masters window, enable Schedule log switch, and select the Time object.
  • C. Create a time object, and add 48 hours as the interval. Open the Security Gateway object's Logs and Masters window, enable Schedule log switch, and select the Time object.
  • D. Create a time object, and add 48 hours as the interval. Select that time object's Global Properties > Logs and Masters window, to schedule a logswitch.

Pregunta 35

Pregunta
QUESTION 35 Which of the following methods will provide the most complete backup of an R77 configuration?
Respuesta
  • A. Policy Package Management
  • B. Copying the directories $FWDIR\conf and $CPDIR\conf to another server
  • C. Execute command upgrade_export
  • D. Database Revision Control

Pregunta 36

Pregunta
QUESTION 36 Which of the following commands can provide the most complete restoration of a R77 configuration?
Respuesta
  • A. upgrade_import
  • B. cpinfo -recover
  • C. cpconfig
  • D. fwm dbimport -p <export file>

Pregunta 37

Pregunta
QUESTION 37 When restoring R77 using the command upgrade_import, which of the following items are NOT restored?
Respuesta
  • A. SIC Certificates
  • B. Licenses
  • C. Route tables
  • D. Global properties

Pregunta 38

Pregunta
QUESTION 38 Your organization's disaster recovery plan needs an update to the backup and restore section to reap the new distributed R77 installation benefits. Your plan must meet the following required and desired objectives: Required ObjectivE. The Security Policy repository must be backed up no less frequently than every 24 hours. Desired ObjectivE. The R77 components that enforce the Security Policies should be backed up at least once a week. Desired ObjectivE. Back up R77 logs at least once a week. Your disaster recovery plan is as follows: - Use the cron utility to run the command upgrade_export each night on the Security Management Servers. - Configure the organization's routine back up software to back up the files created by the command upgrade_export. - Configure the GAiA back up utility to back up the Security Gateways every Saturday night. - Use the cron utility to run the command upgrade_export each Saturday night on the log servers. - Configure an automatic, nightly logswitch. - Configure the organization's routine back up software to back up the switched logs every night. Upon evaluation, your plan:
Respuesta
  • A. Meets the required objective and only one desired objective.
  • B. Meets the required objective but does not meet either desired objective.
  • C. Does not meet the required objective.
  • D. Meets the required objective and both desired objectives.

Pregunta 39

Pregunta
QUESTION 39 Your company is running Security Management Server R77 on GAiA, which has been migrated through each version starting from Check Point 4.1. How do you add a new administrator account?
Respuesta
  • A. Using SmartDashboard, under Users, select Add New Administrator
  • B. Using SmartDashboard or cpconfig
  • C. Using the Web console on GAiA under Product configuration, select Administrators
  • D. Using cpconfig on the Security Management Server, choose Administrators

Pregunta 40

Pregunta
QUESTION 40 Peter is your new Security Administrator. On his first working day, he is very nervous and enters the wrong password three times. His account is locked. What can be done to unlock Peter's account? Give the BEST answer.
Respuesta
  • A. You can unlock Peter's account by using the command fwm lock_admin -u Peter on the Security Management Server.
  • B. You can unlock Peter's account by using the command fwm unlock_admin -u Peter on the Security Management Server
  • C. It is not possible to unlock Peter's account. You have to install the firewall once again or abstain from Peter's help.
  • D. You can unlock Peter's account by using the command fwm unlock_admin -u Peter on the Security Gateway.

Pregunta 41

Pregunta
QUESTION 41 Where can you find the Check Point's SNMP MIB file?
Respuesta
  • A. $CPDIR/lib/snmp/chkpt.mib
  • B. $FWDIR/conf/snmp.mib
  • C. It is obtained only by request from the TAC.
  • D. There is no specific MIB file for Check Point products.

Pregunta 42

Pregunta
QUESTION 42 You want to generate a cpinfo file via CLI on a system running GAiA. This will take about 40 minutes since the log files are also needed. What action do you need to take regarding timeout?
Respuesta
  • A. No action is needed because cpshell has a timeout of one hour by default.
  • B. Log in as the default user expert and start cpinfo.
  • C. Log in as admin, switch to expert mode, set the timeout to one hour with the command, idle 60, then start cpinfo.
  • D. Log in as Administrator, set the timeout to one hour with the command idle 60 and start cpinfo.

