Checkpoint CCSA R70.1

1. Which of the following uses the same key to decrypt as it does to encrypt?

Asymmetric encryption

Symmetric encryption

Certificate-based encryption

Dynamic encryption

2. A rule _______ is designed to log and drop all other communication that does not match another rule?

Stealth

Cleanup

Reject

Anti-Spoofing

3. You believe Phase 2 negotiations are railing while you are attempting to configure a site-to-site VPN with one of your firm's business pastners. Which SmartConsol application should you use to confirm your suspicions?

SmartDashboard

SmartView Tracker

SmartUpdate

SmartView status

4. The Check Point Security Gateway's virtual machine (kernel) exists between which two layers of the OSI model?

Session and Network layers

Application and Presentation layers

Physical and Data link layers

Network and Data link layers

5. Which the following statement is TRUE about management plug-ins?

The plug-in is a package installed on the Security Gateway

A management plug-in interacts with a Security Management Server to provide new features and support for new products

Using a plug m offers full central management only if special licensing is applied to specific features of the plug-in

Installing a management plug-in is just like an upgrade process (It overwrites existing components )

6. If you check the box "Use Agressive Mode" in the IKE Properties dialog box, the standard:

Three-packet IKE Phase2 exchange is replaced by a six-packet

Three-packet IKE Phase 2 exchange is replaced by a two-packet exchange

Six-packet IKE Phase 1 exchange replaced by a three-packet exchange

Three-packet IKE phase 1 exchange is replaced by a six-packet exchange

7. The third-shift Administrator was updating Security Management Server access settings in global properties. He managed to lock all of the administrators out of their accounts. How should you unlock these accounts?

Login to SmartDashboard as the special cpconfig_admin user account, right click on administrator object and select Unlock.

Type fwm lock_admin -ua from the command line of the Security Manager server.

Reinstall the Security Management Server and restore using upgrade_import.

Delete the file admin.lock in the $fwDIR/tmp/ directory of the Security Management server.

8. Security Gateway R71 supports User Authentication for which of the following services? Select the response below that contains the most complete list of supported services.

FTP, HTTP, TELNET

FTP, TELNET

SMTP, FTP, HTTP, TELNET

SMTP, FTP, TELNET

9. Which of the following are authentication methods that Security Gateway R7Tuses to validate connection attempts? Select the response below that includes the MOST complete list of valid authentication methods.

Proxied, User, Dynamic, Session

Connection, User, Client

User, Client, Session

Connection, Proxied, Session

10. You are running a R71 Security Gatewayon SecurePlatform, in case of a harware failure. You have a server with the exact same hardware installed. What backup method should you use to quickly put the secondary firewall into production.

Upgrade_export

Manual backup

Snapshot

Backup

11. In SmartView tracker, which rule shows when a packet is dropped due to anti-spoofing?

Blank field under Rule Number

Rule 0

Cleanup rule

Rule 1

12. You have created a rule Base Firewall, websydney. Now you are going to create a new policy package with security and address transaction rules for a secured gateway. What is true about the new package's NAT rules?

Rules 1 and 5 will be appear in the new package

Rules 2, 3 and 4 will appear in the new package

NAT rules will be empty in the new package

13. You find a suspicious connection from a problematic host. You decide that you want to block everything from the whole network, not just the problematic host. You want to block this for an hour while you investigate further, but you do not want to add any rules to the rule base. How do you achieve this?

Add a “temporary” rule using SmartDashboard and select hide rule.

Create a Suspicious Activity Rule in SmartView Monitor

Use dbedit to script the addition of a rule directly into the Rule Bases_5_0. fws configuration file.

Select block intruder from the tools menu in SmartView Tracker.

14. An advantage of using central instead of local licensing is:

A license can be taken from one Security Management server and given to another Security Management Server.

Only one IP address is used for all licenses.

Licenses are automatically attached to their respective Security Gateways.

15. The URL Filtering Policy can be configured to monitor URLs in order to:

Log Sites from blocked categories

Redirect users to a new URL

Block sites only once

Alert the administrator to block a suspicious site

16. What happens hi relation to the CRL cache after a cpstop and spstart have been Initiated

The Gateway retrieves a new CRL on startup, and then discards the old CRL as invalid

The gateway continues to use the old CRL, as long as it is valid

The gateway continues to use the old CRL even if it is not valid, until a new CRL is cached

The gateway issues a crl_zap on startup, which empties the cache and forces certificate

17. What physical machine must have access to the User center public IP address when checking for new packages with smartUpdate

SmartUpdate GUI PC

SmartUpdate Repository SQL database Server

A Security gateway retrieving the new upgrade package

SmartUpdate installed Security Management Server PC

18. For normal packet transaction of an accepted communication to a host protocol by a Security Gate Way how many lines per packet are recorded on a packet analyzer like wire Shark using fw monitor?

