Checkpoint

Exam 156-315.77
Check Point Certified Security Expert
Version: 8.1

[ Total Questions: 354 ]

 Topic break down

Topic No. of Questions

Topic 1: Volume A 100
Topic 2: Volume B 100
Topic 3: Volume C 154

2
Topic 1, Volume A

Question No : 1 - (Topic 1)

Which of the following is the preferred method for adding static routes in GAiA?

A. In the CLI with the command “route add”

B. In Web Portal, under Network Management > IPv4 Static Routes
C. In the CLI via sysconfig
D. In SmartDashboard under Gateway Properties > Topology

Answer: B

Question No : 2 CORRECT TEXT - (Topic 1)

Fill in the blank. To verify SecureXL statistics, you would use the command ________ .

Answer: fwaccel stats

Question No : 3 CORRECT TEXT - (Topic 1)

MultiCorp is located in Atlanta. It has a branch office in Europe, Asia, and Africa. Each
location has its own AD controller for local user login. How many ADqueries have to be
configured?

Answer: 4

Question No : 4 - (Topic 1)

You run cphaprob -a if. When you review the output, you find the word DOWN. What does
DOWN mean?

A. The cluster link is down.

B. The physical interface is administratively set to DOWN.
C. The physical interface is down.

3
D. CCP pakets couldn't be sent to or didn't arrive from neighbor member.

Answer: D

Question No : 5 - (Topic 1)

Can you implement a complete R77 IPv6 deployment without IPv4 addresses?

A. No. SmartCenter cannot be accessed from everywhere on the Internet.

B. Yes. Only one TCP stack (IPv6 or IPv4) can be used at the same time.
C. Yes, There is no requirement for managing IPv4 addresses.
D. No. IPv4 addresses are required for management.

Answer: C

Question No : 6 - (Topic 1)

The process ________ is responsible for Policy compilation.

A. FWM
B. CPD
C. FWCMP
D. CPLMD

Answer: A

Question No : 7 - (Topic 1)

What process is responsible for transferring the policy file from SmartCenter to the
Gateway?

A. CPD
B. FWM
C. CPRID
D. FWD

Answer: A

4
Question No : 8 - (Topic 1)

Control connections between the Security Management Server and the Gateway are not
encrypted by the VPN Community. How are these connections secured?

A. They are not secured.

B. They are not encrypted, but are authenticated by the Gateway
C. They are encrypted and authenticated using SIC.
D. They are secured by PPTP

Answer: C

Question No : 9 - (Topic 1)

To run GAiA in 64bit mode, which of the following is true?

1) Run set edition default 64-bit.

2) Install more than 4 GB RAM.

3) Install more than 4 TB of Hard Disk.

A. 1 and 3
B. 1 and 2
C. 2 and 3
D. 1, 2, and 3

Answer: B

Question No : 10 - (Topic 1)

When, during policy installation, does the atomic load task run?

A. Immediately after fwm load runs on the SmartCenter.

B. Before CPD runs on the Gateway.
C. It is the last task during policy installation.
D. It is the first task during policy installation.

5
Answer: C

Question No : 11 - (Topic 1)

MultiCorp is running Smartcenter R71 on an IPSO platform and wants to upgrade to a new
Appliance with R77. Which migration tool is recommended?

A. Download Migration Tool R77 for IPSO and Splat/Linux from Check Point website.
B. Use already installed Migration Tool.
C. Use Migration Tool from CD/ISO
D. Fetch Migration Tool R71 for IPSO and Migration Tool R77 for Splat/Linux from
CheckPoint website

Answer: A

Question No : 12 - (Topic 1)

Which two processes are responsible on handling Identity Awareness?

A. pdp and lad

B. pdp and pdp-11
C. pep and lad
D. pdp and pep

Answer: D

Question No : 13 - (Topic 1)

MicroCorp experienced a security appliance failure. (LEDs of all NICs are off.) The age of
the unit required that the RMA-unit be a different model. Will a revert to an existing
snapshot bring the new unit up and running?

A. There is no dynamic update at reboot.

B. No. The revert will most probably not match to hard disk.
C. Yes. Everything is dynamically updated at reboot.
D. No. At installation the necessary hardware support is selected. The snapshot saves this
state.

6
Answer: D

Question No : 14 CORRECT TEXT - (Topic 1)

Fill in the blank. In New Mode HA, the internal cluster IP VIP address is 10.4.8.3. An
internal host 10.4.8.108 successfully pings its Cluster and receives replies.

Review the ARP table from the internal Windows host 10.4.8.108. Based on this
information, what is the active cluster member’s IP address?

Answer: 10.4.8.2

Question No : 15 - (Topic 1)

A snapshot delivers a complete backup of GAiA. How do you restore a local snapshot
named MySnapshot.tgz?

A. Reboot the system and call the start menu. Select option Snapshot Management,
provide the Expert password and select [L] for a restore from a local file. Then, provide the
correct file name.
B. As Expert user, type command snapshot - R to restore from a local file. Then, provide
the correct file name.
C. As Expert user, type command revert --file MySnapshot.tgz.
D. As Expert user, type command snapshot -r MySnapshot.tgz.

7
Answer: C

Question No : 16 CORRECT TEXT - (Topic 1)

Fill in the blank. To verify that a VPN Tunnel is properly established, use the command
_________

Answer: vpn tunnelutil

Question No : 17 - (Topic 1)

MegaCorp is using SmartCenter Server with several gateways. Their requirements result in
a heavy log load. Would it be feasible to add the SmartEvent Correlation Unit and
SmartEvent Server to their SmartCenter Server?

A. No. SmartCenter SIC will interfere with the function of SmartEvent.

B. No. If SmartCenter is already under stress, the use of a separate server for SmartEvent
is recommended.
C. No, SmartEvent and Smartcenter cannot be installed on the same machine at the same
time.
D. Yes. SmartEvent must be installed on your SmartCenter Server.

Answer: B

Question No : 18 - (Topic 1)

Which three of the following components are required to get a SmartEvent up and running?

1) SmartEvent SIC

2) SmartEvent Correlation Unit

3) SmartEvent Server

4) SmartEvent Analyzer

5) SmartEvent Client

8
A. 2, 3, and 5
B. 1, 2, and 4
C. 1, 2, and 3
D. 3, 4, and 5

Answer: A

Question No : 19 CORRECT TEXT - (Topic 1)

Type the full cphaprob command and syntax that will show full synchronization status.

Answer: cphaprob -i list

Question No : 20 - (Topic 1)

The process _______ provides service to access the GAIA configuration database.

A. configdbd
B. confd
C. fwm
D. ipsrd

Answer: B

Question No : 21 CORRECT TEXT - (Topic 1)

Fill in the blanks. To view the number of concurrent connections going through your
firewall, you would use the command and syntax __ ___ __ __________ __ .

Answer: fw tab -t connections -s

Question No : 22 - (Topic 1)

Which command will only show the number of entries in the connection table?

9
A. fw tab -t connections -s
B. fw tab -t connections -u
C. fw tab -t connections
D. fw tab

Answer: A

Question No : 23 CORRECT TEXT - (Topic 1)

Type the command and syntax you would use to verify that your Check Point cluster is
functioning correctly.

Answer: cphaprob state

Question No : 24 - (Topic 1)

You are troubleshooting a HTTP connection problem. You've started fw monitor -o

http.pcap. When you open http.pcap with Wireshark there is only one line. What is the most
likely reason?

A. fw monitor was restricted to the wrong interface.

B. Like SmartView Tracker only the first packet of a connection will be captured by fw
monitor.
C. By default only SYN pakets are captured.
D. Acceleration was turned on and therefore fw monitor sees only SYN.

Answer: D

Question No : 25 CORRECT TEXT - (Topic 1)

Fill in the blanks. To view the number of concurrent connections going through core 0 on
the firewall, you would use the command and syntax __ __ _ ___ __ ___________ __ .

Answer: fw -i 0 tab -t connections -s

10
Question No : 26 - (Topic 1)

Which statements about Management HA are correct?

1) Primary SmartCenter describes first installed SmartCenter

2) Active SmartCenter is always used to administrate with SmartConsole

3) Active SmartCenter describes first installed SmartCenter

4) Primary SmartCenter is always used to administrate with SmartConsole

A. 1 and 4
B. 2 and 3
C. 1 and 2
D. 3 and 4

Answer: C

Question No : 27 - (Topic 1)

Jon is explaining how the inspection module works to a colleague. If a new connection
passes through the inspection module and the packet matches the rule, what is the next
step in the process?

A. Verify if another rule exists.

B. Verify if any logging or alerts are defined.
C. Verify if the packet should be moved through the TCP/IP stack.
D. Verify if the packet should be rejected.

Answer: B

Question No : 28 CORRECT TEXT - (Topic 1)

Type the command and syntax to view critical devices on a cluster member in a ClusterXL
environment.

Answer: cphaprob -ia list

11
Question No : 29 CORRECT TEXT - (Topic 1)

Fill in the blank. What is the correct command and syntax used to view a connection table
summary on a Check Point Firewall?

Answer: fw tab -t connections -s

Question No : 30 - (Topic 1)

If your firewall is performing a lot of IPS inspection and the CPUs assigned to
fw_worker_thread are at or near 100%, which of the following could you do to improve
performance?

A. Add more RAM to the system.

B. Add more Disk Drives.
C. Assign more CPU cores to CoreXL
D. Assign more CPU cores to SecureXL.

Answer: C

Question No : 31 - (Topic 1)

What is the primary benefit of using upgrade_export over either backup or snapshot?

A. upgrade_export will back up routing tables, hosts files, and manual ARP configurations,
where backup and snapshot will not.
B. upgrade_export is operating system independent and can be used when backup or
snapshot is not available.
C. upgrade_export has an option to backup the system and SmartView Tracker logs while
backup and snapshot will not.
D. The commands backup and snapshot can take a long time to run whereas
upgrade_export will take a much shorter amount of time.

Answer: B

12
Question No : 32 - (Topic 1)

In the following cluster configuration; if you reboot sglondon_1 which device will be active
when sglondon_1 is back up and running? Why?

A. sglondon_1 because it the first configured object with the lowest IP.
B. sglondon_2 because sglondon_1 has highest IP.
C. sglondon_1, because it is up again, sglondon_2 took over during reboot.
D. sglondon_2 because it has highest priority.

Answer: D

Question No : 33 - (Topic 1)

What is the correct policy installation process order?

1.Verification

2.Code generation and compilation

3.Initiation

4.Commit

5. Conversion

6. CPTA

A. 1, 2, 3, 4, 5, 6
B. 3, 1, 5, 2, 6, 4
C. 4, 2, 3, 5, 6, 1
D. 6, 5, 4, 3, 2, 1

Answer: B

Question No : 34 - (Topic 1)

Security server configuration settings are stored in _______________ .

A. $FWDIR/conf/fwauthd.conf
B. $FWDIR/conf/AMT.conf

13
C. $FWDIR/conf/fwopsec.conf
D. $FWDIR/conf/Fwauth.c

Answer: A

Question No : 35 - (Topic 1)

You have pushed a policy to your firewall and you are not able to access the firewall. What
command will allow you to remove the current policy from the machine?

A. fw purge active
B. fw purge policy
C. fw fetch policy
D. fw unloadlocal

Answer: B

Question No : 36 - (Topic 1)

Which is the lowest Gateway version manageable by SmartCenter R77?

A. R65
B. S71
C. R55
D. R60A

Answer: A

Question No : 37 - (Topic 1)

When a packet is flowing through the security gateway, which one of the following is a valid
inspection path?

A. Acceleration Path
B. Small Path
C. Firewall Path
D. Medium Path

14
Answer: D

Question No : 38 - (Topic 1)

You configure a Check Point QoS Rule Base with two rules: an HTTP rule with a weight of
40, and the Default Rule with a weight of 10. If the only traffic passing through your QoS
Module is HTTP traffic, what percent of bandwidth will be allocated to the HTTP traffic?

A. 80%
B. 50%
C. 40%
D. 100%

Answer: B

Question No : 39 - (Topic 1)

How could you compare the Fingerprint shown to the Fingerprint on the server? Run
cpconfig and select:

Exhibit:

15
A. the Certificate Authority option and view the fingerprint.
B. the GUI Clients option and view the fingerprint.
C. the Certificate's Fingerprint option and view the fingerprint.
D. the Server Fingerprint option and view the fingerprint.

Answer: C

Question No : 40 CORRECT TEXT - (Topic 1)

Fill in the blank. In New Mode HA, the internal cluster IP VIP address is 10.4.8.3. The
internal interfaces on two members are 10.4.8.1 and 10.4.8.2 Internal host 10.4.8.108
pings 10.4.8.3, and receives replies.

16
Review the ARP table from the internal Windows host 10.4.8.108. According to the output,
which member is the standby machine?

Answer: 10.4.8.1

Question No : 41 CORRECT TEXT - (Topic 1)

Fill in the blank. You can set Acceleration to ON or OFF using command syntax
___________ .

Answer: fwaccel off/on

Question No : 42 - (Topic 1)

How do you upload the results of “CPSIZEME” to Check Point when using a PROXY server
with authentication?

A. [expert@HostName]# ./cpsizeme.exe –a username:password@proxy_address:port

B. [expert@HostName]# ./cpsizeme –p username:password@proxy_address:port
C. [expert@HostName]# ./cpsizeme –a username:password@proxy_address:port
D. [expert@HostName]# ./cpsizeme.exe –p username:password@proxy_address:port

Answer: B

Question No : 43 - (Topic 1)

You are trying to configure Directional VPN Rule Match in the Rule Base. But the Match
column does not have the option to see the Directional Match. You see the following
window. What must you enable to see the Directional Match?

Exhibit:

17
A. directional_match (true) in the objects_5_0.C file on Security Management Server
B. VPN Directional Match on the Gateway object’s VPN tab
C. VPN Directional Match on the VPN advanced window, in Global Properties
D. Advanced Routing on each Security Gateway

Answer: C

Question No : 44 - (Topic 1)

Which protocol can be used to provide logs to third-party reporting?

A. CPMI (Check Point Management Interface)

B. LEA (Log Export API)
C. AMON (Application Monitoring)
D. ELA (Event Logging API)

Answer: B

18
Question No : 45 - (Topic 1)

Which of the following is NOT a feature of ClusterXL?

A. Transparent upgrades
B. Zero downtime for mission-critical environments with State Synchronization
C. Enhanced throughput in all ClusterXL modes (2 gateway cluster compared with 1
gateway)
D. Transparent failover in case of device failures

Answer: A

Question No : 46 - (Topic 1)

Which command will erase all CRL’s?

A. vpn crladmin
B. cpstop/cpstart
C. vpn crl_zap
D. vpn flush

Answer: C

Question No : 47 - (Topic 1)

Which of the following is NOT part of the policy installation process?