Pregunta 43

Pregunta
QUESTION 43 Many companies have defined more than one administrator. To increase security, only one administrator should be able to install a Rule Base on a specific Firewall. How do you configure this?
Respuesta
  • A. Define a permission profile in SmartDashboard with read/write privileges, but restrict it to all other firewalls by placing them in the Policy Targets field. Then, an administrator with this permission profile cannot install a policy on any Firewall not listed here.
  • B. Put the one administrator in an Administrator group and configure this group in the specific Firewall object in Advanced > Permission to Install.
  • C. In the object General Properties representing the specific Firewall, go to the Software Blades product list and select Firewall. Right-click in the menu, select Administrator to Install to define only this administrator.
  • D. Right-click on the object representing the specific administrator, and select that Firewall in Policy Targets.

Pregunta 44

Pregunta
QUESTION 44 What is the officially accepted diagnostic tool for IP Appliance Support?
Respuesta
  • A. ipsoinfo
  • B. CST
  • C. uag-diag
  • D. cpinfo

Pregunta 45

Pregunta
QUESTION 45 Which of these Security Policy changes optimize Security Gateway performance?
Respuesta
  • A. Using groups within groups in the manual NAT Rule Base.
  • B. Use Automatic NAT rules instead of Manual NAT rules whenever possible.
  • C. Using domain objects in rules when possible.
  • D. Putting the least-used rule at the top of the Rule Base.

Pregunta 46

Pregunta
QUESTION 46 Your perimeter Security Gateway's external IP is 200.200.200.3. Your network diagram shows: Required: Allow only network 192.168.10.0 and 192.168.20.0 to go out to Internet, using 200.200.200.5. The local network 192.168.1.0/24 needs to use 200.200.200.3 to go out to the Internet. Assume you enable all the settings in the NAT page of Global Properties. How do you achieve this requirement?
Respuesta
  • A. Create a network object 192.168.0.0/16. Enable Hide NAT on the NAT page. Enter 200.200.200.5 as the hiding IP address. Add an ARP entry for 200.200.200.5 for the MAC address of 200.200.200.3.
  • B. Create network objects for 192.168.10.0/24 and 192.168.20.0/24. Enable Hide NAT on both network objects, using 200.200.200.5 as hiding IP address. Add an ARP entry for 200.200.200.3 for the MAC address of 200.200.200.5
  • C. Create an Address Range object, starting from 192.168.10.1 to 192.168.20.254. Enable Hide NAT on the NAT page of the address range object. Enter Hiding IP address 200.200.200.5. Add an ARP entry for 200.200.200.5 for the MAC address of 200.200.200.3
  • D. Create two network objects: 192.168.10.0/24 and 192.168.20.0/24. Add the two network objects to a group object. Create a manual NAT rule like the following: Original source -groupobject; Destination - any; Service - any; Translated source - 200.200.200.5; Destination -original; Service - original

Pregunta 47

Pregunta
QUESTION 47 Because of pre-existing design constraints, you set up manual NAT rules for your HTTP server. However, your FTP server and SMTP server are both using automatic NAT rules. All traffic from your FTP and SMTP servers are passing through the Security Gateway without a problem, but traffic from the Web server is dropped on rule 0 because of anti-spoofing settings. What is causing this?
Respuesta
  • A. Manual NAT rules are not configured correctly.
  • B. Allow bi-directional NAT is not checked in Global Properties.
  • C. Routing is not configured correctly
  • D. Translate destination on client side is not checked in Global Properties under Manual NAT Rules.

