156-215.80 Exam - Check Point Certified Security Administrator

certleader.com


NEW QUESTION 1
An administrator is creating an IPsec site-to-site VPN between his corporate office and branch office. Both offices are protected by Check Point Security Gateways managed by the same Security Management Server. While configuring the VPN community to specify the pre-shared secret, the administrator found that the check box to enable the pre-shared secret is shaded and cannot be enabled. Why does it not allow him to specify the pre-shared secret?

  • A. IPsec VPN blade should be enabled on both Security Gateways.
  • B. Pre-shared secret can only be used while creating a VPN between a third party vendor and Check Point Security Gateway.
  • C. Certificate based Authentication is the only authentication method available between two Security Gateways managed by the same SMS.
  • D. The Security Gateways are pre-R75.40.

Answer: C

NEW QUESTION 2
What does the “unknown” SIC status shown on SmartConsole mean?

  • A. The SMS can contact the Security Gateway but cannot establish Secure Internal Communication.
  • B. SIC activation key requires a reset.
  • C. The SIC activation key is not known by any administrator.
  • D. There is no connection between the Security Gateway and SMS.

Answer: D

Explanation: The most typical status is Communicating. Any other status indicates that the SIC communication is problematic. For example, if the SIC status is Unknown, then there is no connection between the Gateway and the Security Management server. If the SIC status is Not Communicating, the Security Management server is able to contact the gateway, but SIC communication cannot be established.

NEW QUESTION 3
What statement is true regarding Visitor Mode?

  • A. VPN authentication and encrypted traffic are tunneled through port TCP 443.
  • B. Only ESP traffic is tunneled through port TCP 443.
  • C. Only Main mode and Quick mode traffic are tunneled on TCP port 443.
  • D. All VPN traffic is tunneled through UDP port 4500.

Answer: A

NEW QUESTION 4
Which of these attributes would be critical for a site-to-site VPN?

  • A. Scalability to accommodate user groups
  • B. Centralized management
  • C. Strong authentication
  • D. Strong data encryption

Answer: D

NEW QUESTION 5
Phase 1 of the two-phase negotiation process conducted by IKE operates in a _____ mode.

  • A. Main
  • B. Authentication
  • C. Quick
  • D. High Alert

Answer: A

NEW QUESTION 6
Which tool provides a list of trusted files to the administrator so they can specify to the Threat Prevention blade that these files do not need to be scanned or analyzed?

  • A. ThreatWiki
  • B. Whitelist Files
  • C. AppWiki
  • D. IPS Protections

Answer: A

NEW QUESTION 7
In R80, Unified Policy is a combination of

  • A. Access control policy, QoS Policy, Desktop Security Policy and endpoint policy.
  • B. Access control policy, QoS Policy, Desktop Security Policy and Threat Prevention Policy.
  • C. Firewall policy, address Translation and application and URL filtering, QoS Policy, Desktop Security Policy and Threat Prevention Policy.
  • D. Access control policy, QoS Policy, Desktop Security Policy and VPN policy.

Answer: D

Explanation: D is the best answer given the choices.
Unified Policy: In R80 the Access Control policy unifies the policies of these pre-R80 Software Blades:
  • Firewall and VPN
  • Application Control and URL Filtering
  • Identity Awareness
  • Data Awareness
  • Mobile Access
  • Security Zones

NEW QUESTION 8
All R77 Security Servers can perform authentication with the exception of one. Which of the Security Servers can NOT perform authentication?

  • A. FTP
  • B. SMTP
  • C. HTTP
  • D. RLOGIN

Answer: B

NEW QUESTION 9
Vanessa is a firewall administrator at her company, which uses Check Point firewalls at central and remote locations, managed centrally by an R80 Security Management Server. One central location has an R77.30 Gateway installed on an Open Server. The remote location uses a Check Point UTM-1 570 series appliance with R71. Which encryption is used in Secure Internal Communication (SIC) between central management and the firewall at each location?

  • A. On central firewall AES128 encryption is used for SIC, on Remote firewall 3DES encryption is used for SIC.
  • B. On both firewalls, the same encryption is used for SIC. This is AES-GCM-256.
  • C. The Firewall Administrator can choose which encryption suite will be used by SIC.
  • D. On central firewall AES256 encryption is used for SIC, on Remote firewall AES128 encryption is used for SIC.

Answer: A

Explanation: Gateways above R71 use AES128 for SIC. If one of the gateways is R71 or below, the gateways use 3DES.

NEW QUESTION 10
Which one of the following is TRUE?

