Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. - (Topic 2)
Your perimeter Security Gateway's external IP is 200.200.200.3. Your network diagram shows:
RequireD. Allow only network 192.168.10.0 and 192.168.20.0 to go out to the Internet, using 200.200.200.5.
The local network 192.168.1.0/24 needs to use 200.200.200.3 to go out to the Internet.
Assuming you enable all the settings in the NAT page of Global Properties, how could you achieve these requirements?
A. Create a network object 192.168.0.0/16. Enable Hide NAT on the NAT page. Enter
200.200.200.5 as the hiding IP address. Add an ARP entry for 200.200.200.5 for the MAC address of 200.200.200.3.
B. Create network objects for 192.168.10.0/24 and 192.168.20.0/24. Enable Hide NAT on both network objects, using 200.200.200.5 as hiding IP address. Add an ARP entry for
200.200.200.3 for the MAC address of 200.200.200.5.
C. Create an Address Range object, starting from 192.168.10.1 to 192.168.20.254. Enable Hide NAT on the NAT page of the address range object. Enter Hiding IP address
200.200.200.5. Add an ARP entry for 200.200.200.5 for the MAC address of
200.200.200.3.
D. Create two network objects: 192.168.10.0/24 and 192.168.20.0/24. Add the two network objects to a group object. Create a manual NAT rule like the following: Original source -group object; Destination - any; Service - any; Translated source - 200.200.200.5; Destination - original; Service - original.
Answer: C
Q2. - (Topic 1)
How can you most quickly reset Secure Internal Communications (SIC) between a Security Management Server and Security Gateway?
A. From the Security Management Server's command line, type fw putkey -p <shared key> <IP Address of Security Gateway>.
B. Run the command fwm sic_reset to reinitialize the Security Management Server Internal Certificate Authority (ICA). Then retype the activation key on the Security Gateway from SmartDashboard.
C. Use SmartUpdate to retype the Security Gateway activation key. This will automatically sync SIC to both the Security Management Server and Gateway.
D. From cpconfig on the Gateway, choose the Secure Internal Communication option and retype the activation key. Next, retype the same key in the Gateway object in SmartDashboard and reinitialize Secure Internal Communications (SIC).
Answer: D
9. - (Topic 1)
Several Security Policies can be used for different installation targets. The Firewall protecting Human Resources' servers should have its own Policy Package. These rules must be installed on this machine and not on the Internet Firewall. How can this be accomplished?
A. A Rule Base is always installed on all possible targets. The rules to be installed on a Firewall are defined by the selection in the Rule Base row Install On.
B. A Rule Base can always be installed on any Check Point Firewall object. It is necessary to select the appropriate target directly after selecting Policy > Install on Target.
C. When selecting the correct Firewall in each line of the Rule Base row Install On, only this Firewall is shown in the list of possible installation targets after selecting Policy > Install on Target.
D. In the menu of SmartDashboard, go to Policy > Policy Installation Targets and select the correct firewall via Specific Targets.
Q3. - (Topic 1)
Peter is your new Security Administrator. On his first working day, he is very nervous and enters the wrong password three times. His account is locked. What can be done to unlock Peter's account? Give the BEST answer.
A. It is not possible to unlock Peter's account. You have to install the firewall once again or abstain from Peter's help.
B. You can unlock Peter's account by using the command fwm unlock_admin -u Peter on the Security Gateway.
C. You can unlock Peter's account by using the command fwm lock_admin -u Peter on the Security Management Server.
D. You can unlock Peter's account by using the command fwm unlock_admin -u Peter on the Security Management Server
Answer: C
Q4. - (Topic 2)
Your shipping company uses a custom application to update the shipping distribution database. The custom application includes a service used only to notify remote sites that the distribution database is malfunctioning. The perimeter Security Gateway's Rule Base includes a rule to accept this traffic. Since you are responsible for multiple sites, you want notification by a text message to your cellular phone, whenever traffic is accepted on this
rule. Which of the following would work BEST for your purpose?
