What is the port used for SmartConsole to connect to the Security Management Server:
- A . CPMI port 18191/TCP
- B . CPM port / TCP port 19009
- C . SIC port 18191/TCP
- D . https port 4434/TCP
Which is the correct order of a log flow processed by SmartEvents components:
- A . Firewall > Correlation Unit > Log Server > SmartEvent Server Database > SmartEvent Client
- B . Firewall > SmartEvent Server Database > Correlation unit > Log Server > SmartEvent Client
- C . Firewall > Log Server > SmartEvent Server Database > Correlation Unit > SmartEvent Client
- D . Firewall > Log Server > Correlation Unit > SmartEvent Server Database > SmartEvent Client
In SmartEvent, what are the different types of automatic reactions that the administrator can configure?
- A . Mail, Block Source, Block Event Activity, External Script, SNMP Trap
- B . Mail, Block Source, Block Destination, Block Services, SNMP Trap
- C . Mail, Block Source, Block Destination, External Script, SNMP Trap
- D . Mail, Block Source, Block Event Activity, Packet Capture, SNMP Trap
A
Explanation:
These are the types of Automatic Reactions:
– Mail – tell an administrator by email that the event occurred. See Create a Mail Reaction.
– Block Source – instruct the Security Gateway to block the source IP address from which this event was detected for a configurable period of time. Select a period of time from one minute to more than three weeks. See Create a Block Source Reaction.
– Block Event activity – instruct the Security Gateway to block a distributed attack that emanates from multiple sources, or attacks multiple destinations, for a configurable period of time. Select a period of time from one minute to more than three weeks. See Create a Block Event Activity Reaction.
– External Script – run a script that you provide. See Creating an External Script Automatic Reaction to write a script that can exploit SmartEvent data.
– SNMP Trap – generate an SNMP Trap. See Create an SNMP Trap Reaction.
Reference: https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?topic=documents/R80/CP_R80_LoggingAndMonitoring/131915
Which components allow you to reset a VPN tunnel?
- A . vpn tu command or SmartView Monitor
- B . delete vpn ike sa or vpn shell command
- C . vpn tunnelutil or delete vpn ike sa command
- D . SmartView monitor only
When synchronizing clusters, which of the following statements is FALSE?
- A . The state of connections using resources is maintained in a Security Server, so their connections cannot be synchronized.
- B . Only cluster members running on the same OS platform can be synchronized.
- C . In the case of a failover, accounting information on the failed member may be lost despite a properly working synchronization.
- D . Client Authentication or Session Authentication connections through a cluster member will be lost if the cluster member fails.
Which of the following is a new R80.10 Gateway feature that had not been available in R77.X and older?
- A . The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence.
- B . Limits the upload and download throughput for streaming media in the company to 1 Gbps.
- C . Time object to a rule to make the rule active only during specified times.
- D . Sub Policies are sets of rules that can be created and attached to specific rules. If the rule is matched, inspection will continue in the sub policy attached to it rather than in the next rule
A
Explanation:
Reference: http://slideplayer.com/slide/12183998/
In R80.10, how do you manage your Mobile Access Policy?
- A . Through the Unified Policy
- B . Through the Mobile Console
- C . From SmartDashboard
- D . From the Dedicated Mobility Tab
C
Explanation:
Reference: http://dl3.checkpoint.com/paid/f7/f78b067c6838c747e1568f139b6e6e8d/CP_R80.10_MobileAccess_AdminGuide.pdf?HashKey=1522170407_805ae0a295fd6664fa23700cc1482686&xtn=.pdf
You find one of your cluster gateways showing “Down” when you run the “cphaprob stat” command. You then run the “clusterXL_admin up” on the down member but unfortunately the member continues to show down.
What command do you run to determine the case?
- A . cphaprob -f register
- B . cphaprob -d -s report
- C . cpstat -f all
- D . cphaprob -a list
D
Explanation:
Reference: http://dl3.checkpoint.com/paid/63/6357d81e3b75b5a09a422d715c3b3d79/CP_R80.10_ClusterXL_AdminGuide.pdf?HashKey=1522170580_c51bd784a86600b5f6141c0f1a6322fd&xtn=.pdf
SandBlast offers flexibility in implementation based on each customer's individual business needs.
What is an option for deployment of Check Point SandBlast Zero-Day Protection?
- A . Smart Cloud Services
- B . Load Sharing Mode Services
- C . Threat Agent Solution
- D . Public Cloud Services
C
Explanation:
Reference: https://www.checkpoint.com/products/threat-emulation-sandboxing/
Which of the following is NOT a valid way to view interface’s IP address settings in Gaia?
- A . Using the command ethtool in Expert Mode
- B . Viewing the file /config/active
- C . Via the Gaia WebUI
- D . Via the command show configuration in CLISH
Check Point recommends configuring Disk Space Management parameters to delete old log entities when available disk space is less than or equal to?
- A . 50%
- B . 75%
- C . 80%
- D . 15%
What API command below creates a new host with the name “New Host” and IP address of “192.168.0.10”?