Pregunta 48

Pregunta
QUESTION 48 You enable Hide NAT on the network object, 10.1.1.0 behind the Security Gateway's external interface. You browse to the Google Website from host, 10.1.1.10 successfully. You enable a log on the rule that allows 10.1.1.0 to exit the network. How many log entries do you see for that connection in SmartView Tracker?
Respuesta
  • A. Two, one for outbound, one for inbound
  • B. Only one, outbound
  • C. Two, both outbound, one for the real IP connection and one for the NAT IP connection
  • D. Only one, inbound

Pregunta 49

Pregunta
QUESTION 49 Which of the following statements BEST describes Check Point's Hide Network Address Translation method?
Respuesta
  • A. Translates many destination IP addresses into one destination IP address
  • B. One-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation
  • C. Translates many source IP addresses into one source IP address
  • D. Many-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation

Pregunta 50

Pregunta
QUESTION 50 Which Check Point address translation method allows an administrator to use fewer ISP-assigned IP addresses than the number of internal hosts requiring Internet connectivity?
Respuesta
  • A. Hide
  • B. Static Destination
  • C. Static Source
  • D. Dynamic Destination

Pregunta 51

Pregunta
QUESTION 51 NAT can NOT be configured on which of the following objects?
Respuesta
  • A. HTTP Logical Server
  • B. Gateway
  • C. Address Range
  • D. Host

Pregunta 52

Pregunta
QUESTION 52 Which Check Point address translation method is necessary if you want to connect from a host on the Internet via HTTP to a server with a reserved (RFC 1918) IP address on your DMZ?
Respuesta
  • A. Dynamic Source Address Translation
  • B. Hide Address Translation
  • C. Port Address Translation
  • D. Static Destination Address Translation

Pregunta 53

Pregunta
QUESTION 53 You want to implement Static Destination NAT in order to provide external, Internet users access to an internal Web Server that has a reserved (RFC 1918) IP address. You have an unused valid IP address on the network between your Security Gateway and ISP router. You control the router that sits between the firewall external interface and the Internet. What is an alternative configuration if proxy ARP cannot be used on your Security Gateway?
Respuesta
  • A. Publish a proxy ARP entry on the ISP router instead of the firewall for the valid IP address.
  • B. Place a static ARP entry on the ISP router for the valid IP address to the firewall's external address.
  • C. Publish a proxy ARP entry on the internal Web server instead of the firewall for the valid IP address.
  • D. Place a static host route on the firewall for the valid IP address to the internal Web server.

Pregunta 54

Pregunta
QUESTION 54 After implementing Static Address Translation to allow Internet traffic to an internal Web Server on your DMZ, you notice that any NATed connections to that machine are being dropped by anti- spoofing protections. Which of the following is the MOST LIKELY cause?
Respuesta
  • A. The Global Properties setting Translate destination on client side is unchecked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Check the Global Properties setting Translate destination on client side.
  • B. The Global Properties setting Translate destination on client side is unchecked. But the topology on the external interface is set to Others +. Change topology to External.
  • C. The Global Properties setting Translate destination on client side is checked. But the topology on the external interface is set to External. Change topology to Others +.
  • D. The Global Properties setting Translate destination on client side is checked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Uncheck the Global Properties setting Translate destination on client side.

Pregunta 55

Pregunta
QUESTION 55 Which NAT option applicable for Automatic NAT applies to Manual NAT as well?
Respuesta
  • A. Allow bi-directional NAT
  • B. Automatic ARP configuration
  • C. Translate destination on client-side
  • D. Enable IP Pool NAT

Pregunta 56

Pregunta
QUESTION 56 Your main internal network 10.10.10.0/24 allows all traffic to the Internet using Hide NAT. You also have a small network 10.10.20.0/24 behind the internal router. You want to configure the kernel to translate the source address only when network 10.10.20.0 tries to access the Internet for HTTP, SMTP, and FTP services. Which of the following configurations will allow this network to access the Internet?
Respuesta
  • A. Configure three Manual Static NAT rules for network 10.10.20.0/24, one for each service.
  • B. Configure Automatic Static NAT on network 10.10.20.0/24.
  • C. Configure one Manual Hide NAT rule for HTTP, FTP, and SMTP services for network 10.10.20.0/24.
  • D. Configure Automatic Hide NAT on network 10.10.20.0/24 and then edit the Service column in the NAT Rule Base on the automatic rule.

