https://www.gratisexam.com/

156-115.77.exam.182q

Number: 156-115.77
Passing Score: 800
Time Limit: 120 min

156-115.77 Check Point Certified Security Master

Checkpoint.Certkiller.156-115.77.v2019-02-05.by.Gary…

Topic 1, Chain Modules

QUESTION 1
Which of the following BEST describes the command fw ctl chain function?

A. View how CoreXL is distributing traffic among the firewall kernel instances.

B. View established connections in the connections table.

C. View the inbound and outbound kernel modules and the order in which they are applied.

D. Determine if VPN Security Associations are being established.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
The command _____________ shows which firewall chain modules are active on a gateway.

A. fw stat

B. fw ctl debug

C. fw ctl chain

D. fw ctl multik stat

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
The command fw ctl kdebug <params> is used to:

A. list enabled debug parameters.

B. read the kernel debug buffer to obtain debug messages.

C. enable kernel debugging.

D. select specific kernel modules for debugging.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
Compare these two images to establish which blade/feature was disabled on the firewall.

A. IPS

B. VPN

C. NAT

D. L2TP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
What command would give you a summary of all the tables available to the firewall kernel?

A. fw tab

B. fw tab -s

C. fw tab -h

D. fw tab -o

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Which directory below contains the URL Filtering engine update info? Here you can also go to see the status of the URL Filtering and Application Control updates.

A. $FWDIR/urlf/update

B. $FWDIR/appi/update

C. $FWDIR/appi/urlf

D. $FWDIR/update/appi

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
For URL Filtering in the Cloud in R75 and above, what table is used to contain the URL Filtering cache values?

A. urlf_blade_on_gw

B. urlf_cache_tbl

C. urlf_cache_table

D. url_scheme_tab

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
You are troubleshooting a Security Gateway, attempting to determine which chain is causing a problem. What command would you use to show all the chains through which traffic passed?

A. [Expert@HostName]# fw ctl chain

B. [Expert@HostName]# fw monitor -e "accept;" -p all

C. [Expert@HostName]# fw ctl debug -m

D. [Expert@HostName]# fw ctl zdebug all

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
You are running a debugging session and you have set the debug environment to TDERROR_ALL_ALL=5 using the command export TDERROR_ALL_ALL=5. How do you return the debug value to defaults?

A. fw ctl debug 0x1ffffe0

B. fw debug 0x1ffffe0

C. export TDERROR_ALL_ALL

D. unset TDERROR_ALL_ALL

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
What command would you use to view which debugs are set in your current working environment?

A. “env” and “fw ctl debug”

B. “cat /proc/etc”

C. “fw ctl debug all”

D. “export”

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
What causes the SIP Early NAT chain module to appear in the chain?

A. The SIP traffic is trying to pass through the firewall.

B. SIP is configured in IPS.

C. A VOIP domain is configured.

D. The default SIP service is used in the Rule Base.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
When you perform an install database, the status window is filled with large amounts of text. What could be the cause?

A. There is an active fw monitor running.

B. There is an environment variable of TDERROR_ALL_ALL set on the gateway.

C. There is an active debug on the SmartConsole.

D. There is an active debug on the FWM process.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Which commands will properly set the debug level to maximum and then run a policy install in debug mode for the policy Standard on gateway A-GW from an R77 GAiA Management Server?

A. setenv TDERROR_ALL_ALL=5
fwm -d load A-GW Standard

B. setenv TDERROR_ALL_ALL=5
fwm -d load Standard A-GW

C. export TDERROR_ALL_ALL=5
fwm -d load Standard A-GW

D. export TDERROR_ALL_ALL=5
fwm -d load A-GW Standard

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
Which of the following items is NOT part of the columns of the chain modules?

A. Inbound/Outbound chain

B. Function Pointer

C. Chain position

D. Module location

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
John is a Security Administrator of a Check Point platform. He has a mis-configuration issue that points to the Rule Base. To obtain information about the issue, John runs the command:

A. fw debug fw on and checks the file fwm.elg.

B. fw kdebug fwm on and checks the file fwm.elg.

C. fw debug fwm on and checks the file fwm.elg.

D. fw kdebug fwm on and checks the file fw.elg.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
The user tried to connect in SmartDashboard and it did not work. You started an FWM debug and received the logs below:

What is the error cause?

A. IP not defined in $FWDIR/conf/gui-clients

B. Wrong user and password

C. Wrong password

D. Wrong user

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
When troubleshooting and trying to understand which chain is causing a problem on the Security Gateway, you should use the command:

A. fw ctl zdebug drop

B. fw tab -t connections

C. fw monitor -e "accept;" -p all

D. fw ctl chain

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

Topic 2, NAT

QUESTION 1
Since switching your network to ISP redundancy you find that your outgoing static NAT connections are failing. You use the command _________ to debug the issue.

A. fwaccel stats misp

B. fw ctl pstat

C. fw ctl debug -m fw + nat drop

D. fw tab -t fwx_alloc -x

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Remote VPN clients can initiate connections with internal hosts, but internal hosts are unable to initiate connections with the remote VPN clients, even though the policy is configured to allow it. You think that this is caused by NAT. What command can you run to see if NAT is occurring on a packet?

A. fw tab -t fwx_alloc -x

B. fw ctl pstat

C. fwaccel stats misp

D. fw ctl debug -m fw + conn drop packet xlate xltrc nat

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
Where in a fw monitor output would you see source address translation occur in cases of automatic Hide NAT?

A. Between the “I” and “o”

B. Hide NAT does not adjust the source IP

C. Between the “o” and “O”

D. Between the “i” and “I”

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
Where in a fw monitor output would you see destination address translation occur in cases of inbound automatic static NAT?

A. Static NAT does not adjust the destination IP

B. Between the “i” and “I”

C. Between the “I” and “o”

D. Between the “o” and “O”

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
Which flag in the fw monitor command is used to print the position of the kernel chain?

A. -all

B. -k

C. -c

D. -p

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Server A is subject to automatic static NAT and also resides on a network which is subject to automatic Hide NAT. With regard to address translation, what will happen when Server A initiates outbound communication?

A. This will cause a policy verification error.

B. This is called hairpin NAT, the traffic will return to the server.

C. The static NAT will take precedence.

D. The Hide NAT will take precedence.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
In your SecurePlatform configuration you need to set up a manual static NAT entry. After creating the proper NAT rule, what step needs to be completed?

A. Edit or create the file local.arp.

B. No further actions are required.

C. Edit or create the file discntd.if.

D. Edit the file netconf.conf.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Which FW-1 kernel flags should be used to properly debug and troubleshoot NAT issues?