- A . new host name “New Host” ip-address “192.168.0.10”
- B . set host name “New Host” ip-address “192.168.0.10”
- C . create host name “New Host” ip-address “192.168.0.10”
- D . add host name “New Host” ip-address “192.168.0.10”
D
Explanation:
Sample Command with SmartConsole CLI
You can use the add host command to create a new host and then publish the changes.
> add host name "Sample_Host" ip-address "192.0.2.3"
> publish
Reference: http://dl3.checkpoint.com/paid/29/29532b9eec50d0a947719ae631f640d0/CP_R80_CheckPoint_API_ReferenceGuide.pdf?HashKey=1522171823_f53d2a32a77bde441b88d53824dcb893&xtn=.pdf
What are types of Check Point APIs available currently as part of R80.10 code?
- A . Security Gateway API, Management API, Threat Prevention API and Identity Awareness Web Services API
- B . Management API, Threat Prevention API, Identity Awareness Web Services API and OPSEC SDK API
- C . OSE API, OPSEC SDK API, Threat Extraction API and Policy Editor API
- D . CPMI API, Management API, Threat Prevention API and Identity Awareness Web Services API
B
Explanation:
Reference: http://dl3.checkpoint.com/paid/29/29532b9eec50d0a947719ae631f640d0/CP_R80_CheckPoint_API_ReferenceGuide.pdf?HashKey=1522171994_d7bae71a861bbc54c18c61420e586d77&xtn=.pdf
Which of the following is NOT an internal/native Check Point command?
- A . fwaccel on
- B . fw ctl debug
- C . tcpdump
- D . cphaprob
What is the SandBlast Agent designed to do?
- A . Performs OS-level sandboxing for SandBlast Cloud architecture
- B . Ensure the Check Point SandBlast services is running on the end user’s system
- C . If malware enters an end user’s system, the SandBlast Agent prevents the malware from spreading within the network
- D . Clean up email sent with malicious attachments.
C
Explanation:
Reference: https://www.checkpoint.com/downloads/product-related/datasheets/ds-sandblast-agent.pdf
The SmartEvent R80 Web application for real-time event monitoring is called:
- A . SmartView Monitor
- B . SmartEventWeb
- C . There is no Web application for SmartEvent
- D . SmartView
A
Explanation:
Reference: https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm?topic=documents/R80/CP_R80_LoggingAndMonitoring/120829
What Shell is required in Gaia to use WinSCP?
- A . UNIX
- B . CPShell
- C . CLISH
- D . Bash
D
Explanation:
Reference: https://winscp.net/eng/docs/ui_login_scp
Which one of the following is true about Threat Emulation?
- A . Takes less than a second to complete
- B . Works on MS Office and PDF files only
- C . Always delivers a file
- D . Takes minutes to complete (less than 3 minutes)
What are the minimum open server hardware requirements for a Security Management Server/Standalone in R80.10?
- A . 2 CPU cores, 4GB of RAM and 15GB of disk space
- B . 8 CPU cores, 16GB of RAM and 500 GB of disk space
- C . 4 CPU cores, 8GB of RAM and 500GB of disk space
- D . 8 CPU cores, 32GB of RAM and 1 TB of disk space
C
Explanation:
Reference: http://dl3.checkpoint.com/paid/db/dbf0aa7672f1dd6031e6096b40510674/CP_R80.10_ReleaseNotes.pdf?HashKey=1522175073_c4e7fc63c894ad28b3fbe49f9430c023&xtn=.pdf page 16
The “MAC magic” value must be modified under the following condition:
- A . There is more than one cluster connected to the same VLAN
- B . A firewall cluster is configured to use Multicast for CCP traffic
- C . There are more than two members in a firewall cluster
- D . A firewall cluster is configured to use Broadcast for CCP traffic
D
Explanation:
Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25977
The Correlation Unit performs all but which of the following actions:
- A . Marks logs that individually are not events, but may be part of a larger pattern to be identified later
- B . Generates an event based on the Event policy
- C . Assigns a severity level to the event
- D . Takes a new log entry that is part of a group of items that together make up an event, and adds it to an ongoing event
The following command is used to verify the CPUSE version:
- A . HostName:0>show installer status build
- B . [Expert@HostName:0]#show installer status
- C . [Expert@HostName:0]#show installer status build
- D . HostName:0>show installer build
A
Explanation:
Reference: http://dkcheckpoint.blogspot.com/2017/11/how-to-fix-deployment-agent-issues.html
Which statement is true regarding redundancy?
- A . System Administrators know when their cluster has failed over and can also see why it failed over by using the cphaprob -f if command.
- B . ClusterXL offers three different Load Sharing solutions: Unicast, Broadcast, and Multicast.
- C . Machines in a Cluster XL High Availability configuration must be synchronized.
- D . Both Cluster XL and VRRP are fully supported by Gaia and available to all Check Point appliances, open servers, and virtualized environments.