Pregunta 57

Pregunta
QUESTION 57 You have three servers located in a DMZ, using private IP addresses. You want internal users from 10.10.10.x to access the DMZ servers by public IP addresses. Internal_net 10.10.10.x is configured for Hide NAT behind the Security Gateway's external interface. What is the best configuration for 10.10.10.x users to access the DMZ servers, using the DMZ servers' public IP addresses?
Respuesta
  • A. When connecting to internal network 10.10.10.x, configure Hide NAT for the DMZ network behind the Security Gateway DMZ interface.
  • B. When the source is the internal network 10.10.10.x, configure manual static NAT rules to translate the DMZ servers.
  • C. When connecting to the Internet, configure manual Static NAT rules to translate the DMZ servers.
  • D. When trying to access DMZ servers, configure Hide NAT for 10.10.10.x behind the DMZ's interface.

Pregunta 58

Pregunta
QUESTION 58 An internal host initiates a session to the Google.com website and is set for Hide NAT behind the Security Gateway. The initiating traffic is an example of __________.
Respuesta
  • A. client side NAT
  • B. source NAT
  • C. destination NAT
  • D. None of these

Pregunta 59

Pregunta
QUESTION 59 A host on the Internet initiates traffic to the Static NAT IP of your Web server behind the Security Gateway. With the default settings in place for NAT, the initiating packet will translate the _________.
Respuesta
  • A. destination on server side
  • B. source on server side
  • C. source on client side
  • D. destination on client side

Pregunta 60

Pregunta
QUESTION 60 A Web server behind the Security Gateway is set to Automatic Static NAT. Client side NAT is not checked in the Global Properties. A client on the Internet initiates a session to the Web Server. Assuming there is a rule allowing this traffic, what other configuration must be done to allow the traffic to reach the Web server?
Respuesta
  • A. Automatic ARP must be unchecked in the Global Properties.
  • B. Nothing else must be configured
  • C. A static route must be added on the Security Gateway to the internal host.
  • D. A static route for the NAT IP must be added to the Gateway's upstream router. Correct Answer:

Pregunta 61

Pregunta
QUESTION 61 With deployment of SecureClient, you have defined in the policy that you allow traffic only to an encrypted domain. But when your mobile users move outside of your company, they often cannot use SecureClient because they have to register first (i.e. in Hotel or Conference rooms). How do you solve this problem?
Respuesta
  • A. Allow for unencrypted traffic
  • B. Allow traffic outside the encrypted domain
  • C. Enable Hot Spot/Hotel Registration
  • D. Allow your users to turn off SecureClient

Pregunta 62

Pregunta
QUESTION 62 What statement is true regarding Visitor Mode?
Respuesta
  • A. VPN authentication and encrypted traffic are tunneled through port TCP 443.
  • B. Only ESP traffic is tunneled through port TCP 443.
  • C. Only Main mode and Quick mode traffic are tunneled on TCP port 443.
  • D. All VPN traffic is tunneled through UDP port 4500.

Pregunta 63

Pregunta
QUESTION 63 When attempting to connect with SecureClient Mobile you get the following error message: The certificate provided is invalid. Please provide the username and password. What is the probable cause of the error?
Respuesta
  • A. Your user configuration does not have an office mode IP address so the connection failed.
  • B. Your certificate is invalid.
  • C. There is no connection to the server, and the client disconnected.
  • D. Your user credentials are invalid.

Pregunta 64

Pregunta
QUESTION 64 What port is used for communication to the User Center with SmartUpdate?
Respuesta
  • A. CPMI 200
  • B. TCP 8080
  • C. HTTP 80
  • D. HTTPS 443

Pregunta 65

Pregunta
QUESTION 65 You are a Security Administrator preparing to deploy a new HFA (Hotfix Accumulator) to ten Security Gateways at five geographically separate locations. What is the BEST method to implement this HFA?
Respuesta
  • A. Use a SSH connection to SCP the HFA to each Security Gateway. Once copied locally, initiate a remote installation command and monitor the installation progress with SmartView Monitor.
  • B. Send a CD-ROM with the HFA to each location and have local personnel install it.
  • C. Send a Certified Security Engineer to each site to perform the update.
  • D. Use SmartUpdate to install the packages to each of the Security Gateways remotely.

