156-915.77 Exam - Check Point Certified Security Expert Update Blade

NEW QUESTION 1

Where do you verify that UserDirectory is enabled?

• A. Verify that Security Gateway > General Properties > Authentication > Use UserDirectory (LDAP) for Security Gateways is checked
• B. Verify that Global Properties > Authentication > Use UserDirectory (LDAP) for Security Gateways is checked
• C. Verify that Security Gateway > General Properties > UserDirectory (LDAP) > Use UserDirectory (LDAP) for Security Gateways is checked
• D. Verify that Global Properties > UserDirectory (LDAP) > Use UserDirectory (LDAP) for Security Gateways is checked

Answer: D

NEW QUESTION 2
10.10.x is configured for Hide NAT behind the Security Gateway’s external interface.

What is the best configuration for 10.10.10.x users to access the DMZ servers, using the DMZ servers’ public IP addresses?

• A. When connecting to internal network 10.10.10.x, configure Hide NAT for the DMZ network behind the Security Gateway DMZ interface.
• B. When the source is the internal network 10.10.10.x, configure manual static NAT rules to translate the DMZ servers.
• C. When connecting to the Internet, configure manual Static NAT rules to translate the DMZ servers.
• D. When trying to access DMZ servers, configure Hide NAT for 10.10.10.x behind the DMZ’s interface.

Answer: B

NEW QUESTION 3

Complete this statement from the options provided. Using Captive Portal, unidentified users may be either; blocked, allowed to enter required credentials, or required to download the___.

• A. Identity Awareness Agent
• B. Full Endpoint Client
• C. ICA Certificate
• D. SecureClient

Answer: A

NEW QUESTION 4

How granular may an administrator filter an Access Role with identity awareness? Per:

• A. Specific ICA Certificate
• B. AD User
• C. Radius Group
• D. Windows Domain

Answer: B

NEW QUESTION 5

You just installed a new Web server in the DMZ that must be reachable from the Internet. You create a manual Static NAT rule as follows:
Source: Any || Destination: web_public_IP || Service: Any || Translated Source: original ||
Translated Destination: web_private_IP || Service: Original
“web_public_IP” is the node object that represents the new Web server’s public IP address. “web_private_IP” is the node object that represents the new Web site’s private IP address. You enable all settings from Global Properties > NAT.
When you try to browse the Web server from the Internet you see the error “page cannot be displayed”. Which of the following is NOT a possible reason?

• A. There is no Security Policy defined that allows HTTP traffic to the protected Web server.
• B. There is no ARP table entry for the protected Web server’s public IP address.
• C. There is no route defined on the Security Gateway for the public IP address to the Web server’s private IP address.
• D. There is no NAT rule translating the source IP address of packets coming from the protected Web server.

Answer: D

NEW QUESTION 6

Several Security Policies can be used for different installation targets. The Firewall protecting Human Resources’ servers should have its own Policy Package. These rules must be installed on this machine and not on the Internet Firewall. How can this be accomplished?

• A. A Rule Base is always installed on all possible target
• B. The rules to be installed on a Firewall are defined by the selection in the Rule Base row Install On.
• C. When selecting the correct Firewall in each line of the Rule Base row Install On, only this Firewall is shown in the list of possible installation targets after selecting Policy > Install on Target.
• D. In the menu of SmartDashboard, go to Policy > Policy Installation Targets and select the correct firewall via Specific Targets.
• E. A Rule Base can always be installed on any Check Point Firewall objec
• F. It is necessary to select the appropriate target directly after selecting Policy > Install on Target.

Answer: C

NEW QUESTION 7

Which Check Point tool allows you to open a debug file and see the VPN packet exchange details.

• A. PacketDebug.exe
• B. VPNDebugger.exe
• C. IkeView.exe
• D. IPSECDebug.exe

Answer: C

NEW QUESTION 8

MultiCorp is running Smartcenter R71 on an IPSO platform and wants to upgrade to a new Appliance with R77. Which migration tool is recommended?

• A. Download Migration Tool R77 for IPSO and Splat/Linux from Check Point website.
• B. Use already installed Migration Tool.
• C. Use Migration Tool from CD/ISO
• D. Fetch Migration Tool R71 for IPSO and Migration Tool R77 for Splat/Linux from CheckPoint website

Answer: A

NEW QUESTION 9
CORRECT TEXT
To stop acceleration on a GAiA Security Gateway, enter command:

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 10

After implementing Static Address Translation to allow Internet traffic to an internal Web Server on your DMZ, you notice that any NATed connections to that machine are being dropped by anti-spoofing protections. Which of the following is the MOST LIKELY cause?