D
Explanation:
Reference: https://www.checkpoint.com/download/public-files/gaia-technical-brief.pdf page 5
Vanessa is expecting a very important Security Report. The document should be sent as an attachment via e-mail. An e-mail with a Security_report.pdf file was delivered to her e-mail inbox. When she opened the PDF file, she noticed that the file is basically empty and only a few lines of text are in it. The report is missing some graphs, tables and links.
Which component of SandBlast protection is her company using on a Gateway?
- A . SandBlast Threat Emulation
- B . SandBlast Agent
- C . Check Point Protect
- D . SandBlast Threat Extraction
Which command collects diagnostic data for analyzing customer setup remotely?
- A . cpinfo
- B . migrate export
- C . sysinfo
- D . cpview
A
Explanation:
CPInfo is an auto-updatable utility that collects diagnostics data on a customer’s machine at the time of execution and uploads it to Check Point servers (it replaces the standalone cp_uploader utility for uploading files to Check Point servers). The CPInfo output file allows analyzing customer setups from a remote location. Check Point support engineers can open the CPInfo file in a demo mode, while viewing actual customer Security Policies and Objects. This allows the in-depth analysis of customer’s configuration and environment settings.
Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92739
When deploying multiple clustered firewalls on the same subnet, what does the firewall administrator need to configure to prevent CCP broadcasts being sent to the wrong cluster?
- A . Set the fwha_mac_magic_forward parameter in the $CPDIR/boot/modules/ha_boot.conf file
- B . Set the fwha_mac_magic parameter in the $FWDIR/boot/fwkern.conf file
- C . Set the cluster global ID using the command “cphaconf cluster_id set <value>”
- D . Set the cluster global ID using the command “fw ctl set cluster_id <value>”
C
Explanation:
Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25977
Which of these options is an implicit MEP option?
- A . Primary-backup
- B . Source address based
- C . Round robin
- D . Load Sharing
A
Explanation:
There are three methods to implement implicit MEP:
– First to Respond, in which the first Security Gateway to reply to the peer Security Gateway is chosen. An organization would choose this option if, for example, the organization has two Security Gateways in a MEP configuration – one in London, the other in New York. It makes sense for VPN-1 peers located in England to try the London Security Gateway first and the NY Security Gateway second. Being geographically closer to VPN peers in England, the London Security Gateway is the first to respond, and becomes the entry point to the internal network. See: First to Respond.
– Primary-Backup, in which one or multiple backup Security Gateways provide "high availability" for a primary Security Gateway. The remote peer is configured to work with the primary Security Gateway, but switches to the backup Security Gateway if the primary goes down. An organization might decide to use this configuration if it has two machines in a MEP environment, one of which is stronger than the other. It makes sense to configure the stronger machine as the primary. Or perhaps both machines are the same in terms of strength of performance, but one has a cheaper or faster connection to the Internet. In this case, the machine with the better Internet connection should be configured as the primary. See: Primary-Backup Security Gateways.
– Load Distribution, in which the remote VPN peer randomly selects a Security Gateway with which to open a connection. For each IP source/destination address pair, a new Security Gateway is randomly selected. An organization might have a number of machines with equal performance abilities. In this case, it makes sense to enable load distribution. The machines are used in a random and equal way. See: Random Selection.
Reference: https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/13812.htm
John detected high load on the sync interface.
Which is the most recommended solution?
- A . For short connections like the http service - delay sync for 2 seconds
- B . Add a second interface to handle sync traffic
- C . For short connections like the http service - do not sync
- D . For short connections like the icmp service - delay sync for 2 seconds
What is the SOLR database for?
- A . Used for full text search and enables powerful matching capabilities
- B . Writes data to the database and full text search
- C . Serves the GUI, responsible for transferring requests to the DLE server
- D . Enables powerful matching capabilities and writes data to the database
What is a feature that enables VPN connections to successfully maintain a private and secure VPN session without employing Stateful Inspection?
- A . Stateful Mode
- B . VPN Routing Mode
- C . Wire Mode
- D . Stateless Mode
C
Explanation:
Wire Mode is a VPN-1 NGX feature that enables VPN connections to successfully fail over, bypassing Security Gateway enforcement. This improves performance and reduces downtime. Based on a trusted source and destination, Wire Mode uses internal interfaces and VPN Communities to maintain a private and secure VPN session, without employing Stateful Inspection. Since Stateful Inspection no longer takes place, dynamic-routing protocols that do not survive state verification in non-Wire Mode configurations can now be deployed. The VPN connection is no different from any other connections along a dedicated wire, thus the meaning of "Wire Mode".
Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk30974
On R80.10 the IPS Blade is managed by:
- A . Threat Protection policy
- B . Anti-Bot Blade
- C . Threat Prevention policy
- D . Layers on Firewall policy
A
Explanation:
Reference: https://www.checkpoint.com/downloads/product-related/r80.10-mgmt-architecture-overview.pdf very top of last page.
Which packet info is ignored with Session Rate Acceleration?
- A . source port ranges
- B . source ip
- C . source port
- D . same info from Packet Acceleration is used
C
Explanation:
Reference: http://trlj.blogspot.com/2015/10/check-point-acceleration.html
What is the purpose of Priority Delta in VRRP?