Pregunta 66

Pregunta
QUESTION 66 What action can be performed from SmartUpdate R77?
Respuesta
  • A. upgrade_export
  • B. fw stat -l
  • C. cpinfo
  • D. remote_uninstall_verifier

Pregunta 67

Pregunta
QUESTION 67 Which tool CANNOT be launched from SmartUpdate R77?
Respuesta
  • A. IP Appliance Voyager
  • B. snapshot
  • C. GAiA WebUI
  • D. cpinfo

Pregunta 68

Pregunta
QUESTION 68 Sally has a Hot Fix Accumulator (HFA) she wants to install on her Security Gateway which operates with GAiA, but she cannot SCP the HFA to the system. She can SSH into the Security Gateway, but she has never been able to SCP files to it. What would be the most likely reason she cannot do so?
Respuesta
  • A. She needs to edit /etc/SSHd/SSHd_config and add the Standard Mode account.
  • B. She needs to run sysconfig and restart the SSH process.
  • C. She needs to edit /etc/scpusers and add the Standard Mode account.
  • D. She needs to run cpconfig to enable the ability to SCP files.

Pregunta 69

Pregunta
QUESTION 69 Which of the following are available SmartConsole clients which can be installed from the R77 Windows CD? Read all answers and select the most complete and valid list.
Respuesta
  • A. SmartView Tracker, SmartDashboard, CPINFO, SmartUpdate, SmartView Status
  • B. SmartView Tracker, SmartDashboard, SmartLSM, SmartView Monitor
  • C. SmartView Tracker, CPINFO, SmartUpdate
  • D. Security Policy Editor, Log Viewer, Real Time Monitor GUI

Pregunta 70

Pregunta
QUESTION 70 What is a possible reason for the IKE failure shown in this screenshot?
Respuesta
  • A. Mismatch in VPN Domains.
  • B. Mismatch in preshared secrets.
  • C. Mismatch in Diffie-Hellman group.
  • D. Mismatch in encryption schemes.

Pregunta 71

Pregunta
QUESTION 71 When using an encryption algorithm, which is generally considered the best encryption method?
Respuesta
  • A. Triple DES
  • B. AES-256
  • C. CAST cipher
  • D. DES

Pregunta 72

Pregunta
QUESTION 72 Which do you configure to give remote access VPN users a local IP address?
Respuesta
  • A. Encryption domain pool
  • B. NAT pool
  • C. Office mode IP pool
  • D. Authentication pool

Pregunta 73

Pregunta
QUESTION 73 You have a mesh VPN Community configured to create a site-to-site VPN. Given the displayed VPN properties, what can you conclude about this community? Exhibit:
Respuesta
  • A. The VPN Community will perform IKE Phase 1 key-exchange encryption using the longest key Security Gateway R77 supports.
  • B. Changing the setting Perform key exchange encryption with from AES-256 to 3DES will enhance the VPN Community's security , and reduce encryption overhead.
  • C. Change the data-integrity setting for this VPN Community because MD5 is incompatible with AES.
  • D. Changing the setting Perform IPsec data encryption with from AES-128 to 3Des will increase the encryption overhead.

Pregunta 74

Pregunta
QUESTION 74 Certificates for Security Gateways are created during a simple initialization from _____________.
Respuesta
  • A. sysconfig
  • B. The ICA management tool
  • C. SmartUpdate
  • D. SmartDashboard

Pregunta 75

Pregunta
QUESTION 75 Which of the below is the MOST correct process to reset SIC from SmartDashboard?
Respuesta
  • A. Run cpconfig, and click Reset.
  • B. Click the Communication button for the firewall object, then click Reset. Run cpconfig and type a new activation key.
  • C. Run cpconfig, and select Secure Internal Communication > Change One Time Password.
  • D. Click Communication > Reset on the Gateway object, and type a new activation key.