A. Initiation
B. Validation
C. Code compilation
D. Code generation

Answer: B

Question No : 48 - (Topic 1)

The process ________ is responsible for Management High Availability synchronization.

19
A. CPD
B. FWSYNC
C. CPLMD
D. FWM

Answer: D

Question No : 49 - (Topic 1)

How do you run “CPSIZEME” on SPLAT?

A. [expert@HostName]#>./cpsizeme -h
B. [expert@HostName]# ./cpsizeme -R
C. This is not possible on SPLAT
D. [expert@HostName]# ./cpsizeme

Answer: D

Question No : 50 CORRECT TEXT - (Topic 1)

Fill in the blank. To save your OSPF configuration in GAiA, enter the command
___________ .

Answer: save config

Question No : 51 - (Topic 1)

Can the smallest appliance handle all Blades simultaneously?

A. Depends on the number of protected clients and throughput.

B. Depends on number of concurrent sessions.
C. Firewall throughput is the only relevant factor.
D. It depends on required SPU for customer environment.

Answer: D

20
Question No : 52 CORRECT TEXT - (Topic 1)

Write the full fw command and syntax that you would use to troubleshoot ClusterXL sync
issues.

Answer: fw tab -s -t connections

Question No : 53 - (Topic 1)

How frequently does CPSIZEME run by default?

A. weekly
B. 12 hours
C. 24 hours
D. 1 hour

Answer: C

Question No : 54 - (Topic 1)

Which of the following CLISH commands would you use to set the admin user's shell to
bash?

A. set user admin shell bash

B. set user admin shell /bin/bash
C. set user admin shell = /bin/bash
D. set user admin /bin/bash

Answer: B

Question No : 55 - (Topic 1)

_________ is the called process that starts when opening SmartView Tracker application.

21
A. FWM
B. CPLMD
C. logtrackerd
D. fwlogd

Answer: B

Question No : 56 - (Topic 1)

What is the offline CPSIZEME upload procedure?

A. Find the cpsizeme_of_<gwname>.pdf, attach it to an e-mail and send it to

[email protected]
B. Use the webbrowser version of cpsizeme and fax it to Check Point.
C. Find the cpsizeme_of_<gwname>.xml, attach it to an e-mail and send it to
[email protected]
D. There is no offline upload method.

Answer: C

Question No : 57 CORRECT TEXT - (Topic 1)

Fill in the blank. The command that typically generates the firewall application, operating
system, and hardware specific drivers is _________ .

Answer: snapshot

Question No : 58 CORRECT TEXT - (Topic 1)

Fill in the blank. In Load Sharing Unicast mode, the internal cluster IP address is 10.4.8.3.
The internal interfaces on two members are 10.4.8.1 and 10.4.8.2. Internal host 10.4.8.108
Pings 10.4.8.3, and receives replies. The following is the ARP table from the internal
Windows host 10.4.8.108.

22
Review the exhibit and type the IP address of the member serving as the pivot machine in
the space below.

Answer: 10.4.8.2

Question No : 59 - (Topic 1)

What step should you take before running migrate_export?

A. Install policy and exit SmartDashboard.

B. Disconnect all GUI clients.
C. Run a cpstop on the Security Management Server.
D. Run a cpstop on the Security Gateway.

Answer: B

Question No : 60 - (Topic 1)

Select the command set best used to verify proper failover function of a new ClusterXL
configuration.

A. reboot
B. cphaprob -d failDevice -s problem -t 0 register / cphaprob -d failDevice unregister
C. clusterXL_admin down / clusterXL_admin up
D. cpstop/cpstart

23
Answer: C

Question No : 61 - (Topic 1)

You find that Gateway fw2 can NOT be added to the cluster object.

What are possible reasons for that?

1) fw2 is a member in a VPN community.

2) ClusterXL software blade is not enabled on fw2.

3) fw2 is a DAIP Gateway.

A. 2 or 3
B. 1 or 2
C. 1 or 3
D. All

Answer: C

24
Question No : 62 - (Topic 1)

In which case is a Sticky Decision Function relevant?

A. Load Balancing - Forward

B. High Availability
C. Load Sharing - Multicast
D. Load Sharing - Unicast

Answer: A

Question No : 63 - (Topic 1)

The process ___________ is responsible for all other security server processes run on the
Gateway.

A. CPD
B. FWM
C. FWD
D. FWSSD

Answer: C

Question No : 64 - (Topic 1)

Your R7x-series Enterprise Security Management Server is running abnormally on

Windows Server 2008 R2. You decide to try reinstalling the Security Management Server,
but you want to try keeping the critical Security Management Server configuration settings
intact (i.e., all Security Policies, databases, SIC, licensing etc.) What is the BEST method
to reinstall the Server and keep its critical configuration?

A. 1. Insert the R77 CD-ROM and select the option to export the configuration using the
latest upgrade utilities.
2. Follow steps suggested by upgrade_verification and re-export the configuration if
needed.
3. Save the exported file *.tgz to a local directory c:/temp.
4. Uninstall all packages using Add/Remove Programs and reboot.
5. Install again using the R77 CD-ROM as a primary Security Management Server and
reboot.

25
6. Run upgrade_import to import the configuration.
B. 1. Create a data base revision control back up using SmartDashboard.
2. Create a compressed archive of the directories %FWDIR%/conf and %FWDIR%/lib and
copy them to another networked machine.
3. Uninstall all packages using Add/Remove Programs and reboot.
4. Install again as a primary Security Management Server using the R77 CD-ROM.
5. Reboot and restore the two archived directories over the top of the new installation,
choosing to overwrite existing files.
C. 1. Download the latest utility upgrade_export and run from a local directory c:/temp to
export the configuration into a *.tgz file.
2. Skip any upgrade_verification warnings since you are not upgrading.
3. Transfer the file *.tgz to another networked machine.
4. Download and run the utility cpclean and reboot.
5. Use the R77 CD-ROM to select option upgrade_import to import the configuration.
D. 1. Download the latest utility upgrade_export and run from directory c:/temp to export
the configuration into a *.tgz file.
2. Follow steps suggested by upgrade_verification.
3. Uninstall all packages using Add/Remove Programs and reboot.
4. Use SmartUpdate to reinstall the Security Management Server and reboot.
5. Transfer file *.tgz back to local directory /temp.
6. Run upgrade_import to import the configuration.

Answer: A

Question No : 65 CORRECT TEXT - (Topic 1)

Type the command and syntax that you would use to view the virtual cluster interfaces of a
ClusterXL environment.

Answer: cphaprob -a if

Question No : 66 CORRECT TEXT - (Topic 1)

Type the full fw command and syntax that allows you to disable only sync on a cluster
firewall member.

Answer: fw ctl setsync off

26
Question No : 67 - (Topic 1)

The process ________ is responsible for GUIClient communication with the SmartCenter.

A. CPGUI
B. CPD
C. FWD
D. FWM

Answer: D

Question No : 68 - (Topic 1)

Which of the following is NOT an advantage of SmartLog?

A. SmartLog has a “Top Results” pane showing things like top sources, rules, and users.
B. SmartLog displays query results across multiple log files, reducing the need to open
previous files to view results.
C. SmartLog requires less disk space by consolidating log entries into fewer records.
D. SmartLog creates an index of log entries, increasing query speed.

Answer: C

Question No : 69 CORRECT TEXT - (Topic 1)

Fill in the blank. To remove site-to-site IKE and IPSEC keys you would enter command
____ ___ and select the option to delete all IKE and IPSec SA’s.

Answer: vpn tu

Question No : 70 - (Topic 1)

The connection to the ClusterXL member ‘A’ breaks. The ClusterXL member ‘A’ status is
now ‘down’. Afterwards the switch admin set a port to ClusterXL member ‘B’ to ‘down’.
What will happen?

27
A. ClusterXL member ‘B’ also left the cluster.
B. ClusterXL member ‘B’ stays active as last member.
C. Both ClusterXL members share load equally.
D. ClusterXL member ‘A’ is asked to come back to cluster.

Answer: B

Question No : 71 - (Topic 1)

Paul has just joined the MegaCorp security administration team. Natalie, the administrator,
creates a new administrator account for Paul in SmartDashboard and installs the policy.
When Paul tries to login it fails. How can Natalie verify whether Paul’s IP address is
predefined on the security management server?

A. Login to Smart Dashboard, access Properties of the SMS, and verify whether Paul’s IP
address is listed.
B. Type cpconfig on the Management Server and select the option “GUI client List” to see if
Paul’s IP address is listed.
C. Login in to Smart Dashboard, access Global Properties, and select Security
Management, to verify whether Paul’s IP address is listed.
D. Access the WEBUI on the Security Gateway, and verify whether Paul’s IP address is
listed as a GUI client.

Answer: B

Question No : 72 - (Topic 1)

The process ________________ compiles $FWDIR/conf/*.W files into machine language.

A. fwd
B. fw gen
C. cpd
D. fwm

Answer: B

Question No : 73 - (Topic 1)

28
Which of the following statements accurately describes the migrate command?

A. upgrade_export is used when upgrading the Security Gateway, and allows certain files
to be included or excluded before exporting.
B. Used primarily when upgrading the Security Management Server, migrate stores all
object databases and the conf directories for importing to a newer version of the Security
Gateway.
C. Used when upgrading the Security Gateway, upgrade_export includes modified files,
such as in the directories /lib and /conf.
D. upgrade_export stores network-configuration data, objects, global properties, and the
database revisions prior to upgrading the Security Management Server.

Answer: B

Question No : 74 - (Topic 1)

A ClusterXL configuration is limited to ___ members.

A. There is no limit.
B. 16
C. 6
D. 2

Answer: C

Question No : 75 - (Topic 1)

Which Check Point tool allows you to open a debug file and see the VPN packet exchange
details.

A. PacketDebug.exe
B. VPNDebugger.exe
C. IkeView.exe
D. IPSECDebug.exe

Answer: C

Question No : 76 - (Topic 1)
29
Which process should you debug if SmartDashboard login fails?

A. sdm
B. cpd
C. fwd
D. fwm

Answer: D

Question No : 77 - (Topic 1)

David wants to manage hundreds of gateways using a central management tool. What tool
would David use to accomplish his goal?

A. SmartDashboard
B. SmartBlade
C. SmartLSM
D. SmartProvisioning

Answer: D

Question No : 78 - (Topic 1)

Exhibit:

From the following output of cphaprob state, which ClusterXL mode is this?

A. Unicast mode
B. Multicast mode
C. New mode
D. Legacy mode

30
Answer: A

Question No : 79 - (Topic 1)

Which CLI tool helps on verifying proper ClusterXL sync?

A. fw stat
B. fw ctl sync
C. fw ctl pstat
D. cphaprob stat

Answer: C

Question No : 80 - (Topic 1)

Review the Rule Base displayed.

For which rules will the connection templates be generated in SecureXL?

A. Rules 2 and 5
B. Rules 2 through 5
C. Rule 2 only
D. All rules except Rule 3

Answer: D

Question No : 81 CORRECT TEXT - (Topic 1)

31
To bind a NIC to a single processor when using CoreXL on GAiA, you would use the
command

Answer: sim affinity

Question No : 82 - (Topic 1)

How do you check the version of “CPSIZEME” on GAiA?

A. [expert@HostName]# ./cpsizeme.exe –v
B. [expert@HostName]# ./cpsizeme.exe –version
C. [expert@HostName]# ./cpsizeme –V
D. [expert@HostName]# ./cpsizeme –version

Answer: C

Question No : 83 - (Topic 1)

Anytime a client initiates a connection to a server, the firewall kernel signals the FWD
process using a trap. FWD spawns the ________ child service, which runs the security
server.

A. FWSD
B. FWD
C. In.httpd
D. FWSSD

Answer: D

Question No : 84 - (Topic 1)

How do you verify the Check Point kernel running on a firewall?

A. fw ver -k
B. fw ctl pstat
C. fw ctl get kernel

32
D. fw kernel

Answer: B

Question No : 85 - (Topic 1)

MultiCorp has bought company OmniCorp and now has two active AD domains. How
would you deploy Identity Awareness in this environment?

A. You must run an ADquery for every domain.

B. Identity Awareness can only manage one AD domain.
C. Only one ADquery is necessary to ask for all domains.
D. Only Captive Portal can be used.

Answer: A

Question No : 86 - (Topic 1)

MegaCorp is running Smartcenter R70, some Gateways at R65 and some other Gateways
with R60. Management wants to upgrade to the most comprehensive IPv6 support. What
should the administrator do first?

A. Upgrade Smartcenter to R77 first.

B. Upgrade R60-Gateways to R65.
C. Upgrade every unit directly to R77.
D. Check the ReleaseNotes to verify that every step is supported.

Answer: D

Question No : 87 - (Topic 1)

What is Check Point's CoreXL?

A. A way to synchronize connections across cluster members

B. TCP-18190
C. Multiple core interfaces on the device to accelerate traffic
D. Multi Core support for Firewall Inspection

33
Answer: D

Question No : 88 - (Topic 1)

Which three of the following are ClusterXL member requirements?

1) same operating systems

2) same Check Point version

3) same appliance model

4) same policy

A. 1, 3, and 4
B. 1, 2, and 4
C. 2, 3, and 4
D. 1, 2, and 3

Answer: B

Question No : 89 - (Topic 1)

The challenges to IT involve deployment, security, management, and what else?

A. Assessments
B. Maintenance
C. Transparency
D. Compliance

Answer: D

Question No : 90 - (Topic 1)

What firewall kernel table stores information about port allocations for Hide NAT
connections?

A. NAT_dst_any_list

34
B. NAT_alloc
C. NAT_src_any_list
D. fwx_alloc

Answer: D

Question No : 91 - (Topic 1)

If Bob wanted to create a Management High Availability configuration, what is the minimum
number of Security Management servers required in order to achieve his goal?

A. Two
B. One
C. Four
D. Three

Answer: A

Question No : 92 CORRECT TEXT - (Topic 1)

Type the command and syntax to configure the Cluster Control Protocol (CCP) to use
Broadcast.

Answer: cphaconf set_ccp broadcast

Question No : 93 - (Topic 1)

Where do you define NAT properties so that NAT is performed either client side or server
side? In SmartDashboard under:

A. Gateway Setting
B. NAT Rules
C. Global Properties > NAT definition
D. Implied Rules

Answer: C

35
Question No : 94 CORRECT TEXT - (Topic 1)

Fill in the blank. To enter the router shell, use command __________ .

Answer: cligated

Question No : 95 - (Topic 1)

User definitions are stored in ________________ .

A. $FWDIR/conf/users.NDB
B. $FWDIR/conf/fwmuser.conf
C. $FWDIR/conf/fwusers.conf
D. $FWDIR/conf/fwauth.NDB

Answer: D

Question No : 96 CORRECT TEXT - (Topic 1)

Fill in the blank. To verify the SecureXL status, you would enter command _____________
.