- A . When a box is up, Effective Priority = Priority + Priority Delta
- B . When an Interface is up, Effective Priority = Priority + Priority Delta
- C . When an Interface fails, Effective Priority = Priority - Priority Delta
- D . When a box fails, Effective Priority = Priority - Priority Delta
C
Explanation:
Each instance of VRRP running on a supported interface may monitor the link state of other interfaces. The monitored interfaces do not have to be running VRRP. If a monitored interface loses its link state, then VRRP will decrement its priority over a VRID by the specified delta value and then will send out a new VRRP HELLO packet. If the new effective priority is less than the priority a backup platform has, then the backup platform will begin to send out its own HELLO packet. Once the master sees this packet with a priority greater than its own, it releases the VIP.
Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk38524
What is the purpose of a SmartEvent Correlation Unit?
- A . The SmartEvent Correlation Unit is designed to check the connection reliability from SmartConsole to the SmartEvent Server
- B . The SmartEvent Correlation Unit’s task is to assign severity levels to the identified events.
- C . The Correlation unit role is to evaluate logs from the log server component to identify patterns/threats and convert them to events.
- D . The SmartEvent Correlation Unit is designed to check the availability of the SmartReporter Server
The CDT utility supports which of the following?
- A . Major version upgrades to R77.30
- B . Only Jumbo HFA’s and hotfixes
- C . Only major version upgrades to R80.10
- D . All upgrades
D
Explanation:
The Central Deployment Tool (CDT) is a utility that runs on an R77 / R77.X / R80 / R80.10 Security Management Server / Multi-Domain Security Management Server (running Gaia OS).
It allows the administrator to automatically install CPUSE Offline packages (Hotfixes, Jumbo Hotfix Accumulators (Bundles), Upgrade to a Minor Version, Upgrade to a Major Version) on multiple managed Security Gateways and Cluster Members at the same time.
Reference: https://community.checkpoint.com/thread/5319-my-top-3-check-point-cli-commands
The Firewall kernel is replicated multiple times, therefore:
- A . The Firewall kernel only touches the packet if the connection is accelerated
- B . The Firewall can run different policies per core
- C . The Firewall kernel is replicated only with new connections and deletes itself once the connection times out
- D . The Firewall can run the same policy on all cores
D
Explanation:
On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated copy, or instance, runs on one processing core. These instances handle traffic concurrently, and each instance is a complete and independent inspection kernel. When CoreXL is enabled, all the kernel instances in the Security Gateway process traffic through the same interfaces and apply the same security policy.
Reference: https://sc1.checkpoint.com/documents/R77/CP_R77_PerformanceTuning_WebAdmin/6731.htm
Sticky Decision Function (SDF) is required to prevent which of the following? Assume you set up an Active-Active cluster.
- A . Symmetric routing
- B . Failovers
- C . Asymmetric routing
- D . Anti-Spoofing
Which is not a blade option when configuring SmartEvent?
- A . Correlation Unit
- B . SmartEvent Unit
- C . SmartEvent Server
- D . Log Server
B
Explanation:
On the Management tab, enable these Software Blades:
– Logging & Status
– SmartEvent Server
– SmartEvent Correlation Unit
Reference: https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/ html_frameset.htm?topic=documents/R80/CP_R80_LoggingAndMonitoring/120829
What command would show the API server status?
- A . cpm status
- B . api restart
- C . api status
- D . show api status
C
Explanation:
Reference: https://www.hurricanelabs.com/blog/check-point-api-merging-management-servers-with-r80-10
You noticed that CPU cores on the Security Gateway are usually 100% utilized and many packets were dropped. You don’t have a budget to perform a hardware upgrade at this time. To optimize drops you decide to use Priority Queues and fully enable Dynamic Dispatcher.
How can you enable them?
- A . fw ctl multik dynamic_dispatching on
- B . fw ctl multik dynamic_dispatching set_mode 9
- C . fw ctl multik set_mode 9
- D . fw ctl multik pq enable
C
Explanation:
To fully enable the CoreXL Dynamic Dispatcher on Security Gateway:
You have existing dbedit scripts from R77. Can you use them with R80.10?
- A . dbedit is not supported in R80.10
- B . dbedit is fully supported in R80.10
- C . You can use dbedit to modify threat prevention or access policies, but not create or modify layers
- D . dbedit scripts are being replaced by mgmt_cli in R80.10
D
Explanation:
dbedit (or GuiDbEdit) uses the cpmi protocol which is gradually being replaced by the new R80.10 automation architecture. cpmi clients are still supported in R80.10, but there are some functionalities that cannot be managed by cpmi anymore. For example, the Access and Threat policies do not have a cpmi representation. They can be managed only by the new mgmt_cli and not by cpmi clients. There are still many tables that have an inner cpmi representation (for example, network objects, services, servers, and global properties) and can still be managed using cpmi.
Reference: https://www.checkpoint.com/downloads/product-related/r80.10-mgmt-architecture-overview.pdf
SecureXL improves non-encrypted firewall traffic throughput and encrypted VPN traffic throughput.