Pregunta 76

Pregunta
QUESTION 76 Exhibit: You installed Security Management Server on a computer using GAiA in the MegaCorp home office. You use IP address 10.1.1.1. You also installed the Security Gateway on a second GAiA computer, which you plan to ship to another Administrator at a MegaCorp hub office. What is the correct order for pushing SIC certificates to the Gateway before shipping it?
Respuesta
  • A. 2, 3, 4, 1, 5
  • B. 2, 1, 3, 4, 5
  • C. 1, 3, 2, 4, 5
  • D. 2, 3, 4, 5, 1

Pregunta 77

Pregunta
QUESTION 77 Although SIC was already established and running, Joe reset SIC between the Security Management Server and a remote Gateway. He set a new activation key on the Gateway's side with the command cpconfig and put in the same activation key in the Gateway's object on the Security Management Server. Unfortunately, SIC can not be established. What is a possible reason for the problem?
Respuesta
  • A. The installed policy blocks the communication.
  • B. The old Gateway object should have been deleted and recreated.
  • C. Joe forgot to exit from cpconfig.
  • D. Joe forgot to reboot the Gateway.

Pregunta 78

Pregunta
QUESTION 78 You want to reset SIC between smberlin and sgosaka. In SmartDashboard, you choose sgosaka, Communication, Reset. On sgosaka, you start cpconfig, choose Secure Internal Communication and enter the new SIC Activation Key. The screen reads The SIC was successfully initialized and jumps back to the cpconfig menu. When trying to establish a connection, instead of a working connection, you receive this error message: "Failed to connect to the module" What is the reason for this behavior?
Respuesta
  • A. The Gateway was not rebooted, which is necessary to change the SIC key.
  • B. You must first initialize the Gateway object in SmartDashboard (i.e., right-click on the object, choose Basic Setup > Initialize).
  • C. The Check Point services on the Gateway were not restarted because you are still in the cpconfig utility.
  • D. The activation key contains letters that are on different keys on localized keyboards. Therefore, the activation can not be typed in a matching fashion.

Pregunta 79

Pregunta
QUESTION 79 John is the Security Administrator in his company. He installs a new R77 Security Management Server and a new R77 Gateway. He now wants to establish SIC between them. After entering the activation key, he gets the following message in SmartDashboard - "Trust established" SIC still does not seem to work because the policy won't install and interface fetching does not work. What might be a reason for this?
Respuesta
  • A. SIC does not function over the network.
  • B. It always works when the trust is established
  • C. The Gateway's time is several days or weeks in the future and the SIC certificate is not yet valid.
  • D. This must be a human error.

Pregunta 80

Pregunta
QUESTION 80 The SIC certificate is stored in the directory _______________.
Respuesta
  • A. $CPDIR/registry
  • B. $CPDIR/conf
  • C. $FWDIR/database
  • D. $FWDIR/conf

Pregunta 81

Pregunta
QUESTION 81 You run cpconfig to reset SIC on the Security Gateway. After the SIC reset operation is complete, the policy that will be installed is the:
Respuesta
  • A. Standard policy.
  • B. Initial policy.
  • C. Last policy that was installed.
  • D. Default filter.

Pregunta 82

Pregunta
QUESTION 82 Exhibit: Chris has lost SIC communication with his Security Gateway and he needs to re-establish SIC. What would be the correct order of steps needed to perform this task?
Respuesta
  • A. 5, 1, 2, 4
  • B. 5, 1, 4, 2
  • C. 3, 1, 4, 2
  • D. 2, 3, 1, 4

Pregunta 83

Pregunta
QUESTION 83 What happens when you open the Gateway object window Trusted Communication and press and confirm Reset?
Respuesta
  • A. Sic will be reset on the Gateway only.
  • B. The Gateway certificate will be revoked on the Gateway only.
  • C. The Gateway certificate will be revoked on the Security Managment Server only.
  • D. The Gateway certificate will be revoked on the Security Management Server and SIC will be reset on the Gateway.

