checkpoint.actualtests.156-115.77.v2018-06-28.by.margaret… · 28/06/2018 · ...


Post on 18-Aug-2020


https://www.gratisexam.com/

156-115.77.exam.176q

Number: 156-115.77

Passing Score: 800

Time Limit: 120 min

156-115.77

Check Point Certified Security Master

NAT

QUESTION 1

You are attempting to establish an FTP session between your computer and a remote server, but it is not being completed successfully. You think the issue may be due to IPS. Viewing SmartView Tracker shows no drops. How would you confirm if the traffic is actually being dropped by the gateway?

A. Search the connections table for that connection.

B. Run a fw monitor packet capture on the gateway.

C. Look in SmartView Monitor for that connection to see why it’s being dropped.

D. Run fw ctl zdebug drop on the gateway.

Correct Answer: D

Section: (none)

QUESTION 2

The fw tab -t ___________ command displays the NAT table.

A. loglist

B. tablist

C. fwx_alloc

D. conns

Correct Answer: C

Section: (none)

QUESTION 3

While troubleshooting a DHCP relay issue, you run a fw ctl zdebug drop and see the following output:

;[cpu_1];[fw_0];fw_log_drop: Packet proto=17 10.216.14.108:67 > 172.31.2.1:67 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed;

Where 10.216.14.108 is the IP address of the DHCP server and 172.31.2.1 is the VIP of the Cluster. What is the most likely cause of this drop?

A. An inbound collision due to a connections table check on pre-existing connections.

B. An outbound collision due to a Rule Base check, and dropped by incorrectly configuring DHCP in the firewall policy.

C. A link collision due to more than one NAT symbolic link being created for outgoing connections to the DHCP server.

D. A link collision due to more than one NAT symbolic link being created for connections returning from the DHCP server back to the VIP of the Cluster.

Correct Answer: D

Section: (none)

QUESTION 4

You are trying to troubleshoot a NAT issue on your network, and you use a kernel debug to verify a connection is correctly translated to its NAT address. What flags should you use for the kernel debug?

A. fw ctl debug -m fw + conn drop nat vm xlate xltrc

B. fw ctl debug -m fw + conn drop ld

C. fw ctl debug -m nat + conn drop nat xlate xltrc

D. fw ctl debug -m nat + conn drop fw xlate xltrc

Correct Answer: A

Section: (none)

QUESTION 5

Since switching your network to ISP redundancy you find that your outgoing static NAT connections are failing. You use the command _________ to debug the issue.

A. fwaccel stats misp

B. fw ctl pstat

C. fw ctl debug -m fw + nat drop

D. fw tab -t fwx_alloc -x

Correct Answer: C

Section: (none)

QUESTION 6

Remote VPN clients can initiate connections with internal hosts, but internal hosts are unable to initiate connections with the remote VPN clients, even though the policy is configured to allow it. You think that this is caused by NAT. What command can you run to see if NAT is occurring on a packet?

A. fw tab -t fwx_alloc -x

B. fw ctl pstat

C. fwaccel stats misp

D. fw ctl debug -m fw + conn drop packet xlate xltrc nat

Correct Answer: D

Section: (none)

QUESTION 7

Where in a fw monitor output would you see source address translation occur in cases of automatic Hide NAT?

A. Between the “I” and “o”

B. Hide NAT does not adjust the source IP

C. Between the “o” and “O”

D. Between the “i” and “I”

Correct Answer: C

Section: (none)

QUESTION 8

Where in a fw monitor output would you see destination address translation occur in cases of inbound automatic static NAT?

A. Static NAT does not adjust the destination IP

B. Between the “i” and “I”

C. Between the “I” and “o”

D. Between the “o” and “O”

Correct Answer: B

Section: (none)

QUESTION 9

Which flag in the fw monitor command is used to print the position of the kernel chain?

A. -all

B. -k

C. -c

D. -p

Correct Answer: D

Section: (none)

QUESTION 10

Server A is subject to automatic static NAT and also resides on a network which is subject to automatic Hide NAT. With regard to address translation, what will happen when Server A initiates outbound communication?

A. This will cause a policy verification error.

B. This is called hairpin NAT, the traffic will return to the server.

C. The static NAT will take precedence.

D. The Hide NAT will take precedence.

Correct Answer: C

Section: (none)

QUESTION 11

In your SecurePlatform configuration you need to set up a manual static NAT entry. After creating the proper NAT rule what step needs to be completed?

A. Edit or create the file local.arp.

B. No further actions are required.

C. Edit or create the file discntd.if.

D. Edit the file netconf.conf.

Correct Answer: A

Section: (none)

QUESTION 12

How do you set up Port Address Translation?

A. Since Hide NAT changes to random high ports it is by definition PAT (Port Address Translation).

B. Create a manual NAT rule and specify the source and destination ports.

C. Edit the service in SmartDashboard, click on the NAT tab and specify the translated port.

D. Port Address Translation is not supported in Check Point environment

Correct Answer: B

Section: (none)

QUESTION 13

You have set up a manual NAT rule, however fw monitor shows you that the device still uses the automatic Hide NAT rule. How should you correct this?

A. Move your manual NAT rule above the automatic NAT rule.

B. In Global Properties > NAT ensure that server side NAT is enabled.

C. Set the following fwx_alloc_man kernel parameter to 1.

D. In Global Properties > NAT ensure that Merge Automatic to Manual NAT is selected.

Correct Answer: A

Section: (none)

QUESTION 14

Since R76 GAiA, what is the method for configuring proxy ARP entries for manual NAT rules?

A. WebUI or add proxy ARP ... commands via CLISH

B. SmartView Tracker

C. local.arp file

D. SmartDashboard

Correct Answer: A

Section: (none)

QUESTION 15

Tom is troubleshooting NAT issues using fw monitor and Wireshark. He tries to initiate a connection from the external network to a DMZ server using the public IP which the firewall translates to the actual IP of the server. He analyzes the captured packets using Wireshark and observes that the destination IP is being changed as required by the firewall but does not see the packet leave the external interface. What could be the reason?

A. The translation might be happening on the client side and the packet is being routed by the OS back to the external interface.

B. The translation might be happening on the server side and the packet is being routed by OS back to the external interface.

C. Packet is dropped by the firewall.

D. After the translation, the packet is dropped by the Anti-Spoofing Protection.

Correct Answer: B

Section: (none)

QUESTION 16

Tom has a Web server for which he has created a manual NAT rule. The rule is not working. He tries to initiate a connection from the external network to a DMZ server using the public IP which the firewall translates to the actual IP of the server. He analyzes the captured packets using Wireshark and observes that the destination IP is being changed as required by the firewall but does not see the packet leave the internal interface. Which box in Global Properties should be checked?

A. Automatic NAT rules > Allow bi-directional NAT

B. Automatic NAT rules > Automatic ARP Configuration

C. Automatic NAT rules > Translate destination on client side

D. Manual NAT rules > Translate destination on client side

Correct Answer: D

Section: (none)

QUESTION 17

Which FW-1 kernel flags should be used to properly debug and troubleshoot NAT issues?