  • A. Ordered policy is a sub-policy within another policy
  • B. One policy can be either inline or ordered, but not both
  • C. Inline layer can be defined as a rule action
  • D. Pre-R80 Gateways do not support ordered layers

Answer: C

NEW QUESTION 11
Which statement is NOT TRUE about Delta synchronization?

  • A. Using UDP Multicast or Broadcast on port 8161
  • B. Using UDP Multicast or Broadcast on port 8116
  • C. Quicker than Full sync
  • D. Transfers changes in the Kernel tables between cluster members

Answer: A

NEW QUESTION 12
You noticed that CPU cores on the Security Gateway are usually 100% utilized and many packets were dropped. You don’t have a budget to perform a hardware upgrade at this time. To optimize drops you decide to use Priority Queues and fully enable Dynamic Dispatcher. How can you enable them?

  • A. fw ctl multik dynamic_dispatching on
  • B. fw ctl multik dynamic_dispatching set_mode 9
  • C. fw ctl multik set_mode 9
  • D. fw ctl multik pq enable

Answer: C

NEW QUESTION 13
While enabling the Identity Awareness blade, the Identity Awareness wizard does not automatically detect the Windows domain. Why does it not detect the Windows domain?

  • A. Security Gateway is not part of the domain
  • B. SmartConsole machine is not part of the domain
  • C. SMS is not part of the domain
  • D. Identity Awareness is not enabled on Global properties

Answer: B

Explanation: To enable Identity Awareness:
Log in to SmartDashboard.
From the Network Objects tree, expand the Check Point branch.
Double-click the Security Gateway on which to enable Identity Awareness.
In the Software Blades section, select Identity Awareness on the Network Security tab. The Identity Awareness Configuration wizard opens.
Select one or more options. These options set the methods for acquiring identities of managed and unmanaged assets.
  • AD Query - Lets the Security Gateway seamlessly identify Active Directory users and computers.
  • Browser-Based Authentication - Sends users to a Web page to acquire identities from unidentified users. If Transparent Kerberos Authentication is configured, AD users may be identified transparently.
  • Terminal Servers - Identify users in a Terminal Server environment (originating from one IP address).
See Choosing Identity Sources.
Note - When you enable Browser-Based Authentication on a Security Gateway that is on an IP Series appliance, make sure to set the Voyager management application port to a port other than 443 or 80.
Click Next.
The Integration With Active Directory window opens.
When SmartDashboard is part of the domain, SmartDashboard suggests this domain automatically. If you select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory.

NEW QUESTION 14
You have enabled “Full Log” as a tracking option to a security rule. However, you are still not seeing any data type information. What is the MOST likely reason?

  • A. Logging has disk space issue
  • B. Change logging storage options on the logging server or Security Management Server properties and install database.
  • C. Data Awareness is not enabled.
  • D. Identity Awareness is not enabled.
  • E. Logs are arriving from Pre-R80 gateways.

Answer: A

Explanation: The most likely reason for the log data to stop is low disk space on the logging device, which can be the Management Server or the Gateway Server.

NEW QUESTION 15
What are the two types of address translation rules?

  • A. Translated packet and untranslated packet
  • B. Untranslated packet and manipulated packet
  • C. Manipulated packet and original packet
  • D. Original packet and translated packet

Answer: D

Explanation: NAT Rule Base
The NAT Rule Base has two sections that specify how the IP addresses are translated:
  • Original Packet
  • Translated Packet

NEW QUESTION 16
When you upload a package or license to the appropriate repository in SmartUpdate, where is the package or license stored?

  • A. Security Gateway
  • B. Check Point user center
  • C. Security Management Server
  • D. SmartConsole installed device

Answer: C

Explanation: SmartUpdate installs two repositories on the Security Management server:
  • License & Contract Repository, which is stored on all platforms in the directory $FWDIR\conf.
  • Package Repository, which is stored:
      • on Windows machines in C:\SUroot.
      • on UNIX machines in /var/suroot.
The Package Repository requires a separate license, in addition to the license for the Security Management server. This license should stipulate the number of nodes that can be managed in the Package Repository.

NEW QUESTION 17
Packages and licenses are loaded from all of these sources EXCEPT

  • A. Download Center Web site
  • B. UserUpdate
  • C. User Center
  • D. Check Point DVD

Answer: B

Explanation: Packages and licenses are loaded into these repositories from several sources:
  • the Download Center web site (packages)
  • the Check Point DVD (packages)
  • the User Center (licenses)
  • by importing a file (packages and licenses)
  • by running the cplic command line
