CCSE Revision Questions 156-315.77

This entry is part 1 of 3 in the series CCSE Revision Questions 156-315.77

Checkpoint Certified Security Expert (CCSE) Revision Questions 156-315.77

As a trainer, many conversations I have with delegates revolve around explaining why the “guaranteed pass” answers are not just wrong but ridiculously wrong. Here in these posts, I include explanations as to why a particular answer is correct as opposed to expecting someone to take my word for it as the other cowboy exam prep people do.



Control connections between the Security Management Server and the Gateway are not
encrypted by the VPN Community. How are these connections secured?

A. They are encrypted and authenticated using SIC.
B. They are not encrypted, but are authenticated by the Gateway
C. They are secured by PPTP
D. They are not secured.

[su_spoiler title=”Answer:” style=”default”] A

Explanation: SIC is based on certificates. When your Security Management Server (SMS) is initially loaded, part of the post-installation is the initialization of the Internal Certificate Authority (ICA). The SMS is a full-featured certificate authority and the first thing the ICA does is create a certificate for itself (the “SMS-Cert”). From that point on all communication between the SMS and Security Gateway is authenticated and encrypted using SMS-Cert & FW-Cert and trust has been established between the two entities.[/su_spoiler]


If Bob wanted to create a Management High Availability configuration, what is the minimum
number of Security Management servers required in order to achieve his goal?

A. Three
B. Two
C. Four
D. One

[su_spoiler title=”Answer:” style=”default”]B



David wants to manage hundreds of gateways using a central management tool. What tool would
David use to accomplish his goal?

A. SmartProvisioning
B. SmartBlade
C. SmartDashboard
D. SmartLSM

[su_spoiler title=”Answer:” style=”default”]A



You find that Gateway fw2 can NOT be added to the cluster object. What are possible reasons for that?
1) fw2 is a member in a VPN community.
2) ClusterXL software blade is not enabled on fw2.
3) fw2 is a DAIP Gateway.

A. 2 or 3
B. 1 or 2
C. 1 or 3
D. All

[su_spoiler title=”Answer:” style=”default”] C

A gateway must first be removed from a VPN community before adding it to a cluster
ClusterXL is automatically enabled on the cluster object
It is not possible to create a cluster with DHCP on the external interface(s)


Review the Rule Base displayed. For which rules will the connection templates be generated in SecureXL?

A. Rules 2 and 5
B. Rules 2 through 5
C. Rule 2 only
D. All rules except Rule 3
[su_spoiler title=”Answer:” style=”default”] D




In the following cluster configuration; if you reboot sglondon_1 which device will be active when
sglondon_1 is back up and running? Why?


A. Sglondon_1, because it is up again, sglondon_2 took over during reboot
B. Sglondon_2 because I has highest IP
C. Sglondon_2 because it has highest priority
D. Sglondon_1 because it the first configured object with the lowest IP

[su_spoiler title=”Answer:” style=”default”] C

The first gateway listed has the highest initial priority, therefore:

A is incorrect as Sglondon_1 would not take over a higher priority gateway
B is nonsense – priority is never measured by IP
D is nonsense – priority is never measured by IP



Review the Rule Base displayed. For which rules will the connection templates be generated in SecureXL?
A. Rules 2 and 5
B. Rules 2 through 5
C. Rule 2 only
D. All rules except Rule 3

[su_spoiler title=”Answer:” style=”default”] C


Referring to the restrictions below: Rule 3 has a client auth rule – SecureXL connections will not be generated for this and all following rules

In general, Connections Templates will be created only for plain UDP or TCP connections. The following restrictions apply for Connection Template generation:

Global restrictions:

SYN Defender — Connection Templates for TCP connections will not be created
VPN connections
Complex connections (H323, FTP, SQL)
ISN Spoofing

If the Rule Base contains a rule regarding one of the following components, the Connection Templates will be disabled for connections matching this rule, and for all of the following rules:

Security Server connections.
Time objects in the rules.
Dynamic Objects and/or Domain Objects.
Services of type “other” with a match expression.
User/Client/Session Authentication actions.
Services of type RPC/DCERPC/DCOM.