A. nat, route, conn, fwd, zeco, err

B. nat, xlate, fwd, vm, ld, chain

C. nat, xltrc, xlate, drop, conn, vm

D. nat, drop, conn, xlate, filter, ioctl

Correct Answer: C

Section: (none)

QUESTION 18

Which file should be edited to modify ClusterXL VIP Hide NAT rules, and where?

A. $FWDIR/lib/base.def on the cluster members

B. $FWDIR/lib/table.def on the SMC

C. $FWDIR/lib/table.def on the cluster members

D. $FWDIR/lib/base.def on the SMC

Correct Answer: B

Section: (none)

QUESTION 19

When viewing a NAT table, what represents the second hexadecimal number of the 6-tuple:

A. Source port

B. Protocol

C. Source IP

D. Destination port

Correct Answer: C

Section: (none)

QUESTION 20

By default, the size of the fwx_alloc table is:

A. 65535

B. 65536

C. 25000


D. 1024

Correct Answer: C

Section: (none)

ClusterXL

QUESTION 1

With the default ClusterXL settings, what will be the state of an active gateway upon using the command ClusterXL_admin up?

A. Ready

B. Down

C. Standby

D. Active

Correct Answer: C

Section: (none)

QUESTION 2

Which command should you use to stop kernel module debugging (excluding SecureXL)?

A. fw ctl debug 0

B. fw ctl zdebug - all

C. fw debug fwd off; vpn debug off

D. fw debug fwd off

Correct Answer: A

Section: (none)

QUESTION 3

Which command should you run to debug the VPN-1 kernel module?

A. fw debug vpn on

B. vpn debug on TDERROR_ALL_ALL=5

C. fw ctl zdebug crypt kbuf

D. fw ctl debug -m VPN all

Correct Answer: D

Section: (none)

QUESTION 4

Which command can be used to see all active modules on the Security Gateway:

A. fw ctl zdebug drop

B. fw ctl debug -h

C. fw ctl chain

D. fw ctl debug -m

Correct Answer: C

Section: (none)

QUESTION 5

In some situations, switches may not play nicely with a Check Point Cluster and it is necessary to change from multicast to broadcast. What command should you invoke to correct the issue?

A. set ccp broadcast

B. cphaconf set_ccp broadcast

C. cpha_conf set ccp broadcast

D. This can only be changed via GuiDbEdit.

Correct Answer: B

Section: (none)

QUESTION 6

Which of the following commands shows the high watermark threshold for triggering the cluster under load mechanism in R77?

A. fw ctl get int fwha_cul_mechanism_enable

B. fw ctl get int fwha_cul_cluster_short_timeout

C. fw ctl get int fwha_cul_member_cpu_load_limit

D. fw ctl get int fwha_cul_policy_freeze_event_timeout_millisec

Correct Answer: C

Section: (none)

QUESTION 7

What mechanism solves asymmetric routing issues in a load sharing cluster?

A. Flush and ACK

B. Stateful Inspection

C. SYN Defender

D. State Synchronization

Correct Answer: A

Section: (none)

QUESTION 8

When you have edited the local.arp configuration, to support a manual NAT, what must be done to ensure proxy ARPs for both manual and automatic NAT rules function?

A. In Global Properties > NAT tree select Merge manual proxy ARP configuration check box

B. Run the command fw ctl ARP -a on the gateway

C. In Global Properties > NAT tree select Translate on client side check box

D. Create and run a script to forward changes to the local.arp tables of your gateway

Correct Answer: A

Section: (none)

QUESTION 9

Which command clears all the connection table entries on a Security Gateway?

A. fw tab -t connetion -u

B. fw ctl tab -t connetions -u

C. fw tab -t connetion -s

D. fw tab -t connections -x

Correct Answer: D

Section: (none)

QUESTION 10

Extended Cluster Anti-Spoofing checks what value to determine if a packet with the source IP of a gateway in the cluster is being spoofed?

A. The source IP of the packet.

B. The packet has a TTL value of less than 255.

C. The source MAC address of the packet.

D. The destination IP of the packet.

Correct Answer: B

Section: (none)

QUESTION 11

How do you clear the connections table?

A. Run the command fw tab -t connections -x

B. In Gateway Properties > Optimizations click Clear connections table

C. Run the command fw tab -t conns -c

D. Run the command fw tab -t connections -c

Correct Answer: A

Section: (none)

QUESTION 12

In order to prevent outgoing NTP traffic from being hidden behind a Cluster IP you should?

A. Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <17, 123> }; and then push policy.

B. Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <17, 123> };.

C. Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <123, 17> }; and then push policy.


D. Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <123, 17> }.

Correct Answer: C

Section: (none)

QUESTION 13

Of the following answer choices, which best describes a possible effect of expanding the connections table?

A. Increased memory consumption

B. Decreased memory consumption

C. Increased connection duration

D. Decreased connection duration

Correct Answer: A

Section: (none)

QUESTION 14

Adam wants to find idle connections on his gateway. Which command would be best suited for viewing the connections table?

A. fw tab -t connections

B. fw tab -t connections -u -f

C. fw tab -t connections -x

D. fw tab -t connections -s

Correct Answer: B

Section: (none)

QUESTION 15

From the output of the following cphaprob -i list, what is the most likely cause of the clustering issue?

Cluster B> cphaprob -i list
Built-in Devices:
Device Name: Interface Active Check
Current state: OK
Device Name: HA Initialization
Current state: OK
Device Name: Recovery Delay
Current state: OK

Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 3651.5 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: problem
Time since last report: 139 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 3651.9 sec

Device Name: cphad
Registration number: 3
Timeout: none
Current state: OK
Time since last report: 3696.5 sec

Device Name: fwd
Registration number: 4
Timeout: none
Current state: OK
Time since last report: 3696.5 sec

A. There is an interface down on Cluster A

B. There is a sync network issue between Cluster A and Cluster B

C. The routing table on Cluster B is different from Cluster A

D. Cluster B and Cluster A have different versions of policy installed.

Correct Answer: D

Section: (none)

QUESTION 16

Which command would a troubleshooter use to verify table connection info (peak, concurrent) and verify information about cluster synchronization state?

A. fw tab -t connections -s

B. fw ctl pstat

C. fw ctl multik stat

D. Show info all

Correct Answer: D

Section: (none)

QUESTION 17

Which definition best describes the file table.def function? It is a placeholder for:

A. definitions of various kernel tables for Security Gateways.


B. definitions of various kernel tables for Management Servers.

C. user defined implied rules for Security Gateways.

D. user defined implied rules for Management Servers.

Correct Answer: A

Section: (none)

QUESTION 18

Your customer receives an alert from their network operation center: they are seeing ARP and Ping scans of their network originating from the firewall. What could be the reason for the behaviour?

A. Check Point firewalls probe adjacent networking devices during normal operation.

B. IPS is disabled on the firewalls and there is a known OpenSSL vulnerability that allows a hacker to cause a network scan to originate from the firewall.

C. One or both of the firewalls in a cluster have stopped receiving CCP packets on an interface.

D. Check Point's Antibot blade performs anti-bot scans of the surrounding network.

Correct Answer: C

Section: (none)

QUESTION 19

Your cluster member is showing a state of "Ready". Which of the following is NOT a reason one would expect for this behaviour?