Answer: fwaccel stat

Question No : 97 CORRECT TEXT - (Topic 1)

Type the full fw command and syntax that will show full synchronization status.

Answer: fw ctl pstat

Question No : 98 - (Topic 1)

Does Check Point recommend generating an upgrade_export on standby SmartCenters?

36
A. Yes. This is the only way to get the upgrade_export
B. No. All Check Point processes are stopped.
C. No. There is no way to verify the actual configuration.
D. Yes. All information is available at both SmartCenters.

Answer: C

Question No : 99 - (Topic 1)

By default, what happens to the existing connections on a firewall when a new policy is
installed?

A. All existing data connections will be kept open until the connections have ended.
B. Existing connections are always allowed
C. All existing control and data connections will be kept open until the connections have
ended.
D. All existing connections not allowed under the new policy will be terminated.

Answer: D

Question No : 100 CORRECT TEXT - (Topic 1)

To stop acceleration on a GAiA Security Gateway, enter command:

Answer: fwaccel off

Topic 2, Volume B

Question No : 101 - (Topic 2)

How are cached usernames and passwords cleared from the memory of a Security
Gateway?

A. By using the Clear User Cache button in SmartDashboard

B. Usernames and passwords only clear from memory after they time out
C. By retrieving LDAP user information using the command fw fetchldap
D. By installing a Security Policy

37
Answer: D

Question No : 102 - (Topic 2)

When synchronizing clusters, which of the following statements is NOT true?

A. In the case of a failover, accounting information on the failed member may be lost
despite a properly working synchronization.
B. An SMTP resource connection using CVP will be maintained by the cluster.
C. User Authentication connections will be lost by the cluster.
D. Only cluster members running on the same OS platform can be synchronized.

Answer: B

Question No : 103 - (Topic 2)

In SmartDirectory, what is each LDAP server called?

A. Account Server
B. LDAP Unit
C. Account Unit
D. LDAP Server

Answer: C

Question No : 104 - (Topic 2)

What is the supported ClusterXL configuration when configuring a cluster synchronization

network on a VLAN interface?

A. It is supported on the lowest VLAN tag of the VLAN interface.

B. It is not supported on a VLAN tag.
C. It is supported on VLAN tag 4095.
D. It is supported on VLAN tag 4096.

Answer: A

38
Question No : 105 - (Topic 2)

Remote clients are using SSL VPN to authenticate via LDAP server to connect to the
organization. Which gateway process is responsible for the authentication?

A. vpnd
B. cvpnd
C. fwm
D. fwd

Answer: B

Question No : 106 - (Topic 2)

You are running a R77 Security Gateway on GAiA. In case of a hardware failure, you have
a server with the exact same hardware and firewall version installed. What backup method
could be used to quickly put the secondary firewall into production?

A. backup
B. snapshot
C. migrate_import
D. manual backup

Answer: B

Question No : 107 - (Topic 2)

When restoring R77 using the command upgrade_import, which of the following items are
NOT restored?

A. Route tables
B. Gateway topology
C. Licenses
D. User db

Answer: A

Question No : 108 - (Topic 2)

39
John is upgrading a cluster from NGX R65 to R77. John knows that you can verify the
upgrade process using the pre-upgrade verifier tool. When John is running Pre-Upgrade
Verification, he sees the warning message:

Title: Incompatible pattern.

What is happening?

A. The actual configuration contains user defined patterns in IPS that are not supported in
R77. If the patterns are not fixed after upgrade, they will not be used with R77 Security
Gateways.
B. R77 uses a new pattern matching engine. Incompatible patterns should be deleted
before upgrade process to complete it successfully.
C. Pre-Upgrade Verification tool only shows that message but it is only informational.
D. Pre-Upgrade Verification process detected a problem with actual configuration and
upgrade will be aborted.

Answer: A

Question No : 109 - (Topic 2)

Which process is responsible for delta synchronization in ClusterXL?

A. fwd on the Security Gateway

B. fw kernel on the Security Gateway
C. Clustering on the Security Gateway
D. cpd on the Security Gateway

Answer: B

Question No : 110 - (Topic 2)

Check Point recommends that you back up systems running Check Point products. Run
your back ups during maintenance windows to limit disruptions to services, improve CPU
usage, and simplify time allotment. Which back up method does Check Point recommend
before major changes, such as upgrades?

A. upgrade_export
B. migrate export
C. snapshot

40
D. backup

Answer: C

Question No : 111 - (Topic 2)

How does a cluster member take over the VIP after a failover event?

A. Gratuitous ARP
B. Broadcast storm
C. arp -s
D. Ping the sync interface

Answer: A

Question No : 112 - (Topic 2)

Which is NOT a valid option when upgrading Cluster Deployments?

A. Fast path Upgrade

B. Minimal Effort Upgrade
C. Full Connectivity Upgrade
D. Zero Downtime

Answer: A

Question No : 113 - (Topic 2)

When an Endpoint user is able to authenticate but receives a message from the client that
it is unable to enforce the desktop policy, what is the most likely scenario?

A. The gateway could not locate the user in SmartDirectory and is allowing the connection
with limitations based on a generic profile.
B. The user’s rights prevent access to the protected network.
C. A Desktop Policy is not configured.
D. The user is attempting to connect with the wrong Endpoint client.

41
Answer: D

Question No : 114 - (Topic 2)

What is NOT a valid LDAP use in Check Point SmartDirectory?

A. Retrieve gateway CRL’s

B. Enforce user access to internal resources
C. External users management
D. Provide user authentication information for the Security Management Server

Answer: B

Question No : 115 - (Topic 2)

The file snapshot generates is very large, and can only be restored to:

A. The device that created it, after it has been upgraded.

B. A device having exactly the same Operating System and hardware as the device that
created the file.
C. Individual members of a cluster configuration.
D. Windows Server class systems.

Answer: B

Question No : 116 - (Topic 2)

If using AD Query for seamless identity data reception from Microsoft Active Directory (AD),
which of the following methods is NOT Check Point recommended?

A. Identity-based enforcement for non-AD users (non-Windows and guest users)

B. Basic identity enforcement in the internal network
C. Leveraging identity in Internet application control
D. Identity-based auditing and logging

Answer: A

42
Question No : 117 - (Topic 2)

A Zero Downtime Upgrade of a cluster:

A. Upgrades all cluster members except one at the same time.

B. Is only supported in major releases (R70 to R71, R71 to R77).
C. Requires breaking the cluster and upgrading members independently.
D. Treats each individual cluster member as an individual gateway.

Answer: A

Question No : 118 - (Topic 2)

Remote clients are using IPSec VPN to authenticate via LDAP server to connect to the
organization. Which gateway process is responsible for the authentication?

A. fwm
B. fwd
C. vpnd
D. cvpnd

Answer: C

Question No : 119 - (Topic 2)

When using Captive Portal to send unidentified users to a Web portal for authentication,
which of the following is NOT a recommended use for this method?

A. For deployment of Identity Agents

B. Identity-based enforcement for non-AD users (non-Windows and guest users)
C. Leveraging identity in Internet application control
D. Basic identity enforcement in the internal network

Answer: D

Question No : 120 - (Topic 2)

43
When using SmartDashboard to manage existing users in SmartDirectory, when are the
changes applied?

A. At database synchronization
B. Instantaneously
C. Never, you cannot manage users through SmartDashboard
D. At policy installation

Answer: B

Question No : 121 - (Topic 2)

What is a Sticky Connection?

A. A Sticky Connection is one in which a reply packet returns through the same gateway as
the original packet.
B. A Sticky Connection is a connection that remains the same.
C. A Sticky Connection is a VPN connection that remains up until you manually bring it
down.
D. A Sticky Connection is a connection that always chooses the same gateway to set up
the initial connection.

Answer: A

Question No : 122 - (Topic 2)

When using ClusterXL in Load Sharing, what is the default sharing method based on?

A. IPs
B. IPs, SPIs
C. IPs, Ports
D. IPs, Ports, SPIs

Answer: D

Question No : 123 - (Topic 2)

44
How would you set the debug buffer size to 1024?

A. Run fw ctl kdebug 1024

B. Run fw ctl set buf 1024
C. Run fw ctl set int print_cons 1024
D. Run fw ctl debug -buf 1024

Answer: D

Question No : 124 - (Topic 2)

An organization may be distributed across several SmartDirectory (LDAP) servers. What

provision do you make to enable a Gateway to use all available resources? Each
SmartDirectory (LDAP) server must be:

A. a member in the LDAP group.

B. represented by a separate Account Unit.
C. represented by a separate Account Unit that is a member in the LDAP group.
D. a member in a group that is associated with one Account Unit.

Answer: B

Question No : 125 - (Topic 2)

Which command would you use to save the routing information before upgrading a
Windows Gateway?

A. cp /etc/sysconfig/network.C [location]
B. ifconfig > [filename].txt
C. ipconfig –a > [filename].txt
D. netstat –rn > [filename].txt

Answer: D

Question No : 126 - (Topic 2)

Check Point recommends that you back up systems running Check Point products. Run

45
your back ups during maintenance windows to limit disruptions to services, improve CPU
usage, and simplify time allotment. Which back up method does Check Point recommend
every couple of months, depending on how frequently you make changes to the network or
policy?

A. migrate export
B. upgrade_export
C. snapshot
D. backup

Answer: D

Question No : 127 - (Topic 2)

Which of the following is a supported Sticky Decision Function of Sticky Connections for
Load Sharing?

A. Support for SecureClient/SecuRemote/SSL Network Extender encrypted connections

B. Multi-connection support for VPN-1 cluster members
C. Support for all VPN deployments (except those with third-party VPN peers)
D. Support for Performance Pack acceleration

Answer: A

Question No : 128 - (Topic 2)

Which command would you use to save the IP address and routing information before
upgrading a GAiA Gateway?

A. netstat –rn > [filename].txt

B. ipconfig –a > [filename].txt
C. cp /etc/sysconfig/network.C [location]
D. ifconfig > [filename].txt

Answer: C

Question No : 129 - (Topic 2)

46
Identity Agent is a lightweight endpoint agent that authenticates securely with Single Sign-
On (SSO). Which of the following is NOT a recommended use for this method?

A. Leveraging machine name or identity

B. When accuracy in detecting identity is crucial
C. Identity based enforcement for non-AD users (non-Windows and guest users)
D. Protecting highly sensitive servers

Answer: C

Question No : 130 - (Topic 2)

Which of the following commands do you run on the AD server to identify the DN name
before configuring LDAP integration with the Security Gateway?

A. dsquery user –name administrator

B. query ldap –name administrator
C. ldapquery –name administrator
D. cpquery –name administrator

Answer: A

Question No : 131 - (Topic 2)

Which of the following is a valid Active Directory designation for user Jane Doe in the MIS
department of AcmeCorp.com?

A. Cn=jane_doe,ou=MIS,dc=acmecorp,dc=com
B. Cn= jane_doe,ou=MIS,cn=acmecorp,dc=com
C. Cn= jane_doe,ca=MIS,dc=acmecorp,dc=com
D. Cn= jane_doe,ca=MIS,cn=acmecorp,dc=com

Answer: A

Question No : 132 - (Topic 2)

The process __________ is responsible for the authentication for Remote Access clients.

47
A. fwm
B. vpnd
C. cvpnd
D. cpd

Answer: B

Question No : 133 - (Topic 2)

When defining SmartDirectory for High Availability (HA), which of the following should you
do?

A. Configure Secure Internal Communications with each server and fetch branches from
each.
B. Replicate the same information on multiple Active Directory servers.
C. Configure a SmartDirectory Cluster object.
D. Configure the SmartDirectory as a single object using the LDAP cluster IP. Actual HA
functionality is configured on the servers.

Answer: B

Question No : 134 - (Topic 2)

Steve is troubleshooting a connection problem with an internal application. If he knows the

source IP address is 192.168.4.125, how could he filter this traffic?

A. Run fw monitor -e "accept src-ip=192.168.4.125;"

B. Run fw monitor -e "accept src=192.168.4.125;"
C. Run fw monitor -e "accept dst-ip=192.168.4.125;"
D. Run fw monitor -e "accept ip=192.168.4.125;"

Answer: B

Question No : 135 - (Topic 2)

__________ is a proprietary Check Point protocol. It is the basis for Check Point ClusterXL
inter-module communication.

48
A. CPP
B. CPHA
C. CKPP
D. CCP

Answer: D

Question No : 136 - (Topic 2)

An administrator has installed the latest HFA on the system for fixing traffic problems after
creating a backup file. A large number of routes were added or modified, causing network
problems. The Check Point configuration has not been changed. What would be the most
efficient way to revert to a working configuration?

A. A back up cannot be restored, because the binary files are missing.

B. The restore is not possible because the backup file does not have the same build
number (version).
C. Select Snapshot Management from the SecurePlatform boot menu.
D. Use the command restore and select the appropriate backup file.

Answer: D

Question No : 137 - (Topic 2)

__________ is NOT a ClusterXL mode.

A. Legacy
B. Unicast
C. Broadcast
D. New

Answer: C

Question No : 138 - (Topic 2)

You are the MegaCorp Security Administrator. This company uses a firewall cluster,
consisting of two cluster members. The cluster generally works well but one day you find
that the cluster is behaving strangely. You assume that there is a connectivity problem with

49
the cluster synchronization link (cross-over cable). Which of the following commands is the
BEST for testing the connectivity of the crossover cable?

A. ifconfig -a
B. arping <IP address of the synchronization interface on the other cluster member>
C. telnet <IP address of the synchronization interface on the other cluster member>
D. ping <IP address of the synchronization interface on the other cluster member>

Answer: B

Question No : 139 - (Topic 2)

Which is NOT a method through which Identity Awareness receives its identities?

A. AD Query
B. Group Policy
C. Identity Agent
D. Captive Portal

Answer: B

Question No : 140 - (Topic 2)

Included in the customer’s network are some firewall systems with the Performance Pack
in use. The customer wishes to use these firewall systems in a cluster (Load Sharing
mode). He is not sure if he can use the Sticky Decision Function in this cluster. Explain the
situation to him.

A. The customer can use the firewalls with Performance Pack inside the cluster, which
should support the Sticky Decision Function. It is just necessary to configure it with the
clusterXL_SDF_enable command.
B. ClusterXL always supports the Sticky Decision Function in the Load Sharing mode.
C. The customer can use the firewalls with Performance Pack inside the cluster, which
should support the Sticky Decision Function. It is just necessary to enable the Sticky
Decision Function in the SmartDashboard cluster object in the ClusterXL page, Advanced
Load Sharing Configuration window.
D. Sticky Decision Function is not supported when employing either Performance Pack or a
hardware-based accelerator card. Enabling the Sticky Decision Function disables these
acceleration products.

50
Answer: D

Question No : 141 - (Topic 2)

You can NOT use SmartDashboard’s SmartDirectory features to connect to the LDAP
server. What should you investigate?