- A . This statement is true because SecureXL does improve all traffic
- B . This statement is false because SecureXL does not improve this traffic but CoreXL does
- C . This statement is true because SecureXL does improve this traffic
- D . This statement is false because encrypted traffic cannot be inspected
C
Explanation:
SecureXL improved non-encrypted firewall traffic throughput, and encrypted VPN traffic throughput, by nearly an order of magnitude, particularly for small packets flowing in long-duration connections.
Reference: https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/10001/FILE/SecureXL_and_Nokia_IPSO_White_Paper_20080401.pdf
What are the three components for Check Point Capsule?
- A . Capsule Docs, Capsule Cloud, Capsule Connect
- B . Capsule Workspace, Capsule Cloud, Capsule Connect
- C . Capsule Workspace, Capsule Docs, Capsule Connect
- D . Capsule Workspace, Capsule Docs, Capsule Cloud
D
Explanation:
Reference: https://www.checkpoint.com/solutions/mobile-security/check-point-capsule/
Using mgmt_cli, what is the correct syntax to import a host object called Server_1 from the CLI?
- A . mgmt_cli add-host “Server_1” ip_address “10.15.123.10” --format txt
- B . mgmt_cli add host name “Server_1” ip-address “10.15.123.10” --format json
- C . mgmt_cli add object-host “Server_1” ip-address “10.15.123.10” --format json
- D . mgmt_cli add object “Server_1” ip-address “10.15.123.10” --format json
B
Explanation:
Example: mgmt_cli add host name "New Host 1" ip-address "192.0.2.1" --format json
– "--format json" is optional. By default the output is presented in plain text.
Reference: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-host~v1.1
When defining QoS global properties, which option below is not valid?
- A . Weight
- B . Authenticated timeout
- C . Schedule
- D . Rate
C
Explanation:
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_QoS_AdminGuide/14871.htm
Check Point APIs allow system engineers and developers to make changes to their organization’s security policy with CLI tools and Web Services for all of the following except?
- A . Create new dashboards to manage 3rd party task
- B . Create products that use and enhance 3rd party solutions.
- C . Execute automated scripts to perform common tasks.
- D . Create products that use and enhance the Check Point Solution.
A
Explanation:
Check Point APIs let system administrators and developers make changes to the security policy with CLI tools and web-services.
You can use an API to:
– Use an automated script to perform common tasks
– Integrate Check Point products with 3rd party solutions
– Create products that use and enhance the Check Point solution
Reference: http://dl3.checkpoint.com/paid/29/29532b9eec50d0a947719ae631f640d0/CP_R80_CheckPoint_API_ReferenceGuide.pdf?HashKey=1522190468_125d63ea5296b7dadd3e4fd81c708cc5&xtn=.pdf
What happens when an IPS profile is set to Detect-Only Mode for troubleshooting?
- A . It will generate Geo-Protection traffic
- B . Automatically uploads debugging logs to Check Point Support Center
- C . It will not block malicious traffic
- D . Bypass licenses requirement for Geo-Protection control
C
Explanation:
It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial installation of IPS. This option overrides any protections that are set to Prevent so that they will not block any traffic. During this time you can analyze the alerts that IPS generates to see how IPS will handle network traffic, while avoiding any impact on the flow of traffic.
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12750.htm
When simulating a problem on a ClusterXL cluster with cphaprob -d STOP -s problem -t 0 register, to initiate a failover on an active cluster member, what command allows you to remove the problematic state?
- A . cphaprob -d STOP unregister
- B . cphaprob STOP unregister
- C . cphaprob unregister STOP
- D . cphaprob -d unregister STOP
A
Explanation:
Testing a failover in a controlled manner using the following command:
# cphaprob -d STOP -s problem -t 0 register
This registers a problem state on the cluster member on which it was entered.
If you then run:
# cphaprob list
it will show an entry named STOP.
To remove this problematic registration, run the following:
# cphaprob -d STOP unregister
Reference: https://fwknowledge.wordpress.com/2013/04/04/manual-failover-of-the-fw-cluster/
You are investigating issues with two gateway cluster members that are not able to establish the first initial cluster synchronization.
What service is used by the FWD daemon to do a Full Synchronization?
- A . TCP port 443
- B . TCP port 257
- C . TCP port 256
- D . UDP port 8116
C
Explanation:
Synchronization works in two modes:
– Full sync transfers all Security Gateway kernel table information from one cluster member to another. It is handled by the fwd daemon using an encrypted TCP connection.
– Delta sync transfers changes in the kernel tables between cluster members. Delta sync is handled by the Security Gateway kernel using UDP multicast or broadcast on port 8116.
Full sync is used for initial transfers of state information, for many thousands of connections. If a cluster member is brought up after being down, it will perform full sync. After all members are synchronized, only updates are transferred via delta sync. Delta sync is quicker than full sync.
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_ClusterXL_AdminGuide/7288.htm Port info:
https://www.cpug.org/forums/archive/index.php/t-12704.html
Which command shows the current connections distributed by CoreXL FW instances?