A. nat, route, conn, fwd, zeco, err

B. nat, xlate, fwd, vm, ld, chain

C. nat, xltrc, xlate, drop, conn, vm

D. nat, drop, conn, xlate, filter, ioctl

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Which file should be edited to modify ClusterXL VIP Hide NAT rules, and where?

A. $FWDIR/lib/base.def on the cluster members

B. $FWDIR/lib/table.def on the SMC

C. $FWDIR/lib/table.def on the cluster members

D. $FWDIR/lib/base.def on the SMC

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
When viewing a NAT table, what represents the second hexadecimal number of the 6-tuple?

A. Source port

B. Protocol

C. Source IP

D. Destination port

Correct Answer: C
Section: (none)

Explanation

Explanation/Reference:

QUESTION 11
By default, the size of the fwx_alloc table is:

A. 65535

B. 65536

C. 25000

D. 1024

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Given the screen configuration shown, the failure’s probable cause is:

A. Packet 1 Proposes SA life Type, Sa Life Duration, Authentication and Encapsulation Algorithm.

B. Packet 1 proposes a symmetrical key.

C. Packet 1 proposes a subnet and host ID, an encryption and hash algorithm.

D. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Ann wants to hide FTP traffic behind the virtual IP of her cluster. Where is the relevant file table.def located to make this modification?

A. $FWDIR/log/table.def

B. $FWDIR/conf/table.def

C. $FWDIR/bin/table.def

D. $FWDIR/lib/table.def

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
While troubleshooting a connectivity issue with an internal web server, you know that packets are getting to the upstream router, but when you run a tcpdump on the external interface of the gateway, the only traffic you observe is ARP requests coming from the upstream router. Does the problem lie on the Check Point Gateway?

A. Yes – This could be due to a misconfigured route on the firewall.

B. No – This is a layer 2 connectivity issue and has nothing to do with the firewall.

C. No – The firewall is not dropping the traffic, therefore the problem does not lie with the firewall.

D. Yes – This could be due to a misconfigured Static NAT in the firewall policy.

Correct Answer: D

Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
In a production environment, your gateway is configured to apply a Hide NAT for all internal traffic destined to the Internet. However, you are setting up a VPN tunnel with a remote gateway, and you are concerned about the encryption domain that you need to define on the remote gateway. Does the remote gateway need to include your production gateway’s external IP in its encryption domain?

A. No – all packets destined through a VPN will leave with original source and destination packets without translation.

B. No – all packets destined to go through the VPN tunnel will have the payload encapsulated in an ESP packet and after decryption at the remote site, will have the same internal source and destination IP addresses.

C. Yes – all packets destined to go through the VPN tunnel will have the payload encapsulated in an ESP packet and after decryption at the remote site, the packet will contain the source IP of the Gateway because of Hide NAT.

D. Yes – The gateway will apply the Hide NAT for this VPN traffic.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

Topic 3, ClusterXL

QUESTION 1
Which of the following commands shows the high watermark threshold for triggering the cluster under load mechanism in R77?

A. fw ctl get int fwha_cul_mechanism_enable

B. fw ctl get int fwha_cul_cluster_short_timeout

C. fw ctl get int fwha_cul_member_cpu_load_limit

D. fw ctl get int fwha_cul_policy_freeze_event_timeout_millisec

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
What mechanism solves asymmetric routing issues in a load sharing cluster?

A. Flush and ACK

B. Stateful Inspection

C. SYN Defender

D. State Synchronization

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
When you have edited the local.arp configuration to support a manual NAT, what must be done to ensure proxy ARPs for both manual and automatic NAT rules function?

A. In Global Properties > NAT tree select Merge manual proxy ARP configuration check box

B. Run the command fw ctl ARP -a on the gateway

C. In Global Properties > NAT tree select Translate on client side check box

D. Create and run a script to forward changes to the local.arp tables of your gateway

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
How can you see a dropped connection and the cause from the kernel?

A. fw zdebug drop

B. fw ctl debug drop on

C. fw debug drop on

D. fw ctl zdebug drop

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
After creating and pushing out a new policy, Joe finds that an old connection is still being allowed that should have been closed after his changes. He wants to delete the connection on the gateway, and looks it up with fw tab -t connections -u. Joe finds the connection he is looking for. What command should Joe use to remove this connection?

<0,a128c22,89,a158508,89,11;10001,2281,25,15b,a1,4ecdfeee,ac,691400ac,7b6,3e,ffffffff,3c,3c,0,0,0,0,0,0,0,0,0,0,0,0,0,0>

A. fw tab -t connections -x -d "0,a128c22,89,0a158508,89,11"

B. fw tab -t connections -x -e "0,a128c22,00000089,0a158508,00000089,00000011"

C. fw tab -t connections -x -d "00000000,a128c22,00000089,0a158508,00000089,00000011"

D. fw tab -t connections -x -e "0,a128c22,89,0a158508,89,11"

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Using the default values in R77, how many kernel instances will there be on a 16-core gateway?

A. 16

B. 8

C. 12

D. 14

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
How do you clear the connections table?

A. Run the command fw tab -t connections -x

B. In Gateway Properties > Optimizations click Clear connections table

C. Run the command fw tab -t conns -c

D. Run the command fw tab -t connections -c

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
In order to prevent outgoing NTP traffic from being hidden behind a Cluster IP you should?

A. Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <17, 123> }; and then push policy.

B. Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <17, 123> };.

C. Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <123, 17> }; and then push policy.

D. Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <123, 17> }.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Of the following answer choices, which best describes a possible effect of expanding the connections table?

A. Increased memory consumption

B. Decreased memory consumption

C. Increased connection duration

D. Decreased connection duration

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
Adam wants to find idle connections on his gateway. Which command would be best suited for viewing the connections table?

A. fw tab -t connections

B. fw tab -t connections -u -f

C. fw tab -t connections -x

D. fw tab -t connections -s

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
From the output of the following cphaprob -i list, what is the most likely cause of the clustering issue?

Cluster B> cphaprob -i list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: HA Initialization
Current state: OK

Device Name: Recovery Delay
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 3651.5 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: problem
Time since last report: 139 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 3651.9 sec

Device Name: cphad
Registration number: 3
Timeout: none
Current state: OK
Time since last report: 3696.5 sec

Device Name: fwd
Registration number: 4
Timeout: none
Current state: OK
Time since last report: 3696.5 sec

A. There is an interface down on Cluster A

B. There is a sync network issue between Cluster A and Cluster B

C. The routing table on Cluster B is different from Cluster A

D. Cluster B and Cluster A have different versions of policy installed.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Which command would a troubleshooter use to verify table connection info (peak, concurrent) and verify information about cluster synchronization state?