2

4

3

None

19. You run cpconfig to reset SIC on the Security Gateway. After the SIC reset operation is complete, the policy that will be installed is the

Last policy that was installed

Default filter

Standard policy

Initial policy

20. A Web server behind the Security Gateway is set to Automatic Static NAT Client side NAT is not checked in the Global Properties. A client on the Internet initiates a session to the Web Server. Assuming there is a rule allowing this traffic, what other configuration must be done to allow the traffic to reach the Web server?

Automatic ARP must be unchecked in the Global Properties.

A static route must be added on the Security Gateway to the internal host.

Nothing else must be configured.

A static route for the NAT IP must be added to the Gateway's upstream router.

21. Which port must be allowed to pass through enforcement points in order to allow packet logging to operate correctly?

514

256

257

258

22. While in Smart View Tracker, Brady has noticed some very odd network traffic that he thinks could be an intrusion. He decides to block the traffic for 60 but cannot remember all the steps. What is the correct order of steps needed to perform this? 1) Select the Active Mode tab In Smart view Tracker 2) Select Tools > Block Intruder 3) Select the Log Viewing tab in SmartView Tracker 4) Set the Blocking Time out value to 60 minutes 5) Highlight the connection he wishes to block

3, 2, 5, 4

3, 5, 2, 4

1, 5, 2, 4

1, 2, 5, 4

23. Phase 1 uses________.

Conditional

Sequential

Asymmetric

Symmetric

24. When configuring the network interfaces of a checkpoint Gateway, the direction can be defined as Internal or external. What is meaning of interface leading to DMZ?

It defines the DMZ Interface since this information is necessary for Content Control.

Using restricted Gateways, this option automatically turns off the counting of IP Addresses originating from this interface

When selecting this option. Ann-Spoofing is configured automatically to this net.

Activating this option automatically turns this interface to External

25. Which service is it NOT possible to configure user authentication?

HTTPS

FTP

SSH

Telnet

26. What can NOT be selected for VPN tunnel sharing?

One tunnel per subnet pair

One tunnel per Gateway pair

One tunnel per pair of hosts

One tunnel per VPN domain pair

27. Which type of resource could a Security Administrator use to control access to specific share on target machines?URI

URI

CIFS

Telnet

FTP

28. Latency has lost SIC communication with her Security Gateway and she needs to re establish SIC. What would be the correct order of steps needed to perform this task? 1) Create a new activation key on the Security Gateway, then exit cpconfig. 2) Click the Communication tab on the Security Gateway object, and then click Reset. 3) Run the cpconfig tool, and then select Secure Internal Communication to reset. 4) Input the new activation key in the Security Gateway object, and then click initialize 5) Run the cpconfig tool, then select source Internal Communication to reset.

5, 4, 1, 2

2, 3, 1, 4

2, 5, 1, 4

3, 1, 4, 2

29. Which answers are TRUE? Automatic Static NAT CANNOT be used when: i) NAT decision is based on the destination port ii) Source and Destination IP both have to be translated iii) The NAT rule should only be installed on a dedicated Gateway only iv) NAT should be performed on the server side

(i), (ii), and (iii)

(i), and (ii)

(ii) and (iv)

Only (i)

30. Which Security Servers can perform authentication tasks, but CANNOT perform content security tasks?

HTTPS

Telnet

FTP

HTTP

31. Your R71 enterprise Security Management Server is running abnormally on Windows 2003 Server. You decide to try reinstalling the Security Management Server, but you want to try keeping the critical Security Management Server configuration settings impact (i.e , all security policies database, SIC, licensing etc). What is the BEST method to reinstall the Server and keep its critical configuration?

32. You want to implement Static Destination NAT in order to provide external. Internet users access to an internal Webserver that has a reserved (RFC 1918) IP address You have an unused valid IP address on the network between your Security Gateway and ISP router. You control the router that sits between the external interface of the firewall and the Internet. What is an alternative configuration if proxy ARP cannot be used on your Security Gateway?

Place a static host route on the firewall for the valid IP address to the internal Web server.