1. Verify you have read-only permissions as administrator for the operating system.

2. Verify there are no restrictions blocking SmartDashboard's User Manager from

connecting to the LDAP server.

3. Check that the login Distinguished Name configured has at least write permission in the
access control configuration of the LDAP server.

A. 2 and 3
B. 1, 2, and 3
C. 1 and 2
D. 1 and 3

Answer: A

Question No : 142 - (Topic 2)

When configuring an LDAP Group object, select the option ____________ if you want the
gateway to reference all groups defined on the LDAP server for authentication purposes.

A. Only Sub Tree

B. Only Group in Branch
C. OU Accept and select appropriate domain
D. All Account-Unit’s Users

Answer: D

Question No : 143 - (Topic 2)

If ClusterXL Load Sharing is enabled with state synchronization enabled, what will happen
if one member goes down?

51
A. The processing of all connections handled by the faulty machine is immediately taken
over by the other member(s).
B. The processing of all connections handled by the faulty machine is dropped, so all
connections need to be re-established through the other machine(s).
C. There is no state synchronization on Load Sharing, only on High Availability.
D. The connections are dropped as Load Sharing does not support High Availability.

Answer: A

Question No : 144 - (Topic 2)

Which describes the function of the account unit?

A. An Account Unit is the Check Point account that SmartDirectory uses to access an
(LDAP) server
B. An Account Unit is a system account on the Check Point gateway that SmartDirectory
uses to access an (LDAP) server
C. An Account Unit is the administration account on the LDAP server that SmartDirectory
uses to access to (LDAP) server
D. An Account Unit is the interface which allows interaction between the Security
Management server and Security Gateways, and the SmartDirectory (LDAP) server.

Answer: D

Question No : 145 - (Topic 2)

When synchronizing clusters, which of the following statements is NOT true?

A. Client Authentication or Session Authentication connections through a cluster member

will be lost if the cluster member fails.
B. In the case of a failover, accounting information on the failed member may be lost
despite properly working synchronization.
C. Only cluster members running on the same OS platform can be synchronized.
D. The state of connections using resources is maintained by a Security Server, so these
connections cannot be synchronized.

Answer: A

52
Question No : 146 - (Topic 2)

The process that performs the authentication for legacy session authentication is:

A. cvpnd
B. fwm
C. vpnd
D. fwssd

Answer: D

Question No : 147 - (Topic 2)

Choose the BEST sequence for configuring user management in SmartDashboard, using
an LDAP server.

A. Configure a server object for the LDAP Account Unit, and create an LDAP resource
object.
B. Configure a workstation object for the LDAP server, configure a server object for the
LDAP Account Unit, and enable LDAP in Global Properties.
C. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties,
and create an LDAP resource object.
D. Enable LDAP in Global Properties, configure a host-node object for the LDAP server,
and configure a server object for the LDAP Account Unit.

Answer: D

Question No : 148 - (Topic 2)

Your primary Security Management Server runs on GAiA. What is the fastest way to back
up your Security Gateway R77 configuration, including routing and network configuration
files?

A. Copying the directories $FWDIR/conf and $FWDIR/lib to another location.

B. Use the command snapshot.
C. Using the command upgrade_export.
D. Using the native GAiA back up utility from command line or in the Web-based user
interface.

53
Answer: D

Question No : 149 - (Topic 2)

You have a High Availability ClusterXL configuration. Machines are not synchronized. What
happens to connections on failover?

A. Open connections are lost but can be reestablished.

B. It is not possible to configure High Availability that is not synchronized.
C. Connections cannot be established until cluster members are fully synchronized.
D. Open connections are lost but are automatically recovered whenever the failed machine
recovers.

Answer: A

Question No : 150 - (Topic 2)

The process _______ executes the authentication for logging in to SmartDashboard.

A. fwm
B. vpnd
C. cpd
D. cvpnd

Answer: A

Question No : 151 - (Topic 2)

After you add new interfaces to a cluster, how can you check if the new interfaces and the
associated virtual IP address are recognized by ClusterXL?

Exhibit:

54
A. By running the command cphaprob -I list on both members
B. By running the command cphaprob -a if on both members
C. By running the command cpconfig on both members
D. By running the command cphaprob state on both members

Answer: B

Question No : 152 - (Topic 2)

In ClusterXL, _______ is defined by default as a critical device.

A. fw.d
B. vpnd
C. Filter
D. cpd

Answer: C

Question No : 153 - (Topic 2)

55
In ClusterXL, _______ is defined by default as a critical device.

A. fwm
B. assld
C. cpp
D. fwd

Answer: D

Question No : 154 - (Topic 2)

Which process is responsible for kernel table information sharing across all cluster
members?

A. cpd
B. fwd daemon
C. CPHA
D. fw kernel

Answer: B

Question No : 155 - (Topic 2)

Check Point support has asked Tony for a firewall capture of accepted packets. What
would be the correct syntax to create a capture file to a filename called monitor.out?

A. Run fw monitor -e "accept;" -f monitor.out

B. Run fw monitor -e "accept;" -c monitor.out
C. Run fw monitor -e "accept;" -o monitor.out
D. Run fw monitor -e "accept;" -m monitor.out

Answer: C

Question No : 156 - (Topic 2)

You need to back up the routing, interface, and DNS configuration information from your
R77 GAiA Security Gateway. Which backup-and-restore solution do you use?

56
A. Manual copies of the directory $FWDIR/conf
B. GAiA back up utilities
C. Database Revision Control
D. Commands upgrade_export and upgrade_import

Answer: B

Question No : 157 - (Topic 2)

In a Cluster, some features such as VPN only function properly when:

A. all cluster members have the same number of interfaces configured.

B. all cluster members’ clocks are synchronized.
C. all cluster members have the same policy.
D. all cluster members have the same Hot Fix Accumulator pack installed.

Answer: B

Question No : 158 - (Topic 2)

When upgrading a cluster in Full Connectivity Mode, the first thing you must do is see if all
cluster members have the same products installed. Which command should you run?

A. fw fcu
B. cpconfig
C. cphaprob fcustat
D. fw ctl conn –a

Answer: D

Question No : 159 - (Topic 2)

Which command would you use to save the interface information before upgrading a GAiA
Gateway?

A. ipconfig –a > [filename].txt

B. cp /etc/sysconfig/network.C [location]

57
C. netstat –rn > [filename].txt
D. ifconfig > [filename].txt

Answer: D

Question No : 160 - (Topic 2)

When troubleshooting user authentication, you may see the following entries in a debug of
the user authentication process. In which order are these messages likely to appear?

A. make_au, au_auth, au_fetchuser, au_auth_auth, cpLdapCheck, cpLdapGetUser

B. make_au, au_auth, au_fetchuser, cpLdapGetUser, cpLdapCheck, au_auth_auth
C. cpLdapGetUser, au_fetchuser, cpLdapCheck, make_au, au_auth, au_auth_auth
D. au_fetchuser, make_au, au_auth, cpLdapGetUser, au_auth_auth, cpLdapCheck

Answer: B

Question No : 161 - (Topic 2)

A Full Connectivity Upgrade of a cluster:

A. Treats each individual cluster member as an individual gateway.

B. Requires breaking the cluster and upgrading members independently.
C. Is only supported in minor version upgrades (R70 to R71, R71 to R77).
D. Upgrades all cluster members except one at the same time.

Answer: C

Question No : 162 - (Topic 2)

Which of the following is NOT a LDAP server option in SmartDirectory?

A. Standard_DS
B. Novell_DS
C. Netscape_DS
D. OPSEC_DS

58
Answer: A

Question No : 163 - (Topic 2)

There are several SmartDirectory (LDAP) features that can be applied to further enhance
SmartDirectory (LDAP) functionality, which of the following is NOT one of those features?

A. Support many Domains under the same account unit

B. Support multiple SmartDirectory (LDAP) servers on which many user databases are
distributed
C. High Availability, where user information can be duplicated across several servers
D. Encrypted or non-encrypted SmartDirectory (LDAP) Connections usage

Answer: A

Question No : 164 - (Topic 2)

The process that performs the authentication for SSL VPN Users is:

A. cpd
B. cvpnd
C. fwm
D. vpnd

Answer: B

Question No : 165 - (Topic 2)

An Account Unit is the interface between the __________ and the __________.

A. System, Database
B. Clients, Server
C. Users, Domain
D. Gateway, Resources

Answer: B

59
Question No : 166 - (Topic 2)

Organizations are sometimes faced with the need to locate cluster members in different
geographic locations that are distant from each other. A typical example is replicated data
centers whose location is widely separated for disaster recovery purposes. What are the
restrictions of this solution?

A. There are two restrictions: 1. The synchronization network must guarantee no more than
100ms latency and no more than 5% packet loss. 2. The synchronization network may only
include switches and hubs.
B. There is one restriction: The synchronization network must guarantee no more than 150
ms latency (ITU Standard G.114).
C. There is one restriction: The synchronization network must guarantee no more than 100
ms latency.
D. There are no restrictions.

Answer: A

Question No : 167 - (Topic 2)

Each entry in SmartDirectory has a unique _______________ ?

A. Container
B. Distinguished Name
C. Organizational Unit
D. Schema

Answer: B

Question No : 168 - (Topic 2)

By default, a standby Security Management Server is automatically synchronized by an

active Security Management Server, when:

A. The Security Policy is installed.

B. The user data base is installed.
C. The standby Security Management Server starts for the first time.
D. The Security Policy is saved.

60
Answer: A

Question No : 169 - (Topic 2)

Where multiple SmartDirectory servers exist in an organization, a query from one of the
clients for user information is made to the servers based on a priority. By what category
can this priority be defined?

A. Location or Account Unit

B. Gateway or Domain
C. Gateway or Account Unit
D. Location or Domain

Answer: C

Question No : 170 - (Topic 2)

Typically, when you upgrade the Security Management Server, you install and configure a
fresh R77 installation on a new computer and then migrate the database from the original
machine. What is the correct order of the steps below to successfully complete this
procedure?

1) Export databases from source.

2) Connect target to network.

3) Prepare the source machine for export.

4) Import databases to target.

5) Install new version on target.

6) Test target deployment.

A. 3, 1, 5, 4, 2, 6
B. 5, 2, 6, 3, 1, 4
C. 3, 5, 1, 4, 6, 2
D. 6, 5, 3, 1, 4, 2

Answer: C

61
Question No : 171 - (Topic 2)

How does Check Point recommend that you secure the sync interface between gateways?

A. Use a dedicated sync network.

B. Configure the sync network to operate within the DMZ.
C. Secure each sync interface in a cluster with Endpoint.
D. Encrypt all sync traffic between cluster members.

Answer: A

Question No : 172 - (Topic 2)

Your users are defined in a Windows 2008 Active Directory server. You must add LDAP
users to a Client Authentication rule. Which kind of user group do you need in the Client
Authentication rule in R77?

A. LDAP group
B. All Users
C. External-user group
D. A group with a generic user

Answer: A

Question No : 173 - (Topic 2)

Check Point Clustering protocol, works on:

A. UDP 18184
B. TCP 8116
C. UDP 8116
D. TCP 18184

Answer: C

Question No : 174 - (Topic 2)

62
The ________ Check Point ClusterXL mode must synchronize the virtual IP and MAC
addresses on all clustered interfaces.

A. HA Mode Legacy
B. HA Mode New
C. Mode Unicast Load Sharing
D. Mode Multicast Load Sharing

Answer: B

Question No : 175 - (Topic 2)

When configuring an LDAP Group object, select option _______________ if you want the
gateway to reference a specific group defined on the LDAP server for authentication
purposes.

A. Group Agnostic
B. All Account-Unit's Users
C. Only Sub Tree
D. Only Group in Branch

Answer: C

Question No : 176 - (Topic 2)

While authorization for users managed by SmartDirectory is performed by the gateway, the
authentication mostly occurs in __________.

A. ldapauth
B. cpauth
C. ldapd
D. cpShared

Answer: B

Question No : 177 - (Topic 2)

63
The set of rules that governs the types of objects in the directory and their associated
attributes is called the:

A. Schema
B. SmartDatabase
C. Access Control List
D. LDAP Policy

Answer: A

Question No : 178 - (Topic 2)

Your R77 enterprise Security Management Server is running abnormally on Windows 2008
Server. You decide to try reinstalling the Security Management Server, but you want to try
keeping the critical Security Management Server configuration settings intact (i.e., all
Security Policies, databases, SIC, licensing etc.) What is the BEST method to reinstall the
Server and keep its critical configuration?

A. 1. Insert the R77 CD-ROM and select the option to export the configuration using the
latest upgrade utilities.
2. Complete steps suggested by upgrade_verification and re-export the configuration if
needed.
3. Save the exported file *.tgz to a local directory c:/temp.
4. Uninstall all packages using Add/Remove Programs and reboot.
5. Install again using the R77 CD-ROM as a primary Security Managment Server and
reboot.
6. Run upgrade_import to import configuration.
B. 1. Download the latest utility upgrade_export and run from directory c:\temp to export
the configuration to a *.tgz file.
2. Complete steps suggested by upgrade_verification.
3. Uninstall all packages using Add/Remove Programs and reboot.
4. Use SmartUpdate to reinstall the Security Management Server and reboot.
5. Transfer file *.tgz back to local directory /temp.
6. Run upgrade_import to import configuration.
C. 1. Download the latest utility upgrade_export and run from directory c:\temp to export
the configuration to a *.tgz file.
2. Skip upgrade_verification warnings since you are not upgrading.
3. Transfer file *.tgz to another networked machine.
4. Download and run utility cpclean and reboot.
5. Use the R77 CD-ROM to select option upgrade_import to import the configuration.
D. 1. Create a data base revision control back up using SmartDashboard.
2. Create a compressed archive of the directories %FWDIR%/conf and %FWDIR%/lib and

64
copy them to another networked machine.
3. Uninstall all packages using Add/Remove Programs and reboot.
4. Install again using the R77 CD-ROM as a primary Security Managment Server and
reboot.
5. Restore the two archived directories over the top of the new installation, choosing to
overwrite existing files.

Answer: A

Question No : 179 - (Topic 2)

Check Point recommends that you back up systems running Check Point products. Run
your back ups during maintenance windows to limit disruptions to services, improve CPU
usage, and simplify time allotment. Which back up method does Check Point recommend
anytime outside a maintenance window?

A. snapshot
B. backup
C. backup_export
D. migrate export

Answer: D

Question No : 180 - (Topic 2)

Where do you verify that SmartDirectory is enabled?

A. Global properties > Authentication > Use SmartDirectory (LDAP) for Security Gateways
is checked
B. Gateway properties > Smart Directory (LDAP) > Use SmartDirectory (LDAP) for Security
Gateways is checked
C. Gateway properties > Authentication > Use SmartDirectory (LDAP) for Security
Gateways is checked
D. Global properties > Smart Directory (LDAP) > Use SmartDirectory (LDAP) for Security
Gateways is checked

Answer: D

65
Question No : 181 - (Topic 2)

Which of the following access options would you NOT use when configuring Captive
Portal?