A. One cluster member is configured for 32 bit and the other is configured for 64 bit

B. CoreXL is configured differently on the two machines

C. The firewall that is showing "Ready" has been upgraded but the other firewall has not yet been upgraded

D. Firewall policy has not yet been installed to the firewall

Correct Answer: D

Section: (none)

QUESTION 20

Which of the following is NOT a cphaprob status?

A. “Standby”

B. “Active”

C. “Backup”

D. “Down Attention” (or “Down!” in VSX mode)

Correct Answer: D

Section: (none)

QUESTION 21

What would be a reason for changing the “Magic MAC”?

A. To allow for automatic upgrades.

B. To allow two or more cluster members to exist on the same network.

C. To allow two or more clusters to exist on the same network.

D. To allow the two cluster members to use the same virtual IP address.

Correct Answer: C

Section: (none)

QUESTION 22

What are the kernel parameters that control “Magic MACs”?

A. fwha_magic_mac and fw_forward_magic_mac

B. fwha_mac_magic and fw_mac_forward_magic

C. cpha_mac_magic and cp_mac_forward_magic


D. cpha_magic_mac and cpha_mac_forward_magic

Correct Answer: B

Section: (none)

QUESTION 23

How many sync interfaces are supported on Check Point R77 GAiA?

A. 3

B. 4

C. 2

D. 1

Correct Answer: D

Section: (none)

QUESTION 24

Which is NOT a valid upgrade method in an R77 GAiA ClusterXL deployment?

A. Optimal Service Upgrade

B. Full Connectivity Upgrade

C. Minimal Effort Upgrade

D. Automatic Incremental Upgrade

Correct Answer: D

Section: (none)

QUESTION 25

What would be a reason to use the command cphaosu stat?

A. To determine the number of connections from OPSEC software using Open Source Licenses.

B. To decide when to fail over traffic to a new cluster member.

C. This is not a valid command.

D. To see the policy install dates on each of the members in the cluster.

Correct Answer: B

Section: (none)

QUESTION 26

You run the commands:

fw ctl debug 0
fw ctl debug -buf 32000

Which of the following commands would be best to troubleshoot a clustering issue?

A. fw ctl zdebug -m cluster + all

B. fw ctl debug -m CLUSTER + conf stat

C. fw ctl debug -m cluster + pnote stat if

D. fw ctl kdebug -m CLUSTER all

Correct Answer: C

Section: (none)

QUESTION 27

You run the command fw tab -t connections -s on both members in the cluster. Both members report differing values for "vals" and "peaks". Which may NOT be a reason for this difference?

A. Synchronization is not working between the two members

B. SGMs in a 61k environment only sync selective parts of the connections table.

C. Heavily used short-lived services have had synchronization disabled for performance improvement.

D. Standby member does not synchronize until a failover is needed.

Correct Answer: D

Section: (none)

QUESTION 28

Your customer reports that the time on the standby cluster member is not correct. After failing over and making it active, the time is now correct. NTP has been configured on both machines, so it is expected that both machines be in sync with the NTP server. Upon investigating, it was found that the standby member was never able to communicate with the NTP server while it was in standby configuration. What could be the problem?

A. You should be syncing your backup to the primary for time settings.

B. NTP is not supported in active-passive mode.

C. Traffic from the standby member was hidden behind the cluster IP address and was therefore returning to the active member.

D. Routing prevents the standby member from performing functions such as peering with dynamic routing and obtaining NTP updates.

Correct Answer: C

Section: (none)

QUESTION 29

Your customer has an R77 Multi-domain Management Server managing a mix of firewalls of R70 and R77 versions. A change was made to the file $FWDIR/lib/tables.def on one of the domains. However, it was found that the change was not applied to the R70 firewalls. What could be the problem?

A. Changes to the table.def can only be applied to firewalls matching the Management Server version. The customer needs to upgrade the firewalls to the same version as the firewall.

B. R70 is end of life and is not supported. Most functions will work, but modifying the table.def will not.

C. In order to make changes on R70 machines you need to work within GuiDBedit

D. To support R70, the file in the compatibility directory should have been modified.

Correct Answer: D

Section: (none)

QUESTION 30

What is the function of the setting "no_hide_services_ports" in the tables.def files?

A. Preventing the secondary member from hiding its presence by not forwarding any packets.

B. Allowing management traffic to be accepted in an applied rule ahead of the stealth rule.

C. Hiding the particular tables from being synchronized to the other cluster member.

D. Preventing outbound traffic from being hidden behind the cluster IP address.

Correct Answer: D

Section: (none)

VPN Troubleshooting

QUESTION 1

What file contains IKEv2 debug messages?

A. $FWDIR/log/ikev2

B. $FWDIR/log/ike.xml

C. $FWDIR/log/vpnd.elg

D. $FWDIR/log/ike.elg

Correct Answer: A

Section: (none)

QUESTION 2

What is the log file that shows the keep alive packets during the debug process?

A. $FWDIR/log/ikev2.xmll

B. $FWDIR/log/ike.xmll

C. $FWDIR/log/ike.elg

D. $FWDIR/log/vpnd.elg

Correct Answer: C

Section: (none)

QUESTION 3

What is the log file that shows the processes that participate in the tunnel initiation stage?

A. $FWDIR/log/ikev2.xmll

B. $FWDIR/log/ike.xmll

C. $FWDIR/log/vpnd.elg

D. $FWDIR/log/ike.elg

Correct Answer: C

Section: (none)

QUESTION 4

Which program could you use to analyze Phase I and Phase II packet exchanges?

A. vpnView

B. Check PointView

C. IKEView

D. vpndebugView

Correct Answer: C

Section: (none)

QUESTION 5

Check Point Best Practices suggest that when you finish a kernel debug, you should run the command _____________________ .

A. fw debug 0

B. fw debug off

C. fw ctl debug default

D. fw ctl debug 0

Correct Answer: D

Section: (none)

QUESTION 6

Given the following IKEView output, what do we know about QuickMode Packet 1?

A. Packet 1 proposes a symmetrical key

B. Packet 1 proposes a subnet and host ID, an encryption and hash algorithm

C. Packet 1 proposes SA Life Type, SA Life Duration, Authentication and Encapsulation Algorithm

D. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data

Correct Answer: D

Section: (none)

QUESTION 7

You are attempting to establish a VPN tunnel between a Check Point gateway and a 3rd party vendor. When attempting to send traffic to the peer gateway it is failing. You look in SmartView Tracker and see that the failure is due to “Encryption failure: no response from peer”. After running a VPN debug on the problematic gateway, what is one of the files you would want to analyze?

A. $FWDIR/log/fw.log

B. $FWDIR/log/fwd.elg

C. $FWDIR/log/ike.elg

D. /var/log/fw_debug.txt

Correct Answer: C

Section: (none)

QUESTION 8

You want to run VPN debug that will generate both ike.elg and vpn.elg files. What is the best command that can be used to achieve this goal?

A. vpn debug ikeon

B. vpn debug on TDERR_ALL_ALL=5

C. vpn debug trunc

D. vpn debug trunc

Correct Answer: D

Section: (none)

QUESTION 9

In IKEView while troubleshooting a VPN issue between your gateway and a partner site you see an entry that states “Invalid ID”. Which of the following is the most likely cause?