Pregunta 84

Pregunta
QUESTION 84 Identity Awareness is implemented to manage access to protected resources based on a user's _____________.
Respuesta
  • A. Application requirement
  • B. Computer MAC address
  • C. Identity
  • D. Time of connection

Pregunta 85

Pregunta
QUESTION 85 Which of the following allows administrators to allow or deny traffic to or from a specific network based on the user's credentials?
Respuesta
  • A. Access Policy
  • B. Access Role
  • C. Access Rule
  • D. Access Certificate

Pregunta 86

Pregunta
QUESTION 86 John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to a set of designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop which is assigned a static IP address 10.0.0.19. He has received a new laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop with a static IP (10.0.0.19). He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator: 1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources, and installs the policy. 2) Adds an access role object to the Firewall Rule Base that lets John Adams access the HR Web Server from any machine and from any location and installs policy. John plugged in his laptop to the network on a different network segment and was not able to connect to the HR Web server. What is the next BEST troubleshooting step?
Respuesta
  • A. Investigate this as a network connectivity issue
  • B. Install the Identity Awareness Agent
  • C. Set static IP to DHCP
  • D. After enabling Identity Awareness, reboot the gateway

Pregunta 87

Pregunta
QUESTION 87 John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop which is assigned an IP address 10.0.0.19 via DHCP. John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop. He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator: 1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources installs the policy. 2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web Server from any machine and from any location. John plugged in his laptop to the network on a different network segment and he is not able to connect. How does he solve this problem?
Respuesta
  • A. John should install the Identity Awareness Agent
  • B. The firewall admin should install the Security Policy
  • C. John should lock and unlock the computer
  • D. Investigate this as a network connectivity issue

Pregunta 88

Pregunta
QUESTION 88 John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop which is assigned a static IP address 10.0.0.19. John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop with a static IP (10.0.0.19). He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator: 1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources installs the policy. 2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web Server from any machine and from any location. What should John do when he cannot access the web server from a different personal computer?
Respuesta
  • A. John should lock and unlock his computer
  • B. Investigate this as a network connectivity issue
  • C. The access should be changed to authenticate the user instead of the PC
  • D. John should install the Identity Awareness Agent

Pregunta 89

Pregunta
QUESTION 89 Jennifer McHanry is CEO of ACME. She recently bought her own personal iPad. She wants use her iPad to access the internal Finance Web server. Because the iPad is not a member of the Active Directory domain, she cannot identify seamlessly with AD Query. However, she can enter her AD credentials in the Captive Portal and then get the same access as on her office computer. Her access to resources is based on rules in the R77 Firewall Rule Base. To make this scenario work, the IT administrator must: 1) Enable Identity Awareness on a gateway and select Captive Portal as one of the Identity Sources. 2) In the Portal Settings window in the User Access section, make sure that Name and password login is selected. 3) Create a new rule in the Firewall Rule Base to let Jennifer McHanry access network destinations. Select accept as the Action. Ms. McHanry tries to access the resource but is unable. What should she do?
Respuesta
  • A. Have the security administrator select the Action field of the Firewall Rule "Redirect HTTP connections to an authentication (captive) portal"
  • B. Have the security administrator reboot the firewall
  • C. Have the security administrator select Any for the Machines tab in the appropriate Access Role
  • D. Install the Identity Awareness agent on her iPad

Pregunta 90

Pregunta
QUESTION 90 When using LDAP as an authentication method for Identity Awareness, the query:
Respuesta
  • A. Requires client and server side software.
  • B. Prompts the user to enter credentials
  • C. Requires administrators to specifically allow LDAP traffic to and from the LDAP Server and the Security Gateway.
  • D. Is transparent, requiring no client or server side software, or client intervention.

Pregunta 91

Pregunta
QUESTION 91 Which of the following firewall modes DOES NOT allow for Identity Awareness to be deployed?
Respuesta
  • A. Bridge
  • B. Load Sharing
  • C. High Availability
  • D. Fail Open

Pregunta 92

Pregunta
QUESTION 92 What happens if the identity of a user is known?
Respuesta
  • A. If the user credentials do not match an Access Role, the traffic is automatically dropped.
  • B. If the user credentials do not match an Access Role, the system displays a sandbox.
  • C. If the user credentials do not match an Access Role, the gateway moves onto the next rule.
  • D. If the user credentials do not match an Access Role, the system displays the Captive Portal.

