Q1. - (Topic 3)
Which of the following is NOT true for Clientless VPN?
A. User Authentication is supported.
B. Secure communication is provided between clients and servers that support HTTP.
C. The Gateway accepts any encryption method that is proposed by the client and supported in the VPN.
D. The Gateway can enforce the use of strong encryption.
Answer: B
Q2. - (Topic 1)
Your organization's disaster recovery plan needs an update to the backup and restore section to reap the new distributed R77 installation benefits. Your plan must meet the following required and desired objectives:
Required ObjectivE. The Security Policy repository must be backed up no less frequently than every 24 hours.
Desired ObjectivE. The R77 components that enforce the Security Policies should be backed up at least once a week.
Desired ObjectivE. Back up R77 logs at least once a week.
Your disaster recovery plan is as follows:
-Use the cron utility to run the command upgrade_export each night on the Security Management Servers.
-
Configure the organization's routine back up software to back up the files created by the command upgrade_export.
-
Configure the GAiA back up utility to back up the Security Gateways every Saturday night.
-Use the cron utility to run the command upgrade_export each Saturday night on the log servers.
-
Configure an automatic, nightly logswitch.
-
Configure the organization's routine back up software to back up the switched logs every night.
Upon evaluation, your plan:
A. Meets the required objective and only one desired objective.
B. Meets the required objective but does not meet either desired objective.
C. Meets the required objective and both desired objectives.
D. Does not meet the required objective.
Answer: C
Q3. - (Topic 1)
How can you most quickly reset Secure Internal Communications (SIC) between a Security Management Server and Security Gateway?
A. From the Security Management Server's command line, type fw putkey -p <shared key> <IP Address of Security Gateway>.
B. Run the command fwm sic_reset to reinitialize the Security Management Server Internal Certificate Authority (ICA). Then retype the activation key on the Security Gateway from SmartDashboard.
C. Use SmartUpdate to retype the Security Gateway activation key. This will automatically sync SIC to both the Security Management Server and Gateway.
D. From cpconfig on the Gateway, choose the Secure Internal Communication option and retype the activation key. Next, retype the same key in the Gateway object in SmartDashboard and reinitialize Secure Internal Communications (SIC).
Answer: D
9. - (Topic 1)
Several Security Policies can be used for different installation targets. The Firewall protecting Human Resources' servers should have its own Policy Package. These rules must be installed on this machine and not on the Internet Firewall. How can this be accomplished?
A. A Rule Base is always installed on all possible targets. The rules to be installed on a Firewall are defined by the selection in the Rule Base row Install On.
B. A Rule Base can always be installed on any Check Point Firewall object. It is necessary to select the appropriate target directly after selecting Policy > Install on Target.
C. When selecting the correct Firewall in each line of the Rule Base row Install On, only this Firewall is shown in the list of possible installation targets after selecting Policy > Install on Target.
D. In the menu of SmartDashboard, go to Policy > Policy Installation Targets and select the correct firewall via Specific Targets.
Q4. - (Topic 3)
What happens if the identity of a user is known?
A. If the user credentials do not match an Access Role, the system displays the Captive Portal.
B. If the user credentials do not match an Access Role, the system displays a sandbox.
C. If the user credentials do not match an Access Role, the traffic is automatically dropped.
D. If the user credentials match an Access Role, the rule is applied and traffic is accepted or dropped based on the defined action.
Answer: D
Q5. - (Topic 3)
Central license management allows a Security Administrator to perform which of the following functions?
1.
Check for expired licenses.
2.
Sort licenses and view license properties.
3.
Attach both R77 Central and Local licesnes to a remote module.
4.
Delete both R77 Local Licenses and Central licenses from a remote module.
5.
Add or remove a license to or from the license repository.
6.
Attach and/or delete only R77 Central licenses to a remote module (not Local licenses).
A. 1, 2, 3, 4, & 5
B. 2, 3, 4, & 5
C. 2, 5, & 6
D. 1, 2, 5, & 6
Answer: A
Q6. - (Topic 1)
Where can you find the Check Point's SNMP MIB file?
A. $CPDIR/lib/snmp/chkpt.mib
B. There is no specific MIB file for Check Point products.
C. $FWDIR/conf/snmp.mib
D. It is obtained only by request from the TAC.
Answer: A
Q7. - (Topic 3)
You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first?
A. Manually import your partner's Access Control List.
B. Manually import your partner's Certificate Revocation List.
C. Create a new logical-server object to represent your partner's CA.
D. Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA).
Answer: D
Q8. - (Topic 3)
What action can be performed from SmartUpdate R77?
A. cpinfo
B. fw stat -l
C. upgrade_export
D. remote_uninstall_verifier
Answer: A
Q9. - (Topic 3)
You install and deploy GAiA with default settings. You allow Visitor Mode in the Gateway object’s Remote Access properties and install policy. What additional steps are required for this to function correctly?
A. You need to start SSL Network Extender first, then use Visitor Mode.
B. Set Visitor Mode in Policy > Global Properties > Remote-Access > VPN - Advanced.
C. Office mode is not configured.
D. The WebUI on GAiA runs on port 443 (HTTPS). When you configure Visitor Mode it cannot bind to default port 443, because it's used by another program (WebUI). With multi-port no additional changes are necessary.
Answer: D
Q10. - (Topic 1)
You want to reset SIC between smberlin and sgosaka.
In SmartDashboard, you choose sgosaka, Communication, Reset. On sgosaka, you start cpconfig, choose Secure Internal Communication and enter the new SIC Activation Key. The screen reads The SIC was successfully initialized and jumps back to the cpconfig menu. When trying to establish a connection, instead of a working connection, you receive this error message:
What is the reason for this behavior?
A. The Gateway was not rebooted, which is necessary to change the SIC key.
B. The Check Point services on the Gateway were not restarted because you are still in the cpconfig utility.
C. You must first initialize the Gateway object in SmartDashboard (i.e., right-click on the object, choose Basic Setup > Initialize).
D. The activation key contains letters that are on different keys on localized keyboards. Therefore, the activation can not be typed in a matching fashion.
Answer: B