Exam 2 - CCSA 156-215 v7

QUESTION 1 You manage a global network extending from your base in Chicago to Tokyo, Calcutta and Dallas. Management wants a report detailing the current software level of each Enterprise class Security Gateway. You plan to take the opportunity to create a proposal outline, listing the most cost- effective way to upgrade your Gateways. Which two SmartConsole applications will you use to create this report and outline?

QUESTION 2 Your bank's distributed R77 installation has Security Gateways up for renewal. Which SmartConsole application will tell you which Security Gateways have licenses that will expire within the next 30 days?

QUESTION 3 When launching SmartDashboard, what information is required to log into R77?

QUESTION 4 Message digests use which of the following?

QUESTION 5 Which of the following is a hash algorithm?

QUESTION 6 Which of the following uses the same key to decrypt as it does to encrypt?

QUESTION 7 You believe Phase 2 negotiations are failing while you are attempting to configure a site-to-site VPN with one of your firm's business partners. Which SmartConsole application should you use to confirm your suspicions?

QUESTION 8 A digital signature:

QUESTION 9 Which component functions as the Internal Certificate Authority for R77?

QUESTION 10 The customer has a small Check Point installation, which includes one GAiA server working as the SmartConsole, and a second server running Windows 2008 as both Security Management Server and Security Gateway. This is an example of a(n):

QUESTION 11 The customer has a small Check Point installation which includes one Windows 2008 server as the SmartConsole and a second server running GAiA as both Security Management Server and the Security Gateway. This is an example of a(n):

QUESTION 12 The customer has a small Check Point installation which includes one Windows 7 workstation as the SmartConsole, one GAiA device working as Security Management Server, and a third server running SecurePlatform as Security Gateway. This is an example of a(n):

QUESTION 13 The customer has a small Check Point installation which includes one Windows 2008 server as SmartConsole and Security Management Server with a second server running GAiA as Security Gateway. This is an example of a(n):

QUESTION 14 When doing a Stand-Alone Installation, you would install the Security Management Server with which other Check Point architecture component?

QUESTION 15 Tom has been tasked to install Check Point R77 in a distributed deployment. Before Tom installs the systems this way, how many machines will he need if he does NOT include a SmartConsole machine in his calculations?

QUESTION 16 Which command allows Security Policy name and install date verification on a Security Gateway?

QUESTION 17 You have two rules, ten users, and two user groups in a Security Policy. You create database version 1 for this configuration. You then delete two existing users and add a new user group. You modify one rule and add two new rules to the Rule Base. You save the Security Policy and create database version 2. After awhile, you decide to roll back to version 1 to use the Rule Base, but you want to keep your user database. How can you do this?

QUESTION 18 Which feature or command provides the easiest path for Security Administrators to revert to earlier versions of the same Security Policy and objects configuration?

QUESTION 19 Your Security Management Server fails and does not reboot. One of your remote Security Gateways managed by the Security Management Server reboots. What occurs with the remote Gateway after reboot?

QUESTION 20 How can you configure an application to automatically launch on the Security Management Server when traffic is dropped or accepted by a rule in the Security Policy?

QUESTION 21 Which of the following is NOT useful to verify whether or not a Security Policy is active on a Gateway?

QUESTION 22 Exhibit: Of the following, what parameters will not be preserved when using Database Revision Control?

QUESTION 23 You are about to test some rule and object changes suggested in an R77 news group. Which backup solution should you use to ensure the easiest restoration of your Security Policy to its previous configuration after testing the changes?

QUESTION 24 Exhibit: You plan to create a backup of the rules, objects, policies, and global properties from an R77 Security Management Server. Which of the following backup and restore solutions can you use?

QUESTION 25 Which R77 feature or command allows Security Administrators to revert to earlier Security Policy versions without changing object configurations?

QUESTION 26 What must a Security Administrator do to comply with a management requirement to log all traffic accepted through the perimeter Security Gateway?

QUESTION 27 Which utility allows you to configure the DHCP service on GAiA from the command line?

QUESTION 28 The third-shift Administrator was updating Security Management Server access settings in Global Properties and testing. He managed to lock himself out of his account. How can you unlock this account?

QUESTION 29 The third-shift Administrator was updating Security Management Server access settings in Global Properties. He managed to lock all administrators out of their accounts. How should you unlock these accounts?