A. IKEv1 is not supported by the peer.

B. Time is not matching between two members.

C. The encryption parameters (hash, encryption type, etc.) do not match.

D. Wrong subnets are being negotiated.

Correct Answer: D

Section: (none)

QUESTION 10

While troubleshooting a VPN issue between your gateway and a partner site you see an entry in SmartView Tracker that states “Info: encryption failure: Different community ID: possible NAT problem”. Which of the following is the most likely cause?

A. You have an encryption method mismatch.

B. Implied rules in global properties such as ICMP and DNS are set to first instead of before last.

C. You have not created a specific rule allowing VPN traffic.

D. You have the wrong encryption domains configured.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
You are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log on your gateway that states “Clear text packet should be encrypted”. Which of the following would be the best troubleshooting step?

A. Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving the initiating (partner) gateway as clear text.

B. Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving local (your) gateway as clear text.

C. Your phase one algorithms are mismatched between gateways.

D. This is management traffic and we need to enable implied rule to address this issue.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Your company has recently decided to allow remote access for clients. You find that no one is able to connect, although you are confident that your rule set and remote access community has been defined correctly. What is the most likely cause, based on the options below? You have the following debug file:

A. RDP is being blocked upstream.

B. You have selected IKEv2 only in Global Properties > Remote Access > VPN – Authentication and Encryption.

C. Remote access clients are all behind NAT devices.

D. Implied rule is not set to accept control connections.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
You are experiencing an issue where Endpoint Connect client connects successfully; however, it disconnects every 20 seconds. What is the most likely cause of this issue?

A. The Accept Remote Access control connections is not enabled in Global Properties > FireWall Implied Rules.

B. You have selected IKEv2 only in Global Properties > Remote Access > VPN – Authentication and Encryption.

C. You are not licensed for Endpoint Connect client.

D. Your remote access community is not configured.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
In a VPN configuration, the following mode can be used to increase throughput by bypassing firewall enforcement.

A. Virtual Tunnel Interface (VTI) Mode can bypass firewall for all encrypted traffic

B. Hub Mode can be used to bypass stateful inspection

C. There is no such mode that can bypass firewall enforcement

D. Wire mode can be used to bypass stateful inspection

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15

When VPN user-based authentication fails, which of the following debug logs is essential to understanding the issue?

A. VPN-1 kernel debug logs

B. IKE.elg

C. Vpnd.elg

D. fw monitor trace

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
In Tracker you are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log that states “No proposal chosen”. What is the most likely cause?

A. There is a time mismatch

B. The peer machine is not accepting multicast packets

C. A mismatch in the settings between the two peers

D. Using IKEv1 when peer uses IKEv2

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
Which of the following is NEVER affected by incorrect OS time and date configuration?

A. VPN PSK authentication

B. VPN certificate authentication

C. SIC

D. Identity Awareness Kerberos authentication

Correct Answer: A

Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
In the process of troubleshooting traffic issues across a VPN tunnel, you notice on the output of fw monitor -e host(172.21.1.10), accept; that packets are going through the inbound chain (i > I) and then disappearing after the outbound chain (o > __), while you were expecting to see the packet leave on O. What could be causing this issue?

A. When a packet is destined to leave through a VPN tunnel, it is encrypted and encapsulated in an ESP packet, and thus will not show up on a fw monitor.

B. It’s not showing up on the fw monitor because it is exiting the wrong interface

C. The packet is getting silently dropped because there is no route for the packet.

D. The gateway never completed the IKE and IPSec key exchange, and the tunnel does not exist yet.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
You are troubleshooting your VPN and are reviewing the output of your command fw monitor, shown below. What can you determine from the following output?

A. The fw monitor command cannot display the relevant information since it is encrypted traffic

B. NAT is not being applied to the IP address 10.10.10.86

C. There is no issue, since the traffic is being seen at all points in the inspection kernel

D. Traffic is not being encrypted

Correct Answer: D

Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
What would the following command fw monitor tell you?

A. Only OSPF and FTP traffic between 10.10.10.86 and 192.168.10.4

B. Only traffic between 10.10.10.86 and 192.168.10.4 on port 21 or port 89

C. Only accepted traffic between 10.10.10.86 and 192.168.10.4, or any accepted FTP traffic, or any accepted OSPF traffic

D. Any communication between 10.10.10.86 and 192.168.10.4, or any FTP traffic, or any OSPF traffic

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
After disabling SecureXL you ran command fw monitor to help troubleshoot a VPN issue. In your review you note that you only see pre-inbound traffic (“i”) and no other traffic after this. Which of the following reasons could explain this output?

A. You don’t have an “encrypt” rule

B. Traffic is not destined to the correct MAC address because you failed to set up proxy ARP

C. You have overlapping encryption domains with the remote site

D. Routes are set up incorrectly

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

SecureXL Acceleration debugging

QUESTION 1
What command would you use to determine if a particular connection is being accelerated by SecureXL?

A. fw tab -t connections -u

B. fw ctl kdebug

C. fwaccel stat

D. fwaccel conns

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
A new packet has arrived at a firewall's interface. The packet was compared with the connection table and there is no match. What process does the firewall start with that connection?

A. The packet will then be forwarded to the outbound interface for handling.

B. The new packet represents a new flow and requires a new connection table entry.

C. The packet will be rejected by the kernel firewall.

D. The packet will be forwarded to the firewall to apply the Security Policy.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
According to this Rule Base, templates will be created until which rule?

A. Rule 4

B. Rule 2

C. Rule 3

D. Rule 5

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4

How to check the overall SecureXL statistics:

A. fwaccel on

B. fwaccel stat

C. cat /proc/ppk/statistics

D. fwaccel conns

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
When are rules that include identity awareness access roles accelerated through SecureXL?

A. Rules using Identity Awareness are always accelerated.

B. Only when ‘Unauthenticated Guests’ is included in the access role.

C. They have no bearing on whether the connection for the rule is accelerated.

D. Rules using Identity Awareness are never accelerated.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
What command shows the same information as fwaccel stats -l?

A. cat /proc/ppk/cpls

B. cat /proc/ppk/statistics

C. cphaprob -a hconf

D. fwaccell stats -s -u -k

Correct Answer: B

Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
In order to perform some connection troubleshooting, you run the command fw monitor -e accept dport = 443. You do NOT see the TCP ACK packet. Why is this?

A. The connection is encrypted.

B. The connection is NATted.

C. The connection is dropped.

D. The connection is accelerated.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
What is the corresponding connection template entered into the SecureXL connection table from the connection: “10.0.0.100:1024 > 216.239.59.59:80”?

A. “10.0.0.100:1024 > 216.239.59.59:80”

B. “10.0.0.100:1024 > 216.239.59.59:*”

C. “10.0.0.100:* > 216.239.59.59:*”

D. “10.0.0.100:* > 216.239.59.59:80”

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
When are rules that include Identity Awareness Access (IDA) roles accelerated through SecureXL?

A. Only when ‘Unauthenticated Guests’ is included in the access role.

B. Never, the inclusion of an IDA role disables SecureXL.

C. The inclusion of an IDA role has no bearing on whether the connection for the rule is accelerated.

D. Always, the inclusion of an IDA role guarantees the connection for the rule is accelerated.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
In the policy below, which rule disables SecureXL?