- A . fw ctl multik stat
- B . fw ctl affinity -l
- C . fw ctl instances -v
- D . fw ctl iflist
A
Explanation:
The fw ctl multik stat and fw6 ctl multik stat (multi-kernel statistics) commands show information for each kernel instance.
The state and processing core number of each instance is displayed, along with:
– The number of connections currently being handled.
– The peak number of concurrent connections the instance has handled since its inception.
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm
What is the most ideal Synchronization Status for Security Management Server High Availability deployment?
- A . Lagging
- B . Synchronized
- C . Never been synchronized
- D . Collision
B
Explanation:
The possible synchronization statuses are:
– Never been synchronized – immediately after the Secondary Security Management server has been installed, it has not yet undergone the first manual synchronization that brings it up to date with the Primary Security Management server.
– Synchronized – the peer is properly synchronized and has the same database information and installed Security Policy.
– Lagging – the peer SMS has not been synchronized properly.
For instance, because the Active SMS has undergone changes since the previous synchronization (objects have been edited, or the Security Policy has been newly installed), the information on the Standby SMS is lagging.
– Advanced – the peer SMS is more up-to-date.
For instance, in the above figure, if a system administrator logs into Security Management Server B before it has been synchronized with Security Management Server A, the status of Security Management Server A is Advanced, since it contains more up-to-date information which the former does not have. In this case, manual synchronization must be initiated by the system administrator: change the Active SMS to a Standby SMS, perform a sync me operation from the more advanced server to the Standby SMS, then change the Standby SMS to the Active SMS.
– Collision – the Active SMS and its peer have different installed policies and databases. The administrator must perform manual synchronization and decide which of the SMSs to overwrite.
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_SecMan_WebAdmin/html_frameset.htm?topic=documents/R76/CP_R76_SecMan_WebAdmin/13132
What GUI client would you use to view an IPS packet capture?
- A . SmartView Monitor
- B . SmartView Tracker
- C . Smart Update
- D . Smart Reporter
B
Explanation:
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12766.htm
What is the valid range for VRID value in VRRP configuration?
- A . 1 - 254
- B . 1 - 255
- C . 0 - 254
- D . 0 - 255
B
Explanation:
Virtual Router ID – Enter a unique ID number for this virtual router. The range of valid values is 1 to 255.
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/87911.htm
Which one of these features is NOT associated with the Check Point URL Filtering and Application Control Blade?
- A . Detects and blocks malware by correlating multiple detection engines before users are affected.
- B . Configure rules to limit the available network bandwidth for specified users or groups.
- C . Use UserCheck to help users understand that certain websites are against the company’s security policy.
- D . Make rules to allow or block applications and Internet sites for individual applications, categories, and risk levels.
A
Explanation:
Use the URL Filtering and Application Control Software Blades to:
– Create a Granular Policy – Make rules to allow or block applications and Internet sites for individual applications, categories, and risk levels. You can also create an HTTPS policy that enables Security Gateways to inspect HTTPS traffic and prevent security risks related to the SSL protocol.
– Manage Bandwidth Consumption – Configure rules to limit the available network bandwidth for specified users or groups. You can define separate limits for uploading and downloading.
– Keep Your Policies Updated – The Application Database is updated regularly, which helps you make sure that your Internet security policy has the newest applications and website categories. Security Gateways connect to the Check Point Online Web Service to identify new social networking widgets and website categories.
– Communicate with Users – UserCheck objects add flexibility to URL Filtering and Application Control and let the Security Gateways communicate with users. UserCheck helps users understand that certain websites are against the company’s security policy. It also tells users about the changes in Internet policy related to websites and applications.
Reference: https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197
Which command will reset the kernel debug options to default settings?
- A . fw ctl dbg -a 0
- B . fw ctl dbg resetall
- C . fw ctl debug 0
- D . fw ctl debug set 0
C
Explanation:
Reset the debugs to the default.
If someone changed the debug settings in the past and the firewall has not been rebooted since, everything should be set back to the defaults.
Reference: https://itsecworks.com/2011/08/09/checkpoint-firewall-debugging-basics/
You need to change the number of firewall instances used by CoreXL.
How can you achieve this goal?
- A . edit fwaffinity.conf; reboot required
- B . cpconfig; reboot required
- C . edit fwaffinity.conf; reboot not required
- D . cpconfig: reboot not required
B
Explanation:
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm#o94530
As a valid Mobile Access Method, what feature provides Capsule Connect/VPN?
- A . that is used to deploy the mobile device as a generator of one-time passwords for authenticating to an RSA Authentication Manager
- B . Full Layer 4 VPN – SSL VPN that gives users network access to all mobile applications
- C . Full Layer 3 VPN – IPsec VPN that gives users network access to all mobile applications
- D . You can make sure that documents are sent to the intended recipients only
C
Explanation:
Reference: https://sc1.checkpoint.com/documents/R77/CP_R77_Mobile_Access_WebAdmin/82201.htm
What does the command vpn crl_zap do?