A. From the Internet

B. Through all interfaces
C. Through internal interfaces
D. Through the Firewall policy

Answer: A

Question No : 182 - (Topic 2)

During a Security Management Server migrate export, the system:

A. Creates a backup file that includes the SmartEvent database.

B. Creates a backup archive for all the Check Point configuration settings.
C. Saves all system settings and Check Point product configuration settings to a file.
D. Creates a backup file that includes the SmartReporter database.

Answer: B

Question No : 183 - (Topic 2)

If no flags are defined during a back up on the Security Management Server, where does
the system store the *.tgz file?

A. /var/backups
B. /var/CPbackup/backups
C. /var/opt/backups
D. /var/tmp/backups

Answer: B

Question No : 184 - (Topic 2)

66
When using migrate to upgrade a Secure Management Server, which of the following is
included in the migration?

A. System interface configuration

B. SmartEvent database
C. classes.C file
D. SmartReporter database

Answer: C

Question No : 185 - (Topic 2)

A customer calls saying that a Load Sharing cluster shows drops with the error First packet
is not SYN. Complete the following sentence. You will recommend:

A. turning off SDF (Sticky Decision Function).

B. switch to Multicast Mode.
C. turning on SDF (Sticky Decision Function).
D. configuring flush and ack.

Answer: C

Question No : 186 - (Topic 2)

A connection is said to be Sticky when:

A. A copy of each packet in the connection sticks in the connection table until a
corresponding reply packet is received from the other side.
B. A connection is not terminated by either side by FIN or RST packet.
C. All the connection packets are handled, in either direction, by a single cluster member.
D. The connection information sticks in the connection table even after the connection has
ended.

Answer: C

Question No : 187 - (Topic 2)

67
When using a template to define a user in SmartDirectory, the user’s password should be
defined in the ______________ object.

A. VPN Community
B. LDAP
C. Template
D. User

Answer: D

Question No : 188 - (Topic 2)

When a failed cluster member recovers, which of the following actions is NOT taken by the
recovering member?

A. It will not check for any updated policy and load the last installed policy with a warning
message indicating that the Security Policy needs to be installed from the Security
Management Server.
B. It will try to take the policy from one of the other cluster members.
C. It compares its local policy to the one on the Security Management Server.
D. If the Security Management Server has a newer policy, it will be retrieved, else the local
policy will be loaded.

Answer: A

Question No : 189 - (Topic 2)

Which process is responsible for full synchronization in ClusterXL?

A. cpd on the Security Gateway

B. fwd on the Security Gateway
C. fw kernel on the Security Gateway
D. Clustering on the Security Gateway

Answer: B

Question No : 190 - (Topic 2)

68
Typically, when you upgrade the Security Management Server, you install and configure a
fresh R77 installation on a new computer and then migrate the database from the original
machine. When doing this, what is required of the two machines? They must both have the
same:

A. Products installed.
B. Interfaces configured.
C. State.
D. Patch level.

Answer: A

Question No : 191 - (Topic 2)

If you are experiencing LDAP issues, which of the following should you check?

A. Domain name resolution

B. Secure Internal Communications (SIC)
C. Overlapping VPN Domains
D. Connectivity between the Gateway and LDAP server

Answer: D

Question No : 192 - (Topic 2)

Review the R77 configuration. Is it correct for Management High Availability?

Exhibit:

69
A. No, the Security Management Servers must reside on the same network.
B. No, the Security Management Servers do not have the same number of NICs.
C. No, the Security Management Servers must be installed on the same operating system.
D. No, a R77 Security Management Server cannot run on Red Hat Linux 9.0.

Answer: C

Question No : 193 - (Topic 2)

The User Directory Software Blade is used to integrate which of the following with a R77
Security Gateway?

A. UserAuthority server
B. RADIUS server
C. Account Management Client server
D. LDAP server

Answer: D

Question No : 194 - (Topic 2)

A Minimal Effort Upgrade of a cluster:

A. Is only supported in major releases (R70 to R71, R71 to R77).

B. Requires breaking the cluster and upgrading members independently.
C. Treats each individual cluster member as an individual gateway.
D. Upgrades all cluster members except one at the same time.

Answer: C

Question No : 195 - (Topic 2)

Which of the following methods will provide the most complete backup of an R77
configuration?

A. Database Revision Control

B. Policy Package Management

70
C. The command migrate_export
D. Copying the directories $FWDIR\conf and $CPDIR\conf to another server

Answer: C

Question No : 196 - (Topic 2)

When restoring a Security Management Server from a backup file, the restore package can
be retrieved from which source?

A. Local folder, TFTP server, or Disk

B. Disk, SCP server, or TFTP server
C. HTTP server, FTP server, or TFTP server
D. Local folder, TFTP server, or FTP server

Answer: D

Question No : 197 - (Topic 2)

Restoring a snapshot-created file on one machine that was created on another requires
which of the following to be the same on both machines?

A. Windows version, objects database, patch level, and interface configuration

B. State, SecurePlatform version, and patch level
C. State, SecurePlatform version, and objects database
D. Windows version, interface configuration, and patch level

Answer: B

Question No : 198 - (Topic 2)

A customer called to report one cluster member’s status as Down. What command should
you use to identify the possible cause?

A. tcpdump/snoop
B. cphaprob list
C. fw ctl pstat

71
D. fw ctl debug -m cluster + forward

Answer: B

Question No : 199 - (Topic 2)

Which of the following is a valid Active Directory designation for user John Doe in the Sales
department of AcmeCorp.com?

A. Cn=john_doe,ca=Sales,ou=acmecorp,dc=com
B. Cn=john_doe,ou=Sales,ou=acmecorp,dc=com
C. Cn=john_doe,ou=Sales,dc=acmecorp,dc=com
D. Cn=john_doe,ca=Sales,dc=acmecorp,dc=com

Answer: C

Question No : 200 - (Topic 2)

With the User Directory Software Blade, you can create R77 user definitions on a(n)
_________ Server.

A. RSA ACE/Authentication Manager

B. Radius
C. NT Domain
D. LDAP

Answer: D

Topic 3, Volume C

Question No : 201 - (Topic 3)

How do you verify a VPN Tunnel Interface (VTI) is configured properly?

A. vpn shell display interface detailed <VTI name>

B. vpn shell show <VTI name> detailed
C. vpn shell display <VTI name> detailed

72
D. vpn shell show interface detailed <VTI name>

Answer: D

Question No : 202 - (Topic 3)

John is configuring a new R77 Gateway cluster but he can not configure the cluster as
Third Party IP Clustering because this option is not available in Gateway Cluster
Properties. What’s happening?

Exhibit:

A. Third Party Clustering is not available for R77 Security Gateways.

B. John has an invalid ClusterXL license.
C. John is not using third party hardware as IP Clustering is part of Check Point’s IP
Appliance.

73
Answer: A

Question No : 203 - (Topic 3)

You want VPN traffic to match packets from internal interfaces. You also want the traffic to
exit the Security Gateway bound for all site-to-site VPN Communities, including Remote
Access Communities. How should you configure the VPN match rule?

A. internal_clear > All_communities

B. Internal_clear > External_Clear
C. Communities > Communities
D. internal_clear > All_GwToGw

Answer: A

Question No : 204 - (Topic 3)

Which of these is a type of acceleration in SecureXL?

A. QoS
B. FTP
C. connection rate
D. GRE

Answer: C

Question No : 205 - (Topic 3)

Your expanding network currently includes ClusterXL running Multicast mode on two
members, as shown in this topology:

74
A. You need to add interfaces: 10.10.10.1/24 on Member A, and 10.10.10.2/24 on Member
B. The virtual IP address for these interfaces is 10.10.10.3/24. Both cluster gateways have
a Quad card with an available eth3 interface. What is the correct procedure to add these
interfaces?
B. 1. Disable "Cluster membership" from one Gateway via cpconfig.
2. Configure the new interface via sysconfig from the "non-member" Gateway.
3. Re-enable "Cluster membership" on the Gateway.
4. Perform the same steps on the other Gateway.
5. Update the topology in the cluster object.
6. Install the Security Policy.
C. 1. Configure the new interface on both members using WebUI.
2. Update the new topology in the cluster object from SmartDashboard.
3. Define virtual IP in the Dashboard
4. Install the Security Policy.
D. 1. Use WebUI to configure the new interfaces on both member.
2. Update the topology in the cluster object.
3. Reboot both gateways.
4. Install the Security Policy.
E. 1. Use the command ifconfig to configure and enable the new interface on both
members.
2. Update the topology in the cluster object for the cluster and both members.
3. Install the Security Policy.

75
4. Reboot the gateway.

Answer: B

Question No : 206 - (Topic 3)

______________ is NOT an SmartEvent event-triggered Automatic Reaction.

A. SNMP Trap
B. Block Access
C. Mail
D. External Script

Answer: B

Question No : 207 - (Topic 3)

A tracked SmartEvent Candidate in a Candidate Pool becomes an Event. What does NOT
happen in the Analyzer Server?

A. SmartEvent provides the beginning and end time of the Event.

B. The Event is kept open, but condenses many instances into one Event.
C. The Correlation Unit keeps adding matching logs to the Event.
D. SmartEvent stops tracking logs related to the Candidate.

Answer: D

Question No : 208 - (Topic 3)

Which method of load balancing describes “Round Robin”?

A. Assigns service requests to servers at random.

B. Ensures that incoming requests are handled by the server with the fastest response
time.
C. Measures the load on each server to determine which server has the most available
resources.
D. Assigns service requests to the next server in a series.

76
Answer: D

Question No : 209 - (Topic 3)

You want to establish a VPN, using certificates. Your VPN will exchange certificates with
an external partner. Which of the following activities should you do first?

A. Exchange exported CA keys and use them to create a new server object to represent
your partner’s Certificate Authority (CA).
B. Create a new logical-server object to represent your partner’s CA.
C. Manually import your partner’s Access Control List.
D. Manually import your partner’s Certificate Revocation List.

Answer: A

Question No : 210 - (Topic 3)

Which command would you use to save the interface information before upgrading a GAiA
Gateway?

A. save configuration
B. cp /etc/sysconfig/network.C [location]
C. netstat –rn > [filename].txt
D. ifconfig > [filename].txt

Answer: A

Question No : 211 - (Topic 3)

Which file defines the fields for each object used in the file objects.C (color, num/string,
default value…)?

A. $FWDIR/conf/classes.C
B. $FWDIR/conf/scheam.C
C. $FWDIR/conf/fields.C
D. $FWDIR/conf/table.C

77
Answer: A

Question No : 212 - (Topic 3)

How can you disable SecureXL via the command line (it does not need to survive a
reboot)?

A. fw ctl accel off

B. securexl off
C. fwaccel off
D. fw xl off

Answer: C

Question No : 213 - (Topic 3)

_____________ generates a SmartEvent Report from its SQL database.

A. Security Management Server

B. SmartReporter
C. SmartEvent Client
D. SmartDashboard Log Consolidator

Answer: B

Question No : 214 - (Topic 3)

Which of the following services will cause SecureXL templates to be disabled?

A. HTTPS
B. LDAP
C. FTP
D. TELNET

Answer: C

78
Question No : 215 - (Topic 3)

In CoreXL, what process is responsible for processing incoming traffic from the network
interfaces, securely accelerating authorized packets, and distributing non-accelerated
packets among kernel instances?

A. NAD (Network Accelerator Daemon)

B. SNP (System Networking Process)
C. SND (Secure Network Distributor)
D. SSD (Secure System Distributor)

Answer: C

Question No : 216 - (Topic 3)

What is the command to show OSPF adjacencies?

A. show ospf summary-address

B. show ospf interface
C. show ospf neighbors
D. show running-config

Answer: C

Question No : 217 - (Topic 3)

Which Check Point product implements a Consolidation Policy?

A. SmartLSM
B. SmartView Tracker
C. SmartView Monitor
D. SmartReporter

Answer: D

Question No : 218 - (Topic 3)

79
A ClusterXL configuration is limited to ___ members.

A. 16
B. 8
C. 2

Answer: C

Question No : 219 - (Topic 3)

Review the cphaprob state command output from one New Mode High Availability
ClusterXL member.

Which member will be active after member 192.168.1.2 fails over and is rebooted?

A. Both members’ state will be in collision.

B. Both members’ state will be active.
C. 192.168.1.1
D. 192.168.1.2

Answer: C

Question No : 220 - (Topic 3)

What is the reason for the following error?

Exhibit:

80
A. A third-party cluster solution is implemented.
B. Cluster membership is not enabled on the gateway.
C. Device Name contains non-ASCII characters.
D. Objects.C does not contain a cluster object.

Answer: B

Question No : 221 - (Topic 3)

Which of the following log files contains verbose information regarding the negotiation
process and other encryption failures?

A. ike.elg
B. vpn.elg
C. iked.elg
D. vpnd.elg

Answer: D

Question No : 222 - (Topic 3)

Which of the following is NOT a restriction for connection template generation?

A. SYN Defender

81
B. UDP services with no protocol type or source port mentioned in advanced properties
C. ISN Spoofing
D. VPN Connections

Answer: B

Question No : 223 - (Topic 3)

For Management High Availability, if an Active SMS goes down, does the Standby SMS
automatically take over?

A. Yes, if you set up VRRP

B. Yes, if you set up ClusterXL
C. No, the transition should be initiated manually
D. Yes, if you set up SecureXL

Answer: C

Question No : 224 - (Topic 3)

How many Events can be shown at one time in the Event preview pane?

A. 5,000
B. 15,000
C. 30,000
D. 1,000

Answer: C

Question No : 225 - (Topic 3)

Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?

A. VTIs must be assigned a proxy interface.

B. VTIs are only supported on SecurePlatform.
C. VTIs can only be physical, not loopback.
D. Local IP addresses are not configured, remote IP addresses are configured.

82
Answer: A

Question No : 226 - (Topic 3)

What could be a reason why synchronization between primary and secondary Security
Management Servers does not occur?

A. If the set of installed products differ from each other, the Security Management Servers
do not synchronize the database to each other.
B. You have installed both Security Management Servers on different server systems (e. g.
one machine on HP hardware and the other one on DELL).
C. You are using different time zones.
D. You did not activate synchronization within Global Properties.

Answer: A

Question No : 227 - (Topic 3)

The customer wishes to install a cluster. In his network, there is a switch which is incapable
of forwarding multicast. Is it possible to install a cluster in this situation?

A. No, the customer needs to replace the switch with a new switch, which supports
multicast forwarding.
B. Yes, you can toggle on ClusterXL between broadcast and multicast using the command
cphaconf set_ccp broadcast/multicast.
C. Yes, the ClusterXL changes automatically to the broadcast mode if the multicast is not
forwarded.
D. Yes, you can toggle on ClusterXL between broadcast and multicast by setting the
multicast mode using the command cphaconf set_ccp multicast on¦off. The default setting
is broadcast.

