CCSE Revision Questions 156-315.77 – Part 2

This entry is part 2 of 3 in the series CCSE Revision Questions 156-315.77

CCSE Revision Questions 156-315.77 – Part 2

This is the next post in the series, following on from the first CCSE Revision Questions article. Without further ado, let’s get stuck in:


If your firewall is performing a lot of IPS inspection and the CPUs assigned to fw_worker_thread are at or near 100%, which of the following could you do to improve performance?

A. Add more RAM to the system.
B. Add more Disk Drives.
C. Assign more CPU cores to CoreXL
D. Assign more CPU cores to SecureXL.

[su_spoiler title=”Answer:” style=”default”] C

Explanation: By adding more cores you will reduce the load on existing cores. Do this using cpconfig:

From a command line on the gateway, run: cpconfig.
The configuration menu shows.
Enter option 8: Configure Check Point CoreXL.



Which of the following CLISH commands would you use to set the admin user’s shell to bash?
A. set user admin shell bash
B. set user admin shell /bin/bash
C. set user admin shell = /bin/bash
D. set user admin /bin/bash

[su_spoiler title=”Answer:” style=”default”] B


See here for details.



What is Check Point’s CoreXL?
A. A way to synchronize connections across cluster members
B. TCP-18190
C. Multiple core interfaces on the device to accelerate traffic
D. Multi Core support for Firewall Inspection

[su_spoiler title=”Answer:” style=”default”] D

Explanation: CoreXL is a performance-enhancing technology for Security Gateways on multi-core processing platforms. CoreXL enhances Security Gateway performance by enabling the processing cores to concurrently perform multiple tasks.




Does Check Point recommend generating an upgrade_export on standby SmartCenters?
A. Yes. This is the only way to get the upgrade_export
B. No. All Check Point processes are stopped.
C. No. There is no way to verify the actual configuration.
D. Yes. All information is available at both SmartCenters.

[su_spoiler title=”Answer:” style=”default”] C




The challenges to IT involve deployment, security, management, and what else?

A. Assessments
B. Maintenance
C. Transparency
D. Compliance

[su_spoiler title=”Answer:” style=”default”] D

Explanation: An ambiguous question; compliance is certainly important from a security perspective though



What is the correct policy installation process order?

1. Verification
2. Code generation and compilation
3. Initiation
4. Commit
5. Conversion

A. 1, 2, 3, 4, 5, 6
B. 3, 1, 5, 2, 6, 4
C. 4, 2, 3, 5, 6, 1
D. 6, 5, 4, 3, 2, 1

[su_spoiler title=”Answer:” style=”default”] B


The answer B is correct assuming:

* verification refers to the viability of the policy and not the integrity of the policy file which is transferred to the gateway for installation
* we ignore “conversion” as it is not mentioned in any checkpoint docs

See here for the actual process.



What is the offline CPSIZEME upload procedure?
A. Find the cpsizeme_of_<gwname>.pdf, attach it to an e-mail and send it to
B. Use the webbrowser version of cpsizeme and fax it to Check Point.
C. Find the cpsizeme_of_<gwname>.xml, attach it to an e-mail and send it to
D. There is no offline upload method.

[su_spoiler title=”Answer:” style=”default”] C


From sk88160:

The ‘cpsizeme’ is a lightweight shell script that produces a detailed performance report of Check Point Security Gateway. This script measures the ongoing resource utilization on Security Gateway during the given time period (refer to “Running ‘cpsizeme'” section). During this period, the script gathers information about CPU, memory consumption, throughput and few other important performance parameters.

This script allows to automatically upload the collected raw performance data securely to Check Point servers. If an e-mail address was provided, then after getting the raw performance data, a PDF report will be sent to that e-mail address.

Offline upload procedure – If the Security Gateway does not have connectivity to Check Point servers, you can upload the data via e-mail:


  • Locate the cpsizeme output XML file on the Security Gateway. Run:
    [Expert@HostName]# ./cpsizeme -S
  • Select option 5 ‘Show location of generated files’.
  • Transfer the cpsizeme output XML file from the Security Gateway to your computer.
  • Attach the cpsizeme output XML file to an e-mail.
  • Send the e-mail to the following e-mail address:
  • You will receive an e-mail from with attached PDF report within 1 hour.