When installing a policy containing restricted rules, you will receive console messages indicating that Connection Templates will not be created due to the rules that have been defined. The warnings should be used as a recommendation that will assist you to fine-tune your policy in order to optimize performance.



You are trying to configure Directional VPN Rule Match in the Rule Base but the Match column does not have the option to see the Directional Match. What must you enable to see the Directional Match?

A. directional_match(true) in the objects_5_0.C file on Security Management Server
B. VPN Directional Match on the Gateway object’s VPN tab
C. VPN Directional Match on the VPN advanced window, in Global Properties
D. Advanced Routing on each Security Gateway

[su_spoiler title=”Answer:” style=”default”] C


For directional VPN enforcement to be configured, it must first be enabled in the Global properties > VPN > Advanced > select Enable VPN directional match in VPN column


MultiCorp is running Smartcenter R71 on an IPSO platform and wants to upgrade to a new Appliance with R77. Which migration tool is recommended?

A. Download Migration Tool R77 for IPSO and Splat/Linux from Check Point website.
B. Use already installed Migration Tool.
C. Use Migration Tool from CD/ISO
D. Fetch Migration Tool R71 for IPSO and Migration Tool R77 for Splat/Linux from CheckPoint website

[su_spoiler title=”Answer:” style=”default”] A


Always use the latest migration tool for the version you are upgrading *to* not from.


MegaCorp is running Smartcenter R70, some Gateways at R65 and some other Gateways with R60. Management wants to upgrade to the most comprehensive IPv6 support. What should the administrator do first?
A. Upgrade Smartcenter to R77 first.
B. Upgrade R60-Gateways to R65.
C. Upgrade every unit directly to R77.
D. Check the ReleaseNotes to verify that every step is supported.

[su_spoiler title=”Answer:” style=”default”] D


These upgrades will need to be done in steps – check each release note for upgrade possibilities and use this upgrade map to check for valid hops.



MicroCorp experienced a security appliance failure. (LEDs of all NICs are off.) The age of the unit required that the RMA-unit be a different model. Will a revert to an existing snapshot bring the new unit up and running?

A. There is no dynamic update at reboot.
B. No. The revert will most probably not match to hard disk.
C. Yes. Everything is dynamically updated at reboot.
D. No. At installation the necessary hardware support is selected. The snapshot saves this state.
[su_spoiler title=”Answer:” style=”default”] D


The question is somewhat ambiguous as there is no mention of whether the old disk has been imported into the new appliance. Regardless of this, A and C dymnamic update doesn’t exist, B would only be applicable if the old HDD had been imported so D is the only viable answer.

The snapshot utility backs up everything, including the drivers, and is available only on SecurePlatform.
Snapshot can be used to backup both your firewall and management modules.
The disadvantages of this utility are that the generated file is very big, and can only be restored to the same device, and exactly the same state (same OS, same Check Point version, same patch level).



Which is the lowest Gateway version manageable by SmartCenter R77?
A. R65
B. S71
C. R55
D. R60A
[su_spoiler title=”Answer:” style=”default”] A


See the Compatibility Matrix for details on backwards compatibility.


Can you implement a complete IPv6 deployment without IPv4 addresses?

A. No. SmartCenter cannot be accessed from everywhere on the Internet.
B. Yes. Only one TCP stack (IPv6 or IPv4) can be used at the same time.
C. Yes, There is no requirement for managing IPv4 addresses.
D. No. IPv4 addresses are required for management.

[su_spoiler title=”Answer:” style=”default”] C


As the answer says, there is no requirement for IPv4 addresses. However, if you are migrating existing deployments then you may need to use a “dual stack”, “tunnelling” or “translation” – see this Checkpoint whitepaper for further details: IPv6 Public Whitepaper.



A ClusterXL configuration is limited to ___ members.
A. There is no limit.
B. 16
C. 6
D. 2
[su_spoiler title=”Answer:” style=”default”] C


Whilst C is the closest answer, it is not necessarily correct – from sk 83100:

The following are the maximum number of supported nodes in a cluster:

ClusterXL: 8 (According to page 6 in “ClusterXL Advanced Technical Reference Guide” – “Up to 8 cluster members are supported in ClusterXL”
IP Clustering on IPSO: 4
Third Party Clustering: 8
VSLS: 13

If full state synchronization is used in Security Gateway, the recommended maximum number of nodes is 4 regardless of the clustering mechanism used.