A. fw tab -t connections -s

B. fw ctl pstat

C. fw ctl multik stat

D. Show info all

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Which definition best describes the file table.def function? It is a placeholder for:

A. definitions of various kernel tables for Security Gateways.

B. definitions of various kernel tables for Management Servers.

C. user defined implied rules for Security Gateways.

D. user defined implied rules for Management Servers.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
Your customer receives an alert from their network operation center; they are seeing ARP and Ping scans of their network originating from the firewall. What could be the reason for the behaviour?

A. Check Point firewalls probe adjacent networking devices during normal operation.

B. IPS is disabled on the firewalls and there is a known OpenSSL vulnerability that allows a hacker to cause a network scan to originate from the firewall.

C. One or both of the firewalls in a cluster have stopped receiving CCP packets on an interface.

D. Check Point's Antibot blade performs anti-bot scans of the surrounding network.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
Your cluster member is showing a state of "Ready". Which of the following is NOT a reason one would expect for this behaviour?

A. One cluster member is configured for 32 bit and the other is configured for 64 bit

B. CoreXL is configured differently on the two machines

C. The firewall that is showing "Ready" has been upgraded but the other firewall has not yet been upgraded

D. Firewall policy has not yet been installed to the firewall

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
What would be a reason for changing the “Magic MAC”?

A. To allow for automatic upgrades.

B. To allow two or more cluster members to exist on the same network.

C. To allow two or more clusters to exist on the same network.

D. To allow the two cluster members to use the same virtual IP address.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
What are the kernel parameters that control “Magic MACs”?

A. fwha_magic_mac and fw_forward_magic_mac

B. fwha_mac_magic and fw_mac_forward_magic

C. cpha_mac_magic and cp_mac_forward_magic

D. cpha_magic_mac and cpha_mac_forward_magic

Correct Answer: B

Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
How many sync interfaces are supported on Check Point R77 GAiA?

A. 3

B. 4

C. 2

D. 1

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

Topic 4, VPN Troubleshooting

QUESTION 1
Which command displays compression/decompression statistics?

A. vpn ver -k

B. vpn compstat

C. vpn compreset

D. vpn crlview

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
What debug file would you check to see what IKE version is being used?

A. fwpnd.elg

B. vpn.txt

C. debug.txt

D. vpnd.elg

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
What file contains IKEv2 debug messages?

A. $FWDIR/log/ikev2

B. $FWDIR/log/ike.xml

C. $FWDIR/log/vpnd.elg

D. $FWDIR/log/ike.elg

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
What is the log file that shows the keep alive packets during the debug process?

A. $FWDIR/log/ikev2.xmll

B. $FWDIR/log/ike.xmll

C. $FWDIR/log/ike.elg

D. $FWDIR/log/vpnd.elg

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
What is the log file that shows the processes that participate in the tunnel initiation stage?

A. $FWDIR/log/ikev2.xmll

B. $FWDIR/log/ike.xmll

C. $FWDIR/log/vpnd.elg

D. $FWDIR/log/ike.elg

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Which program could you use to analyze Phase I and Phase II packet exchanges?

A. vpnView

B. Check PointView

C. IKEView

D. vpndebugView

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Check Point Best Practices suggest that when you finish a kernel debug, you should run the command _____________________ .

A. fw debug 0

B. fw debug off

C. fw ctl debug default

D. fw ctl debug 0

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Given the following IKEView output, what do we know about QuickMode Packet 1?

A. Packet 1 proposes a symmetrical key

B. Packet 1 proposes a subnet and host ID, an encryption and hash algorithm

C. Packet 1 Proposes SA life Type, Sa Life Duration, Authentication and Encapsulation Algorithm

D. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
You are attempting to establish a VPN tunnel between a Check Point gateway and a 3rd party vendor. When attempting to send traffic to the peer gateway it is failing. You look in SmartView Tracker and see that the failure is due to “Encryption failure: no response from peer”. After running a VPN debug on the problematic gateway, what is one of the files you would want to analyze?

A. $FWDIR/log/fw.log

B. $FWDIR/log/fwd.elg

C. $FWDIR/log/ike.elg

D. /var/log/fw_debug.txt

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
You want to run VPN debug that will generate both ike.elg and vpn.elg files. What is the best command that can be used to achieve this goal?

A. vpn debug ikeon

B. vpn debug on TDERR_ALL_ALL=5

C. vpn debug trunc

D. vpn debug trunc

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
In IKEView while troubleshooting a VPN issue between your gateway and a partner site you see an entry that states “Invalid ID”. Which of the following is the most likely cause?

A. IKEv1 is not supported by the peer.

B. Time is not matching between two members.

C. The encryption parameters (hash, encryption type, etc.) do not match.

D. Wrong subnets are being negotiated.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
While troubleshooting a VPN issue between your gateway and a partner site you see an entry in SmartView Tracker that states “Info: encryption failure: Different community ID: possible NAT problem”. Which of the following is the most likely cause?

A. You have an encryption method mismatch.

B. Implied rules in global properties such as ICMP and DNS are set to first instead of before last.

C. You have not created a specific rule allowing VPN traffic.

D. You have the wrong encryption domains configured.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
You are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log on your gateway that states “Clear text packet should be encrypted”. Which of the following would be the best troubleshooting step?

A. Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving the initiating (partner) gateway as clear text.

B. Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving local (your) gateway as clear text.

C. Your phase one algorithms are mismatched between gateways.

D. This is management traffic and we need to enable implied rule to address this issue.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
Your company has recently decided to allow remote access for clients. You find that no one is able to connect, although you are confident that your rule set and remote access community has been defined correctly. What is the most likely cause, based on the options below? You have the following debug file:

A. RDP is being blocked upstream.

B. You have selected IKEv2 only in Global Properties > Remote Access > VPN – Authentication and Encryption.

C. Remote access clients are all behind NAT devices.

D. Implied rule is not set to accept control connections.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
You are experiencing an issue where Endpoint Connect client connects successfully; however, it disconnects every 20 seconds. What is the most likely cause of this issue?

A. The Accept Remote Access control connections is not enabled in Global Properties > FireWall Implied Rules.

B. You have selected IKEv2 only in Global Properties > Remote Access > VPN – Authentication and Encryption.

C. You are not licensed for Endpoint Connect client.

D. Your remote access community is not configured.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
In a VPN configuration, the following mode can be used to increase throughput by bypassing firewall enforcement.

A. Virtual Tunnel Interface (VTI) Mode can bypass firewall for all encrypted traffic

B. Hub Mode can be used to bypass stateful inspection

C. There is no such mode that can bypass firewall enforcement

D. Wire mode can be used to bypass stateful inspection

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
When VPN user-based authentication fails, which of the following debug logs is essential to understanding the issue?