QUESTION 30 You are the Security Administrator for ABC-Corp. A Check Point Firewall is installed and in use on GAiA. You are concerned that the system might not be retaining your entries for the interfaces and routing configuration. You would like to verify your entries in the corresponding file(s) on GAiA. Where can you view them? Give the BEST answer.

QUESTION 31 When using GAiA, it might be necessary to temporarily change the MAC address of the interface eth 0 to 00:0C:29:12:34:56. After restarting the network the old MAC address should be active. How do you configure this change?

QUESTION 32 Several Security Policies can be used for different installation targets. The Firewall protecting Human Resources' servers should have its own Policy Package. These rules must be installed on this machine and not on the Internet Firewall. How can this be accomplished?

QUESTION 33 You have a diskless appliance platform. How do you keep swap file wear to a minimum?

QUESTION 34 Your R77 primary Security Management Server is installed on GAiA. You plan to schedule the Security Management Server to run fw logswitch automatically every 48 hours. How do you create this schedule?

QUESTION 35 Which of the following methods will provide the most complete backup of an R77 configuration?

QUESTION 36 Which of the following commands can provide the most complete restoration of a R77 configuration?

QUESTION 37 When restoring R77 using the command upgrade_import, which of the following items are NOT restored?

QUESTION 38 Your organization's disaster recovery plan needs an update to the backup and restore section to reap the new distributed R77 installation benefits. Your plan must meet the following required and desired objectives: Required ObjectivE. The Security Policy repository must be backed up no less frequently than every 24 hours. Desired ObjectivE. The R77 components that enforce the Security Policies should be backed up at least once a week. Desired ObjectivE. Back up R77 logs at least once a week. Your disaster recovery plan is as follows: - Use the cron utility to run the command upgrade_export each night on the Security Management Servers. - Configure the organization's routine back up software to back up the files created by the command upgrade_export. - Configure the GAiA back up utility to back up the Security Gateways every Saturday night. - Use the cron utility to run the command upgrade_export each Saturday night on the log servers. - Configure an automatic, nightly logswitch. - Configure the organization's routine back up software to back up the switched logs every night. Upon evaluation, your plan:

QUESTION 39 Your company is running Security Management Server R77 on GAiA, which has been migrated through each version starting from Check Point 4.1. How do you add a new administrator account?

QUESTION 40 Peter is your new Security Administrator. On his first working day, he is very nervous and enters the wrong password three times. His account is locked. What can be done to unlock Peter's account? Give the BEST answer.

QUESTION 41 Where can you find the Check Point's SNMP MIB file?

QUESTION 42 You want to generate a cpinfo file via CLI on a system running GAiA. This will take about 40 minutes since the log files are also needed. What action do you need to take regarding timeout?

QUESTION 43 Many companies have defined more than one administrator. To increase security, only one administrator should be able to install a Rule Base on a specific Firewall. How do you configure this?

QUESTION 44 What is the officially accepted diagnostic tool for IP Appliance Support?

QUESTION 45 Which of these Security Policy changes optimize Security Gateway performance?

QUESTION 46 Your perimeter Security Gateway's external IP is 200.200.200.3. Your network diagram shows: Required: Allow only network 192.168.10.0 and 192.168.20.0 to go out to Internet, using 200.200.200.5. The local network 192.168.1.0/24 needs to use 200.200.200.3 to go out to the Internet. Assume you enable all the settings in the NAT page of Global Properties. How do you achieve this requirement?

QUESTION 47 Because of pre-existing design constraints, you set up manual NAT rules for your HTTP server. However, your FTP server and SMTP server are both using automatic NAT rules. All traffic from your FTP and SMTP servers are passing through the Security Gateway without a problem, but traffic from the Web server is dropped on rule 0 because of anti-spoofing settings. What is causing this?

QUESTION 48 You enable Hide NAT on the network object, 10.1.1.0 behind the Security Gateway's external interface. You browse to the Google Website from host, 10.1.1.10 successfully. You enable a log on the rule that allows 10.1.1.0 to exit the network. How many log entries do you see for that connection in SmartView Tracker?

QUESTION 49 Which of the following statements BEST describes Check Point's Hide Network Address Translation method?

QUESTION 50 Which Check Point address translation method allows an administrator to use fewer ISP-assigned IP addresses than the number of internal hosts requiring Internet connectivity?

QUESTION 51 NAT can NOT be configured on which of the following objects?