Answer: B

Question No : 228 - (Topic 3)

What is the most common cause for a Quick mode packet 1 failing with the error “No
Proposal Chosen” error?

83
A. The encryption strength and hash settings of one peer does not match the other.
B. The previously established Permanent Tunnel has failed.
C. There is a network connectivity issue.
D. The OS and patch level of one gateway does not match the other.

Answer: A

Question No : 229 - (Topic 3)

Match the VPN-related terms with their definitions. Each correct term is only used once.

Exhibit:

A. A-3, B-4, C-1, D-5

B. A-4, B-3, C-5, D-2
C. A-2, B-5, C-4, D-1
D. A-3, B-2, C-1, D-4

Answer: B

Question No : 230 - (Topic 3)

MEP VPN’s use the Proprietary Probing Protocol to send special UDP RDP packets to port
____ to discover if an IP is accessible.

A. 259
B. 256
C. 264
D. 201

Answer: A

Question No : 231 - (Topic 3)

84
There are times when you want to use Link Selection to manage high-traffic VPN
connections. With Link Selection you can:

A. Assign links to use Dynamic DNS.

B. Use Load Sharing to distribute VPN traffic.
C. Use links based on Day/Time.
D. Use links based on authentication method.

Answer: B

Question No : 232 - (Topic 3)

You are reviewing computer information collected in ClientInfo. You can NOT:

A. Run Google.com search using the contents of the selected cell.

B. Enter new credential for accessing the computer information.
C. Save the information in the active tab to an .exe file.
D. Copy the contents of the selected cells.

Answer: C

Question No : 233 - (Topic 3)

You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to
use four machines with the following configurations:

Cluster Member 1: OS - GAiA; NICs - QuadCard; Memory - 1 GB; Security Gateway only,
version: R77

Cluster Member 2: OS - GAiA; NICs - 4 Intel 3Com; Memory - 1 GB; Security Gateway
only, version: R77

Cluster Member 3: OS - GAiA; NICs - 4 other manufacturers; Memory: 512 MB; Security
Gateway only, version: R77

Security Management Server: MS Windows 2008; NIC - Intel NIC (1); Security Gateway
and primary Security Management Server installed, version: R77

Are these machines correctly configured for a ClusterXL deployment?

A. No, Cluster Member 3 does not have the required memory.

85
B. No, the Security Gateway cannot be installed on the Security Management Pro Server.
C. No, the Security Management Server is not running the same operating system as the
cluster members.
D. Yes, these machines are configured correctly for a ClusterXL deployment.

Answer: D

Question No : 234 - (Topic 3)

Review the cphaprob state command output from a New Mode High Availability cluster
member. Which machine has the highest priority?

Exhibit:

A. This output does not indicate which machine has the highest priority.
B. 192.168.1.1, because it is <local>
C. 192.168.1.2, because its state is active
D. 192.168.1.1, because its number is 1

Answer: D

Question No : 235 - (Topic 3)

Review the following list of actions that Security Gateway R75 can take when it controls
packets. The Policy Package has been configured for Simplified Mode VPN. Select the
response below that includes the available actions:

A. Accept, Reject, Encrypt, Drop

B. Accept, Hold, Reject, Proxy
C. Accept, Drop, Reject, Client Auth
D. Accept, Drop, Encrypt, Session Auth

Answer: C

86
Question No : 236 - (Topic 3)

Which of the following is NOT supported by CoreXL?

A. Route-based VPN
B. SmartView Tracker
C. IPS
D. IPV4

Answer: A

Question No : 237 - (Topic 3)

Which type of VPN routing relies on a VPN Tunnel Interface (VTI) to route traffic?

A. Host-based VPN
B. Route-based VPN
C. Domain-based VPN
D. Subnet-based VPN

Answer: B

Question No : 238 - (Topic 3)

Where is it necessary to configure historical records in SmartView Monitor to generate

Express reports in SmartReporter?

A. In SmartDashboard, the SmartView Monitor page in the R77 Security Gateway object
B. In SmartReporter, under Express > Network Activity
C. In SmartReporter, under Standard > Custom
D. In SmartView Monitor, under Global Properties > Log and Masters

Answer: A

87
Question No : 239 - (Topic 3)

What is the behavior of ClusterXL in a High Availability environment?

A. The active member responds to the virtual address and is the only member that passes
traffic.
B. Both members respond to the virtual address and both members pass traffic.
C. Both members respond to the virtual address but only the active member is able to pass
traffic.
D. The active member responds to the virtual address and, using sync network forwarding,
both members pass traffic.

Answer: A

Question No : 240 CORRECT TEXT - (Topic 3)

The command useful for debugging by capturing packet information, including verifying
LDAP authentication on all Check Point platforms is

Answer: fw monitor

Question No : 241 - (Topic 3)

A VPN Tunnel Interface (VTI) is defined on GAiA as:

vpn shell interface add numbered 10.10.0.1 10.10.0.2 madrid.cp

What do you know about this VTI?

A. 10.10.0.1 is the local Gateway’s internal interface, and 10.10.0.2 is the internal interface
of the remote Gateway.
B. The peer Security Gateway’s name is madrid.cp.
C. The VTI name is madrid.cp.
D. The local Gateway's object name is madrid.cp.

Answer: B

Question No : 242 - (Topic 3)

88
Which load-balancing method below is NOT valid?

A. Domain
B. They are all valid
C. Round Trip
D. Random

Answer: B

Question No : 243 - (Topic 3)

In which ClusterXL Load Sharing mode, does the pivot machine get chosen automatically
by ClusterXL?

A. Hot Standby Load Sharing

B. Multicast Load Sharing
C. Unicast Load Sharing
D. CCP Load Sharing

Answer: C

Question No : 244 - (Topic 3)

Your customer asks you about the Performance Pack. You explain to him that a
Performance Pack is a software acceleration product which improves the performance of
the Security Gateway. You may enable or disable this acceleration by either:

1) the command: cpconfig

89
2) the command: fwaccel on¦off

What is the difference between these two commands?

A. The fwaccel command determines the default setting. The command cpconfig can
dynamically change the setting, but after the reboot it reverts to the default setting.
B. Both commands function identically.
C. The command cpconfig works on the Security Platform only. The command fwaccel can
be used on all platforms.
D. The cpconfig command enables acceleration. The command fwaccel can dynamically
change the setting, but after the reboot it reverts to the default setting.

Answer: D

Question No : 245 - (Topic 3)

At what router prompt would you save your OSPF configuration?

90
A. localhost.localdomain(config-router-ospf)#
B. localhost.localdomain(config-if)#
C. localhost.localdomain(config)#
D. localhost.localdomain#

Answer: D

Question No : 246 - (Topic 3)

You are establishing a ClusterXL environment, with the following topology:

VIP internal cluster IP = 172.16.10.3; VIP external cluster IP = 192.168.10.3

Cluster Member 1: 4 NICs, 3 enableD. hme0: 192.168.10.1/24, hme1: 10.10.10.1/24, qfe2:

172.16.10.1/24

Cluster Member 2: 5 NICs, 3 enabled; hme3: 192.168.10.2/24, hme1: 10.10.10.2/24, hme2:

172.16.10.2/24

External interfaces 192.168.10.1 and 192.168.10.2 connect to a VLAN switch. The

upstream router connects to the same VLAN switch. Internal interfaces 172.16.10.1 and
172.16.10.2 connect to a hub. 10.10.10.0 is the synchronization network. The Security
Management Server is located on the internal network with IP 172.16.10.3. What is the
problem with this configuration?

A. The Cluster interface names must be identical across all cluster members.
B. Cluster members cannot use the VLAN switch. They must use hubs.
C. The Security Management Server must be in the dedicated synchronization network, not
the internal network.
D. There is an IP address conflict.

Answer: D

Question No : 247 - (Topic 3)

The CoreXL SND (Secure Network Distributor) is responsible for:

A. distributing non-accelerated packets among kernel instances.

B. accelerating VPN traffic.
C. shutting down cores when they are not needed.
D. changing routes to distribute the load across multiple firewalls.

91
Answer: A

Question No : 248 - (Topic 3)

Which statement is TRUE for route-based VPN’s?

A. IP Pool NAT must be configured on each Gateway.

B. Dynamic-routing protocols are not required.
C. Route-based VPN’s are a form of partial overlap VPN Domain.
D. Route-based VPN’s replace domain-based VPN’s.

Answer: B

Question No : 249 - (Topic 3)

What is the proper command for importing users into the R77 User Database?

A. fwm importusrs
B. fwm dbimport
C. fwm import
D. fwm importdb

Answer: B

Question No : 250 - (Topic 3)

The ______________ contains the Events Data Base.

A. SmartEvent Server
B. SmartEvent DataServer
C. SmartEvent Client
D. SmartEvent Correlation Unit

Answer: A

92
Question No : 251 - (Topic 3)

The SmartEvent Server:

A. displays the received events

B. deletes events from the events database
C. analyzes each IPS log entry as it enters the Log server
D. invokes defined automatic reactions

Answer: D

Question No : 252 - (Topic 3)

_______________ manages Standard Reports and allows the administrator to specify

automatic uploads of reports to a central FTP server.

A. SmartReporter Database
B. SmartReporter
C. SmartDashboard Log Consolidator
D. Security Management Server

Answer: B

Question No : 253 - (Topic 3)

To help organize events, SmartReporter uses filtered queries. Which of the following is
NOT an SmartEvent event property you can query?

A. Event: Critical, Suspect, False Alarm

B. TimE. Last Hour, Last Day, Last Week
C. TypE. Scans, Denial of Service, Unauthorized Entry
D. StatE. Open, Closed, False Alarm

Answer: A

Question No : 254 - (Topic 3)

93
State Synchronization is enabled on both members in a cluster, and the Security Policy is
successfully installed. No protocols or services have been unselected for selective sync.

Review the fw tab -t connections -s output from both members. Is State Synchronization
working properly between the two members?

A. Members A and B are synchronized, because ID for both members is identical in the
connections table.
B. Members A and B are not synchronized, because #VALS in the connections table are
not close.
C. Members A and B are synchronized, because #SLINKS are identical in the connections
table.
D. Members A and B are not synchronized, because #PEAK for both members is not close
in the connections table.

Answer: B

Question No : 255 CORRECT TEXT - (Topic 3)

Complete this statement. To save interface information before upgrading a Windows

Gateway, use command

Answer: ipconfig -a > [filename].txt

Question No : 256 - (Topic 3)

Check Point New Mode HA is a(n) _________ solution.

A. primary-domain

94
B. hot-standby
C. acceleration
D. load-balancing

Answer: B

Question No : 257 - (Topic 3)

What is the best tool to produce a report which represents historical system information?

A. SmartReporter-Standard Reports
B. SmartView Tracker
C. Smartview Monitor
D. SmartReporter-Express Reports

Answer: D

Question No : 258 - (Topic 3)

Exhibit:

What cluster mode is represented in this case?

A. HA (New mode).
B. 3rd party cluster
C. Load Sharing (multicast mode)
D. Load Sharing Unicast (Pivot) mode

Answer: A

Question No : 259 - (Topic 3)

VPN routing can also be configured by editing which file?

95
A. $FWDIR/VPN/route_conf.c
B. $FWDIR/conf/vpn_route.conf
C. $FWDIR/bin/vpn_route.conf
D. $FWDIR/conf/vpn_route.c

Answer: B

Question No : 260 - (Topic 3)

Which of the following statements is TRUE concerning MEP VPN’s?

A. The VPN Client selects which Security Gateway takes over, should the first connection
fail.
B. MEP VPN’s are restricted to the location of the gateways.
C. State synchronization betweened Security Gateways is required.
D. MEP Security Gateways cannot be managed by separate Management Servers.

Answer: A

Question No : 261 - (Topic 3)

What are the 3 main components of the SmartEvent Software Blade?

1) Correlation Unit

2) Correlation Client

3) Correlation Server

4) Analyzer Server

5) Analyzer Client

6) Analyzer Unit

A. 1, 3, 4
B. 1, 4, 5
C. 1, 2, 3
D. 4, 5, 6

Answer: B

96
Question No : 262 - (Topic 3)

Which SmartReporter report type is generated from the SmartView Monitor history file?

A. Standard
B. Traditional
C. Express
D. Custom

Answer: C

Question No : 263 - (Topic 3)

If Jack was concerned about the number of log entries he would receive in the
SmartReporter system, which policy would he need to modify?

A. Log Sequence Policy

B. Report Policy
C. Log Consolidator Policy
D. Consolidation Policy

Answer: D

Question No : 264 - (Topic 3)

Which of the following does NOT happen when using Pivot Mode in ClusterXL?

A. The Pivot forwards the packet to the appropriate cluster member.

B. The Pivot’s Load Sharing decision function decides which cluster member should handle
the packet.
C. The Security Gateway analyzes the packet and forwards it to the Pivot.
D. The packet is forwarded through the same physical interface from which it originally
came, not on the sync interface.

Answer: C

97
Question No : 265 - (Topic 3)

Which component receives events and assigns severity levels to the events; invokes any
defined automatic reactions, and adds the events to the Events Data Base?

A. SmartEvent Correlation Unit

B. SmartEvent Server
C. SmartEvent Analysis DataServer
D. SmartEvent Client

Answer: B

Question No : 266 - (Topic 3)

When migrating the SmartEvent data base from one server to another, the first step is to
back up the files on the original server. Which of the following commands should you run to
back up the SmartEvent data base?

A. migrate export
B. eva_db_backup
C. snapshot
D. backup

Answer: B

Question No : 267 - (Topic 3)

What is used to validate a digital certificate?

A. IPsec
B. CRL
C. PKCS
D. S/MIME

Answer: B

Question No : 268 - (Topic 3)

98
Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?

A. They are supported on the GAiA Operating System.

B. Local IP addresses are not configured, remote IP addresses are configured.
C. VTIs can only be physical, not loopback.
D. VTIs cannot be assigned a proxy interface.

Answer: A

Question No : 269 - (Topic 3)

What access level cannot be assigned to an Administrator in SmartEvent?

A. Read only
B. Write only
C. No Access
D. Events Database

Answer: B

Question No : 270 - (Topic 3)

Which of the following is TRUE concerning numbered VPN Tunnel Interfaces (VTIs)?

A. VTIs can use an already existing physical-interface IP address

B. VTIs cannot share IP addresses
C. VTIs are assigned only local addresses, not remote addresses
D. VTIs are supported on SecurePlatform Pro

Answer: D

Question No : 271 - (Topic 3)

By default Check Point High Availability components send updates about their state every:

A. 0.5 second.
B. 1 second.

99
C. 5 seconds.
D. 0.1 second.

Answer: D

Question No : 272 - (Topic 3)

In Management High Availability, what is an Active SMS?