A. VPN-1 kernel debug logs

B. IKE.elg

C. Vpnd.elg

D. fw monitor trace

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
In Tracker you are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log that states “No proposal chosen”. What is the most likely cause?

A. There is a time mismatch

B. The peer machine is not accepting multicast packets

C. A mismatch in the settings between the two peers

D. Using IKEv1 when peer uses IKEv2

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
Which of the following is NEVER affected by incorrect OS time and date configuration?

A. VPN PSK authentication

B. VPN certificate authentication

C. SIC

D. Identity Awareness Kerberos authentication

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
In the process of troubleshooting traffic issues across a VPN tunnel, you notice on the output of fw monitor -e host(172.21.1.10), accept; that packets are going through the inbound chain (i > I) and then disappearing after the outbound chain (o > __), while you were expecting to see the packet leave on O. What could be causing this issue?

A. When packets are destined to leave through a VPN tunnel, it is encrypted and encapsulated in an ESP packet, and thus will not show up on a fw monitor.

B. It’s not showing up on the fw monitor because it is exiting the wrong interface

C. The packet is getting silently dropped because there is no route for the packet.

D. The gateway never completed the IKE and IPSec key exchange, and the tunnel does not exist yet.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

Topic 5, SecureXL Acceleration debugging

QUESTION 1
The command fwaccel stat displays what information?

A. Accelerator status, accept templates, drop templates

B. Accelerated packets, accept templates, dropped packets

C. Accelerator status, accelerated rules, drop templates

D. Accelerator status, CoreXL state, drop templates

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
When running a SecureXL debug how do you initialize the debug buffer to 32000?

A. fwaccel debug -buf 32000

B. fw ctl debug -buf 32000

C. sim debug -buf 32000

D. fwaccel dbg -buf 32000

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
What command can be used to get the following output?

A. fw ctl kdebug

B. fw monitor -e "accept;"

C. fwaccel conns

D. netstat -ni

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
What command would you use to determine if a particular connection is being accelerated by SecureXL?

A. fw tab -t connections -u

B. fw ctl kdebug

C. fwaccel stat

D. fwaccel conns

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
A new packet has arrived to a firewall's interface. The packet was compared with the connection table and there is no match. What process does the firewall start with that connection?

A. The packet will be then forwarded to the outbound interface for handling.

B. The new packet represents a new flow and requires a new connection table entry.

C. The packet will be rejected by the kernel firewall.

D. The packet will be forwarded to the firewall to apply the Security Policy.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
According to this Rule Base, templates will be created until which rule?

A. Rule 4

B. Rule 2

C. Rule 3

D. Rule 5

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
How to check the overall SecureXL statistics:

A. fwaccel on

B. fwaccel stat

C. cat /proc/ppk/statistics

D. fwaccel conns

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
When are rules that include identity awareness access roles accelerated through SecureXL?

A. Rules using Identity Awareness are always accelerated.

B. Only when ‘Unauthenticated Guests’ is included in the access role.

C. They have no bearing on whether the connection for the rule is accelerated.

D. Rules using Identity Awareness are never accelerated.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
What command shows the same information as fwaccel stats -l?

A. cat /proc/ppk/cpls

B. cat /proc/ppk/statistics

C. cphaprob -a hconf

D. fwaccell stats -s -u -k

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
In order to perform some connection troubleshooting, you run the command fw monitor -e accept dport = 443. You do NOT see the TCP ACK packet. Why is this?

A. The connection is encrypted.

B. The connection is NATted.

C. The connection is dropped.

D. The connection is accelerated.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
What is the corresponding connection template entered into the SecureXL connection table from the connection: “10.0.0.100:1024 > 216.239.59.59:80”

A. “10.0.0.100:1024 > 216.239.59.59:80”

B. “10.0.0.100:1024 > 216.239.59.59:*”

C. “10.0.0.100:* > 216.239.59.59:*”

D. “10.0.0.100:* > 216.239.59.59:80”

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
When are rules that include Identity Awareness Access (IDA) roles accelerated through SecureXL?

A. Only when ‘Unauthenticated Guests’ is included in the access role.

B. Never, the inclusion of an IDA role disables SecureXL.

C. The inclusion of an IDA role has no bearing on whether the connection for the rule is accelerated.

D. Always, the inclusion of an IDA role guarantees the connection for the rule is accelerated.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
In the policy below, which rule disables SecureXL?

A. 5

B. 1

C. 4

D. 3

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
When optimizing a customer firewall Rule Base, what is the BEST way to start the analysis?

A. With the command fwaccel stat followed by the command fwaccel stats.

B. At the top of the Rule Base.

C. Using the hit count column.

D. Using the Compliance Software Blade.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
What do the ‘F’ flags mean in the output of fwaccel conns?

A. Forward to firewall

B. Flag set for debug

C. Fast path packets

D. Flow established

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
What command should a firewall administrator use to begin debugging SecureXL?

A. fwaccel dbg api + verbose add

B. fwaccel debug -m <module name> <flag>

C. fwaccel dbg -m <module name> <flag>

D. SecureXL cannot be debugged and the kernel debug will give enough output to help the firewall administrator to understand the firewall's behaviour. The right command to use is fw ctl debug -m fw.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
A firewall administrator knows the details of the packet header for an already established connection going through a firewall. What command will show if SecureXL will accelerate that packet?

A. fw ctl zdebug + sxl error warning asm

B. fwaccel conns

C. fwaccel templates

D. fw tab -t connections -f | grep 'dest. port #' | grep 'source port #' | grep 'dest. IP address'

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
What is the command to check how many connections the firewall has detected for the SecureXL device?

A. fw tab -t connections -s

B. fw tab -t cphwd_db -s

C. fw tab -t connection -s | grep template

D. fwaccel conns

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
While troubleshooting high CPU usage on cores 3 and 4 on a cluster, you notice the following output of fwaccel stats -s:

What could be a possible cause of the high CPU usage?

A. Connections are being partially accelerated by SecureXL, but too many packets are still being processed by the firewall kernel.

B. The Secure Network Dispatcher (SND) is having to process too much inbound traffic from the NICs.

C. Connections are not being accelerated by SecureXL, and all packets are being forwarded to firewall kernel instances for inspection.

D. The Secure Network Dispatcher (SND) is working too hard to distribute the traffic to the acceleration layer.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
Which of the following statements are TRUE about SecureXL?

I. SecureXL is able to accelerate all connections through the firewall.
II. Medium path acceleration will still cause some CPU utilization of CoreXL cores.
III. F2F connections represent “forwarded to firewall” connections that are not accelerated and fully processed through the firewall kernel.
IV. Packets going through SecureXL must be inspected by the firewall kernel before being accelerated.