A. 5

B. 1

C. 4

D. 3

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
When optimizing a customer firewall Rule Base, what is the BEST way to start the analysis?

A. With the command fwaccel stat followed by the command fwaccel stats.

B. At the top of the Rule Base.

C. Using the hit count column.

D. Using the Compliance Software Blade.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
What do the ‘F’ flags mean in the output of fwaccel conns?

A. Forward to firewall

B. Flag set for debug

C. Fast path packets

D. Flow established

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
What command should a firewall administrator use to begin debugging SecureXL?

A. fwaccel dbg api + verbose add

B. fwaccel debug -m <module name> <flag>

C. fwaccel dbg -m <module name> <flag>

D. SecureXL cannot be debugged and the kernel debug will give enough output to help the firewall administrator understand the firewall's behaviour. The right command to use is fw ctl debug -m fw.

Correct Answer: C
Section: (none)

Explanation

Explanation/Reference:

QUESTION 14
A firewall administrator knows the details of the packet header for an already established connection going through a firewall. What command will show if SecureXL will accelerate that packet?

A. fw ctl zdebug + sxl error warning asm

B. fwaccel conns

C. fwaccel templates

D. fw tab -t connections -f | grep 'dest. port #' | grep 'source port #' | grep 'dest. IP address'

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
What is the command to check how many connections the firewall has detected for the SecureXL device?

A. fw tab -t connections -s

B. fw tab -t cphwd_db -s

C. fw tab -t connection -s | grep template

D. fwaccel conns

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

Hardware Optimization

QUESTION 1
In an HA cluster, you modify the number of cores given to CoreXL on only one member using cpconfig and then issue a reboot. What is the expected ClusterXL status of this member when it comes up?

A. Standby

B. Ready

C. Active

D. Down

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Which information CANNOT be displayed by issuing the command cat /proc/cpuinfo?

A. CPU family

B. NFS_Unstable

C. fpu

D. vendor_id

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
You find that your open server SecurePlatform system is lagging although you know you have plenty of memory and the complexity of the Rule Base has not changed significantly. You think that upgrading the CPU frequency speed could help your performance. Which command could help you see what speed and model of CPU you are using?

A. top

B. sysconfig

C. cat /proc/cpuinfo

D. fw tab

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
Where would you find CPU information like model, number of cores, vendor and architecture?

A. In the file cpuinfo in the directory /proc.

B. Right click the gateway object in SmartDashboard and view properties

C. WebUI

D. sysconfig

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
From which version can you add Proxy ARP entries through the GAiA portal?

A. R77.10

B. R77

C. R75.40

D. R76

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
What happens to manual changes in the file $FWDIR/conf/local.arp when adding Proxy ARP entries through the GAiA portal or Clish?

A. Nothing.

B. If the file $FWDIR/conf/local.arp has been edited manually, you are not able to add Proxy ARP entries through the GAiA portal or Clish.

C. They are merged with the new entries added from the GAiA Portal / Clish.

D. They are overwritten.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
You are analyzing your firewall logs, /var/log/messages, and repeatedly see the following kernel message:

'kernel: neighbor table overflow'

What is the cause?

A. Arp cache overflow

B. OSPF neighbor down

C. Nothing, you can disregard it.

D. Cluster member table overflow

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
The 'Maximum Entries' value in the GAiA Portal corresponds to the 'gc_thresh3' parameter in the Linux kernel and has a value of 1024. Knowing this, you know that gc_thresh2 and gc_thresh1 are automatically set to the values:

A. gc_thresh2=256 and gc_thresh1=128

B. gc_thresh2=512 and gc_thresh1=256

C. gc_thresh2=1024 and gc_thresh1=1024

D. gc_thresh1=256 and gc_thresh2=128

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Your ARP cache is overflowing, negatively impacting users' experience on your network. Which command can you issue to increase the ARP cache on the fly? You do not need this to survive reboot.

A. Modify the /etc/sysctl.conf: net.ipv4.neigh.default.gc_thresh3 = 1024.

B. echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

C. arp cache table > 1024

D. You cannot increase the size of the ARP cache on the fly.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
Your gateway object is currently defined with a max connection count of 25k connections in SmartDashboard. Which of the following commands would show you the current and peak connection counts?

A. show connections all

B. fw ctl conn

C. fw ctl chain

D. fw ctl pstat

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Which command will NOT display information related to memory usage?

A. free

B. fw ctl pstat

C. cat /proc/meminfo

D. memoryinfo.conf

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
What does the command fwaccel templates do?

A. Starts firewall acceleration after fwaccel off was run or SecureXL was enabled by using the command cpconfig.

B. That SecureXL has been enabled in the cpconfig command menu.

C. Shows templates existing in the SecureXL device. This is so that an administrator can look for the template that matches the specific traffic.

D. The Rule Base mapping between actual rules and the template built up in Layer 2.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Running the command fw ctl pstat -l would return what information?

A. Additional hmem details

B. General Security Gateway statistics

C. Additional kmem details

D. Additional smem details

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
You have a user-defined SMTP trap configured to send an alert to your mail server, and you also have SmartView Monitor configured to trigger the alert whenever policy is pushed to your gateway. However, you are not getting any mails even when you test for pushing policy. What process should you troubleshoot on the Management Server?

A. fwd

B. fwm

C. cpwd_admin

D. cpstat_monitor

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
What command, other than fw ctl pstat, will display your peak concurrent connections?

A. fw ctl get int fw_peak_connections

B. netstat -ni

C. fw tab -t connections -s

D. top

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
You have just configured HA and find that connections are not being synced. When you have a failover, users complain that they are losing their connections. What command could you run to see the state synchronization statistics?

A. fw ctl pstat

B. fw sync stats

C. cphaprob stat

D. fw ctl get int fw_state_sync_stats

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
Which of the following is a valid synchronization status as an output to fw ctl pstat?

A. Unable to receive sync packets

B. Sync member down

C. Synchronized

D. Communicating

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
You are running some diagnostics on your GAiA gateway. You are reviewing the number of fragmented packets; you notice that there are a lot of large and duplicate packets. Which command did you issue to get this information?

A. sysconfig

B. fw ctl pstat

C. fw ctl get int fw_frag_stats

D. cat /proc/cpuinfo

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
Your company has grown significantly over the past few months. You are seeing that new connections are being dropped but note that the connections table is not full. You suspect that the kernel memory allocated to the firewall has reached its full capacity. To check the “Machine Capacity Summary” statistics, you use command:

A. ps -aux

B. top

C. cat /proc/net/capacity

D. fw ctl pstat

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
C6O4 - Hardware Optimization

QUESTION 20
Under which scenario would you most likely consider the use of Multi-Queue?

A. When IPS is heavily used.

B. When most of the traffic is accelerated.

C. When most of the processing is done in CoreXL.

D. When trying to increase session rate.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
If you need to use a Domain object in the Rule Base, where should this rule be located?

A. No higher than the 2nd rule.

B. The first rule in the Rule Base.

C. The last rule before the clean up rule.

D. The last rule after the clean up rule.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
You have a requirement to implement a strict security policy. With this in mind, you must create a stealth rule. How will this impact your packet acceleration?