QUESTION 52 Which Check Point address translation method is necessary if you want to connect from a host on the Internet via HTTP to a server with a reserved (RFC 1918) IP address on your DMZ?

QUESTION 53 You want to implement Static Destination NAT in order to provide external, Internet users access to an internal Web Server that has a reserved (RFC 1918) IP address. You have an unused valid IP address on the network between your Security Gateway and ISP router. You control the router that sits between the firewall external interface and the Internet. What is an alternative configuration if proxy ARP cannot be used on your Security Gateway?

QUESTION 54 After implementing Static Address Translation to allow Internet traffic to an internal Web Server on your DMZ, you notice that any NATed connections to that machine are being dropped by anti- spoofing protections. Which of the following is the MOST LIKELY cause?

QUESTION 55 Which NAT option applicable for Automatic NAT applies to Manual NAT as well?

QUESTION 56 Your main internal network 10.10.10.0/24 allows all traffic to the Internet using Hide NAT. You also have a small network 10.10.20.0/24 behind the internal router. You want to configure the kernel to translate the source address only when network 10.10.20.0 tries to access the Internet for HTTP, SMTP, and FTP services. Which of the following configurations will allow this network to access the Internet?

QUESTION 57 You have three servers located in a DMZ, using private IP addresses. You want internal users from 10.10.10.x to access the DMZ servers by public IP addresses. Internal_net 10.10.10.x is configured for Hide NAT behind the Security Gateway's external interface. What is the best configuration for 10.10.10.x users to access the DMZ servers, using the DMZ servers' public IP addresses?

QUESTION 58 An internal host initiates a session to the Google.com website and is set for Hide NAT behind the Security Gateway. The initiating traffic is an example of __________.

QUESTION 59 A host on the Internet initiates traffic to the Static NAT IP of your Web server behind the Security Gateway. With the default settings in place for NAT, the initiating packet will translate the _________.

QUESTION 60 A Web server behind the Security Gateway is set to Automatic Static NAT. Client side NAT is not checked in the Global Properties. A client on the Internet initiates a session to the Web Server. Assuming there is a rule allowing this traffic, what other configuration must be done to allow the traffic to reach the Web server?

QUESTION 61 With deployment of SecureClient, you have defined in the policy that you allow traffic only to an encrypted domain. But when your mobile users move outside of your company, they often cannot use SecureClient because they have to register first (i.e. in Hotel or Conference rooms). How do you solve this problem?

QUESTION 62 What statement is true regarding Visitor Mode?

QUESTION 63 When attempting to connect with SecureClient Mobile you get the following error message: The certificate provided is invalid. Please provide the username and password. What is the probable cause of the error?

QUESTION 64 What port is used for communication to the User Center with SmartUpdate?

QUESTION 65 You are a Security Administrator preparing to deploy a new HFA (Hotfix Accumulator) to ten Security Gateways at five geographically separate locations. What is the BEST method to implement this HFA?

QUESTION 66 What action can be performed from SmartUpdate R77?

QUESTION 67 Which tool CANNOT be launched from SmartUpdate R77?

QUESTION 68 Sally has a Hot Fix Accumulator (HFA) she wants to install on her Security Gateway which operates with GAiA, but she cannot SCP the HFA to the system. She can SSH into the Security Gateway, but she has never been able to SCP files to it. What would be the most likely reason she cannot do so?

QUESTION 69 Which of the following are available SmartConsole clients which can be installed from the R77 Windows CD? Read all answers and select the most complete and valid list.

QUESTION 70 What is a possible reason for the IKE failure shown in this screenshot?

QUESTION 71 When using an encryption algorithm, which is generally considered the best encryption method?

QUESTION 72 Which do you configure to give remote access VPN users a local IP address?

QUESTION 73 You have a mesh VPN Community configured to create a site-to-site VPN. Given the displayed VPN properties, what can you conclude about this community? Exhibit:

QUESTION 74 Certificates for Security Gateways are created during a simple initialization from _____________.

QUESTION 75 Which of the below is the MOST correct process to reset SIC from SmartDashboard?

QUESTION 76 Exhibit: You installed Security Management Server on a computer using GAiA in the MegaCorp home office. You use IP address 10.1.1.1. You also installed the Security Gateway on a second GAiA computer, which you plan to ship to another Administrator at a MegaCorp hub office. What is the correct order for pushing SIC certificates to the Gateway before shipping it?