A. II and III

B. I, II, and III

C. III and IV

D. I and IV

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

Topic 6, Hardware Optimization

QUESTION 1
From which version can you add Proxy ARP entries through the GAiA portal?

A. R77.10

B. R77

C. R75.40

D. R76

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
What happens to manual changes in the file $FWDIR/conf/local.arp when adding Proxy ARP entries through the GAiA portal or Clish?

A. Nothing.

B. If the file $FWDIR/conf/local.arp has been edited manually, you are not able to add Proxy ARP entries through the GAiA portal or Clish.

C. They are merged with the new entries added from the GAiA Portal / Clish.

D. They are overwritten.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
You are analyzing your firewall logs, /var/log/messages, and repeatedly see the following kernel message:

'kernel: neighbor table overflow'

What is the cause?

A. ARP cache overflow

B. OSPF neighbor down

C. Nothing, you can disregard it.

D. Cluster member table overflow

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
The 'Maximum Entries' value in the GAiA Portal corresponds to the 'gc_thresh3' parameter in the Linux kernel and has value of 1024. Knowing this, you know that gc_thresh2 and gc_thresh1 are automatically set to the values:

A. gc_thresh2=256 and gc_thresh1=128

B. gc_thresh2=512 and gc_thresh1=256

C. gc_thresh2=1024 and gc_thresh1=1024

D. gc_thresh1=256 and gc_thresh2=128

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
Your ARP cache is overflowing, negatively impacting users' experience on your network. Which command can you issue to increase the ARP cache on the fly? You do not need this to survive reboot.

A. Modify the /etc/sysctl.conf: net.ipv4.neigh.default.gc_thresh3 = 1024.

B. echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

C. arp cache table > 1024

D. You cannot increase the size of the ARP cache on the fly.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Which command will NOT display information related to memory usage?

A. free

B. fw ctl pstat

C. cat /proc/meminfo

D. memoryinfo.conf

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
What does the command fwaccel templates do?

A. Starts firewall acceleration after fwaccel off was run or SecureXL was enabled by using the command cpconfig.

B. That SecureXL has been enabled in the cpconfig command menu.

C. Shows templates existing in the SecureXL device. This is so that an administrator can look for the template that matches the specific traffic.

D. The Rule Base mapping between actual rules and the template built up in Layer 2.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Running the command fw ctl pstat -l would return what information?

A. Additional hmem details

B. General Security Gateway statistics

C. Additional kmem details

D. Additional smem details

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
You have a user-defined SMTP trap configured to send an alert to your mail server, and you also have SmartView Monitor configured to trigger the alert whenever policy is pushed to your gateway. However, you are not getting any mails even when you test for pushing policy. What process should you troubleshoot on the Management Server?

A. fwd

B. fwm

C. cpwd_admin

D. cpstat_monitor

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
What command, other than fw ctl pstat, will display your peak concurrent connections?

A. fw ctl get int fw_peak_connections

B. netstat -ni

C. fw tab -t connections -s

D. top

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Which of the following is a valid synchronization status as an output to fw ctl pstat?

A. Unable to receive sync packets

B. Sync member down

C. Synchronized

D. Communicating

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
You are running some diagnostics on your GAIA gateway. You are reviewing the number of fragmented packets; you notice that there are a lot of large and duplicate packets. Which command did you issue to get this information?

A. sysconfig

B. fw ctl pstat

C. fw ctl get int fw_frag_stats

D. cat /proc/cpuinfo

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Your company has grown significantly over the past few months. You are seeing that new connections are being dropped but note that the connections table is not full. You suspect that the kernel memory allocated to the firewall has reached its full capacity. To check the “Machine Capacity Summary” statistics, you use command:

A. ps -aux

B. top

C. cat /proc/net/capacity

D. fw ctl pstat

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
C6O4 - Hardware Optimization

QUESTION 14
Under which scenario would you most likely consider the use of Multi-Queue?

A. When IPS is heavily used.

B. When most of the traffic is accelerated.

C. When most of the processing is done in CoreXL.

D. When trying to increase session rate.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
If you need to use a Domain object in the Rule Base, where should this rule be located?

A. No higher than the 2nd rule.

B. The first rule in the Rule Base.

C. The last rule before the clean up rule.

D. The last rule after the clean up rule.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
What will be the outcome if you set the kernel parameters cphwd_nat_templates_enabled and cphwd_nat_templates_support?

A. This would enable Hide NAT support.

B. These parameters are mutually exclusive and cannot be used at the same time.

C. This would enable SecureXL NAT templates.

D. These are not valid parameters.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
You are finding that some users are complaining about slow connection speed. You would like to review a summary of your connections, including which connections are accelerated and those that are not. What command could you use?

A. fw ctl pstat

B. fwaccel perf

C. fw tab -t connections -s

D. fwaccel stats -s

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
You want to verify that the majority of your connections are being optimized by SecureXL. What command would you run to establish this information?

A. fw ctl pstat

B. fw tab -t connections -s

C. fwaccel conns -s

D. sim_dbg -s

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
What is the difference between “connection establishment acceleration” (templating) and “traffic acceleration”?

A. These are the same technologies with different names.

B. “Connection establishment acceleration” only accelerates a single connection, while “traffic acceleration” accelerates similar traffic.

C. “Traffic acceleration” is accelerated through hardware, and “connection establishment acceleration” is accelerated in software.

D. “Traffic acceleration” only accelerates a single connection, while “connection establishment acceleration” accelerates similar traffic.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
What type of connections cannot be templated?

A. Any connections that contain Hide NAT

B. Complex connections such as FTP, H323, SQL, etc.

C. UDP because it is not connection oriented

D. TCP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

Topic 7, Software Tuning

QUESTION 1
How would you determine the value of 'Maximum concurrent connections' of the NAT Table?

A. fwx_alloc

B. fwx_max_conns

C. fwx_auth

D. objects_5_0.C

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
What does “cphwd_nat_templates_enabled=1” do when entered into fwkern.conf?

A. Disables NAT templates when SecureXL is turned on.

B. Enables NAT templates when SecureXL is turned on.

C. Enables NAT templates at all times.

D. Disables NAT templates at all times.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
You are a system administrator and you are working with Support. Support asked you to enable kernel core dumps on the files. You are unsure if this has already been set. You run the command chkconfig -list kdump. Does the screen capture tell you if kernel dumps are enabled on this gateway?