VSLS uses a more efficient state synchronization method and can safely support more than 4 nodes in a cluster.


Select the command set best used to verify proper failover function of a new ClusterXL configuration.

A. reboot
B. cphaprob -d failDevice -s problem -t 0 register / cphaprob -d failDevice unregister
C. clusterXL_admin down / clusterXL_admin up
D. cpstop/cpstart

[su_spoiler title=”Answer:” style=”default”] C


Page 62 of the R77 ClusterXL admin guide states:

Recommended method:
clusterXL_admin down
clusterXL_admin up



You are troubleshooting a HTTP connection problem. You’ve started fw monitor -o http.pcap. When you open http.pcap with Wireshark there is only one line. What is the most likely reason?

A. fw monitor was restricted to the wrong interface.
B. Like SmartView Tracker only the first packet of a connection will be captured by fw monitor.
C. By default only SYN packets are captured.
D. Acceleration was turned on and therefore fw monitor sees only SYN.

[su_spoiler title=”Answer:” style=”default”] D


If SecureXL is enabled on the Security Gateway, then ‘FW Monitor’ and ‘tcpdump’ will show only the non-accelerated packets (e.g., ‘TCP SYN’ will be shown, and ‘TCP ACK’ will not).



Which two processes are responsible on handling Identity Awareness?
A. pdp and lad
B. pdp and pdp-11
C. pep and lad
D. pdp and pep

[su_spoiler title=”Answer:” style=”default”] D


Referring to this article on processes and daemons:

pepd – Policy Enforcement Point daemon:

Receives identities via identity sharing
Redirects users to Captive Portal

pdpd – Policy Decision Point daemon

Acquires identities from identity sources
Shares identities with another gateways



Which three of the following are ClusterXL member requirements?

1) same operating systems
2) same Check Point version
3) same appliance model
4) same policy

A. 1, 3, and 4
B. 1, 2, and 4
C. 2, 3, and 4
D. 1, 2, and 3

[su_spoiler title=”Answer:” style=”default”] D

Explanation: Page 18 of R77 ClusterXL Admin Guide states that:

All cluster members must run on identically configured platforms
All cluster members must use the same Check Point software version
The policy is also installed to the cluster object, not individual firewall so they MUST have the same policy.



Fill in the blank. You can set Acceleration to ON or OFF using command syntax ___________ .

[su_spoiler title=”Answer:” style=”default”] fwaccel on / off [/su_spoiler]


You run cphaprob -a if. When you review the output, you find the word DOWN. What does DOWN mean?
A. The cluster link is down.
B. The physical interface is administratively set to DOWN.
C. The physical interface is down.
D. CCP pakets couldn’t be sent to or didn’t arrive from neighbor member.

[su_spoiler title=”Answer:” style=”default”] D

Explanation: From the CLusterXL Troubleshooting guide, “Down” means that one of the critical devices is down.

A “Down” category is assigned when a member does not receive any CCP packets from its neighbour.



Which three of the following components are required to get a SmartEvent up and running?

1) SmartEvent SIC
2) SmartEvent Correlation Unit
3) SmartEvent Server
4) SmartEvent Analyzer
5) SmartEvent Client

A. 2, 3, and 5
B. 1, 2, and 4
C. 1, 2, and 3
D. 3, 4, and 5

[su_spoiler title=”Answer:” style=”default”] A

Explanation: SmartEvent has several components that work together to help track down security threats and make your network more secure:

Correlation Unit that analyzes log entries on Log servers
SmartEvent server that contains the Events Database
SmartEvent client that manages SmartEvent

They work together in the following manner:

The Correlation Unit analyzes each log entry as it enters a Log server, looking for patterns according to the installed Event Policy. The logs contain data from both Check Point products and certain third-party devices. When a threat pattern is identified, the Correlation Unit forwards what is known as an event to the SmartEvent server.
When the SmartEvent server receives events from a Correlation Unit, it assigns a severity level to the event, invokes any defined automatic reactions, and adds the event to the Events Database that resides on the server. The severity level and automatic reaction are based on the Events Policy.
The SmartEvent client displays the received events, and is the place to manage events (such as filtering and closing events) and fine-tune and install the Events Policy.