A. Active Security Master Server

B. Active Smart Master Server
C. Active Smart Management Server
D. Active Security Management Server

Answer: D

Question No : 273 - (Topic 3)

Your company has the requirement that SmartEvent reports should show a detailed and
accurate view of network activity but also performance should be guaranteed. Which
actions should be taken to achieve that?

1) Use same hard drive for database directory, log files, and temporary directory.

2) Use Consolidation Rules.

3) Limit logging to blocked traffic only.

4) Use Multiple Database Tables.

A. 2, 4
B. 1, 3, 4
C. 1, 2, 4
D. 1, 2

Answer: A

Question No : 274 - (Topic 3)

100
What SmartConsole application allows you to change the SmartReporter Policy?

A. SmartDashboard
B. SmartReporter
C. SmartEvent Server
D. SmartUpdate

Answer: A

Question No : 275 - (Topic 3)

If you need strong protection for the encryption of user data, what option would be the
BEST choice?

A. Use Diffie-Hellman for key construction and pre-shared keys for Quick Mode. Choose
SHA in Quick Mode and encrypt with AES. Use AH protocol. Switch to Aggressive Mode.
B. When you need strong encryption, IPsec is not the best choice. SSL VPN’s are a better
choice.
C. Use certificates for Phase 1, SHA for all hashes, AES for all encryption and PFS, and
use ESP protocol.
D. Disable Diffie-Hellman by using stronger certificate based key-derivation. Use AES-256
bit on all encrypted channels and add PFS to QuickMode. Use double encryption by
implementing AH and ESP as protocols.

Answer: C

Question No : 276 - (Topic 3)

What is the SmartEvent Client’s function?

A. Assign severity levels to events.

B. Invoke and define automatic reactions and add events to the database.
C. Generate a threat analysis report from the Reporter database.
D. Display received threats and tune the Events Policy.

Answer: D

Question No : 277 CORRECT TEXT - (Topic 3)

101
In a zero downtime scenario, which command do you run manually after all cluster
members are upgraded?

Answer: cphaconf set_ccp multicast

Question No : 278 - (Topic 3)

You have three Gateways in a mesh community. Each gateway’s VPN Domain is their
internal network as defined on the Topology tab setting All IP Addresses behind Gateway
based on Topology information.

You want to test the route-based VPN, so you created VTIs among the Gateways and
created static route entries for the VTIs. However, when you test the VPN, you find out the
VPN still go through the regular domain IPsec tunnels instead of the routed VTI tunnels.

What is the problem and how do you make the VPN use the VTI tunnels?

A. Domain VPN takes precedence over the route-based VTI. To make the VPN go through
VTI, remove the Gateways out of the mesh community and replace with a star community
B. Domain VPN takes precedence over the route-based VTI. To make the VPN go through
VTI, use an empty group object as each Gateway’s VPN Domain
C. Route-based VTI takes precedence over the Domain VPN. To make the VPN go
through VTI, use dynamic-routing protocol like OSPF or BGP to route the VTI address to
the peer instead of static routes
D. Route-based VTI takes precedence over the Domain VPN. Troubleshoot the static route
entries to insure that they are correctly pointing to the VTI gateway IP.

Answer: B

Question No : 279 - (Topic 3)

Use the table to match the BEST Management High Availability synchronication-status
descriptions for your Security Management Server (SMS).

102
A. A-5, B-3, C-1, D-2
B. A-3, B-1, C-4, D-2
C. A-3, B-5, C-2, D-4
D. A-3, B-1, C-5, D-4

Answer: D

Question No : 280 - (Topic 3)

For Management High Availability synchronization, what does the Advance status mean?

A. The peer SMS has not been synchronized properly.

B. The peer SMS is properly synchronized.
C. The peer SMS is more up-to-date.
D. The active SMS and its peer have different installed policies and databases.

Answer: C

Question No : 281 - (Topic 3)

How do new connections get established through a Security Gateway with SecureXL
enabled?

A. New connections are always inspected by the firewall and if they are accepted, the
subsequent packets of the same connection will be passed through SecureXL
B. New connection packets never reach the SecureXL module.
C. The new connection will be first inspected by SecureXL and if it does not match the drop
table of SecureXL, then it will be passed to the firewall module for a rule match.
D. If the connection matches a connection or drop template in SecureXL, it will either be

103
established or dropped without performing a rule match, else it will be passed to the firewall
module for a rule match.

Answer: D

Question No : 282 CORRECT TEXT - (Topic 3)

Fill in the blank with a numeric value. The default port number for Secure Sockets Layer
(SSL) connections with the LDAP Server is

Answer: 636

Question No : 283 - (Topic 3)

What process manages the dynamic routing protocols (OSPF, RIP, etc.) on GAiA?

A. gated
B. There's no separate process, but the Linux default router can take care of that.
C. routerd
D. arouted

Answer: A

Question No : 284 - (Topic 3)

You have just upgraded your Load Sharing gateway cluster (both members) from NGX R65
to R77. cphaprob stat shows:

Cluster Mode: New High Availability (Active Up)

Member Unique Address Assigned Load State

1 (local) 172.16.185.21 100% Active

2 172.16.185.22 0% Ready

Which of the following is NOT a possible cause of this?

104
A. Member 1 is at a lower version than member 2
B. You have not run cpconfig on member 2 yet.
C. You have a different number of cores defined for CoreXL between the two members
D. Member 1 has CoreXL disabled and member 2 does not

Answer: B

Question No : 285 - (Topic 3)

What is a requirement for setting up R77 Management High Availability?

A. All Security Management Servers must reside in the same LAN.

B. State synchronization must be enabled on the secondary Security Management Server.
C. All Security Management Servers must have the same operating system.
D. All Security Management Servers must have the same number of NICs.

Answer: C

Question No : 286 - (Topic 3)

The SmartEvent Correlation Unit:

A. looks for patterns according to the installed Event Policy.

B. assigns a severity level to an event.
C. adds events to the events database.
D. displays the received events.

Answer: A

Question No : 287 - (Topic 3)

SmartReporter reports can be used to analyze data from a penetration-testing regimen in

all of the following examples, EXCEPT:

A. Analyzing traffic patterns against public resources.

B. Possible worm/malware activity.
C. Analyzing access attempts via social-engineering.

105
D. Tracking attempted port scans.

Answer: C

Question No : 288 - (Topic 3)

What type of object may be explicitly defined as a MEP VPN?

A. Star VPN Community

B. Any VPN Community
C. Mesh VPN Community
D. Remote Access VPN Community

Answer: A

Question No : 289 - (Topic 3)

Which specific R77 GUI would you use to view the length of time a TCP connection was
open?

A. SmartReporter
B. SmartView Status
C. SmartView Monitor
D. SmartView Tracker

Answer: D

Question No : 290 - (Topic 3)

After Travis added new processing cores on his server, CoreXL did not use them. What
would be the most plausible reason why? Travis did not:

A. edit Gateway Properties and increase the kernel instances.

B. edit Gateway Properties and increase the number of CPU cores.
C. run cpconfig to increase the firewall instances.
D. run cpconfig to increase the number of CPU cores.

106
Answer: C

Question No : 291 - (Topic 3)

Exhibit:

What cluster mode is represented in this case?

A. 3rd party cluster

B. HA (New mode)
C. Load Sharing Unicast (Pivot) mode
D. Load Sharing (multicast mode)

Answer: D

Question No : 292 - (Topic 3)

If the number of kernel instances for CoreXL shown is 6, how many cores are in the
physical machine?

A. 6
B. 8
C. 3
D. 4

Answer: B

Question No : 293 - (Topic 3)

When migrating the SmartEvent data base from one server to another, the first step is to
back up the files on the original server. Which of the following commands should you run to
back up the SmartEvent data base?

107
A. B. evas_backup
B. C. snapshot
C. D. backup

Answer: B

Question No : 294 - (Topic 3)

The SmartEvent Client:

A. adds events to the events database.

B. analyzes each IPS log entry as it enters the Log server.
C. assigns a severity level to an event.
D. displays the received events.

Answer: D

Question No : 295 - (Topic 3)

Which of the following is NOT accelerated by SecureXL?

A. SSH
B. HTTPS
C. FTP
D. Telnet

Answer: C

Question No : 296 CORRECT TEXT - (Topic 3)

Fill in the blank with a numeric value. The default port number for standard TCP
connections with the LDAP server is

Answer: 389

108
Question No : 297 CORRECT TEXT - (Topic 3)

To provide full connectivity upgrade status, use command

Answer: cphaprob fcustat

Question No : 298 - (Topic 3)

Which of the following log files contains only information about the negotiation process for
encryption?

A. iked.elg
B. ike.elg
C. vpn.elg
D. vpnd.elg

Answer: B

Question No : 299 - (Topic 3)

How do you enable SecureXL (command line) on GAiA?

A. fwaccel on
B. fw securexl on
C. fw accel on
D. fwsecurexl on

Answer: A

Question No : 300 - (Topic 3)

Your organization maintains several IKE VPN’s. Executives in your organization want to
know which mechanism Security Gateway R77 uses to guarantee the authenticity and
integrity of messages. Which technology should you explain to the executives?

A. Certificate Revocation Lists

109
B. Application Intelligence
C. Key-exchange protocols
D. Digital signatures

Answer: D

Question No : 301 - (Topic 3)

Which of the following would be a result of having more than one active Security
Management Server in a Management High Availability (HA) configuration?

A. An error notification will popup during SmartDashboard login if the two machines can
communicate indicating Collision status.
B. The need to manually synchronize the secondary Security Management Server with the
Primary Security Management Server is eliminated.
C. Allows for faster seamless failover: from active-to-active instead of standby-to-active.
D. Creates a High Availability implementation between the Gateways installed on the
Security Management Servers.

Answer: A

Question No : 302 - (Topic 3)

Which of the following is NOT a SmartEvent Permission Profile type?

A. No Access
B. Events Database
C. View
D. Read/Write

Answer: C

Question No : 303 - (Topic 3)

There are times when you want to use Link Selection to manage high-traffic VPN
connections. With Link Selection you can:

110
A. Assign links to specific VPN communities.
B. Probe links for availability.
C. Use links based on authentication method.
D. Use links based on Day/Time.

Answer: B

Question No : 304 - (Topic 3)

The following graphic illustrates which command being issued on GAiA?

Exhibit:

A. fwsecurexl stats
B. fwaccel stats
C. fw securexl stats
D. fw accel stats

Answer: B

Question No : 305 - (Topic 3)

To clean the system of all SmartEvent events, you should delete the files in which
folder(s)?

111
A. $RTDIR/events_db
B. $FWDIR/distrib_db and $FWDIR/events
C. $RTDIR/distrib and $RTDIR/events_db
D. $FWDIR/distrib

Answer: C

Question No : 306 - (Topic 3)

When configuring a Permanent Tunnel between two gateways in a Meshed VPN

community, in what object is the tunnel managed?

A. VPN Community object

B. Only the local Security Gateway object
C. Each participating Security Gateway object
D. Security Management Server

Answer: A

Question No : 307 - (Topic 3)

In a Windows environment, SmartReporter Data Base settings could be modified in:

A. $FWDIR/Eventia/conf/ini.C
B. $ERDIR/conf/my.cnf
C. %RTDIR%\Database\conf\my.ini
D. $CPDIR/Database/conf/conf.C

Answer: C

Question No : 308 - (Topic 3)

Which statement defines Public Key Infrastructure? Security is provided:

A. by authentication.
B. via both private and public keys, without the use of digital Certificates.
C. by Certificate Authorities, digital certificates, and public key encryption.

112
D. by Certificate Authorities, digital certificates, and two-way symmetric-key encryption.

Answer: C

Question No : 309 - (Topic 3)

When migrating the SmartEvent data base from one server to another, the last step is to
save the files on the new server. Which of the following commands should you run to save
the SmartEvent data base files on the new server?

A. cp
B. restore
C. migrate import
D. eva_db_restore

Answer: D

Question No : 310 - (Topic 3)

A SmartProvisioning Gateway could be a member of which VPN communities?

1) Center in Star Topology

2) Satellite in Star Topology

3) Center in Remote Access Community

4) Meshed Community

A. 2 only
B. 2 and 3
C. 1, 2 and 3
D. All

Answer: B

Question No : 311 - (Topic 3)

MegaCorps' disaster recovery plan is past due for an update to the backup and restore

113
section to enjoy the benefits of the new distributed R77 installation. You must propose a
plan that meets the following required and desired objectives:

Required: Security Policy repository must be backed up no less frequently than every 24
hours.

Desired: Back up R77 components enforcing the Security Policies at least once a week.

Desired: Back up R77 logs at least once a week.

You develop a disaster recovery plan proposing the following:

* Use the utility cron to run the command upgrade_export each night on the Security
Management Servers.

* Configure the organization's routine backup software to back up files created by the
command upgrade_export.

* Configure GAiA back up utility to back up Security Gateways every Saturday night.

* Use the utility cron to run the command upgrade_export each Saturday night on the log
servers.

* Configure an automatic, nightly logswitch.

* Configure the organization's routine back up software to back up the switched logs every
night.

The corporate IT change review committee decides your plan:

A. meets the required objective and only one desired objective.

B. meets the required objective and both desired objectives.
C. meets the rquired objective but does not meet either deisred objective.
D. does not meet the required objective.

Answer: B

Question No : 312 - (Topic 3)

Check Point New Mode HA is a(n) _________ solution.

A. B. active-standby
B. C. acceleration
C. D. load-balancing

114
Answer: B

Question No : 313 - (Topic 3)

Your customer complains of the weak performance of his systems. He has heard that
Connection Templates accelerate traffic. How do you explain to the customer about
template restrictions and how to verify that they are enabled?

A. To enhance connection-establishment acceleration, a mechanism attempts to "group

together" all connections that match a particular service and whose sole discriminating
element is the source port. To test if connection templates are enabled, use the command
fw ctl templates.
B. To enhance connection-establishment acceleration, a mechanism attempts to "group
together" all connections that match a particular service and whose sole discriminating
element is the source port. To test if connection templates are enabled, use the command
fwaccel stat.
C. To enhance connection-establishment acceleration, a mechanism attempts to "group
together" all connections that match a particular service and whose sole discriminating
element is the destination port. To test if connection templates are enabled, use the
command fwacel templates.
D. To enhance connection-establishment acceleration, a mechanism attempts to "group
together" all connections that match a particular service and whose sole discriminating
element is the destination port. To test if connection templates are enabled, use the
command fw ctl templates.

Answer: B

Question No : 314 - (Topic 3)

When Load Sharing Multicast mode is defined in a ClusterXL cluster object, how are
packets being handled by cluster members?

A. Only one member at a time is active. The active cluster member processes all packets.
B. All members receive all packets. All members run an algorithm which determines which
member processes packets further and which members delete the packet from memory.
C. The pivot machine will handle it.
D. All cluster members process all packets and members synchronize with each other.