Pregunta 93

Pregunta
QUESTION 93 What happens if the identity of a user is known?
Respuesta
  • A. If the user credentials do not match an Access Role, the system displays the Captive Portal.
  • B. If the user credentials do not match an Access Role, the system displays a sandbox.
  • C. If the user credentials do not match an Access Role, the traffic is automatically dropped.
  • D. If the user credentials match an Access Role, the rule is applied and traffic is accepted or dropped based on the defined action.

Pregunta 94

Pregunta
QUESTION 94 Which rule position in the Rule Base should hold the Cleanup Rule? Why?
Respuesta
  • A. First. It explicitly accepts otherwise dropped traffic.
  • B. Last. It explicitly drops otherwise accepted traffic.
  • C. Last. It serves a logging function before the implicit drop.
  • D. Before last followed by the Stealth Rule.

Pregunta 95

Pregunta
QUESTION 95 Which item below in a Security Policy would be enforced first?
Respuesta
  • A. IP spoofing/IP options
  • B. Security Policy First rule
  • C. Administrator-defined Rule Base
  • D. Network Address Translation

Pregunta 96

Pregunta
QUESTION 96 When you hide a rule in a Rule Base, how can you then disable the rule?
Respuesta
  • A. Hidden rules are already effectively disabled from Security Gateway enforcement.
  • B. Right-click on the hidden rule place-holder bar and select Disable Rule(s).
  • C. Right-click on the hidden rule place-holder bar and uncheck Hide, then right-click and select Disable Rule(s); re-hide the rule.
  • D. Use the search utility in SmartDashboard to view all hidden rules. Select the relevant rule and click Disable Rule(s).

Pregunta 97

Pregunta
QUESTION 97 A Cleanup rule:
Respuesta
  • A. logs connections that would otherwise be dropped without logging by default.
  • B. drops packets without logging connections that would otherwise be dropped and logged by default.
  • C. logs connections that would otherwise be accepted without logging by default.
  • D. drops packets without logging connections that would otherwise be accepted and logged by default.

Pregunta 98

Pregunta
QUESTION 98 Which statement is TRUE about implicit rules?
Respuesta
  • A. You create them in SmartDashboard.
  • B. The Gateway enforces implicit rules that enable outgoing packets only.
  • C. Changes to the Security Gateway's default settings do not affect implicit rules.
  • D. They are derived from Global Properties and explicit object properties.

Pregunta 99

Pregunta
QUESTION 99 You have included the Cleanup Rule in your Rule Base. Where in the Rule Base should the Accept ICMP Requests implied rule have no effect?
Respuesta
  • A. Last
  • B. After Stealth Rule
  • C. First
  • D. Before Last

Pregunta 100

Pregunta
QUESTION 100 All of the following are Security Gateway control connections defined by default implied rules, EXCEPT:
Respuesta
  • A. Exclusion of specific services for reporting purposes.
  • B. Acceptance of IKE and RDP traffic for communication and encryption purposes.
  • C. Communication with server types, such as RADIUS, CVP, UFP, TACACS, and LDAP
  • D. Specific traffic that facilitates functionality, such as logging, management, and key exchange.
Mostrar resumen completo Ocultar resumen completo

Similar

Compositores del Barroco
delfunkyweb20
Examen Metabolismo
Diego Santos
Test de Inglés para la Prepa Abierta 3
Raúl Fox
Campo magnético
Diego Santos
Comentario De Texto 1ºBachillerato
Karo Poghosyan
Test 1 Biología Celular
fanitatou
Mapa Mental Epistemología
leliogamada .
MICROECONOMÍA
ingrinati
Herencia Genética básica
Catalina Ramos
PENSAMIENTO CRÍTICO
carandpoveda
Estrategias para mejorar la lectura.
Hellen Daniela Arias Arévalo