MegaCorp is using SmartCenter Server with several gateways. Their requirements result in a heavy log load. Would it be feasible to add the SmartEvent Correlation Unit and SmartEvent Server to their SmartCenter Server?

A. No. SmartCenter SIC will interfere with the function of SmartEvent.
B. No. If SmartCenter is already under stress, the use of a separate server for SmartEvent is recommended.
C. No, SmartEvent and Smartcenter cannot be installed on the same machine at the same time.
D. Yes. SmartEvent must be installed on your SmartCenter Server.

[su_spoiler title=”Answer:” style=”default”] B

Explanation: The SmartEvent components can be installed on a single machine along with Smartcenter server but this will bring additional load – if the SCS is already under load then a separate machine for SmartEvent is recommended.



Fill in the blank. To verify that a VPN Tunnel is properly established, use the command _________

[su_spoiler title=”Answer:” style=”default”] vpn tunnelutil

Explanation: This can be shortened to “vpn tu”



MultiCorp is located in Atlanta. It has a branch office in Europe, Asia, and Africa. Each location has its own AD controller for local user login. How many ADqueries have to be configured?

[su_spoiler title=”Answer:” style=”default”] 4

Explanation: One query for each controller in Atlanta, Europe, Asia, and Africa.[/su_spoiler]


Fill in the blank. The command that typically generates the firewall application, operating system, and hardware specific drivers is _________ .

[su_spoiler title=”Answer:” style=”default”] snapshot

Explanation: The SecurePlatform Image and configuration can be saved and reverted with the snapshot and revert commands. These commands can be run in Standard and Expert Modes, and can use a TFTP or SCP server to store snapshots (locally, if necessary).


Fill in the blanks. To view the number of concurrent connections going through your firewall, you would use the command and syntax __ ___ __ __________ __ .

[su_spoiler title=”Answer:” style=”default”] fw tab -t connections -s


fw tab -t connections -s (for summary)
fw tab -t connections -x (to clear)


Fill in the blanks. To view the number of concurrent connections going through core 0 on the firewall, you would use the command and syntax __ __ _ ___ __ ___________ __ .

[su_spoiler title=”Answer:” style=”default”] fw -i 0 tab -t connections -s

Explanation: To see what connections are assigned to a particular core, use this command ‘fw -i tab -t connections’:
[Expert@HostName]# fw -i 0 tab -t connections
[Expert@HostName]# fw -i 0 tab -t connections -s


Which Check Point tool allows you to open a debug file and see the VPN packet exchange details.
A. PacketDebug.exe
B. VPNDebugger.exe
C. IkeView.exe
D. IPSECDebug.exe

[su_spoiler title=”Answer:” style=”default”] C

Explanation: C is the only viable answer as the other utilities do not exist.



When a packet is flowing through the security gateway, which one of the following is a valid inspection path?

A. Acceleration Path
B. Small Path
C. Firewall Path
D. Medium Path

[su_spoiler title=”Answer:” style=”default”] D


Slow path – Packets and connections that are inspected by the Firewall and are not processed by SecureXL.
Fast (Accelerated) path – Packets and connections that are offloaded to SecureXL and are not processed by the Firewall.
Medium path – Packets that require deeper inspection cannot use the accelerated path. It is not necessary for the Firewall to inspect these packets, they can be offloaded and do not use the slow path. For example, packets that are inspected by IPS cannot use the accelerated path and can be offloaded to the IPS PSL (Passive Streaming Library). SecureXL processes these packets more quickly than packets on the slow path.


To run GAiA in 64bit mode, which of the following is true?

1) Run set edition default 64-bit.
2) Install more than 4 GB RAM.
3) Install more than 4 TB of Hard Disk.

A. 1 and 3
B. 1 and 2
C. 2 and 3
D. 1, 2, and 3

[su_spoiler title=”Answer:” style=”default”] B


You are required to run the set edition command and have more than 4GB RAM but HDD size has no impact.

Series NavigationCCSE Revision Questions 156-315.77 – Part 2 >>

6 Replies to “CCSE Revision Questions 156-315.77”

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Exit mobile version