Answer: B

115
Question No : 315 - (Topic 3)

When configuring numbered VPN Tunnel Interfaces (VTIs) in a clustered environment,

what issues need to be considered?

1) Each member must have a unique source IP address.

2) Every interface on each member requires a unique IP address.

3) All VTI's going to the same remote peer must have the same name.

4) Cluster IP addresses are required.

A. 1, 2, and 4
B. 2 and 3
C. 1, 2, 3 and 4
D. 1, 3, and 4

Answer: C

Question No : 316 - (Topic 3)

Where do you verify that SmartDirectory is enabled?

A. Global properties > Authentication> Use SmartDirectory(LDAP) for Security Gateways

is checked
B. Gateway properties > Smart Directory (LDAP) > Use SmartDirectory(LDAP) for Security
Gateways is checked
C. Gateway properties > Authentication> Use SmartDirectory(LDAP) for Security
Gateways is checked
D. Global properties > User Directory (LDAP) > Use SmartDirectory(LDAP) for Security
Gateways is checked

Answer: D

Question No : 317 - (Topic 3)

In a UNIX environment, SmartReporter Data Base settings could be modified in:

A. $CPDIR/Database/conf/conf.C

116
B. $RTDIR/Database/conf/my.cnf
C. $ERDIR/conf/my.cnf
D. $FWDIR/Eventia/conf/ini.C

Answer: B

Question No : 318 - (Topic 3)

What is the SmartEvent Correlation Unit’s function?

A. Analyze log entries, looking for Event Policy patterns.

B. Display received threats and tune the Events Policy.
C. Assign severity levels to events.
D. Invoke and define automatic reactions and add events to the database.

Answer: A

Question No : 319 - (Topic 3)

The SmartEvent Correlation Unit:

A. analyzes each IPS log entry as it enters the Log server.

B. assigns a severity level to an event.
C. adds events to the events database.
D. displays the received events.

Answer: A

Question No : 320 - (Topic 3)

There are times when you want to use Link Selection to manage high-traffic VPN
connections. With Link Selection you can:

A. Assign links to specific VPN communities.

B. Use links based on services.
C. Prohibit Dynamic DNS.
D. Assign links to use Dynamic DNS.

117
Answer: B

Question No : 321 - (Topic 3)

Which Check Point product is used to create and save changes to a Log Consolidation
Policy?

A. SmartEvent Server
B. SmartDashboard Log Consolidator
C. SmartReporter Client
D. Security Management Server

Answer: B

Question No : 322 - (Topic 3)

Which of the following statements accurately describes the migrate command?

A. B. Used primarily when upgrading the Security Management Server, migrate stores all
object databases and the conf directories for importing to a newer version of the Security
Management Server.
B. Used when upgrading the Security Gateway, upgrade_export includes modified files,
such as in the directories /lib and /conf.
C. upgrade_export stores network-configuration data, objects, global properties, and the
database revisions prior to upgrading the Security Management Server.

Answer: B

Question No : 323 - (Topic 3)

What is the purpose of the pre-defined exclusions included with SmartEvent R77?

A. To allow SmartEvent R77 to function properly with all other R71 devices.
B. To avoid incorrect event generation by the default IPS event definition; a scenario that
may occur in deployments that include Security Gateways of versions prior to R71.
C. As a base for starting and building exclusions.
D. To give samples of how to write your own exclusion.

118
Answer: B

Question No : 324 - (Topic 3)

There are times when you want to use Link Selection to manage high-traffic VPN
connections. With Link Selection you can:

A. Assign links to specific VPN communities.

B. Assign links to use Dynamic DNS.
C. Set up links for Remote Access.
D. Use links based on Day/Time.

Answer: C

Question No : 325 - (Topic 3)

When distributing IPSec packets to gateways in a Load Sharing Multicast mode cluster,
which valid Load Sharing method will consider VPN information?

A. Load Sharing based on SPIs

B. Load Sharing based on IP addresses, ports, and serial peripheral interfaces
C. Load Sharing based on IP addresses, ports, and security parameter indexes
D. Load Sharing based on ports, VTI, and IP addresses

Answer: C

Question No : 326 - (Topic 3)

By default, the Cluster Control Protocol (CCP) uses this to send delta sync messages to
other cluster members.

A. Multicast
B. Unicast
C. Anycast
D. Broadcast

Answer: A

119
Question No : 327 - (Topic 3)

Match the ClusterXL modes with their configurations.

Exhibit:

A. A-2, B-3, C-4, D-1

B. A-2, B-3, C-1, D-5
C. A-3, B-5, C-1, D-4
D. A-5, B-2, C-4, D-1

Answer: C

Question No : 328 - (Topic 3)

Frank is concerned with performance and wants to configure the affinities settings. His
gateway does not have the Performance Pack running. What would Frank need to perform
in order configure those settings?

A. Edit affinity.conf and change the settings.

B. Run fw affinity and change the settings.

120
C. Edit $FWDIR/conf/fwaffinity.conf and change the settings.
D. Run sim affinity and change the settings.

Answer: C

Question No : 329 - (Topic 3)

If both domain-based and route-based VPN’s are configured, which will take precedence?

A. Route-based
B. Must be chosen/configured manually by the Administrator in the Policy > Global
Properties
C. Domain-based
D. Must be chosen/configured manually by the Administrator in the VPN community object

Answer: C

Question No : 330 - (Topic 3)

Included in the client’s network are some switches, which rely on IGMP snooping. You
must find a solution to work with these switches. Which of the following answers does NOT
lead to a successful solution?

A. Set the value of fwha_enable_igmp_snooping module configuration parameter to 1.

B. Disable IGMP registration in switches that rely on IGMP packets
C. ClusterXL supports IGMP snooping by default. There is no need to configure anything.
D. Configure static CAMs to allow multicast traffic on specific ports.

Answer: C

Question No : 331 - (Topic 3)

Which of the following is TRUE concerning numbered VPN Tunnel Interfaces (VTIs)?

A. VTIs are assigned only local addresses, not remote addresses

B. VTIs cannot share IP addresses
C. VTIs are only supported on IPSO

121
D. VTIs cannot use an already existing physical-interface IP address

Answer: D

Question No : 332 - (Topic 3)

What configuration change must you make to change an existing ClusterXL cluster object
from Multicast to Unicast mode?

A. Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy.
B. Change the cluster mode to Unicast on each of the cluster-member objects.
C. Run cpstop and cpstart, to re-enable High Availability on both objects. Select Pivot
mode in cpconfig.
D. Reset Secure Internal Communications (SIC) on the cluster-member objects. Reinstall
the Security Policy.

Answer: A

Question No : 333 - (Topic 3)

You are concerned that the processor for your firewall running R71 SecurePlatform may be
overloaded. What file would you view to determine the speed of your processor(s)?

A. cat /etc/sysconfig/cpuinfo
B. cat /proc/cpuinfo
C. cat /etc/cpuinfo
D. cat /var/opt/CPsuite-R71/fw1/conf/cpuinfo

Answer: B

Question No : 334 - (Topic 3)

When do modifications to the Event Policy take effect?

A. As soon as the Policy Tab window is closed.

B. When saved on the SmartEvent Server and installed to the Correlation Units.
C. When saved on the Correlation Units, and pushed as a policy.

122
D. When saved on the SmartEvent Client, and installed on the SmartEvent Server.

Answer: B

Question No : 335 - (Topic 3)

Due to some recent performance issues, you are asked to add additional processors to
your firewall. If you already have CoreXL enabled, how are you able to increase Kernel
instances?

A. Use cpconfig to reconfigure CoreXL.

B. Once CoreXL is installed you cannot enable additional Kernel instances without
reinstalling R75.
C. In SmartUpdate, right-click on Firewall Object and choose Add Kernel Instances.
D. Kernel instances are automatically added after process installed and no additional
configuration is needed.

Answer: A

Question No : 336 - (Topic 3)

What process manages the dynamic routing protocols (OSPF, RIP, etc.) on GAiA?

A. There's no separate process, but the Linux default router can take care of that.
B. routerd
C. arouted

Answer: A

Question No : 337 - (Topic 3)

Which of the following statements is TRUE concerning MEP VPN’s?

A. MEP Security Gateways can be managed by separate Management Servers.

B. The VPN Client is assigned a Security Gateway to connect to based on a priority list,
should the first connection fail.
C. State synchronization between Security Gateways is required.

123
D. MEP VPN’s are restricted to the location of the gateways.

Answer: A

Question No : 338 - (Topic 3)

If Jack was concerned about the number of log entries he would receive in the
SmartReporter system, which policy would he need to modify?

A. Smartreporter Policy
B. Log Consolidator Policy
C. Consolidation Policy

Answer: B

Question No : 339 - (Topic 3)

You want to upgrade a cluster with two members to R77. The Security Management Server
and both members are version NGX R65, with the latest Hotfix Accumulator. What is the
correct upgrade procedure?

1. Change the version in the General Properties of the Gateway-cluster object.

2. Upgrade the Security Management Server, and reboot.

3. Run cpstop on one member, while leaving the other member running. Upgrade one
member at a time and reboot after upgrade.

4. Install the Security Policy.

A. 3, 2, 1, 4
B. 2, 4, 3, 1
C. 2, 3, 1, 4
D. 1, 3, 2, 4

Answer: C

Question No : 340 - (Topic 3)

124
What is the benefit to running SmartEvent in Learning Mode?

A. There is no SmartEvent Learning Mode

B. To generate a report with system Event Policy modification suggestions
C. To run SmartEvent, with a step-by-step online configuration guide for training/setup
purposes
D. To run SmartEvent with preloaded sample data in a test environment

Answer: B

Question No : 341 - (Topic 3)

To back up all events stored in the SmartEvent Server, you should back up the contents of
which folder(s)?

A. $FWDIR/distrib
B. $FWDIR/distrib_db and $FWDIR/events
C. $RTDIR/distrib and $RTDIR/events_db
D. $RTDIR/events_db

Answer: C

Question No : 342 CORRECT TEXT - (Topic 3)

In a zero downtime firewall cluster environment, what command syntax do you run to avoid
switching problems around the cluster for command cphaconf?

Answer: set_ccp broadcast

Question No : 343 - (Topic 3)

You are running a R77.10 Security Gateway on GAiA. In case of a hardware failure, you
have a server with the exact same hardware and firewall version installed. What backup
method could you use to quickly put the secondary firewall into production?

A. snapshot

125
B. migrate_import
C. manual backup

Answer: B

Question No : 344 - (Topic 3)

You have selected the event Port Scan from Internal Network in SmartEvent, to detect an
event when 30 port scans have occurred within 60 seconds. You also want to detect two
port scans from a host within 10 seconds of each other. How would you accomplish this?

A. Define the two port-scan detections as an exception.

B. You cannot set SmartEvent to detect two port scans from a host within 10 seconds of
each other.
C. Select the two port-scan detections as a sub-event.
D. Select the two port-scan detections as a new event.

Answer: A

Question No : 345 - (Topic 3)

Which of the following statements is TRUE concerning MEP VPN’s?

A. State synchronization between Security Gateways is NOT required.

B. The VPN Client is assigned a Security Gateway to connect to based on a priority list,
should the first connection fail.
C. MEP Security Gateways cannot be managed by separate Management Servers.
D. MEP VPN’s are restricted to the location of the gateways.

Answer: A

Question No : 346 - (Topic 3)

In a R75 Management High Availability (HA) configuration, you can configure

synchronization to occur automatically, when:

1. The Security Policy is installed.

126
2. The Security Policy is saved.

3. The Security Administrator logs in to the seconday Security Management Server and
changes its status to Active.

4. A scheduled event occurs.

5. The user data base is installed.

Select the BEST response for the synchronization trigger.

A. 1, 2, 4
B. 1, 3, 4
C. 1, 2, 5
D. 1, 2, 3, 4

Answer: A

Question No : 347 - (Topic 3)

Which of the following is TRUE concerning unnumbered VPN Tunnel Interfaces (VTIs)?

A. Local IP addresses are not configured, remote IP addresses are configured

B. VTIs cannot be assigned a proxy interface
C. VTI specific additional local and remote IP addresses are not configured
D. VTIs are only supported on SecurePlatform

Answer: C

Question No : 348 - (Topic 3)

The SmartEvent Server:

A. assigns a severity level to an event.

B. forwards what is known as an event to the SmartEvent Server.
C. analyzes each IPS log entry as it enters the Log server.
D. displays the received events.

Answer: A

127
Question No : 349 - (Topic 3)

What is the SmartEvent Analyzer's function?

A. Generate a threat analysis report from the Analyzer database.

B. Display received threats and tune the Events Policy.
C. Assign severity levels to events.
D. Analyze log entries, looking for Event Policy patterns.

Answer: C

Question No : 350 - (Topic 3)

Which of the following statements is TRUE concerning MEP VPN’s?

A. The VPN Client is assigned a Security Gateway to connect to based on a priority list,
should the first connection fail.
B. MEP VPN’s are not restricted to the location of the gateways.
C. MEP Security Gateways cannot be managed by separate Management Servers.
D. State synchronization between Security Gateways is required.

Answer: B

Question No : 351 - (Topic 3)

You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to
use three machines with the following configurations:

Cluster Member 1: OS - GAiA; NICs - QuadCard; Memory - 1 GB; Security Gateway -

version: R71 and primary Security Management Server installed, version: R77

Cluster Member 2: OS - GAiA; NICs - 4 Intel 3Com; Memory - 1 GB; Security Gateway
only, version: R77

Cluster Member 3: OS - GAiA; NICs - 4 other manufacturers; Memory - 512 MB; Security
Gateway only, version: R77

Are these machines correctly configured for a ClusterXL deployment?

A. No, Cluster Member 3 does not have the required memory.

128
B. Yes, these machines are configured correctly for a ClusterXL deployment.
C. No, the Security Management Server is not running the same operating system as the
cluster members.
D. No, the Security Gateway cannot be installed on the Security Management Server.

Answer: D

Question No : 352 - (Topic 3)

The SmartEvent Correlation Unit:

A. forwards what is identified as an event to the SmartEvent server.

B. adds events to the events database.
C. assigns a severity level to an event.
D. displays the received events.

Answer: A

Question No : 353 - (Topic 3)

In a R77 ClusterXL Load Sharing configuration, which type of ARP related problem can
force the use of Unicast Mode (Pivot) configuration due to incompatibility on some adjacent
routers and switches?

A. MGCP MAC address response to a Multicast IP request

B. Multicast MAC address response to a Unicast IP request
C. Unicast MAC address response to a Multicast IP request
D. Multicast MAC address response to a RARP request

Answer: B

Question No : 354 - (Topic 3)

How many pre-defined exclusions are included by default in SmartEvent R77 as part of the
product installation?

A. 5

129
B. 0
C. 10
D. 3

Answer: D

130