QUESTION 77 Although SIC was already established and running, Joe reset SIC between the Security Management Server and a remote Gateway. He set a new activation key on the Gateway's side with the command cpconfig and put in the same activation key in the Gateway's object on the Security Management Server. Unfortunately, SIC can not be established. What is a possible reason for the problem?

QUESTION 78 You want to reset SIC between smberlin and sgosaka. In SmartDashboard, you choose sgosaka, Communication, Reset. On sgosaka, you start cpconfig, choose Secure Internal Communication and enter the new SIC Activation Key. The screen reads The SIC was successfully initialized and jumps back to the cpconfig menu. When trying to establish a connection, instead of a working connection, you receive this error message: "Failed to connect to the module" What is the reason for this behavior?

QUESTION 79 John is the Security Administrator in his company. He installs a new R77 Security Management Server and a new R77 Gateway. He now wants to establish SIC between them. After entering the activation key, he gets the following message in SmartDashboard - "Trust established" SIC still does not seem to work because the policy won't install and interface fetching does not work. What might be a reason for this?

QUESTION 80 The SIC certificate is stored in the directory _______________.

QUESTION 81 You run cpconfig to reset SIC on the Security Gateway. After the SIC reset operation is complete, the policy that will be installed is the:

QUESTION 82 Exhibit: Chris has lost SIC communication with his Security Gateway and he needs to re-establish SIC. What would be the correct order of steps needed to perform this task?

QUESTION 83 What happens when you open the Gateway object window Trusted Communication and press and confirm Reset?

QUESTION 84 Identity Awareness is implemented to manage access to protected resources based on a user's _____________.

QUESTION 85 Which of the following allows administrators to allow or deny traffic to or from a specific network based on the user's credentials?

QUESTION 86 John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to a set of designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop which is assigned a static IP address 10.0.0.19. He has received a new laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop with a static IP (10.0.0.19). He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator: 1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources, and installs the policy. 2) Adds an access role object to the Firewall Rule Base that lets John Adams access the HR Web Server from any machine and from any location and installs policy. John plugged in his laptop to the network on a different network segment and was not able to connect to the HR Web server. What is the next BEST troubleshooting step?

QUESTION 87 John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop which is assigned an IP address 10.0.0.19 via DHCP. John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop. He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator: 1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources installs the policy. 2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web Server from any machine and from any location. John plugged in his laptop to the network on a different network segment and he is not able to connect. How does he solve this problem?

QUESTION 88 John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop which is assigned a static IP address 10.0.0.19. John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop with a static IP (10.0.0.19). He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator: 1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources installs the policy. 2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web Server from any machine and from any location. What should John do when he cannot access the web server from a different personal computer?

QUESTION 89 Jennifer McHanry is CEO of ACME. She recently bought her own personal iPad. She wants use her iPad to access the internal Finance Web server. Because the iPad is not a member of the Active Directory domain, she cannot identify seamlessly with AD Query. However, she can enter her AD credentials in the Captive Portal and then get the same access as on her office computer. Her access to resources is based on rules in the R77 Firewall Rule Base. To make this scenario work, the IT administrator must: 1) Enable Identity Awareness on a gateway and select Captive Portal as one of the Identity Sources. 2) In the Portal Settings window in the User Access section, make sure that Name and password login is selected. 3) Create a new rule in the Firewall Rule Base to let Jennifer McHanry access network destinations. Select accept as the Action. Ms. McHanry tries to access the resource but is unable. What should she do?

QUESTION 90 When using LDAP as an authentication method for Identity Awareness, the query:

QUESTION 91 Which of the following firewall modes DOES NOT allow for Identity Awareness to be deployed?

QUESTION 92 What happens if the identity of a user is known?

QUESTION 93 What happens if the identity of a user is known?

QUESTION 94 Which rule position in the Rule Base should hold the Cleanup Rule? Why?

QUESTION 95 Which item below in a Security Policy would be enforced first?

QUESTION 96 When you hide a rule in a Rule Base, how can you then disable the rule?

QUESTION 97 A Cleanup rule:

QUESTION 98 Which statement is TRUE about implicit rules?

QUESTION 99 You have included the Cleanup Rule in your Rule Base. Where in the Rule Base should the Accept ICMP Requests implied rule have no effect?

QUESTION 100 All of the following are Security Gateway control connections defined by default implied rules, EXCEPT: