QUESTION 1
Identify the ports to which the Client Authentication daemon listens by default.
A. 259, 900
B. 256, 600
C. 80, 256
D. 8080, 529

QUESTION 2
What is the Manual Client Authentication TELNET port?
A. 23
B. 264
C. 900
D. 259

QUESTION 3
Your company's Security Policy forces users to authenticate to the Gateway explicitly, before they can use
any services. The Gateway does not allow the Telnet service to itself from any location. How would you
configure authentication on the Gateway? With a:
A. Client Authentication rule using the manual sign-on method, using HTTP on port 900
B. Client Authentication rule, using partially automatic sign on
C. Client Authentication for fully automatic sign on
D. Session Authentication rule

QUESTION 4
Which authentication type permits five different sign-on methods in the authentication properties window?

QUESTION 5
Which Client Authentication sign-on method requires the user to first authenticate via the User
Authentication mechanism, when logging in to a remote server with Telnet?

QUESTION 6
Which Security Gateway R77 configuration setting forces the Client Authentication authorization time-out to
refresh, each time a new user is authenticated? The:
A. Time properties, adjusted on the user objects for each user, in the Client Authentication rule Source.
B. IPS > Application Intelligence > Client Authentication > Refresh User Timeout option enabled.
C. Refreshable Timeout setting, in Client Authentication Action Properties > Limits
D. Global Properties > Authentication parameters, adjusted to allow for Regular Client Refreshment.

QUESTION 7
All R77 Security Servers can perform authentication with the exception of one. Which of the Security
Servers can NOT perform authentication?
A. FTP
B. SMTP
C. HTTP
D. RLOGIN

QUESTION 8
Which of the following are authentication methods that Security Gateway R77 uses to validate connection
attempts? Select the response below that includes the MOST complete list of valid authentication methods.
A. Proxied, User, Dynamic, Session
B. Connection, User, Client
C. User, Client, Session
D. User, Proxied, Session

QUESTION 9
Security Gateway R77 supports User Authentication for which of the following services? Select the
response below that contains the MOST correct list of supported services.

QUESTION 10
With the User Directory Software Blade, you can create R77 user definitions on a(n) _________ Server.
A. LDAP
B. RADIUS
C. SecurID
D. NT Domain

QUESTION 11
The User Directory Software Blade is used to integrate which of the following with Security Gateway R77?

QUESTION 12
If you are experiencing LDAP issues, which of the following should you check?
A. Connectivity between the R77 Gateway and LDAP server
B. Secure Internal Communications (SIC)
C. Overlapping VPN Domains
D. Domain name resolution

QUESTION 13
Which type of R77 Security Server does not provide User Authentication?
A. SMTP Security Server
B. HTTP Security Server
C. FTP Security Server
D. HTTPS Security Server

QUESTION 14
You are about to integrate RSA SecurID users into the Check Point infrastructure. What kind of users are to
be defined via SmartDashboard?

QUESTION 15
For which service is it NOT possible to configure user authentication?
A. Telnet
B. SSH
C. FTP
D. HTTPS

QUESTION 16
Charles requests a Website while using a computer not in the net_singapore network. What is TRUE about
his location restriction?
Exhibit:
A. Source setting in Source column always takes precedence
B. Source setting in User Properties always takes precedence
C. As location restrictions add up, he would be allowed from net_singapore and net_sydney.
D. It depends on how the User Auth object is configured; whether User Properties or Source Restriction
takes precedence.

QUESTION 17
In the Rule Base displayed, user authentication in Rule 4 is configured as fully automatic. Eric is a member
of the LDAP group, MSD_Group.
What happens when Eric tries to connect to a server on the Internet?
A. None of these things will happen
B. Eric will be authenticated and get access to the requested server.
C. Eric will be blocked because LDAP is not allowed in the Rule Base.
D. Eric will be dropped by the Stealth Rule

QUESTION 18
Which of the following is an authentication method used by Identity Awareness?
A. SSL
B. Captive Portal
C. RSA
D. PKI

QUESTION 19
What is the purpose of an Identity Agent?
A. Provide user and machine identity to a gateway
B. Manual entry of user credentials for LDAP authentication
C. Audit a user's access, and send that data to a log server
D. Disable Single Sign On

QUESTION 20
What type of traffic can be re-directed to the Captive Portal?
A. SMTP
B. HTTP
C. All of the above
D. FTP

QUESTION 21
The Captive Portal tool:
A. Acquires identities from unidentified users.
B. Is only used for guest user authentication.
C. Allows access to users already identified.
D. Is deployed from the Identity Awareness page in the Global Properties settings

QUESTION 22
Captive Portal is a __________ that allows the gateway to request login information from the user.
A. Pre-configured and customizable web-based tool
B. Transparent network inspection tool
C. LDAP server add-on
D. Separately licensed feature

QUESTION 23
Complete this statement from the options provided. Using Captive Portal, unidentified users may be either:
blocked, allowed to enter required credentials, or required to download the _____________.

QUESTION 24
Users with Identity Awareness Agent installed on their machines login with __________, so that when the
user logs into the domain, that information is also used to meet Identity Awareness credential requests.
A. Key-logging
B. ICA Certificates
C. SecureClient
D. Single Sign-On

QUESTION 25
Which of the following methods is NOT used by Identity Awareness to catalog identities?
A. AD Query
B. Captive Portal
C. Identity Agent
D. GPO

QUESTION 26
When using AD Query to authenticate users for Identity Awareness, identity data is received seamlessly
from the Microsoft Active Directory (AD). What is NOT a recommended usage of this method?
A. Leveraging identity in the application control blade
B. Basic identity enforcement in the internal network
C. Identity-based auditing and logging
D. Identity-based enforcement for non-AD users (non-Windows and guest users)

QUESTION 27
The Identity Agent is a lightweight endpoint agent that authenticates securely with Single Sign-On (SSO).
What is not a recommended usage of this method?
A. When accuracy in detecting identity is crucial
B. Leveraging identity for Data Center protection
C. Protecting highly sensitive servers
D. Identity based enforcement for non-AD users (non-Windows and guest users)

QUESTION 28
Which of the following is NOT a valid option when configuring access for Captive Portal?
A. From the Internet
B. Through internal interfaces
C. Through all interfaces
D. According to the Firewall Policy

QUESTION 29
If you were NOT using IKE aggressive mode for your IPsec tunnel, how many packets would you see for
normal Phase 1 exchange?

QUESTION 30
How many packets does the IKE exchange use for Phase 1 Main Mode?

QUESTION 31
How many packets does the IKE exchange use for Phase 1 Aggressive Mode?

QUESTION 32
Which of the following actions take place in IKE Phase 2 with Perfect Forward Secrecy disabled?
A. Symmetric IPsec keys are generated.
B. Each Security Gateway generates a private Diffie-Hellman (DH) key from random pools.
C. The DH public keys are exchanged.
D. Peers authenticate using certificates or preshared secrets.

QUESTION 33
Which of the following commands can be used to remove site-to-site IPsec Security Association (SA)?
A. vpn debug ipsec
B. vpn ipsec
C. fw ipsec tu
D. vpn tu

QUESTION 34
How many packets are required for IKE Phase 2?

QUESTION 35
Which of the following actions do NOT take place in IKE Phase 1?
A. Peers agree on encryption method.
B. Diffie-Hellman key is combined with the key material to produce the symmetrical IPsec key.
C. Peers agree on integrity method.
D. Each side generates a session key from its private key and the peer's public key.
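
The keying behind Questions 32 and 35, as an added worked example; it is not Check Point code and is not part of the original question set. It follows the IKEv1 derivation in RFC 2409 (pre-shared-key authentication, SKEYID_d from the Phase 1 Diffie-Hellman result, Quick Mode KEYMAT with and without PFS) but with assumptions made for the demo: a toy-sized DH group, HMAC-SHA256 as the prf, and constructed nonces, cookies, SPIs and peer names. The point it shows is that with PFS disabled Phase 2 performs no new DH exchange, so anyone holding SKEYID_d can recompute the IPsec keys; with PFS enabled the fresh Quick Mode DH secret is also needed.

```python
import hashlib
import hmac
import secrets

# Toy DH group so the arithmetic stays readable. This is an assumption for
# the demo only; real IKE uses a 2048-bit or larger MODP group or an EC group.
P = (1 << 127) - 1      # Mersenne prime M127
G = 5
PLEN = (P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated IKEv1 prf; HMAC-SHA256 is assumed here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(peer_pub: int, priv: int) -> bytes:
    """g^xy from my private exponent and the peer's public value."""
    return pow(peer_pub, priv, P).to_bytes(PLEN, "big")


class Peer:
    """One IKE endpoint: its PSK, Phase 1 DH exponent, nonce and cookie."""

    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self.priv = secrets.randbelow(P - 3) + 2   # private DH key, never sent
        self.pub = dh_public(self.priv)            # sent in the KE payload
        self.nonce = secrets.token_bytes(16)       # Ni_b / Nr_b
        self.cookie = secrets.token_bytes(8)       # CKY-I / CKY-R


def phase1_skeyid_d(me: Peer, peer: Peer, ini: Peer, resp: Peer) -> bytes:
    """Phase 1 (Main Mode: 6 messages, Aggressive Mode: 3). After the DH
    exchange each side derives SKEYID from the PSK and both nonces, then
    SKEYID_d, the material every later Phase 2 SA is derived from."""
    gxy = dh_shared(peer.pub, me.priv)
    skeyid = prf(me.psk, ini.nonce + resp.nonce)
    return prf(skeyid, gxy + ini.cookie + resp.cookie + b"\x00")


def phase2_keymat(skeyid_d, protocol, spi, ni, nr, pfs_gxy=None) -> bytes:
    """Quick Mode (3 messages) KEYMAT for one IPsec SA.
    PFS off: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    PFS on : KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    With PFS disabled no new DH exchange happens in Phase 2."""
    return prf(skeyid_d, (pfs_gxy or b"") + protocol + spi + ni + nr)


def run_exchange(psk_i: bytes, psk_r: bytes, pfs: bool) -> dict:
    """Drive Phase 1 + Phase 2 between two constructed peers and report
    whether they agree, and whether SKEYID_d alone yields the IPsec key."""
    alice, bob = Peer("alice", psk_i), Peer("bob", psk_r)     # initiator, responder
    d_i = phase1_skeyid_d(alice, bob, alice, bob)
    d_r = phase1_skeyid_d(bob, alice, alice, bob)
    esp, spi = b"\x03", b"\xc0\xff\xee\x01"                   # constructed values
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gxy_i = gxy_r = None
    if pfs:                                   # fresh DH pair used only by Quick Mode
        x, y = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
        gxy_i = dh_shared(dh_public(y), x)
        gxy_r = dh_shared(dh_public(x), y)
    k_i = phase2_keymat(d_i, esp, spi, ni, nr, gxy_i)
    k_r = phase2_keymat(d_r, esp, spi, ni, nr, gxy_r)
    # What someone holding only SKEYID_d (not the Quick Mode DH secret) can rebuild:
    from_skeyid_d_only = phase2_keymat(d_i, esp, spi, ni, nr, None)
    return {"phase1_match": d_i == d_r,
            "ipsec_keys_match": k_i == k_r,
            "recoverable_from_skeyid_d": from_skeyid_d_only == k_i}


if __name__ == "__main__":
    print("PFS off:", run_exchange(b"s3cret", b"s3cret", pfs=False))
    print("PFS on :", run_exchange(b"s3cret", b"s3cret", pfs=True))
    print("bad PSK:", run_exchange(b"s3cret", b"wrong", pfs=False))
```

A mismatched PSK shows up as disagreeing SKEYID_d values, which in a real exchange means HASH_I/HASH_R fail to verify and Phase 1 never completes.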

QUESTION 36
When using vpn tu, which option must you choose if you only want to clear phase 2 for a specific IP
(gateway)?
Exhibit:
A. (5) Delete all IPsec SAs for a given peer (GW)
B. (7) Delete all IPsec+IKE SAs for a given peer (GW)
C. (6) Delete all IPsec SAs for a given User (Client)
D. (8) Delete all IPsec+IKE SAs for a given User (Client)

QUESTION 37
When using vpn tu, which option must you choose if you want to rebuild your VPN for a specific IP
(gateway)?
Exhibit:
A. (6) Delete all IPsec SAs for a given User (Client)
B. (5) Delete all IPsec SAs for a given peer (GW)
C. (8) Delete all IPsec+IKE SAs for a given User (Client)
D. (7) Delete all IPsec+IKE SAs for a given peer (GW)

QUESTION 38
Which SmartConsole component can Administrators use to track changes to the Rule Base?
A. WebUI
B. SmartView Tracker
C. SmartView Monitor
D. SmartReporter

QUESTION 39
UDP packets are delivered if they are ___________.
A. a stateful ACK to a valid SYN-SYN/ACK on the inverse UDP ports and IP
B. a valid response to an allowed request on the inverse UDP ports and IP
C. bypassing the kernel by the forwarding layer of ClusterXL
D. referenced in the SAM related dynamic tables
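
The stateful UDP handling Question 39 asks about, as an added illustration that is not Check Point code and not part of the original question set. UDP has no SYN/ACK handshake, so the gateway records each outbound request that an accept rule matched and admits a reply only if it arrives on the inverse 4-tuple (IPs and ports swapped) before the entry times out. The class, the 40 s timeout, the injectable clock, the rule-base callable and the sample packets are all constructed for the demo.

```python
import time


class UdpStateTable:
    """Simplified model of a gateway's UDP connection table: an outbound packet
    matched by an accept rule creates an entry; a reply is accepted only on
    the inverse 4-tuple before the entry expires. Timeout and clock are
    assumptions for the demo."""

    def __init__(self, policy_allows, timeout_s=40.0, clock=time.monotonic):
        self.policy_allows = policy_allows   # callable(4-tuple) -> bool: the rule base
        self.timeout_s = timeout_s
        self.clock = clock
        self.table = {}                      # 4-tuple -> last-seen timestamp

    def _expire(self):
        now = self.clock()
        self.table = {k: t for k, t in self.table.items()
                      if now - t < self.timeout_s}

    def filter(self, pkt):
        """pkt = (src_ip, src_port, dst_ip, dst_port). Returns the verdict."""
        self._expire()
        src, sport, dst, dport = pkt
        inverse = (dst, dport, src, sport)
        if inverse in self.table:                # reply to a request we allowed
            self.table[inverse] = self.clock()   # traffic refreshes the entry
            return "accept (reply)"
        if self.policy_allows(pkt):              # new request: consult the rule base
            self.table[pkt] = self.clock()
            return "accept (new, rule match)"
        return "drop"


def run_demo():
    """Constructed traffic: one DNS query from an internal host, its reply,
    two unsolicited packets, and a late reply after the entry has expired."""
    clock = [1000.0]

    def fake_clock():
        return clock[0]

    def policy(pkt):                              # internal hosts may query DNS
        src, _, _, dport = pkt
        return src.startswith("10.0.0.") and dport == 53

    fw = UdpStateTable(policy, timeout_s=40.0, clock=fake_clock)
    verdicts = [
        fw.filter(("10.0.0.5", 40000, "198.51.100.1", 53)),   # query out
        fw.filter(("198.51.100.1", 53, "10.0.0.5", 40000)),   # matching reply
        fw.filter(("198.51.100.1", 53, "10.0.0.5", 40001)),   # wrong port: unsolicited
        fw.filter(("203.0.113.9", 53, "10.0.0.5", 40000)),    # wrong source IP
    ]
    clock[0] += 41                                            # past the timeout
    verdicts.append(fw.filter(("198.51.100.1", 53, "10.0.0.5", 40000)))
    return verdicts


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

Note that the unsolicited packets are dropped even though they come from port 53: the decision is made on the full inverse 4-tuple, not on the service port alone.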

QUESTION 40
The INSPECT engine inserts itself into the kernel between which two OSI model layers?

QUESTION 41
Your company has two headquarters, one in London, and one in New York. Each office includes several
branch offices. The branch offices need to communicate with the headquarters in their country, not with
each other, and only the headquarters need to communicate directly. What is the BEST configuration for
establishing VPN Communities for this company? VPN Communities comprised of:
A. One star Community with the option to mesh the center of the star: New York and London
Gateways added to the center of the star with the mesh center Gateways option checked; all London
branch offices defined in one satellite window, but, all New York branch offices defined in another
satellite window.
B. Two mesh and one star Community: One mesh Community is set up for each of the headquarters and
its branch offices. The star Community is configured with London as the center of the Community and
New York is the satellite.
C. Two star and one mesh Community: One star Community is set up for each site, with headquarters as
the Community center, and its branches as satellites. The mesh Community includes only New York
and London Gateways.
D. Three mesh Communities: One for London headquarters and its branches, one for New York
headquarters and its branches, and one for London and New York headquarters.

QUESTION 42
Your company has two headquarters, one in London, one in New York. Each of the headquarters includes
several branch offices. The branch offices only need to communicate with the headquarters in their country,
not with each other, and the headquarters need to communicate directly. What is the BEST configuration
for establishing VPN Communities among the branch offices and their headquarters, and between the two
headquarters? VPN Communities comprised of:
A. Three mesh Communities: one for London headquarters and its branches; one for New York
headquarters and its branches; and one for London and New York headquarters.
B. Two mesh and one star Community: Each mesh Community is set up for each site between
headquarters their branches. The star Community has New York as the center and London as its
satellite.
C. Two star communities and one mesh: A star community for each city with headquarters as center, and
branches as satellites. Then one mesh community for the two headquarters.
D. One star Community with the option to mesh the center of the star: New York and London Gateways
added to the center of the star with the "mesh center Gateways" option checked; all London branch
offices defined in one satellite window; but, all New York branch offices defined in another satellite
window.
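
A way to check the four layouts offered in Questions 41 and 42 against the stated requirement, as an added example that is not Check Point code and not part of the original question set. It models a mesh community as a tunnel between every pair of members and a star community as tunnels from every satellite to every center gateway (never satellite to satellite), then compares the set of tunnels each option produces with the set the question requires: each branch to its own headquarters only, plus the two headquarters to each other. The site names and the helper functions are constructed for the demo.

```python
from itertools import combinations


def mesh(members):
    """Mesh community: a tunnel between every pair of members."""
    return {frozenset(p) for p in combinations(members, 2)}


def star(centers, satellites, mesh_center=False):
    """Star community: every satellite tunnels to every center gateway;
    satellites never tunnel to each other. mesh_center adds center-to-center."""
    pairs = {frozenset((c, s)) for c in centers for s in satellites}
    if mesh_center:
        pairs |= mesh(centers)
    return pairs


def tunnels(*communities):
    """A gateway pair can build a tunnel if any community contains it."""
    return set().union(*communities)


def evaluate_options():
    """Compare the four layouts with the requirement: branch <-> own HQ only,
    HQ <-> HQ directly, nothing else. Site names are constructed for the demo."""
    hqs = ["LON", "NYC"]
    branches = {"LON": ["LON-B1", "LON-B2"], "NYC": ["NYC-B1", "NYC-B2"]}
    all_branches = branches["LON"] + branches["NYC"]

    required = mesh(hqs) | {frozenset((hq, b)) for hq in hqs for b in branches[hq]}

    options = {
        "A: three mesh": tunnels(
            mesh(["LON"] + branches["LON"]),
            mesh(["NYC"] + branches["NYC"]),
            mesh(hqs)),
        "B: two mesh + star": tunnels(
            mesh(["LON"] + branches["LON"]),
            mesh(["NYC"] + branches["NYC"]),
            star(["NYC"], ["LON"])),
        "C: two star + mesh": tunnels(
            star(["LON"], branches["LON"]),
            star(["NYC"], branches["NYC"]),
            mesh(hqs)),
        # one star, both HQs in the center, all branches as satellites
        "D: one star, meshed center": star(hqs, all_branches, mesh_center=True),
    }
    report = {}
    for name, t in options.items():
        report[name] = {
            "meets_requirement": t == required,
            "unwanted_tunnels": sorted(tuple(sorted(p)) for p in t - required),
            "missing_tunnels": sorted(tuple(sorted(p)) for p in required - t),
        }
    return report


if __name__ == "__main__":
    for name, r in evaluate_options().items():
        print(name, "OK" if r["meets_requirement"] else "unwanted: %s" % r["unwanted_tunnels"])
```

Every option reaches all required peers; the difference is the extra tunnels. Meshing a headquarters with its branches lets the branches tunnel to each other, and putting both headquarters in the center of a single star gives every branch a tunnel to the foreign headquarters as well. Only the two-star-plus-mesh layout produces exactly the required set.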

QUESTION 43
Match the terms with their definitions:
Exhibit:
A. A-3, B-2, C-4, D-1
B. A-2, B-3, C-4, D-1
C. A-3, B-2, C-1, D-4
D. A-3, B-4, C-1, D-2

QUESTION 44
Which of these attributes would be critical for a site-to-site VPN?
A. Scalability to accommodate user groups
B. Centralized management
C. Strong authentication
D. Strong data encryption

QUESTION 45
Which of the following is NOT true for Clientless VPN?
A. The Gateway can enforce the use of strong encryption.
B. The Gateway accepts any encryption method that is proposed by the client and supported in the VPN.
C. Secure communication is provided between clients and servers that support HTTP.
D. User Authentication is supported.

QUESTION 46
You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external
partner. Which of the following activities should you do first?
A. Create a new logical-server object to represent your partner's CA.
B. Exchange exported CA keys and use them to create a new server object to represent your partner's
Certificate Authority (CA).
C. Manually import your partner's Certificate Revocation List.
D. Manually import your partner's Access Control List.

QUESTION 47
Your company is still using traditional mode VPN configuration on all Gateways and policies. Your manager
now requires you to migrate to a simplified VPN policy to benefit from the new features. This needs to be
done with no downtime due to critical applications which must run constantly.
How would you start such a migration?
A. This cannot be done without downtime, as a VPN between a traditional mode Gateway and a simplified
mode Gateway does not work.
B. This cannot be done, as it requires a SIC reset on the Gateways first, forcing an outage.
C. You first need to completely rewrite all policies in simplified mode and then push this new policy to all
Gateways at the same time.
D. Convert the required Gateway policies using the simplified VPN wizard, check their logic and then
migrate Gateway per Gateway.

QUESTION 48
Your manager requires you to set up a VPN to a new business partner site. The administrator from the
partner site gives you his VPN settings and you notice that he set up AES-128 for IKE Phase 1 and AES-256
for IKE Phase 2. Why is this a problematic setup?
A. The two algorithms do not have the same key length and so don't work together. You will get the error
"No proposal chosen".
B. All is fine, as the longest key length has been chosen for encrypting the data and a shorter key length for
higher performance for setting up the tunnel.
C. Only 128-bit keys are used for the Phase 1 keys which protect Phase 2, so the longer key length in
Phase 2 only costs performance and does not add security, due to the shorter key in Phase 1.
D. All is fine and can be used as is.

QUESTION 49
Why are certificates preferred over pre-shared keys in an IPsec VPN?
A. Weak performance: PSK takes more time to encrypt than Diffie-Hellman.
B. Weak security: PSKs are static and can be brute-forced.
C. Weak security: PSKs can only have 112 bit length.
D. Weak scalability: PSKs need to be set on each and every Gateway.