A. Using a stealth rule disables SecureXL.

B. There will be no impact as long as the rule is not logged.

C. NAT templates will not work.

D. There will be no impact, since stealth rules do not affect SecureXL.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
What will be the outcome if you set the kernel parameters cphwd_nat_templates_enabled and cphwd_nat_templates_support?

A. This would enable Hide NAT support.

B. These parameters are mutually exclusive and cannot be used at the same time.

C. This would enable SecureXL NAT templates.

D. These are not valid parameters.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
You are finding that some users are complaining about slow connection speed. You would like to review a summary of your connections, including which connections are accelerated and those that are not. What command could you use?

A. fw ctl pstat

B. fwaccel perf

C. fw tab -t connections -s

D. fwaccel stats -s

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
You want to verify that the majority of your connections are being optimized by SecureXL. What command would you run to establish this information?

A. fw ctl pstat

B. fw tab -t connections -s

C. fwaccel conns -s

D. sim_dbg -s

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
What is the difference between “connection establishment acceleration” (templating) and “traffic acceleration”?

A. These are the same technologies with different names.

B. “Connection establishment acceleration” only accelerates a single connection, while “traffic acceleration” accelerates similar traffic.

C. “Traffic acceleration” is accelerated through hardware, and “connection establishment acceleration” is accelerated in software.

D. “Traffic acceleration” only accelerates a single connection, while “connection establishment acceleration” accelerates similar traffic.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
What type of connections cannot be templated?

A. Any connections that contain Hide NAT

B. Complex connections such as FTP, H323, SQL, etc.

C. UDP because it is not connection oriented

D. TCP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
You issue the command fwaccel stat and see the following:

What is a possible reason that the “accept templates” is disabled?

A. Rule one is a drop rule.

B. Rule one uses static NAT.

C. Rule one contains a time object.

D. Your administrator has not enabled templating.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
PXL is considered to be what type of acceleration?

A. Fast Path

B. Slow Path

C. Medium Path

D. PXL is not related to acceleration

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
You are running an inventory process within your corporate environment (R77) and need to find out CPU, memory, disk space, and information regarding the software blades enabled. What command could you use to easily gather this information?

A. cpconfig

B. fw ctl pstat

C. SmartView Tracker

D. cpview

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

Enable CoreXL

QUESTION 1
Your customer has a well optimized Rule Base with most traffic accelerated by SecureXL. They are still seeing slow performance. They are using an 8 core machine. They see the following output from fw ctl affinity -l. What could be done to improve performance with this deployment?

A. Increase the number of cores dedicated to logging.

B. Increase the number of Secure Network Dispatchers as the accelerated traffic is not passed to a worker core.

C. Add more CPU resources to the hardware.

D. Upgrade to SAM hardware.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
The CoreXL software architecture includes the Secure Network Dispatcher (SND). One of the responsibilities of SND is to:

A. Distribute non-accelerated packets among kernel instances

B. Dispatch the packet securely through the VPN link

C. Processing outgoing traffic from the network interfaces

D. Dispatch the packet securely through the physical link

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
What is the method to change the number of cores that CoreXL will use?

A. cpconfig

B. SmartDashboard

C. sysconfig

D. CoreXL automatically recognizes the number of cores on a system at startup so there is no method or reason to modify the setting.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
What command verifies which core each gateway interface and firewall instance is currently running on?

A. fw ctl pstat

B. fw accel stat

C. show corexl stat

D. fw ctl affinity -l

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
A Security Administrator wants to increase the number of processing cores on a Check Point Security Gateway. He starts by increasing the number of cores; however, the number of kernel instances remains the same. What is the correct process to increase the number of kernel instances?

A. Cpconfig- Enable Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-cprestart

B. Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-reboot

C. Cpconfig- Enable Check Point ClusterXL- Change the number of firewall instances-define how many firewall instances to enable-reboot

D. Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-cpstop,cpstart

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 6

What command displays the Connections Table for a specified CoreXL firewall instance?

A. fw tab -t connections -s

B. fw -i FW_INSTANCE_ID tab -t connections [flags]

C. fw tab -t connection | grep fw<FW_INSTANCE_ID>

D. fw tab -t connections

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 7

Why would you not see a CoreXL configuration option in cpconfig?

A. The gateway only has one processor core.

B. CoreXL is not enabled in the gateway object.

C. CoreXL is not licensed.

D. CoreXL is disabled via policy.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 8

Where would you go to adjust the number of Kernels in CoreXL?

A. Cpconfig

B. fw ctl conf

C. fw ctl affinity

D. fw ctl multik stat

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 9

CoreXL on IPSO R77.20 does NOT support which of the following features?

A. Check Point QoS

B. IPv6

C. Overlapping NAT

D. Route-based VPN

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 10

When troubleshooting a performance problem on a multicore firewall that is using CoreXL, what command checks the number of connections each core is processing?

A. sim affinity -l

B. cat fwkern.conf

C. fw CTL pstat

D. fw ctl multik stat

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 11

A firewall has 8 CPU cores and the correct license. CoreXL is enabled. How could you set kernel instance #3 to run on processing core #5?

A. This is not possible. CoreXL is best left to manage the Kernel to CPU core mappings. It is only when a daemon is bound to a dedicated core that CoreXL will ignore that CPU core when mapping Kernel instances to CPU cores.

B. fw ctl affinity -s -k 3 5

C. Run fwaffinity_apply -t 3 -k 5 and then check that the settings have taken effect with the command fw ctl multik stat.

D. Edit the file fwaffinity.conf and add the line “k3 cpuid 5”

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 12

What command would you use to check if CoreXL is enabled?

A. fw ctl multik stat

B. cpconfig

C. fw ctl affinity -1

D. fw ctl pstat

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 13

Which command will allow you to change firewall affinity and survive a reboot with no further modification?

A. fw ctl affinity -s

B. sim affinity -l

C. fw affinity -l

D. sim affinity -s

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 14

What does the output of the commands fw ctl multik stat and fw6 ctl multik stat show?

A. Only the number of total connections currently being handled by all Kernels on a CoreXL-enabled firewall.

B. Information for each kernel instance. The output displays state and processing core number of each instance.

C. Which CPU cores are Kernel and SND bound cores.

D. The number of Firewall Kernels that are installed.

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 15

You are at a customer site, and when you run cphaprob stat you are not seeing a normal ClusterXL Health. What command could you run to verify that the number of cores is not matched on both cluster members?

A. cpconfig

B. cphaprob -a if

C. fw ctl multik stat

D. cphaprob stat

Correct Answer: C

Section: (none)

Explanation

Explanation/Reference:

IPS

QUESTION 1

In IPS, which of the two initial profiles is the more resource intensive?

A. Prevention

B. Standard

C. Default

D. Recommended

Correct Answer: C

Section: (none)

Explanation

Explanation/Reference:

QUESTION 2

In IPS, what does a high confidence rating mean?

A. This is a rating for how confident Check Point is with catching this attack

B. This is a rating for how likely this attack is to penetrate most systems

C. There is a high likelihood of false positives

D. There is a low likelihood of false positives

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 3

Which of the following CANNOT be used as a source/destination for an IPS network exception?

A. Network Group

B. Identity Awareness Access Role

C. Any

D. IP Address

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 4

When using Geo Protections, you find there are logs for a country that you believe is incorrect. What file do you review to verify what country Geo Protections should identify the traffic as?