- A . Nothing, it is not a valid command
- B . Erases all CRL’s from the gateway cache
- C . Erases VPN certificates from cache
- D . Erases CRL’s from the management server cache
B
Explanation:
Reference: https://indeni.com/check-point-firewalls-certification-revocation-list-crl-check-mechanism-on-acheck-point-gateway/
Firewall policies must be configured to accept VRRP packets on the GAiA platform if it runs Firewall software.
The Multicast destination assigned by the Internet Assigned Numbers Authority (IANA) for VRRP is:
- A . 224.0.0.18
- B . 224.0.0.5
- C . 224.0.0.102
- D . 224.0.0.22
A
Explanation:
Reference: https://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml
Full synchronization between cluster members is handled by Firewall Kernel.
Which port is used for this?
- A . UDP port 265
- B . TCP port 265
- C . UDP port 256
- D . TCP port 256
D
Explanation:
Synchronization works in two modes:
– Full Sync transfers all Security Gateway kernel table information from one cluster member to another. It is handled by the fwd daemon using an encrypted TCP connection on port 256.
– Delta Sync transfers changes in the kernel tables between cluster members. Delta sync is handled by the Security Gateway kernel using UDP connections on port 8116.
Reference: https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_ClusterXL_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_ClusterXL_AdminGuide/7288
GAiA greatly increases operational efficiency by offering an advanced and intuitive software update agent, commonly referred to as the:
- A . Check Point Upgrade Service Engine.
- B . Check Point Software Update Agent
- C . Check Point Remote Installation Daemon (CPRID)
- D . Check Point Software Update Daemon
Which one of these is NOT a firewall chain?
- A . RTM packet in (rtm)
- B . VPN node add (vpnad)
- C . IP Options restore (in) (ipopt_res)
- D . Fw SCV inbound (scv)
B
Explanation:
Reference: http://dkcheckpoint.blogspot.com/2016/07/chapter-2-chain-module.html
Which is a suitable command to check whether Drop Templates are activated or not?
- A . fw ctl get int activate_drop_templates
- B . fwaccel stat
- C . fwaccel stats
- D . fw ctl templates -d
Which directory below contains log files?
- A . /opt/CPSmartlog-R80/log
- B . /opt/CPshrd-R80/log
- C . /opt/CPsuite-R80/fw1/log
- D . /opt/CPsuite-R80/log
What is the responsibility of SOLR process on R80.10 management server?
- A . Validating all data before it’s written into the database
- B . It generates indexes of data written to the database
- C . Communication between SmartConsole applications and the Security Management Server
- D . Writing all information into the database
VPN Tunnel Sharing can be configured with any of the options below, EXCEPT One:
- A . Gateway-based
- B . Subnet-based
- C . IP range based
- D . Host-based
C
Explanation:
VPN Tunnel Sharing provides interoperability and scalability by controlling the number of VPN tunnels created between peer Security Gateways.
There are three available settings:
– One VPN tunnel per each pair of hosts
– One VPN tunnel per subnet pair
– One VPN tunnel per Security Gateway pair
Reference: https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/14018.htm
You want to store the GAiA configuration in a file for later reference.
What command should you use?
- A . write mem <filename>
- B . show config -f <filename>
- C . save config -o <filename>
- D . save configuration <filename>
D
Explanation:
Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102234
What can you do to see the current number of kernel instances in a system with CoreXL enabled?
- A . Browse to Secure Platform Web GUI
- B . Only Check Point support personnel can access that information
- C . Execute SmartDashboard client
- D . Execute command cpconfig
D
Explanation:
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm
When Dynamic Dispatcher is enabled, connections are assigned dynamically with the exception of
- A . Threat Emulation
- B . HTTPS
- C . QOS
- D . VoIP
D
Explanation:
The following types of traffic are not load-balanced by the CoreXL Dynamic Dispatcher (this traffic will always be handled by the same CoreXL FW instance):
– VoIP
– VPN encrypted packets
Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105261
Why would you not see a CoreXL configuration option in cpconfig?
- A . The gateway only has one processor
- B . CoreXL is not licensed
- C . CoreXL is disabled via policy
- D . CoreXL is not enabled in the gateway object
In SPLAT, the command to set the timeout was idle. To achieve the same result and increase the timeout in Gaia, what command do you use?
- A . set idle <value>
- B . set inactivity-timeout <value>
- C . set timeout <value>
- D . set inactivity <value>
B
Explanation:
Reference: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk95447
What makes Anti-Bot unique compared to other Threat Prevention mechanisms, such as URL Filtering, Anti-Virus, IPS, and Threat Emulation?
- A . Anti-Bot is the only countermeasure against unknown malware
- B . Anti-Bot is the only protection mechanism which starts a counter-attack against known Command & Control Centers
- C . Anti-Bot is the only signature-based method of malware protection
- D . Anti-Bot is a post-infection malware protection to prevent a host from establishing a connection to a Command & Control Center
D
Explanation:
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_AntiBotAntiVirus_AdminGuide/index.html
SmartEvent does NOT use which of the following procedures to identify events?