A. There is not enough information to determine if kernel core files will be generated.

B. Yes kernel dump has been enabled and kernel files should be captured.

C. Kdump has nothing to do with kernel core file generation.

D. All values should be set to “on”. A kernel core dump will not be created.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
When a cluster member is completely powered down, how will the other member identify if there is network connectivity?

A. The working member will ARP for the default gateway.

B. The working member will look for replies to traffic sent from internal hosts.

C. The working member will automatically assume connectivity.

D. The working member will Ping IPs in the subnet until it gets a response.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
If the number of Firewall Workers for CoreXL is set higher on one member of a cluster than the other, the cluster will be in what state?

A. Active/Standby

B. Active/Ready

C. Active Attention/Down

D. Active/Down

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
What is one way to check cluster status on two gateways running in HA mode?

A. show cluster

B. cphaprob stat

C. cp ha prob stat

D. show cluster ha status

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Which command displays FireWall internal statistics about memory and traffic?

A. fw getifs

B. cpstat os -f memory

C. fw ctl pstat

D. cpstat os -f cpu

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
To check what is currently set in the Firewall kernel debug input the command:

A. fw ctl multistate

B. fw ctl debug -x

C. fw ctl pstat

D. fw ctl debug

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Misha is working on a stand-by firewall and deletes the connections table in error. He finds that now the table is out of sync with the Active member. To get them completely synced again, Misha should run the command pair ____________ and __________ .

A. fw ctl sync stop, fw ctl sync start

B. fw ctl setsync off, fw ctl setsync start

C. fw ctl setsync stop, fw ctl setsync on

D. fw ctl setsync off, fw ctl setsync on

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
In a ClusterXL cluster with delayed synchronization, which of the following is not true?

A. The length of time for the delay can be edited.

B. It applies only to TCP services whose Protocol Type is set to HTTP or None.

C. Delayed Synchronization is disabled if the Track option in the rule is set to Log or Account.

D. Delayed Synchronization is performed only for connections matching a SecureXL Connection Template.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

Topic 8, Enable CoreXL

QUESTION 1
The CoreXL software architecture includes the Secure Network Dispatcher (SND). One of the responsibilities of SND is to:

A. Distribute non-accelerated packets among kernel instances

B. Dispatch the packet securely through the VPN link

C. Processing outgoing traffic from the network interfaces

D. Dispatch the packet securely through the physical link

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
What command verifies which core each gateway interface and firewall instance is currently running on?

A. fw ctl pstat

B. fw accel stat

C. show corexl stat

D. fw ctl affinity -l

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
A Security Administrator wants to increase the amount of processing cores on a Check Point Security Gateway. He starts by increasing the number of cores; however, the number of kernel instances remains the same. What is the correct process to increase the number of kernel instances?

A. Cpconfig- Enable Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-cprestart

B. Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-reboot

C. Cpconfig- Enable Check Point ClusterXL- Change the number of firewall instances-define how many firewall instances to enable-reboot

D. Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-cpstop,cpstart

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
What command displays the Connections Table for a specified CoreXL firewall instance?

A. fw tab -t connections -s

B. fw -i FW_INSTANCE_ID tab -t connections [flags]

C. fw tab -t connection | grep fw<FW_INSTANCE_ID>

D. fw tab -t connections

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
Why would you not see a CoreXL configuration option in cpconfig?

A. The gateway only has one processor core.

B. CoreXL is not enabled in the gateway object.

C. CoreXL is not licensed.

D. CoreXL is disabled via policy.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
CoreXL on IPSO R77.20 does NOT support which of the following features?

A. Check Point QoS

B. IPv6

C. Overlapping NAT

D. Route-based VPN

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
When troubleshooting a performance problem on a multicore firewall that is using CoreXL, what command checks the number of connections each core is processing?

A. sim affinity -l

B. cat fwkern.conf

C. fw CTL pstat

D. fw ctl multik stat

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
What command would you use to check if CoreXL is enabled?

A. fw ctl multik stat

B. cpconfig

C. fw ctl affinity -1

D. fw ctl pstat

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Which command will allow you to change firewall affinity and survive a reboot with no further modification?

A. fw ctl affinity -s

B. sim affinity -l

C. fw affinity -l

D. sim affinity -s

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
You are at a customer site, and when you run cphaprob stat you are not seeing a normal ClusterXL Health. What command could you run to verify that the number of cores is not matched on both cluster members?

A. cpconfig

B. cphaprob -a if

C. fw ctl multik stat

D. cphaprob stat

Correct Answer: C

Section: (none)
Explanation

Explanation/Reference:

Topic 9, IPS

QUESTION 1
When performing a Clean IPS procedure to resolve a corrupt IPS files issue, what file is modified in order for the SDUU process to automatically update the IPS files after completing the procedure?

A. asm.C

B. inspect.C

C. objects_5_0.C

D. profiles.C

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
How would one enable ‘INSPECT debugging’ if one suspects IPS false positives?

A. Run command fw ctl set int enable_inspect_debug 1 from the command line.

B. Toggle the checkbox in Global Properties > Firewalls > Inspection section.

C. WebUI

D. Set the following parameter to true using GuiDBedit: enable_inspect_debug_compilation.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
You have configured IPS on your network; you find you are being overwhelmed with what you believe are false positives. You investigated this traffic and confirmed they are false positives. What can you do to stop these IPS alerts?

A. Right click the alert and “ignore”

B. Disable the IPS protection for this network

C. Use a SAM rule to categorize this traffic

D. Add an exception for this traffic under the IPS protection

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
You have spent time configuring the IPS profile on your primary gateway firewall. You want to ensure that this profile can be applied to all gateway firewalls in your environment. How can you share this information between firewalls?

A. From the command line, run: ips_export <profile-name> [-o <export-file-name>] [-p <ip>].

B. IPS profiles must be manually configured on each gateway.

C. From the Smart Dashboard IPS tab select export IPS profiles and select the gateway to send this export to.

D. From the command line, run: ips_export_import export <profile-name> [-o <export-file-name>] [-p <ip>].

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
SNORT is a popular open source IDS. You would like to import SNORT rules from plain text into Check Point Smart Center. How can you accomplish this?

A. Under the IPS tree Protections > By Protocol > IPS Software Blade > Application Intelligence > SNORT import and select the SNORT import option.

B. IPS profiles must be manually configured on each gateway.

C. Check Point does not support third party signatures.

D. From the command line, run: ips_export_import import <SNORTprofilename> -f <file-name> [-p <ip>].

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
You would like to import SNORT rules but to comply with corporate policy you need to test the conversion prior to import. How can you do this?