A. asm.C

B. objects.C

C. objects_5_0.C

D. IpToCountry.csv

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 5

When performing a Clean IPS procedure to resolve a corrupt IPS files issue, what file is modified in order for the SDUU process to automatically update the IPS files after completing the procedure?

A. asm.C

B. inspect.C

C. objects_5_0.C

D. profiles.C

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 6

How would one enable ‘INSPECT debugging’ if one suspects IPS false positives?

A. Run command fw ctl set int enable_inspect_debug 1 from the command line.

B. Toggle the checkbox in Global Properties > Firewalls > Inspection section.

C. WebUI

D. Set the following parameter to true using GuiDBedit: enable_inspect_debug_compilation.

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 7

You have configured IPS on your network; you find you are being overwhelmed with what you believe are false positives. You investigated this traffic and confirmed they are false positives. What can you do to stop these IPS alerts?

A. Right click the alert and “ignore”

B. Disable the IPS protection for this network

C. Use a SAM rule to categorize this traffic

D. Add an exception for this traffic under the IPS protection

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 8

You have spent time configuring the IPS profile on your primary gateway firewall. You want to ensure that this profile can be applied to all gateway firewalls in your environment. How can you share this information between firewalls?

A. From the command line, run: ips_export <profile-name> [-o <export-file-name>] [-p <ip>].

B. IPS profiles must be manually configured on each gateway.

C. From the Smart Dashboard IPS tab select export IPS profiles and select the gateway to send this export to.

D. From the command line, run: ips_export_import export <profile-name> [-o <export-file-name>] [-p <ip>].

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 9

You are adding a new gateway into your network. You must make sure that it is running the latest Corporate approved IPS profile. How can you get this information to your new gateway?

A. From the command line, run: ips_import <new-profile-name> -f <file-name> [-p <ip>].

B. IPS profiles must be manually configured on each gateway.

C. From the command line, run: ips_export_import import <new-profile-name> -f <file-name> [-p <ip>].

D. From the Smart Dashboard IPS tab select import IPS profiles and select the gateway to get the profile from.

Correct Answer: C

Section: (none)

Explanation

Explanation/Reference:

QUESTION 10

SNORT is a popular open source IDS. You would like to import SNORT rules from plain text into Check Point Smart Center. How can you accomplish this?

A. Under the IPS tree Protections > By Protocol > IPS Software Blade > Application Intelligence > SNORT import and select the SNORT import option.

B. IPS profiles must be manually configured on each gateway.

C. Check Point does not support third party signatures.

D. From the command line, run: ips_export_import import <SNORTprofilename> -f <file-name> [-p <ip>].

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 11

You would like to import SNORT rules, but to comply with corporate policy you need to test the conversion prior to import. How can you do this?

A. You must manually review each signature.

B. SnortConvertor update -f <inputfile> --dry-run

C. Check Point does not support third party signatures.

D. Under the IPS tree Protections > By Protocol > IPS Software Blade > Application Intelligence > SNORT import and select the SNORT import option.

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 12

You are a system administrator and would like to configure Geo Protection on your gateway to comply with a new corporate policy. What must you have to do this?

A. Valid IPS contract and software blade licensing

B. DNS resolution on the gateway

C. Geo Protection is enabled by default

D. The latest IPS update

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 13

You have just taken over as a firewall administrator. Your company is using Geo Protections on your gateway, but you want to verify that the protections are up-to-date. How can you see when these were updated?

A. In the IPS tree Protections > Select Check for Update.

B. Check asm_update_version_geo in GuiDBedit.

C. In the IPS tree Protections > Geo Protections and check the profile name which is mm/dd/yy.

D. Check the time stamp of $FWDIR/tmp/geo_location_tmp/updates/IpToCountry.csv.

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 14

What would be considered Best Practice to determine which IPS protections you can safely disable for your environment?

A. You should use vulnerability tools to perform an assessment of your environment.

B. Work through turning on each protection to see which signatures get alerts.

C. You should set all protections to “Detect”.

D. You should not disable any IPS protections.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 15

You are troubleshooting an issue for your HR team. One of the users is using IP 10.10.10.24. They have been trying to access the vacation servers but all connections are failing. You have checked the logs and do not see any dropped traffic. You have a suspicion that the drop is not being logged. What command could you use to confirm this?

A. fw -t connections -s

B. fw ctl zdebug + log dynlog

C. You cannot run a command for this; you must enable logging on all rules

D. fw ctl pstat host 10.10.10.24

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference: C9O3 - IPS

QUESTION 16

In R77, under what circumstances would IPS bypass be enforced?

A. Single CoreXL fw instance usage over ‘High’ threshold, Average Memory over ‘High’ threshold

B. Single CoreXL fw instance usage over ‘Low’ threshold, Average Memory over ‘High’ threshold

C. Average CPU over ‘High’ threshold, Average Memory over ‘Low’ threshold

D. Average CPU over ‘High’ threshold, Average Memory over ‘High’ threshold

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 17

Your Customer would like to enable IPS in his Corporate Cluster, but he is concerned about high CPU usage because of the IPS inspection. What feature would you configure to disable inspection if high CPU usage develops?

A. It is not possible. In this case, do not enable IPS

B. Bypass Under Load. (In IPS Option on Gateway Properties)

C. Bypass Inspection. (In IPS Option on Gateway Properties)

D. Disable Inspection. (In IPS Option on Gateway Properties)

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 18

Where do you run the command get_ips_statistics.sh from?

A. $FWDIR/conf on the Management Server

B. $FWDIR/scripts on the Management Server

C. $FWDIR/conf on the gateway

D. $FWDIR/scripts on the gateway

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 19

“Tuning” IPS protections to suit the specific needs of an environment can be accomplished by all of the following EXCEPT:

A. Focusing on high confidence level protections.

B. Focusing on low capacity protections.

C. Focusing on low performance impact protections.

D. Focusing on high severity protections.

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 20

Of the following, which is NOT a kernel parameter relating to the IPS “Bypass Under Load” settings:

A. ids_timeout

B. ids_tolerance_no_stress

C. ids_assume_stress

D. ids_limit_stress

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 21

“If the machine is under stress, we do not want to leave the stress condition due to a single measurement (which could be an anomaly), but rather wait for a given length of time, before changing the condition.” …describes which of the following “Bypass under Load” setting kernel parameters?

A. ids_assume_stress

B. ide_tolerance_no_stress

C. ids_tolerance_stress

D. ids_timeout

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 22

Jerry is a network administrator for ACME Co. Their network contains 5 gateways all managed by a single Management Server. They are currently receiving an exorbitant amount of false positives for traffic traversing their network. Based on this information, what factor do you think is contributing most to the high amount of false positives Jerry is receiving?

A. She is performing IPS inspection on all traffic

B. She has set protections to run in “Detect” mode

C. She has enabled protections based on the network devices and requirements

D. She has created a dedicated IPS profile for each Security Gateway

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 23

You have created a number of profiles and activated the relevant protections. Afterwards, you decide that the ‘Enterprise gateway’ should allow instant messaging. The current profile enabled for Enterprise gateway blocks instant messaging. The profile for the Enterprise gateway is currently being used on the Voyager gateway and the Bird of Prey gateway. What is the best process for making this change on the Enterprise gateway only?