• A. The Global Properties setting Translate destination on client side is unchecke
• B. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mas
• C. Check the Global Properties setting Translate destination on client side.
• D. The Global Properties setting Translate destination on client side is unchecke
• E. But the topology on the external interface is set to Others +. Change topology to External.
• F. The Global Properties setting Translate destination on client side is checke
• G. But the topology on the external interface is set to Externa
• H. Change topology to Others +.
• I. The Global Properties setting Translate destination on client side is checke
• J. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mas
• K. Uncheck the Global Properties setting Translate destination on client side.

Answer: A

NEW QUESTION 11
CORRECT TEXT
Type the full fw command and syntax that allows you to disable only sync on a cluster firewall member.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 12

What is Check Point's CoreXL?

• A. A way to synchronize connections across cluster members
• B. TCP-18190
• C. Multiple core interfaces on the device to accelerate traffic
• D. Multi Core support for Firewall Inspection

Answer: D

NEW QUESTION 13

When configuring numbered VPN Tunnel Interfaces (VTIs) in a clustered environment, what issues need to be considered?
1) Each member must have a unique source IP address.
2) Every interface on each member requires a unique IP address.
3) All VTI's going to the same remote peer must have the same name.
4) Cluster IP addresses are required.

• A. 1, 2, and 4
• B. 2 and 3
• C. 1, 2, 3 and 4
• D. 1, 3, and 4

Answer: C

NEW QUESTION 14

Your organization maintains several IKE VPN’s. Executives in your organization want to know which mechanism Security Gateway R77 uses to guarantee the authenticity and integrity of messages. Which technology should you explain to the executives?

• A. Certificate Revocation Lists
• B. Application Intelligence
• C. Key-exchange protocols
• D. Digital signatures

Answer: D

NEW QUESTION 15

Which of the following is a CLI command for Security Gateway R77?

• A. fw tab -u
• B. fw shutdown
• C. fw merge
• D. fwm policy_print <policyname>

Answer: A

NEW QUESTION 16

You find that Users are not prompted for authentication when they access their Web servers, even though you have created an HTTP rule via User Authentication. Choose the BEST reason why.

• A. You checked the cache password on desktop option in Global Properties.
• B. Another rule that accepts HTTP without authentication exists in the Rule Base.
• C. You have forgotten to place the User Authentication Rule before the Stealth Rule.
• D. Users must use the SecuRemote Client, to use the User Authentication Rule.

Answer: B

NEW QUESTION 17

How could you compare the Fingerprint shown to the Fingerprint on the server? Run cpconfig and select:
Exhibit:

• A. the Certificate Authority option and view the fingerprint.
• B. the GUI Clients option and view the fingerprint.
• C. the Certificate's Fingerprint option and view the fingerprint.
• D. the Server Fingerprint option and view the fingerprint.

Answer: C

NEW QUESTION 18

In the Rule Base displayed, user authentication in Rule 4 is configured as fully automatic. Eric is a member of the LDAP group, MSD_Group.

What happens when Eric tries to connect to a server on the Internet?

• A. None of these things will happen.
• B. Eric will be authenticated and get access to the requested server.
• C. Eric will be blocked because LDAP is not allowed in the Rule Base.
• D. Eric will be dropped by the Stealth Rule.

Answer: D

NEW QUESTION 19

You have created a Rule Base for firewall, websydney. Now you are going to create a new policy package with security and address translation rules for a second Gateway.

What is TRUE about the new package’s NAT rules?

• A. Rules 1, 2, 3 will appear in the new package.
• B. Only rule 1 will appear in the new package.
• C. NAT rules will be empty in the new package.
• D. Rules 4 and 5 will appear in the new package.

Answer: A

NEW QUESTION 20

Which Check Point address translation method is necessary if you want to connect from a host on the Internet via HTTP to a server with a reserved (RFC 1918) IP address on your DMZ?

• A. Dynamic Source Address Translation
• B. Hide Address Translation
• C. Port Address Translation
• D. Static Destination Address Translation

Answer: D

NEW QUESTION 21
......