A. You must manually review each signature.

B. SnortConvertor update -f <inputfile> --dry-run

C. Check Point does not support third party signatures.

D. Under the IPS tree Protections > By Protocol > IPS Software Blade > Application Intelligence > SNORT import and select the SNORT import option.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
You have just taken over as a firewall administrator. Your company is using Geo Protections on your gateway, but you want to verify that the protections are up-to-date. How can you see when these were updated?

A. In the IPS tree Protections > Select Check for Update.

B. Check asm_update_version_geo in GuiDBedit.

C. In the IPS tree Protections > Geo Protections and check the profile name which is mm/dd/yy.

D. Check the time stamp of $FWDIR/tmp/geo_location_tmp/updates/IpToCountry.csv.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
What would be considered Best Practice to determine which IPS protections you can safely disable for your environment?

A. You should use vulnerability tools to perform an assessment of your environment.

B. Work through turning on each protection to see which signatures get alerts.

C. You should set all protections to “Detect”.

D. You should not disable any IPS protections.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
You are troubleshooting an issue for your HR team. One of the users is using IP 10.10.10.24. They have been trying to access the vacation servers but all connections are failing. You have checked the logs and do not see any dropped traffic. You have a suspicion that the drop is not being logged. What command could you use to confirm this?

A. fw -t connections -s

B. fw ctl zdebug + log dynlog

C. You cannot run a command for this; you must enable logging on all rules

D. fw ctl pstat host 10.10.10.24

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
C9O3 - IPS

QUESTION 10
Your Customer would like to enable IPS in his Corporate Cluster, but he is concerned about high CPU usage because of the IPS inspection. What feature would you configure to disable inspection if a high CPU usage develops?

A. It is not possible. In this case, do not enable IPS.

B. Bypass Under Load. (In IPS Option on Gateway Properties)

C. Bypass Inspection. (In IPS Option on Gateway Properties)

D. Disable Inspection. (In IPS Option on Gateway Properties)

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Where do you run the command get_ips_statistics.sh from?

A. $FWDIR/conf on the Management Server

B. $FWDIR/scripts on the Management Server

C. $FWDIR/conf on the gateway

D. $FWDIR/scripts on the gateway

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Of the following, which is NOT a kernel parameter relating to the IPS “Bypass Under Load” settings?

A. ids_timeout

B. ids_tolerance_no_stress

C. ids_assume_stress

D. ids_limit_stress

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
“If the machine is under stress, we do not want to leave the stress condition due to a single measurement (which could be an anomaly), but rather wait for a given length of time, before changing the condition.” …describes which of the following “Bypass under Load” setting kernel parameters?

A. ids_assume_stress

B. ide_tolerance_no_stress

C. ids_tolerance_stress

D. ids_timeout

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
You have created a number of profiles and activated the relevant protections. Afterwards, you decide that the ‘Enterprise gateway’ should allow instant messaging. The current profile enabled for Enterprise gateway blocks instant messaging. The profile for the Enterprise gateway is currently being used on the Voyager gateway and the Bird of Prey gateway. What is the best process for making this change on the Enterprise gateway only?

A. Create an exception for the Enterprise gateway

B. Create a rule allowing that traffic and install it on the Enterprise gateway

C. Create a new profile and apply to the Enterprise gateway

D. Edit the existing profile

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
What steps can be taken if IPS is causing a High Performance Impact?

A. Consider activating the "Bypass under Load" IPS setting on the gateway

B. Check your IPS configuration assigned to this gateway and deactivate protections with critical or high performance impact

C. Determine if different or custom IPS profiles are better suited for different gateways in your organization

D. All options listed

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

Topic 10, IPV6

QUESTION 1
Which of the following is true about Node / Host objects?

A. A Node / Host object can either have IPv4 or IPv6 IP address or have both.

B. A Node / Host object can either have IPv4 or IPv6 IP address but not have both. Separate objects need to be created for hosts that use dual stack.

C. A Node / Host object can only have IPv4 IP address. For IPv6, a Node / Host6 object must be used.

D. Node / Host object does not support IPv6, hence a Network object must be created for IPv6.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Which of these commands can be used to display the IPv6 routes?

A. show route

B. show ipv6 route

C. show routes all

D. show route ipv6

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
Which of these commands can be used to display the IPv6 status?

A. show ipv6-stat

B. show ipv6 all

C. show ipv6 status

D. show ipv6-status

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
You enabled IPv6 in your environment and would like to erase all IPv6 connection tables. How can you do it?

A. fw tab -t connections -x

B. fw tab -t connections6 -x

C. clear connections table ipv6

D. fw6 tab -t connections -x

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
What is the length of an IPv6 address?

A. 128 Bytes

B. 54 bits

C. 128 bits

D. 6 Bytes

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
In a ClusterXL that uses IPV6 Address, how do you configure the sync interface?

A. You must configure synchronization interfaces with an IPv4 address only.

B. If an interface does not require IPv6, only the IPv4 definition address is necessary.

C. All interfaces configured with an IPv6 address must also have a corresponding IPv4 address.

D. You must configure synchronization interfaces with an IPv6 address only.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
What command allows you to monitor IPV6 packets in the kernel module?

A. ip -6 neigh show

B. ip -6 addr show

C. tcpdump -nni eth<n> ip6

D. fw6 monitor

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
True or False: It is possible to operate a Security Gateway entirely with IPv6 addressing.

A. True: All IPv4 features are supported in IPv6

B. True: Management can occur over IPv4 or IPv6 thus all gateways can have interfaces configured with valid IP addresses of either type

C. False: There are many common IPv4 features that are not supported in IPv6

D. False: Management only occurs over IPv4 thus all gateways are required to have interfaces configured with valid IPv4 addresses

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
What VSX components do not support IPv6 in R77 VSX mode?

A. VSX mode does not support IPv6

B. All devices support IPv6

C. Virtual Systems

D. Virtual Routers

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
A system administrator wants to convert an IPv6 gateway from a standard gateway into a gateway running VSX mode. What does he need to consider?

A. It is not possible to convert a gateway with IPv6 enabled to VSX mode.

B. There needs to be proper IPv6 routing setup.

C. At least two interfaces need to be configured with IPv6.

D. Policy needs to be properly applied to the gateway before converting the system to VSX mode.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
How do you enable IPv6 support on a R77 gateway running the GAiA OS?

A. IPv6 is enabled by default.

B. Under WebUI go to System Management > System Configuration, turn on IPv6 Support, click apply and reboot.

C. Enable the IPv6 Software Blade for the gateway in Smart Dashboard.

D. Run the IPv6 script $FWDIR/scripts/fwipv6_enable and reboot.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
How do you disable IPv6 on an IPSO gateway?