How frequently does CPSIZEME run by default?
A. weekly
B. 12 hours
C. 24 hours
D. 1 hour

[su_spoiler title=”Answer:” style=”default”] C

Explanation: From the sk:

To run the script with default parameters:
[Expert@HostName]# ./cpsizeme
By default, the script will run for 24 hours.


How do you run “CPSIZEME” on SPLAT?
A. [expert@HostName]#>./cpsizeme -h
B. [expert@HostName]# ./cpsizeme -R
C. This is not possible on SPLAT
D. [expert@HostName]# ./cpsizeme

[su_spoiler title=”Answer:” style=”default”] D

Explanation: As previous question:
To run the script with default parameters:
[Expert@HostName]# ./cpsizeme


How do you check the version of “CPSIZEME” on GAiA?
A. [expert@HostName]# ./cpsizeme.exe
B. [expert@HostName]# ./cpsizeme.exe version
C. [expert@HostName]# ./cpsizeme -V
D. [expert@HostName]# ./cpsizeme version

[su_spoiler title=”Answer:” style=”default”] C

Explanation: A and C are .exe – this refers to a Gaia installation. The correct switch is “-V”


How do you upload the results of “CPSIZEME” to Check Point when using a PROXY server with authentication?
A. [expert@HostName]# ./cpsizeme.exe -a username:password@proxy_address:port
B. [expert@HostName]# ./cpsizeme -p username:password@proxy_address:port
C. [expert@HostName]# ./cpsizeme -a username:password@proxy_address:port
D. [expert@HostName]# ./cpsizeme.exe -p username:password@proxy_address:port

[su_spoiler title=”Answer:” style=”default”] B

Explanation: “-p” is the correct switch to use for a proxy:

If a Proxy is used to access HTTPS servers, then run:
[Expert@HostName]# ./cpsizeme -p PROXY_IP_ADDRESS:PROXY_PORT
If a username and password are required for the Proxy, then run:


By default, what happens to the existing connections on a firewall when a new policy is installed?

A. All existing data connections will be kept open until the connections have ended.
B. Existing connections are always allowed
C. All existing control and data connections will be kept open until the connections have ended.
D. All existing connections not allowed under the new policy will be terminated.

[su_spoiler title=”Answer:” style=”default”] D


Which protocol can be used to provide logs to third-party reporting?
A. CPMI (Check Point Management Interface)
B. LEA (Log Export API)
C. AMON (Application Monitoring)
D. ELA (Event Logging API)

[su_spoiler title=”Answer:” style=”default”] B


The OPSEC LEA (Log Export API) provides the ability to pull logs from a Check Point device based on the OPSEC SDK. OPSEC LEA listens on port tcp/18184 on the device (OPSEC LEA Server) which will contain your logs. Your OPSEC LEA Client will then connect into 18184 and pull the logs.


Can the smallest appliance handle all Blades simultaneously?
A. Depends on the number of protected clients and throughput.
B. Depends on number of concurrent sessions.
C. Firewall throughput is the only relevant factor.
D. It depends on required SPU for customer environment.

[su_spoiler title=”Answer:” style=”default”] D


SPU is a new metric introduced by Checkpoint to provide more useful information on appliances’ capabilities.


The process _______ provides service to access the GAIA configuration database.
A. configdbd
B. confd
C. fwm
D. ipsrd

[su_spoiler title=”Answer:” style=”default”] B


See here


Which CLI tool helps on verifying proper ClusterXL sync?
A. fw stat
B. fw ctl sync
C. fw ctl pstat
D. cphaprob stat

[su_spoiler title=”Answer:” style=”default”] C

Explanation: fw ctl pstat outputs the ClusterXL sync statistics.


The connection to the ClusterXL member `A’ breaks. The ClusterXL member `A’ status is now `down’. Afterwards the switch admin set a port to ClusterXL member `B’ to `down’. What will happen?
A. ClusterXL member `B’ also left the cluster.
B. ClusterXL member `B’ stays active as last member.
C. Both ClusterXL members share load equally.
D. ClusterXL member `A’ is asked to come back to cluster.

[su_spoiler title=”Answer:” style=”default”] B


As B is the last member it will stay active – “Active Attention”


Which command will only show the number of entries in the connection table?
A. fw tab -t connections -s
B. fw tab -t connections -u
C. fw tab -t connections
D. fw tab

[su_spoiler title=”Answer:” style=”default”] A

Explanation: The “-s” switch shows a summary:

[Expert@gw]# fw tab -t connections -s
localhost connections 8158 67 1893 252



Which statements about Management HA are correct?