- A . Matching a log against each event definition
- B . Create an event candidate
- C . Matching a log against local exclusions
- D . Matching a log against global exclusions
C
Explanation:
Events are detected by the SmartEvent Correlation Unit. The Correlation Unit's task is to scan logs for criteria that match an Event Definition.
SmartEvent uses these procedures to identify events:
– Matching a Log Against Global Exclusions
– Matching a Log Against Each Event Definition
– Creating an Event Candidate
– When a Candidate Becomes an Event
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_SmartEvent_AdminGuide/17401.htm
In Gaia, if one is unsure about a possible command, what command lists all possible commands?
- A . show all |grep commands
- B . show configuration
- C . show commands
- D . get all commands
C
Explanation:
Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/75697.htm
In which case is a Sticky Decision Function relevant?
- A . Load Sharing – Multicast
- B . Load Balancing – Forward
- C . High Availability
- D . Load Sharing – Unicast
The Security Gateway is installed on GAiA R80. The default port for the Web User Interface is _______.
- A . TCP 18211
- B . TCP 257
- C . TCP 4433
- D . TCP 443
When doing a Stand-Alone Installation, you would install the Security Management Server with which other Check Point architecture component?
- A . None, Security Management Server would be installed by itself
- B . SmartConsole
- C . SecureClient
- D . SmartEvent
Fill in the blank: The tool ___________ generates a R80 Security Gateway configuration report.
- A . infoCP
- B . infoview
- C . cpinfo
- D . fw cpinfo
Fill in the blank: The R80 utility fw monitor is used to troubleshoot __________.
- A . User data base corruption
- B . LDAP conflicts
- C . Traffic issues
- D . Phase two key negotiation
You are working with multiple Security Gateways enforcing an extensive number of rules.
To simplify security administration, which action would you choose?
- A . Eliminate all possible contradictory rules such as the Stealth or Cleanup rules.
- B . Create a separate Security Policy package for each remote Security Gateway.
- C . Create network objects that restrict all applicable rules to only certain networks.
- D . Run separate SmartConsole instances to login and configure each security Gateway directly.
Tom has been tasked to install Check Point R80 in a distributed deployment.
Before Tom installs the systems this way, how many machines will he need if he does NOT include a SmartConsole machine in his calculations?
- A . One machine, but it needs to be installed using SecurePlatform for compatibility purposes.
- B . One machine
- C . Two machines
- D . Three machines
Fill in the blank: The command _______________ provides the most complete restoration of a R80 configuration.
- A . upgrade_import
- B . cpconfig
- C . fwm dbimport -p <export file>
- D . cpinfo -recover
Which of the following statements is TRUE about R80 management plug-ins?
- A . The plug-in is a package installed on the Security Gateway.
- B . Installing a management plug-in requires a Snapshot, just like any upgrade process.
- C . A management plug-in interacts with a Security Management Server to provide new features and support for new products.
- D . Using a plug-in offers full central management only if special licensing is applied to specific features of the plug-in.
Fill in the blank: The R80 feature ________ permits blocking specific IP addresses for a specified time period.
- A . Block Port Overflow
- B . Local Interface Spoofing
- C . Suspicious Activity Monitoring
- D . Adaptive Threat Prevention
In R80 spoofing is defined as a method of:
- A . Disguising an illegal IP address behind an authorized IP address through Port Address Translation.
- B . Hiding your firewall from unauthorized users.
- C . Detecting people using false or wrong authentication logins
- D . Making packets appear as if they come from an authorized IP address.
D
Explanation:
IP spoofing replaces the untrusted source IP address with a fake, trusted one, to hijack connections to your network. Attackers use IP spoofing to send malware and bots to your protected network, to execute DoS attacks, or to gain unauthorized access.
Reference: http://dl3.checkpoint.com/paid/74/74d596decb6071a4ee642fbdaae7238f/CP_R80_SecurityManagement_AdminGuide.pdf?HashKey=1479584563_6f823c8ea1514609148aa4fec5425db2&xtn=.pdf
Which features are only supported with R80.10 Gateways but not R77.x?
- A . Access Control policy unifies the Firewall, Application Control & URL Filtering, Data Awareness, and Mobile Access Software Blade policies.
- B . Limits the upload and download throughput for streaming media in the company to 1 Gbps.
- C . The rule base can be built of layers, each containing a set of the security rules. Layers are inspected in the order in which they are defined, allowing control over the rule base flow and which security functionalities take precedence.
- D . Time object to a rule to make the rule active only during specified times.
C
Explanation:
Reference: http://slideplayer.com/slide/12183998/
For best practices, what is the recommended time for automatic unlocking of locked admin accounts?
- A . 20 minutes
- B . 15 minutes
- C . Admin account cannot be unlocked automatically
- D . 30 minutes at least
What scenario indicates that SecureXL is enabled?
- A . Dynamic objects are available in the Object Explorer
- B . SecureXL can be disabled in cpconfig
- C . fwaccel commands can be used in clish
- D . Only one packet in a stream is seen in a fw monitor packet capture