A. Run $FWDIR/scripts/fwipv6_enable off and reboot.

B. Remove the IPv6 license from the gateway.

C. You cannot disable IPv6.

D. In IPSO go to System Management > System Configuration, set IPv6 Support to off, and click Apply.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

Topic 11, Advanced VPN

QUESTION 1
Where do you configure the file user.def to change the encryption domain of the Security Gateway?

A. Management Server

B. Endpoint Client

C. Security Gateway

D. interoperable device

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Which technology is not supported with route-based VPNs?

A. Unnumbered VTI

B. Numbered VTI

C. IKEv2

D. OSPF

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
Which feature is not supported with unnumbered VTI?

A. Proxy interfaces

B. High availability

C. Policy based routing

D. Anti-spoofing

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
In the gateway object, under topology you select the “Get All Members Interfaces with Topology” option and your newly configured unnumbered VTIs are not populated. Why is this information missing?

A. VTI information on unnumbered interfaces should appear, so there is an issue with your configuration.

B. VTI information on unnumbered interfaces is not required information for the VPN to work.

C. VTI information on unnumbered interfaces needs to be entered manually.

D. In order to fetch VTI information on unnumbered interfaces you must add an explicit rule to the policy.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
What operating systems support unnumbered VTIs?

A. GAIA and Secure Platform

B. Solaris and IPSO

C. GAIA and IPSO

D. Secure Platform and IPSO

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
You would like to configure unnumbered VTIs and your environment uses load sharing clustering. Would this clustering technology be supported by your unnumbered VTIs?

A. No, unnumbered VTIs only support VRRP HA active-passive mode.

B. Yes, unnumbered VTIs only support clustering load sharing.

C. Yes, all HA modes are supported.

D. No, unnumbered VTIs do not support any HA modes.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
You are configuring dynamic routing on Secure Platform. As the administrator, you run the command pro enable and reboot. You are confident that your configuration has been done correctly. When you check, you find the dynamic routing daemon has not started. What is the likely cause of this issue?

A. Secure Platform does not support dynamic routing.

B. You need to apply the license and push the policy.

C. Dynamic routing needs to be enabled in cpconfig.

D. You must push the policy after your reboot.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
What is the prefix name for the interface when creating an unnumbered VTI in GAIA?

A. VTii

B. tun

C. vpnt

D. VTI

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Where would an administrator set an email alert for a specific permanent VPN tunnel?

A. Edit the file vpnconf.

B. Run sysconfig.

C. In the Tunnel Properties select Mail Alert.

D. You can only enable logging or SNMP traps.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
C11O2 - Advanced VPN

QUESTION 10
Which of these dynamic route protocols CANNOT be used along with VTI (VPN Tunnel Interface)?

A. OSPFR

B. IGRP

C. IPv1

D. BGP4

Correct Answer: B

Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
When configuring a Numbered VPN-Tunnel, what parameters are necessary?

A. VPN Tunnel ID, Local Address, Remote Address

B. Peer, Local Address, Remote Address

C. VPN Tunnel ID, Peer, Local Address, Remote Address

D. VPN Tunnel ID, Peer, Physical Device

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
In the current release of Check Point R77, what is a potential performance-related drawback to using Virtual Tunnel Interfaces (VTI) rather than Domain-based VPNs?

A. Use of VTIs will disable CoreXL and therefore will negatively impact hardware platforms running more than one CPU core.

B. Dynamic routing protocols will work across a domain-based VPN, but will not work across a VTI.

C. Use of VTIs will disable the entire SecureXL mechanism and prevent any traffic acceleration.

D. Domain-based VPNs are easier to configure than VTIs and therefore are the preferred implementation.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
What type(s) of VTI interfaces do Edge gateways support?

A. Both numbered and unnumbered

B. Unnumbered interfaces

C. Numbered interfaces

D. Neither numbered nor unnumbered

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
You are configuring a VTI in a clustered environment. Which of the following must be TRUE?

A. Every interface on each member requires a unique IP address.

B. Each member must have the same source IP address.

C. You do not need to have cluster IP addresses.

D. You cannot set up a VTI in a clustered environment.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
You are configuring VTIs in a clustered environment. On Peer A the VTI name is VT_Cluster_GWA and on Peer B the VTI name is VT_Cluster_GWB. You find that the route-based tunnel is not coming up. What could be the cause?

A. The names for your peers have been reversed.

B. You have not issued the “vpn write config” command.

C. You have not licensed your gateways for VTIs.

D. All VTIs going to the same remote peer must have the same name.

Correct Answer: D

Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
What are the common Best Practices for configuring QoS over a route-based VPN?

A. IKE traffic must have a minimum Guarantee of 50% of the external interface throughput.

B. QoS is not supported.

C. Ensure the VTI is numbered.

D. Ensure the VTI is unnumbered.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
Where do you configure VTIs on your R77 gateway in VSX mode?

A. VTIs are configured in each VS context.

B. VTIs are configured in VS0 context.

C. VTIs are not supported in VSX mode.

D. VTIs are configured in SmartDashboard.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
C11O3-5 - Advanced VPN

QUESTION 18
Which Dynamic Routing Protocols are supported in GAiA in a Route-based VPN configuration?

A. OSPF, BGP

B. OSPF

C. OSPF, BGP, RIPv2

D. OSPF, BGP, RIPv1, RIPv2

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
Jane wants to create a VPN using OSPF. Which VPN configuration would you recommend she use?

A. Site-to-site VPN

B. Domain-based VPN

C. Route-based VPN

D. Remote-access VPN

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
Which routing protocols are not supported with GAIA OS running VTIs?

A. RIPv1; RIPv2

B. BGP

C. Static routes

D. OSPF

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
In Wire mode, if a packet reaches the gateway from a trusted source and is destined to a trusted destination, will the firewall do stateful inspection?

A. No, but IPS inspection will still be enforced.

B. Yes, the Firewall always performs stateful inspection.

C. Yes, but only if SecureXL is disabled.

D. No

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
What considerations are required when configuring IPV6 with Wire mode?

A. IPv6 in Wire mode is only supported in R77.

B. IPV6 must be configured on both end points.

C. IPV6 is not supported in Wire mode.

D. You must use internal IPv6 addressing space to use Wire mode.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
Which operating systems support Wire mode?

A. SecurePlatform and GAIA

B. Solaris and SecurePlatform

C. IPSO and SecurePlatform

D. IPSO and GAIA

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
Where can you configure Wire mode?

A. In the gateway object in “Stateful Inspection”

B. In the VPN community in “Advanced Settings”

C. In cpconfig

D. In Global Properties

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
Where can you configure Wire mode?

A. In Global properties

B. In the gateway object on the “IPSec VPN” > “VPN Advanced” page

C. In sysconfig

D. In CLISH

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