1) Primary SmartCenter describes first installed SmartCenter
2) Active SmartCenter is always used to administrate with SmartConsole
3) Active SmartCenter describes first installed SmartCenter
4) Primary SmartCenter is always used to administrate with SmartConsole

A. 1 and 4
B. 2 and 3
C. 1 and 2
D. 3 and 4

[su_spoiler title=”Anwer:” style=”default”] C

Explanation: Primary is always installed first, administration is done on the active smartcentre, irrelevant of whether primary or secondary.


Which process should you debug if SmartDashboard login fails?
A. sdm
B. cpd
C. fwd
D. fwm

[su_spoiler title=”Answer:” style=”default”] D


fwm is responsible for communication between SmartConsole applications and Security Management Server. See here.



Paul has just joined the MegaCorp security administration team. Natalie, the administrator, creates a new administrator account for Paul in SmartDashboard and installs the policy. When Paul tries to login it fails. How can Natalie verify whether Paul’s IP address is predefined on the security management server?

A. Login to Smart Dashboard, access Properties of the SMS, and verify whether Paul’s IP address is listed.
B. Type cpconfig on the Management Server and select the option “GUI client List” to see if Paul’s IP address is listed.
C. Login in to Smart Dashboard, access Global Properties, and select Security Management, to verify whether Paul’s IP address is listed.
D. Access the WEBUI on the Security Gateway, and verify whether Paul’s IP address is listed as a GUI client.

[su_spoiler title=”Answer:” style=”default”] B

[Expert@gw]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
(1) Licenses and contracts
(2) Administrator
(3) GUI Clients <----- .... [/su_spoiler]


MultiCorp has bought company OmniCorp and now has two active AD domains. How would you deploy Identity Awareness in this environment?
A. You must run an ADquery for every domain.
B. Identity Awareness can only manage one AD domain.
C. Only one ADquery is necessary to ask for all domains.
D. Only Captive Portal can be used.

[su_spoiler title=”Answer:” style=”default”] A


One query per AD domain is required.


Which of the following is the preferred method for adding static routes in GAiA?
A. In the CLI with the command “route add”
B. In Web Portal, under Network Management > IPv4 Static Routes
C. In the CLI via sysconfig
D. In SmartDashboard under Gateway Properties > Topology

[su_spoiler title=”Answer:” style=”default”] B

Explanation: Preferred administration with Gaia is via web gui or clish: A is a linux (expert) command, sysconfig is deprecated and there is no routing config in dashboard.


Which command will erase all CRL’s?
A. vpn crladmin
B. cpstop/cpstart
C. vpn crl_zap
D. vpn flush

[su_spoiler title=”Answer:” style=”default”] C

Explanation: vpn crl_zap

This command is used to erase all Certificate Revocation Lists (CRLs) from the cache, see the VPN admin guide.


Which of the following is NOT an advantage of SmartLog?
A. SmartLog has a “Top Results” pane showing things like top sources, rules, and users.
B. SmartLog displays query results across multiple log files, reducing the need to open previous files to view results.
C. SmartLog requires less disk space by consolidating log entries into fewer records.
D. SmartLog creates an index of log entries, increasing query speed.

[su_spoiler title=”Answer:” style=”default”] C

Explanation: See here for details.


Write the full fw command and syntax that you would use to troubleshoot ClusterXL sync issues.

[su_spoiler title=”Answer:” style=”default”] fw ctl pstat [/su_spoiler]


Type the full cphaprob command and syntax that will show full synchronization status.

[su_spoiler title=”Answer:” style=”default”] cphaprob -i list

Explanation: Somewhat ambiguous – cphaprob -i list will show a list of all devices, cphaprob synstat will show all statistics but not necessarily *status*


Type the full fw command and syntax that will show full synchronization status.

[su_spoiler title=”Answer:” style=”default”] fw ctl pstat [/su_spoiler]


Type the full fw command and syntax that allows you to disable only sync on a cluster firewall member.

[su_spoiler title=”Answer:” style=”default”] fw ctl setsync off [/su_spoiler]

Explanation: fw ctl setsync off and fw ctl setsync on will turn sync off and on respectively [/su_spoiler]


Type the command and syntax you would use to verify that your Check Point cluster is functioning correctly.

[su_spoiler title=”Answer:” style=”default”] cphaprob state [/su_spoiler]