Place a static ARP entry on the ISP router for the valid IP address to the firewall’s external address.

Publish a proxy ARP entry on the ISP router instead of the firewall for the valid IP address.

Publish a proxy ARP entry on the internal Web server instead of the firewall for the valid IP address.

33. Which of these security policy changes optimize Security Gateway performance?

Use Automatic NAT rules instead of Manual NAT rules whenever possible

Putting the least-used rule at the top of the Rule Base

Using groups within groups in the manual NAT Rule Base

Using domain objects in rules when possible

34. The Customer has a small Check Point installation which includes one Windows XP workstation as SmartConsole, one Solaris server working as security Management Server, and a third server running SecurePlatform as Security Gateway. This is an Example of a (n):Stand-Alone Installation.

Stand-Alone Installation

Unsupported configuration

Distributed Installation

Hybrid Installation

35. Of the following, what parameters will not be preserved when using Database Revision Control

Simplified mode Rule bases

Traditional mode Rule Bases

Secure platform WebUI users

SIC Certificates

Smartview Tracker audit logs

SmartView Tracker traffic logs

Implied Rules

IPS Profiles

Blocked Connections

Manual NAT rules

VPN Communities

Gateway Route table

Gateway licenses

Submit

Checkpoint CCSA R70.1

1. Which of the following uses the same key to decrypt as it does to encrypt?

2.

What first name or nickname would you like us to use?

2. A rule _______ is designed to log and drop all other communication that does not match another rule?

3. You believe Phase 2 negotiations are railing while you are attempting to configure a site-to-site VPN with one of your firm's business pastners. Which SmartConsol application should you use to confirm your suspicions?

4. The Check Point Security Gateway's virtual machine (kernel) exists between which two layers of the OSI model?

5. Which the following statement is TRUE about management plug-ins?

6. If you check the box "Use Agressive Mode" in the IKE Properties dialog box, the standard:

7. The third-shift Administrator was updating Security Management Server access settings in global properties. He managed to lock all of the administrators out of their accounts. How should you unlock these accounts?

8. Security Gateway R71 supports User Authentication for which of the following services? Select the response below that contains the most complete list of supported services.

9. Which of the following are authentication methods that Security Gateway R7Tuses to validate connection attempts? Select the response below that includes the MOST complete list of valid authentication methods.

10. You are running a R71 Security Gatewayon SecurePlatform, in case of a harware failure. You have a server with the exact same hardware installed. What backup method should you use to quickly put the secondary firewall into production.

11. In SmartView tracker, which rule shows when a packet is dropped due to anti-spoofing?

12. You have created a rule Base Firewall, websydney. Now you are going to create a new policy package with security and address transaction rules for a secured gateway. What is true about the new package's NAT rules?

14. An advantage of using central instead of local licensing is:

15. The URL Filtering Policy can be configured to monitor URLs in order to:

16. What happens hi relation to the CRL cache after a cpstop and spstart have been Initiated

17. What physical machine must have access to the User center public IP address when checking for new packages with smartUpdate

18. For normal packet transaction of an accepted communication to a host protocol by a Security Gate Way how many lines per packet are recorded on a packet analyzer like wire Shark using fw monitor?

19. You run cpconfig to reset SIC on the Security Gateway. After the SIC reset operation is complete, the policy that will be installed is the

21. Which port must be allowed to pass through enforcement points in order to allow packet logging to operate correctly?

23. Phase 1 uses________.

24. When configuring the network interfaces of a checkpoint Gateway, the direction can be defined as Internal or external. What is meaning of interface leading to DMZ?

25. Which service is it NOT possible to configure user authentication?

26. What can NOT be selected for VPN tunnel sharing?

27. Which type of resource could a Security Administrator use to control access to specific share on target machines?URI

29. Which answers are TRUE? Automatic Static NAT CANNOT be used when: i) NAT decision is based on the destination port ii) Source and Destination IP both have to be translated iii) The NAT rule should only be installed on a dedicated Gateway only iv) NAT should be performed on the server side

30. Which Security Servers can perform authentication tasks, but CANNOT perform content security tasks?

33. Which of these security policy changes optimize Security Gateway performance?

34. The Customer has a small Check Point installation which includes one Windows XP workstation as SmartConsole, one Solaris server working as security Management Server, and a third server running SecurePlatform as Security Gateway. This is an Example of a (n):Stand-Alone Installation.

35. Of the following, what parameters will not be preserved when using Database Revision Control