A. SmartView Monitor Threshold
B. SNMP trap
C. Logging implied rules
D. User-defined alert script
Answer: D
Q5. - (Topic 3)
You have created a Rule Base for firewall, websydney. Now you are going to create a new policy package with security and address translation rules for a second Gateway. What is TRUE about the new package’s NAT rules?
Exhibit:
A. Rules 1, 2, 3 will appear in the new package.
B. Only rule 1 will appear in the new package.
C. NAT rules will be empty in the new package.
D. Rules 4 and 5 will appear in the new package.
Answer: A
Q6. - (Topic 2)
You have detected a possible intruder listed in SmartView Tracker's active pane. What is the fastest method to block this intruder from accessing your network indefinitely?
A. In SmartView Monitor, select Tools > Suspicious Activity Rules.
B. Modify the Rule Base to drop these connections from the network.
C. In SmartView Tracker, select Tools > Block Intruder.
D. In SmartDashboard, select IPS > Network Security > Denial of Service.
Answer: C
Q7. - (Topic 1)
You intend to upgrade a Check Point Gateway from R71 to R77. Prior to upgrading, you want to back up the Gateway should there be any problems with the upgrade. Which of the following allows for the Gateway configuration to be completely backed up into a manageable size in the least amount of time?
A. upgrade_export
B. snapshot
C. backup
D. database revision
Answer: C
Q8. - (Topic 2)
You enable Automatic Static NAT on an internal host node object with a private IP address
of 10.10.10.5, which is NATed into 216.216.216.5. (You use the default settings in Global Properties / NAT.)
When you run fw monitor on the R77 Security Gateway and then start a new HTTP connection from host 10.10.10.5 to browse the Internet, at what point in the monitor output will you observe the HTTP SYN-ACK packet translated from 216.216.216.5 back into 10.10.10.5?
A. O=outbound kernel, after the virtual machine
B. i=inbound kernel, before the virtual machine
C. I=inbound kernel, after the virtual machine
D. o=outbound kernel, before the virtual machine
Answer: C
Q9. - (Topic 2)
A Cleanup rule.
A. drops packets without logging connections that would otherwise be dropped and logged by default.
B. logs connections that would otherwise be accepted without logging by default.
C. drops packets without logging connections that would otherwise be accepted and logged by default.
D. logs connections that would otherwise be dropped without logging by default.
Answer: D
Q10. - (Topic 1)
Your company is running Security Management Server R77 on GAiA, which has been migrated through each version starting from Check Point 4.1. How do you add a new administrator account?
A. Using cpconfig on the Security Management Server, choose Administrators
B. Using SmartDashboard, under Users, select Add New Administrator
C. Using the Web console on SecurePlatform under Product configuration, select Administrators
D. Using SmartDashboard or cpconfig
Answer: B
Q11. - (Topic 3)
What type of traffic can be re-directed to the Captive Portal?
A. FTP B. All of the above
C. SMTP
D. HTTP
Answer: D
Q12. - (Topic 3)
A _______ rule is used to prevent all traffic going to the R77 Security Gateway.
A. IPS
B. Cleanup
C. Reject
D. Stealth
Answer: D
Q13. - (Topic 1)
Which SmartConsole component can Administrators use to track changes to the Rule Base?
A. SmartView Monitor
B. SmartReporter
C. WebUI
D. SmartView Tracker
Answer: D
Q14. - (Topic 3)
How many packets does the IKE exchange use for Phase 1 Main Mode?
A. 6
B. 12
C. 1
D. 3
Answer: A
Q15. - (Topic 3)
Complete this statement from the options provided. Using Captive Portal, unidentified users may be either; blocked, allowed to enter required credentials, or required to download the _____________.
A. ICA Certificate
B. SecureClient
C. Full Endpoint Client
D. Identity Awareness Agent
Answer: D