CCSE Revision Questions 156-315.77

This entry is part 1 of 3 in the series CCSE Revision Questions 156-315.77

Check Point Certified Security Expert (CCSE) Revision Questions 156-315.77

As a trainer, I have many conversations with delegates that revolve around explaining why the “guaranteed pass” answers are not just wrong but ridiculously wrong. In these posts I include an explanation of why a particular answer is correct, rather than expecting someone to take my word for it as the other cowboy exam-prep people do.

 

QUESTION 1

Control connections between the Security Management Server and the Gateway are not
encrypted by the VPN Community. How are these connections secured?

A. They are encrypted and authenticated using SIC.
B. They are not encrypted, but are authenticated by the Gateway
C. They are secured by PPTP
D. They are not secured.

Answer: A

Explanation: SIC is based on certificates. When your Security Management Server (SMS) is initially loaded, part of the post-installation is the initialization of the Internal Certificate Authority (ICA). The SMS is a full-featured certificate authority, and the first thing the ICA does is create a certificate for itself (the “SMS-Cert”). Once trust has been established between the two entities, all communication between the SMS and the Security Gateway is authenticated and encrypted using the SMS-Cert and FW-Cert.

QUESTION 2

If Bob wanted to create a Management High Availability configuration, what is the minimum
number of Security Management servers required in order to achieve his goal?

A. Three
B. Two
C. Four
D. One

Answer: B

QUESTION 3

David wants to manage hundreds of gateways using a central management tool. What tool would
David use to accomplish his goal?

A. SmartProvisioning
B. SmartBlade
C. SmartDashboard
D. SmartLSM

Answer: A

QUESTION 4

You find that Gateway fw2 can NOT be added to the cluster object. What are possible reasons for that?
1) fw2 is a member in a VPN community.
2) ClusterXL software blade is not enabled on fw2.
3) fw2 is a DAIP Gateway.

A. 2 or 3
B. 1 or 2
C. 1 or 3
D. All

Answer: C

Explanation:

A gateway must first be removed from a VPN community before it can be added to a cluster.
ClusterXL is automatically enabled on the cluster object.
It is not possible to create a cluster with DHCP on the external interface(s).

QUESTION 5

Review the Rule Base displayed. For which rules will the connection templates be generated in SecureXL?

A. Rules 2 and 5
B. Rules 2 through 5
C. Rule 2 only
D. All rules except Rule 3
Answer: D

QUESTION 6

In the following cluster configuration; if you reboot sglondon_1 which device will be active when
sglondon_1 is back up and running? Why?

sglondon_2
sglondon_1

A. Sglondon_1, because it is up again; sglondon_2 took over during the reboot
B. Sglondon_2 because it has the highest IP
C. Sglondon_2 because it has the highest priority
D. Sglondon_1 because it is the first configured object with the lowest IP

Answer: C

Explanation:

The first gateway listed has the highest initial priority, therefore:

A is incorrect as sglondon_1 would not take over from a higher-priority gateway.
B is nonsense – priority is never measured by IP.
D is nonsense – priority is never measured by IP.

QUESTION 7

Review the Rule Base displayed. For which rules will the connection templates be generated in SecureXL?
A. Rules 2 and 5
B. Rules 2 through 5
C. Rule 2 only
D. All rules except Rule 3

Answer: C

Explanation:

Referring to the restrictions below: Rule 3 is a Client Authentication rule – SecureXL connection templates will not be generated for it or for any of the following rules.

In general, Connections Templates will be created only for plain UDP or TCP connections. The following restrictions apply for Connection Template generation:

Global restrictions:

SYN Defender — Connection Templates for TCP connections will not be created
VPN connections
Complex connections (H323, FTP, SQL)
NetQuotas
ISN Spoofing

If the Rule Base contains a rule regarding one of the following components, the Connection Templates will be disabled for connections matching this rule, and for all of the following rules:

Security Server connections.
Time objects in the rules.
Dynamic Objects and/or Domain Objects.
Services of type “other” with a match expression.
User/Client/Session Authentication actions.
Services of type RPC/DCERPC/DCOM.

When installing a policy containing restricted rules, you will receive console messages indicating that Connection Templates will not be created due to the rules that have been defined. The warnings should be used as a recommendation that will assist you to fine-tune your policy in order to optimize performance.


QUESTION 8

You are trying to configure Directional VPN Rule Match in the Rule Base but the Match column does not have the option to see the Directional Match. What must you enable to see the Directional Match?

A. directional_match(true) in the objects_5_0.C file on Security Management Server
B. VPN Directional Match on the Gateway object’s VPN tab
C. VPN Directional Match on the VPN advanced window, in Global Properties
D. Advanced Routing on each Security Gateway

Answer: C

Explanation:

For directional VPN enforcement to be configured, it must first be enabled under Global Properties > VPN > Advanced > Enable VPN directional match in VPN column.

QUESTION 9

MultiCorp is running Smartcenter R71 on an IPSO platform and wants to upgrade to a new Appliance with R77. Which migration tool is recommended?

A. Download Migration Tool R77 for IPSO and Splat/Linux from Check Point website.
B. Use already installed Migration Tool.
C. Use Migration Tool from CD/ISO
D. Fetch Migration Tool R71 for IPSO and Migration Tool R77 for Splat/Linux from CheckPoint website

Answer: A

Explanation:

Always use the latest migration tool for the version you are upgrading *to*, not from.

QUESTION 10

MegaCorp is running Smartcenter R70, some Gateways at R65 and some other Gateways with R60. Management wants to upgrade to the most comprehensive IPv6 support. What should the administrator do first?
A. Upgrade Smartcenter to R77 first.
B. Upgrade R60-Gateways to R65.
C. Upgrade every unit directly to R77.
D. Check the ReleaseNotes to verify that every step is supported.

Answer: D

Explanation:

These upgrades will need to be done in steps – check each set of release notes for the supported upgrade paths and use the upgrade map to check for valid hops.

QUESTION 11

MicroCorp experienced a security appliance failure. (LEDs of all NICs are off.) The age of the unit required that the RMA-unit be a different model. Will a revert to an existing snapshot bring the new unit up and running?

A. There is no dynamic update at reboot.
B. No. The revert will most probably not match to hard disk.
C. Yes. Everything is dynamically updated at reboot.
D. No. At installation the necessary hardware support is selected. The snapshot saves this state.
Answer: D

Explanation:

The question is somewhat ambiguous as there is no mention of whether the old disk has been imported into the new appliance. Regardless of this, for A and C a dynamic update doesn’t exist, and B would only be applicable if the old HDD had been imported, so D is the only viable answer.

The snapshot utility backs up everything, including the drivers, and is available only on SecurePlatform.
Snapshot can be used to back up both your firewall and management modules.
The disadvantages of this utility are that the generated file is very big, and can only be restored to the same device in exactly the same state (same OS, same Check Point version, same patch level).

QUESTION 12

Which is the lowest Gateway version manageable by SmartCenter R77?
A. R65
B. S71
C. R55
D. R60A
Answer: A

Explanation:

See the Compatibility Matrix for details on backwards compatibility.

QUESTION 13

Can you implement a complete IPv6 deployment without IPv4 addresses?

A. No. SmartCenter cannot be accessed from everywhere on the Internet.
B. Yes. Only one TCP stack (IPv6 or IPv4) can be used at the same time.
C. Yes, There is no requirement for managing IPv4 addresses.
D. No. IPv4 addresses are required for management.

Answer: C

Explanation:

As the answer says, there is no requirement for IPv4 addresses. However, if you are migrating existing deployments then you may need to use “dual stack”, “tunnelling” or “translation” – see this Check Point whitepaper for further details: IPv6 Public Whitepaper.

QUESTION 14

A ClusterXL configuration is limited to ___ members.
A. There is no limit.
B. 16
C. 6
D. 2
Answer: C

Explanation:

Whilst C is the closest answer, it is not necessarily correct – from sk83100:

The following are the maximum numbers of supported nodes in a cluster:

ClusterXL: 8 (according to page 6 of the “ClusterXL Advanced Technical Reference Guide” – “Up to 8 cluster members are supported in ClusterXL”)
IP Clustering on IPSO: 4
Third Party Clustering: 8
VSLS: 13

If full state synchronization is used in Security Gateway, the recommended maximum number of nodes is 4 regardless of the clustering mechanism used.

VSLS uses a more efficient state synchronization method and can safely support more than 4 nodes in a cluster.

QUESTION 15

Select the command set best used to verify proper failover function of a new ClusterXL configuration.

A. reboot
B. cphaprob -d failDevice -s problem -t 0 register / cphaprob -d failDevice unregister
C. clusterXL_admin down / clusterXL_admin up
D. cpstop/cpstart

Answer: C

Explanation:

Page 62 of the R77 ClusterXL admin guide states:

Recommended method:
Run:
clusterXL_admin down
clusterXL_admin up

 

QUESTION 16

You are troubleshooting an HTTP connection problem. You’ve started fw monitor -o http.pcap. When you open http.pcap with Wireshark there is only one line. What is the most likely reason?

A. fw monitor was restricted to the wrong interface.
B. Like SmartView Tracker only the first packet of a connection will be captured by fw monitor.
C. By default only SYN packets are captured.
D. Acceleration was turned on and therefore fw monitor sees only SYN.

Answer: D

Explanation:

If SecureXL is enabled on the Security Gateway, then ‘FW Monitor’ and ‘tcpdump’ will show only the non-accelerated packets (e.g., ‘TCP SYN’ will be shown, and ‘TCP ACK’ will not).

QUESTION 17

Which two processes are responsible for handling Identity Awareness?
A. pdp and lad
B. pdp and pdp-11
C. pep and lad
D. pdp and pep

Answer: D

Explanation:

Referring to this article on processes and daemons:

pepd – Policy Enforcement Point daemon:

Receives identities via identity sharing
Redirects users to Captive Portal

pdpd – Policy Decision Point daemon:

Acquires identities from identity sources
Shares identities with other gateways

QUESTION 18

Which three of the following are ClusterXL member requirements?

1) same operating systems
2) same Check Point version
3) same appliance model
4) same policy

A. 1, 3, and 4
B. 1, 2, and 4
C. 2, 3, and 4
D. 1, 2, and 3

Answer: D

Explanation: Page 18 of the R77 ClusterXL Admin Guide states that:

All cluster members must run on identically configured platforms
All cluster members must use the same Check Point software version

The policy is also installed to the cluster object, not to individual firewalls, so they MUST have the same policy.

QUESTION 19

Fill in the blank. You can set Acceleration to ON or OFF using command syntax ___________ .

Answer: fwaccel on / off

QUESTION 20

You run cphaprob -a if. When you review the output, you find the word DOWN. What does DOWN mean?
A. The cluster link is down.
B. The physical interface is administratively set to DOWN.
C. The physical interface is down.
D. CCP packets couldn’t be sent to or didn’t arrive from the neighbour member.

Answer: D

Explanation: From the ClusterXL Troubleshooting guide, “Down” means that one of the critical devices is down.

A “Down” category is assigned when a member does not receive any CCP packets from its neighbour.

QUESTION 21

Which three of the following components are required to get a SmartEvent up and running?

1) SmartEvent SIC
2) SmartEvent Correlation Unit
3) SmartEvent Server
4) SmartEvent Analyzer
5) SmartEvent Client

A. 2, 3, and 5
B. 1, 2, and 4
C. 1, 2, and 3
D. 3, 4, and 5

Answer: A

Explanation: SmartEvent has several components that work together to help track down security threats and make your network more secure:

Correlation Unit that analyzes log entries on Log servers
SmartEvent server that contains the Events Database
SmartEvent client that manages SmartEvent

They work together in the following manner:

The Correlation Unit analyzes each log entry as it enters a Log server, looking for patterns according to the installed Event Policy. The logs contain data from both Check Point products and certain third-party devices. When a threat pattern is identified, the Correlation Unit forwards what is known as an event to the SmartEvent server.
When the SmartEvent server receives events from a Correlation Unit, it assigns a severity level to the event, invokes any defined automatic reactions, and adds the event to the Events Database that resides on the server. The severity level and automatic reaction are based on the Events Policy.
The SmartEvent client displays the received events, and is the place to manage events (such as filtering and closing events) and fine-tune and install the Events Policy.


QUESTION 22

MegaCorp is using SmartCenter Server with several gateways. Their requirements result in a heavy log load. Would it be feasible to add the SmartEvent Correlation Unit and SmartEvent Server to their SmartCenter Server?

A. No. SmartCenter SIC will interfere with the function of SmartEvent.
B. No. If SmartCenter is already under stress, the use of a separate server for SmartEvent is recommended.
C. No, SmartEvent and Smartcenter cannot be installed on the same machine at the same time.
D. Yes. SmartEvent must be installed on your SmartCenter Server.

Answer: B

Explanation: The SmartEvent components can be installed on a single machine along with the SmartCenter server, but this brings additional load – if the SCS is already under load then a separate machine for SmartEvent is recommended.

QUESTION 23

Fill in the blank. To verify that a VPN Tunnel is properly established, use the command _________

Answer: vpn tunnelutil

Explanation: This can be shortened to “vpn tu”.

QUESTION 24

MultiCorp is located in Atlanta. It has a branch office in Europe, Asia, and Africa. Each location has its own AD controller for local user login. How many ADqueries have to be configured?

Answer: 4

Explanation: One query for each controller in Atlanta, Europe, Asia, and Africa.

QUESTION 25

Fill in the blank. The command that typically generates the firewall application, operating system, and hardware specific drivers is _________ .

Answer: snapshot

Explanation: The SecurePlatform image and configuration can be saved and reverted with the snapshot and revert commands. These commands can be run in Standard and Expert Modes, and can use a TFTP or SCP server to store snapshots (or store them locally, if necessary).

QUESTION 26

Fill in the blanks. To view the number of concurrent connections going through your firewall, you would use the command and syntax __ ___ __ __________ __ .

Answer: fw tab -t connections -s

Explanation:

fw tab -t connections -s (for summary)
fw tab -t connections -x (to clear)

QUESTION 27

Fill in the blanks. To view the number of concurrent connections going through core 0 on the firewall, you would use the command and syntax __ __ _ ___ __ ___________ __ .

Answer: fw -i 0 tab -t connections -s

Explanation: To see which connections are assigned to a particular core, use ‘fw -i <core> tab -t connections’:
[Expert@HostName]# fw -i 0 tab -t connections
[Expert@HostName]# fw -i 0 tab -t connections -s

QUESTION 28

Which Check Point tool allows you to open a debug file and see the VPN packet exchange details?
A. PacketDebug.exe
B. VPNDebugger.exe
C. IkeView.exe
D. IPSECDebug.exe

Answer: C

Explanation: C is the only viable answer as the other utilities do not exist.

QUESTION 29

When a packet is flowing through the security gateway, which one of the following is a valid inspection path?

A. Acceleration Path
B. Small Path
C. Firewall Path
D. Medium Path

Answer: D

Explanation:

Slow path – Packets and connections that are inspected by the Firewall and are not processed by SecureXL.
Fast (Accelerated) path – Packets and connections that are offloaded to SecureXL and are not processed by the Firewall.
Medium path – Packets that require deeper inspection cannot use the accelerated path. It is not necessary for the Firewall to inspect these packets; they can be offloaded and do not use the slow path. For example, packets that are inspected by IPS cannot use the accelerated path and can be offloaded to the IPS PSL (Passive Streaming Library). SecureXL processes these packets more quickly than packets on the slow path.

QUESTION 30

To run GAiA in 64bit mode, which of the following is true?

1) Run set edition default 64-bit.
2) Install more than 4 GB RAM.
3) Install more than 4 TB of Hard Disk.

A. 1 and 3
B. 1 and 2
C. 2 and 3
D. 1, 2, and 3

Answer: B

Explanation:

You are required to run the set edition command and have more than 4 GB of RAM, but HDD size has no impact.

CCSE Revision Questions 156-315.77 – Part 2

This entry is part 2 of 3 in the series CCSE Revision Questions 156-315.77


This is the next post in the series, following on from the first CCSE Revision Questions article. Without further ado, let’s get stuck in:

QUESTION 31

If your firewall is performing a lot of IPS inspection and the CPUs assigned to fw_worker_thread are at or near 100%, which of the following could you do to improve performance?

A. Add more RAM to the system.
B. Add more Disk Drives.
C. Assign more CPU cores to CoreXL
D. Assign more CPU cores to SecureXL.

Answer: C

Explanation: By adding more cores you will reduce the load on the existing cores. Do this using cpconfig:

From a command line on the gateway, run: cpconfig.
The configuration menu is displayed.
Enter option 8: Configure Check Point CoreXL.

QUESTION 32

Which of the following CLISH commands would you use to set the admin user’s shell to bash?
A. set user admin shell bash
B. set user admin shell /bin/bash
C. set user admin shell = /bin/bash
D. set user admin /bin/bash

Answer: B

Explanation:

See here for details.

QUESTION 33

What is Check Point’s CoreXL?
A. A way to synchronize connections across cluster members
B. TCP-18190
C. Multiple core interfaces on the device to accelerate traffic
D. Multi Core support for Firewall Inspection

Answer: D

Explanation: CoreXL is a performance-enhancing technology for Security Gateways on multi-core processing platforms. CoreXL enhances Security Gateway performance by enabling the processing cores to concurrently perform multiple tasks.

 

 

QUESTION 34

Does Check Point recommend generating an upgrade_export on standby SmartCenters?
A. Yes. This is the only way to get the upgrade_export
B. No. All Check Point processes are stopped.
C. No. There is no way to verify the actual configuration.
D. Yes. All information is available at both SmartCenters.

Answer: C

QUESTION 35

The challenges to IT involve deployment, security, management, and what else?

A. Assessments
B. Maintenance
C. Transparency
D. Compliance

Answer: D

Explanation: An ambiguous question; compliance is certainly important from a security perspective, though.

QUESTION 36

What is the correct policy installation process order?

1. Verification
2. Code generation and compilation
3. Initiation
4. Commit
5. Conversion
6. CPTA

A. 1, 2, 3, 4, 5, 6
B. 3, 1, 5, 2, 6, 4
C. 4, 2, 3, 5, 6, 1
D. 6, 5, 4, 3, 2, 1

Answer: B

Explanation:

The answer B is correct assuming:

* verification refers to the viability of the policy and not the integrity of the policy file which is transferred to the gateway for installation
* we ignore “conversion” as it is not mentioned in any Check Point docs

See here for the actual process.

QUESTION 37

What is the offline CPSIZEME upload procedure?
A. Find the cpsizeme_of_<gwname>.pdf, attach it to an e-mail and send it to cpsizeme_upload@checkpoint.com
B. Use the webbrowser version of cpsizeme and fax it to Check Point.
C. Find the cpsizeme_of_<gwname>.xml, attach it to an e-mail and send it to cpsizeme_upload@checkpoint.com
D. There is no offline upload method.

Answer: C

Explanation:

From sk88160:

The ‘cpsizeme’ is a lightweight shell script that produces a detailed performance report of a Check Point Security Gateway. This script measures the ongoing resource utilization on the Security Gateway during the given time period (refer to the “Running ‘cpsizeme’” section). During this period, the script gathers information about CPU, memory consumption, throughput and a few other important performance parameters.

This script allows you to automatically upload the collected raw performance data securely to Check Point servers. If an e-mail address was provided, then after getting the raw performance data, a PDF report will be sent to that e-mail address.

Offline upload procedure – If the Security Gateway does not have connectivity to Check Point servers, you can upload the data via e-mail:

Procedure:

  • Locate the cpsizeme output XML file on the Security Gateway. Run:
    [Expert@HostName]# ./cpsizeme -S
  • Select option 5 ‘Show location of generated files’.
  • Transfer the cpsizeme output XML file from the Security Gateway to your computer.
  • Attach the cpsizeme output XML file to an e-mail.
  • Send the e-mail to the following e-mail address: cpsizeme_upload@checkpoint.com
  • You will receive an e-mail from sizing@checkpoint.com with attached PDF report within 1 hour.


QUESTION 38

How frequently does CPSIZEME run by default?
A. weekly
B. 12 hours
C. 24 hours
D. 1 hour

Answer: C

Explanation: From the sk:

To run the script with default parameters:
[Expert@HostName]# ./cpsizeme
By default, the script will run for 24 hours.

QUESTION 39

How do you run “CPSIZEME” on SPLAT?
A. [expert@HostName]#>./cpsizeme -h
B. [expert@HostName]# ./cpsizeme -R
C. This is not possible on SPLAT
D. [expert@HostName]# ./cpsizeme

Answer: D

Explanation: As in the previous question:
To run the script with default parameters:
[Expert@HostName]# ./cpsizeme

QUESTION 40

How do you check the version of “CPSIZEME” on GAiA?
A. [expert@HostName]# ./cpsizeme.exe
B. [expert@HostName]# ./cpsizeme.exe version
C. [expert@HostName]# ./cpsizeme -V
D. [expert@HostName]# ./cpsizeme version

Answer: C

Explanation: A and B use a .exe extension, which does not exist on a Gaia installation. The correct switch is “-V”.

QUESTION 41

How do you upload the results of “CPSIZEME” to Check Point when using a PROXY server with authentication?
A. [expert@HostName]# ./cpsizeme.exe -a username:password@proxy_address:port
B. [expert@HostName]# ./cpsizeme -p username:password@proxy_address:port
C. [expert@HostName]# ./cpsizeme -a username:password@proxy_address:port
D. [expert@HostName]# ./cpsizeme.exe -p username:password@proxy_address:port

Answer: B

Explanation: “-p” is the correct switch to use for a proxy:

If a Proxy is used to access HTTPS servers, then run:
[Expert@HostName]# ./cpsizeme -p PROXY_IP_ADDRESS:PROXY_PORT
If a username and password are required for the Proxy, then run:
[Expert@HostName]# ./cpsizeme -p USERNAME:PASSWORD@PROXY_IP_ADDRESS:PROXY_PORT

QUESTION 42

By default, what happens to the existing connections on a firewall when a new policy is installed?

A. All existing data connections will be kept open until the connections have ended.
B. Existing connections are always allowed
C. All existing control and data connections will be kept open until the connections have ended.
D. All existing connections not allowed under the new policy will be terminated.

Answer: D

QUESTION 43

Which protocol can be used to provide logs to third-party reporting?
A. CPMI (Check Point Management Interface)
B. LEA (Log Export API)
C. AMON (Application Monitoring)
D. ELA (Event Logging API)

Answer: B

Explanation:

The OPSEC LEA (Log Export API) provides the ability to pull logs from a Check Point device based on the OPSEC SDK. OPSEC LEA listens on port tcp/18184 on the device (the OPSEC LEA Server) which holds your logs. Your OPSEC LEA client then connects to 18184 and pulls the logs.

QUESTION 44

Can the smallest appliance handle all Blades simultaneously?
A. Depends on the number of protected clients and throughput.
B. Depends on number of concurrent sessions.
C. Firewall throughput is the only relevant factor.
D. It depends on required SPU for customer environment.

Answer: D

Explanation:

SPU is a newer metric introduced by Check Point to provide more useful information on appliances’ capabilities.

QUESTION 45

The process _______ provides service to access the GAIA configuration database.
A. configdbd
B. confd
C. fwm
D. ipsrd

Answer: B

Explanation:

See here.

QUESTION 46

Which CLI tool helps on verifying proper ClusterXL sync?
A. fw stat
B. fw ctl sync
C. fw ctl pstat
D. cphaprob stat

Answer: C

Explanation: fw ctl pstat outputs the ClusterXL sync statistics.

QUESTION 47

The connection to the ClusterXL member 'A' breaks. The ClusterXL member 'A' status is now 'down'. Afterwards the switch admin sets a port to ClusterXL member 'B' to 'down'. What will happen?
A. ClusterXL member 'B' also leaves the cluster.
B. ClusterXL member 'B' stays active as the last member.
C. Both ClusterXL members share load equally.
D. ClusterXL member 'A' is asked to come back to the cluster.

Answer: B

Explanation:

As B is the last member it will stay active – “Active Attention”.

QUESTION 48

Which command will only show the number of entries in the connection table?
A. fw tab -t connections -s
B. fw tab -t connections -u
C. fw tab -t connections
D. fw tab

Answer: A

Explanation: The “-s” switch shows a summary:

[Expert@gw]# fw tab -t connections -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 67 1893 252

QUESTION 49

Which statements about Management HA are correct?

1) Primary SmartCenter describes first installed SmartCenter
2) Active SmartCenter is always used to administrate with SmartConsole
3) Active SmartCenter describes first installed SmartCenter
4) Primary SmartCenter is always used to administrate with SmartConsole

A. 1 and 4
B. 2 and 3
C. 1 and 2
D. 3 and 4

Answer: C

Explanation: The primary is always the one installed first; administration is done on the active SmartCenter, regardless of whether it is the primary or the secondary.

QUESTION 50

Which process should you debug if SmartDashboard login fails?
A. sdm
B. cpd
C. fwd
D. fwm

Answer: D

Explanation:

fwm is responsible for communication between SmartConsole applications and the Security Management Server. See here.

QUESTION 51

Paul has just joined the MegaCorp security administration team. Natalie, the administrator, creates a new administrator account for Paul in SmartDashboard and installs the policy. When Paul tries to login it fails. How can Natalie verify whether Paul’s IP address is predefined on the security management server?

A. Login to Smart Dashboard, access Properties of the SMS, and verify whether Paul’s IP address is listed.
B. Type cpconfig on the Management Server and select the option “GUI client List” to see if Paul’s IP address is listed.
C. Login in to Smart Dashboard, access Global Properties, and select Security Management, to verify whether Paul’s IP address is listed.
D. Access the WEBUI on the Security Gateway, and verify whether Paul’s IP address is listed as a GUI client.

Answer: B

Explanation:
[Expert@gw]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) Administrator
(3) GUI Clients <-----
....

QUESTION 52

MultiCorp has bought company OmniCorp and now has two active AD domains. How would you deploy Identity Awareness in this environment?
A. You must run an ADquery for every domain.
B. Identity Awareness can only manage one AD domain.
C. Only one ADquery is necessary to ask for all domains.
D. Only Captive Portal can be used.

Answer: A

Explanation:

One query per AD domain is required.

QUESTION 53

Which of the following is the preferred method for adding static routes in GAiA?
A. In the CLI with the command “route add”
B. In Web Portal, under Network Management > IPv4 Static Routes
C. In the CLI via sysconfig
D. In SmartDashboard under Gateway Properties > Topology

Answer: B

Explanation: Preferred administration with Gaia is via the web GUI or clish: A is a Linux (expert) command, sysconfig is deprecated, and there is no routing configuration in SmartDashboard.

QUESTION 54

Which command will erase all CRL’s?
A. vpn crladmin
B. cpstop/cpstart
C. vpn crl_zap
D. vpn flush

Answer: C

Explanation: vpn crl_zap

This command is used to erase all Certificate Revocation Lists (CRLs) from the cache; see the VPN admin guide.

QUESTION 55

Which of the following is NOT an advantage of SmartLog?
A. SmartLog has a “Top Results” pane showing things like top sources, rules, and users.
B. SmartLog displays query results across multiple log files, reducing the need to open previous files to view results.
C. SmartLog requires less disk space by consolidating log entries into fewer records.
D. SmartLog creates an index of log entries, increasing query speed.

[su_spoiler title=”Answer:” style=”default”] C

Explanation: SmartLog builds an index of the log entries to speed up queries, which consumes additional disk space rather than saving it; the other three options are genuine SmartLog features.
[/su_spoiler]

QUESTION 56

Write the full fw command and syntax that you would use to troubleshoot ClusterXL sync issues.

[su_spoiler title=”Answer:” style=”default”] fw ctl pstat [/su_spoiler]

QUESTION 57

Type the full cphaprob command and syntax that will show full synchronization status.

[su_spoiler title=”Answer:” style=”default”] cphaprob -i list

Explanation: Somewhat ambiguous – cphaprob -i list will show a list of all devices, while cphaprob syncstat will show all sync statistics but not necessarily *status*.
[/su_spoiler]

QUESTION 58

Type the full fw command and syntax that will show full synchronization status.

[su_spoiler title=”Answer:” style=”default”] fw ctl pstat [/su_spoiler]

QUESTION 59

Type the full fw command and syntax that allows you to disable only sync on a cluster firewall member.

[su_spoiler title=”Answer:” style=”default”] fw ctl setsync off

Explanation: fw ctl setsync off and fw ctl setsync on turn sync off and on respectively. [/su_spoiler]

QUESTION 60

Type the command and syntax you would use to verify that your Check Point cluster is functioning correctly.

[su_spoiler title=”Answer:” style=”default”] cphaprob state [/su_spoiler]

CCSE Revision Questions 156-315.77 – Part 3

This entry is part 3 of 3 in the series CCSE Revision Questions 156-315.77

QUESTION 61

Type the command and syntax that you would use to view the virtual cluster interfaces of a ClusterXL environment.

[su_spoiler title=”Answer:” style=”default”] cphaprob -a if [/su_spoiler]

QUESTION 62

Type the command and syntax to view critical devices on a cluster member in a ClusterXL environment.

[su_spoiler title=”Answer:” style=”default”] cphaprob -ia list [/su_spoiler]

QUESTION 63

Type the command and syntax to configure the Cluster Control Protocol (CCP) to use Broadcast.

[su_spoiler title=”Answer:” style=”default”] cphaconf set_ccp broadcast [/su_spoiler]

QUESTION 64

Fill in the blank. In New Mode HA, the internal cluster IP VIP address is 10.4.8.3. The internal interfaces on two members are 10.4.8.1 and 10.4.8.2. Internal host 10.4.8.108 pings 10.4.8.3, and receives replies.

Review the ARP table from the internal Windows host 10.4.8.108. According to the output, which member is the standby machine?

[su_spoiler title=”Answer:” style=”default”] 10.4.8.1 [/su_spoiler]

QUESTION 65

Fill in the blank. In New Mode HA, the internal cluster IP VIP address is 10.4.8.3. An internal host 10.4.8.108 successfully pings its Cluster and receives replies. Review the ARP table from the internal Windows host 10.4.8.108. Based on this information, what is the active cluster member’s IP address?

[su_spoiler title=”Answer:” style=”default”] 10.4.8.2 [/su_spoiler]

QUESTION 66

Fill in the blank. In Load Sharing Unicast mode, the internal cluster IP address is 10.4.8.3. The internal interfaces on two members are 10.4.8.1 and 10.4.8.2. Internal host 10.4.8.108 pings 10.4.8.3, and receives replies. The following is the ARP table from the internal Windows host 10.4.8.108. Review the exhibit and type the IP address of the member serving as the pivot machine in the space below.

[su_spoiler title=”Answer:” style=”default”] 10.4.8.2

C:\>arp -a
Interface: 10.4.8.108 on interface 0x4

Internet Address    Physical Address     Type
10.4.8.1            00-b0-d0-b7-b5-d5    dynamic
10.4.8.2            00-01-03-34-e3-9d    dynamic
10.4.8.3            00-01-03-34-e3-9d    dynamic
[/su_spoiler]
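Questions 64 to 66 all turn on the same observation: the cluster VIP is answered by exactly one member at a time (the active member in New Mode HA, the pivot in Load Sharing Unicast), so the VIP's MAC in the host's ARP cache matches that member's physical MAC. The following script is an added example, not part of the original post; the ARP text inside it is a constructed sample in the shape of the question 66 exhibit, and the function and variable names are my own.

```python
"""Identify which ClusterXL member currently answers for the cluster VIP
by matching the VIP's MAC address against the members' MACs in a Windows
host's `arp -a` output. Added example; not Check Point code."""
import re

# Constructed sample modelled on the exhibit in question 66 (not a capture).
ARP_OUTPUT = """\
Interface: 10.4.8.108 --- 0x4
  Internet Address      Physical Address      Type
  10.4.8.1              00-b0-d0-b7-b5-d5     dynamic
  10.4.8.2              00-01-03-34-e3-9d     dynamic
  10.4.8.3              00-01-03-34-e3-9d     dynamic
"""

# One ARP entry: IPv4 address, Windows-style dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp(text):
    """Return {ip: mac} for every entry line; header/interface lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def vip_owner(arp_text, vip, members):
    """Return (owner_ip, other_member_ips) for the member whose MAC the VIP maps to.

    Raises ValueError if the VIP is not cached or its MAC matches no single
    member (for example in Load Sharing Multicast, where the VIP resolves to a
    multicast MAC that belongs to no individual member)."""
    table = parse_arp(arp_text)
    vip_mac = table.get(vip)
    if vip_mac is None:
        raise ValueError(f"VIP {vip} not present in ARP cache")
    owners = [ip for ip in members if table.get(ip) == vip_mac]
    if len(owners) != 1:
        raise ValueError(f"VIP MAC {vip_mac} matches {owners}; expected exactly one member")
    owner = owners[0]
    return owner, [ip for ip in members if ip != owner]


if __name__ == "__main__":
    owner, others = vip_owner(ARP_OUTPUT, "10.4.8.3", ["10.4.8.1", "10.4.8.2"])
    print(f"VIP 10.4.8.3 is answered by {owner}; remaining member(s): {others}")
```

On the sample above this reports 10.4.8.2 as the owner (the pivot in question 66, the active member in question 65) and 10.4.8.1 as the other member (the standby in question 64).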

QUESTION 67

To stop acceleration on a GAiA Security Gateway, enter the command:

[su_spoiler title=”Answer:” style=”default”] fwaccel off [/su_spoiler]

QUESTION 68

To bind a NIC to a single processor when using CoreXL on GAiA, you would use the command

[su_spoiler title=”Answer:” style=”default”] sim affinity [/su_spoiler]