A. Create an exception for the Enterprise gateway

B. Create a rule allowing that traffic and install it on the Enterprise gateway

C. Create a new profile and apply to the Enterprise gateway

D. Edit the existing profile

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 24

What steps can be taken if IPS is causing a High Performance Impact?

A. Consider activating the "Bypass under Load" IPS setting on the gateway

B. Check your IPS configuration assigned to this gateway and deactivate protections with critical or high performance impact

C. Determine if different or custom IPS profiles are better suited for different gateways in your organization

D. All options listed

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 25

When the IPS ‘Bypass under Load’ mechanism detects that certain CPU and memory usage thresholds have been reached, which of the following occurs?

A. The mechanism configures all IPS protections in ‘Detect Mode’

B. IPS is disabled completely

C. The mechanism disables all IPS protections by placing them under ‘exception’

D. Stateful Inspection is disabled

Correct Answer: C

Section: (none)

Explanation

Explanation/Reference:

QUESTION 26

Which of the following IPS Layers is responsible for ensuring that only valid retransmission packets are allowed to proceed to destinations?

A. Protocol Parsers

B. Context Management Interface layer (CMI)

C. Protections

D. Passive Streaming Library (PSL)

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 27

The main functions of one of the IPS Layers are to ensure compliance to well-defined protocol standards, detect anomalies if any exist, and assemble the data for further inspection by other components of the IPS engine. Which component is responsible for these functions?

A. Context Management Interface layer (CMI)

B. Protections

C. Protocol Parsers

D. Passive Streaming Library (PSL)

Correct Answer: C

Section: (none)

Explanation

Explanation/Reference:

QUESTION 28

Which of the following IPS Layers is the "brain" of the IPS? That is, what coordinates between different components, decides which protections should run on a certain packet, decides the final action to be performed on the packet and issues an event log?

A. Protections

B. Passive Streaming Library (PSL)

C. Protocol Parsers

D. Context Management Interface layer (CMI)

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 29

Which of the following IPS Layers is a set of signatures and/or handlers, where:

- Signature is a malicious pattern that is searched for.
- Handler is the INSPECT code that performs more complex inspection.

A. Passive Streaming Library (PSL)

B. Protections

C. Context Management Interface layer (CMI)

D. Protocol Parsers

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 30

You have strict IPS corporate guidelines. This is having a performance impact on the firewall. What steps could you take to minimize this impact without compromising the corporate policy?

A. Select “Protect Internal hosts only”

B. Select “Bypass IPS inspection when gateway is under heavy load”

C. Select “Perform IPS inspection on all traffic”

D. Without minimizing signatures you cannot improve performance

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

IPV6

QUESTION 1

Which of the following is true when IPv6 is enabled on a Security Gateway?

A. An interface on the Gateway can either have IPv4 or IPv6 IP address or have both.

B. As of version R77, IPv6 is only supported on Security Management Server.

C. IPv4 will be completely disabled when IPv6 has been enabled.

D. An interface on the Gateway can either have IPv4 or IPv6 IP address but cannot have both.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 2

Which of the following is true about Node / Host objects?

A. A Node / Host object can either have IPv4 or IPv6 IP address or have both.

B. A Node / Host object can either have IPv4 or IPv6 IP address but not have both. Separate objects need to be created for hosts that use dual stack.

C. A Node / Host object can only have IPv4 IP address. For IPv6, a Node / Host6 object must be used.

D. Node / Host object does not support IPv6, hence a Network object must be created for IPv6.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 3

Which of these commands can be used to display the IPv6 routes?

A. show route

B. show ipv6 route

C. show routes all

D. show route ipv6

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 4

Which of these commands can be used to display the IPv6 status?

A. show ipv6-stat

B. show ipv6 all

C. show ipv6 status

D. show ipv6-status

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 5

You enabled IPv6 in your environment and would like to erase all IPv6 connection tables. How can you do it?

A. fw tab -t connections -x

B. fw tab -t connections6 -x

C. clear connections table ipv6

D. fw6 tab -t connections -x

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 6

What is the length of an IPv6 address?

A. 128 Bytes

B. 54 bits

C. 128 bits

D. 6 Bytes

Correct Answer: C

Section: (none)

Explanation

Explanation/Reference:

QUESTION 7

In a ClusterXL that uses IPv6 addresses, how do you configure the sync interface?

A. You must configure synchronization interfaces with an IPv4 address only.

B. If an interface does not require IPv6, only the IPv4 definition address is necessary.

C. All interfaces configured with an IPv6 address must also have a corresponding IPv4 address.

D. You must configure synchronization interfaces with an IPv6 address only.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 8

What command allows you to monitor IPv6 packets in the kernel module?

A. ip -6 neigh show

B. ip -6 addr show

C. tcpdump -nni eth<n> ip6

D. fw6 monitor

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 9

True or False: It is possible to operate a Security Gateway entirely with IPv6 addressing.

A. True: All IPv4 features are supported in IPv6

B. True: Management can occur over IPv4 or IPv6 thus all gateways can have interfaces configured with valid IP addresses of either type

C. False: There are many common IPv4 features that are not supported in IPv6

D. False: Management only occurs over IPv4 thus all gateways are required to have interfaces configured with valid IPv4 addresses

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 10

What VSX components do not support IPv6 in R77 VSX mode?

A. VSX mode does not support IPv6

B. All devices support IPv6

C. Virtual Systems

D. Virtual Routers

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 11

A system administrator wants to convert an IPv6 gateway from a standard gateway into a gateway running VSX mode. What does he need to consider?

A. It is not possible to convert a gateway with IPv6 enabled to VSX mode.

B. There needs to be proper IPv6 routing setup.

C. At least two interfaces need to be configured with IPv6.

D. Policy needs to be properly applied to the gateway before converting the system to VSX mode.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 12

How do you enable IPv6 support on a R77 gateway running the Gaia OS?

A. IPv6 is enabled by default.

B. Under WebUI go to System Management > System Configuration, turn on IPv6 Support, click apply and reboot.

C. Enable the IPv6 Software Blade for the gateway in Smart Dashboard.

D. Run the IPv6 script $FWDIR/scripts/fwipv6_enable and reboot.

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 13

How do you disable IPv6 on an IPSO gateway?

A. Run $FWDIR/scripts/fwipv6_enable off and reboot.

B. Remove the IPv6 license from the gateway.

C. You cannot disable IPv6.

D. In IPSO go to System Management > System Configuration, set IPv6 Support to off, and click Apply.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 14

Does R77 SmartDashboard support IPv6?

A. Yes, provided the operating system on which Smart Dashboard is installed is configured with IPv6.

B. SmartDashboard does not support IPv6.

C. IPv6 needs to be tunneled through IPv4 to support IPv6.

D. R77.20 and above provides the support for Smart Dashboard and IPv6 support.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 15

Which of the following statements about Full HA support with IPv6 is NOT true?

A. There is no Dynamic Routing with IPv6.

B. Mirrored Interfaces must have IPv4 addresses.

C. Sync traffic must be IPv4.

D. IPv6 does not support a Secondary Management Server.

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:
