Checkpoint 156-215.77 Check Point Certified Security Administrator Exam Practice Test

12

1

3

6

(5) Delete all IPsec SAs for a given peer (GW)

(7) Delete all IPsec+IKE SAs for a given peer (GW)

(6) Delete all IPsec SAs for a given User (Client)

(8) Delete all IPsec+IKE SAs for a given User (Client)

Weak performancE. PSK takes more time to encrypt than Diffie-Hellman.

Weak Security: PSK are static and can be brute-forced.

Weak security: PSKs can only have 112 bit length.

Weak scalability: PSKs need to be set on each and every Gateway.

vpn debug ipsec

vpn ipsec

fw ipsec tu

vpn tu

SSL

Captive Portal

RSA

PKI

Identity Awareness Agent

Full Endpoint Client

ICA Certificate

SecureClient

Symmetric IPsec keys are generated.

Each Security Gateway generates a private Diffie-Hellman (DH) key from random pools.

The DH public keys are exchanged.

Peers authenticate using certificates or preshared secrets.

Secure Internal Communications (SIC) not configured for the object.

A Gateway object created using the Check Point > Externally Managed VPN Gateway option from the Network Objects dialog box.

Anti-spoofing not configured on the interfaces on the Gateway object.

A Gateway object created using the Check Point > Security Gateway option in the network objects, dialog box, but still needs to configure the interfaces for the Security Gateway object.

WebUI

SmartView Tracker

SmartView Monitor

SmartReporter

Proxied, User, Dynamic, Session

Connection, User, Client

User, Client, Session

User, Proxied, Session

RADIUS server

Account Management Client server

UserAuthority server

LDAP server

23

264

900

259

SMTP, FTP, TELNET

SMTP, FTP, HTTP, TELNET

FTP, HTTP, TELNET

FTP, TELNET

None of these things will happen.

Eric will be authenticated and get access to the requested server.

Eric will be blocked because LDAP is not allowed in the Rule Base.

Eric will be dropped by the Stealth Rule.

A-3, B-2, C-4, D-1

A-2, B-3, C-4, D-1

A-3, B-2, C-1, D-4

A-3, B-4, C-1, D-2

Using groups within groups in the manual NAT Rule Base.

Use Automatic NAT rules instead of Manual NAT rules whenever possible.

Using domain objects in rules when possible.

Putting the least-used rule at the top of the Rule Base.

On a GAiA Security Management Server, this can only be accomplished by configuring the command fw logswitch via the cron utility.

Create a time object, and add 48 hours as the interval. Open the primary Security Management Server object’s Logs and Masters window, enable Schedule log switch, and select the Time object.

Create a time object, and add 48 hours as the interval. Open the Security Gateway object's Logs and Masters window, enable Schedule log switch, and select the Time object.

Create a time object, and add 48 hours as the interval. Select that time object’s Global Properties > Logs and Masters window, to schedule a logswitch.

Log, Active, and Audit

Log, Active, and Management

Network and Endpoint, Active, and Management

Log, Track, and Management

Define a permission profile in SmartDashboard with read/write privileges, but restrict it to all other firewalls by placing them in the Policy Targets field. Then, an administrator with this permission profile cannot install a policy on any Firewall not listed here.

Put the one administrator in an Administrator group and configure this group in the specific Firewall object in Advanced > Permission to Install.

In the object General Properties representing the specific Firewall, go to the Software Blades product list and select Firewall. Right-click in the menu, select Administrator to Install to define only this administrator.

Right-click on the object representing the specific administrator, and select that Firewall in Policy Targets.

The Global Properties setting Translate destination on client side is unchecked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Check the Global Properties setting Translate destination on client side.

The Global Properties setting Translate destination on client side is unchecked. But the topology on the external interface is set to Others +. Change topology to External.

The Global Properties setting Translate destination on client side is checked. But the topology on the external interface is set to External. Change topology to Others +.

The Global Properties setting Translate destination on client side is checked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Uncheck the Global Properties setting Translate destination on client side.

ifconfig

sysconfig

cpconfig

dhcp_cfg

It is not necessary to add a static route to the Gateway’s routing table.

It is necessary to add a static route to the Gateway’s routing table.

The Security Gateway’s ARP file must be modified.

VLAN tagging cannot be defined for any hosts protected by the Gateway.

No extra configuration is needed.

A proxy ARP entry, to ensure packets destined for the public IP address will reach the Security Gateway's external interface.

The NAT IP address must be added to the external Gateway interface anti-spoofing group.

A static route, to ensure packets destined for the public NAT IP address will reach the Gateway's internal interface.

upgrade_export/upgrade_import

fwm dbexport/fwm dbimport

Database Revision Control

Policy Package management

SmartView Monitor > Gateway Status > Threshold Settings

SmartView Tracker > Audit Tab > Gateway Counters

SmartView Monitor > Gateway Status > System Information > Thresholds

This can only be monitored by a user-defined script.

Hide

Static Destination

Static Source

Dynamic Destination

client side NAT

source NAT

destination NAT

None of these

Delete the file admin.lock in the Security Management Server directory $FWDIR/tmp/.

Reinstall the Security Management Server and restore using upgrade_import.

Type fwm lock_admin -ua from the Security Management Server command line.

Login to SmartDashboard as the special cpconfig_admin user account; right-click on each administrator object and select unlock.

Policy Package Management

Copying the directories $FWDIR\conf and $CPDIR\conf to another server

Execute command upgrade_export

Database Revision Control

Type fwm unlock_admin from the Security Management Server command line.

Type fwm unlock_admin -u from the Security Gateway command line.

Type fwm lock_admin -u from the Security Management Server command line.

Delete the file admin.lock in the Security Management Server directory $FWDIR/tmp/.

You need to start SSL Network Extender first, then use Visitor Mode.

Set Visitor Mode in Policy > Global Properties > Remote-Access > VPN - Advanced.

Office mode is not configured.

The WebUI on GAiA runs on port 443 (HTTPS). When you configure Visitor Mode it cannot bind to default port 443, because it's used by another program (WebUI). With multi-port no additional changes are necessary.

SmartUpdate only allows you to update Check Point and OPSEC certified products.

SmartUpdate only allows you to manage product licenses.

SmartUpdate allows you to update Check Point and OPSEC certified products and to manage product licenses.

SmartUpdate is not a Check Point product.

Log mode. Block it using Tools > Block Intruder menu. Observe in the Log mode that the suspicious connection does not appear again in this SmartView Tracker view.

Log mode. Block it using Tools > Block Intruder menu. Observe in the Log mode that the suspicious connection is listed in this SmartView Tracker view as “dropped.”

Active mode. Block it using Tools > Block Intruder menu. Observe in the Active mode that the suspicious connection does not appear again in this SmartView Tracker view.

Active mode. Block it using Tools > Block Intruder menu. Observe in the Active mode that the suspicious connection is listed in this SmartView Tracker view as “dropped.”

Check Point Password

RADIUS

TACACS

SecurID

show interface (interface) - chain

tcpdump

tcpdump/ snoop

fw monitor

Select Ignore Database in the Action Properties window.

Permit access to Finance_net.

Select Intersect with user database in the Action Properties window.

Select Intersect with user database or Ignore Database in the Action Properties window.

SmartView Tracker, SmartDashboard, CPINFO, SmartUpdate, SmartView Status

SmartView Tracker, SmartDashboard, SmartLSM, SmartView Monitor

SmartView Tracker, CPINFO, SmartUpdate

Security Policy Editor, Log Viewer, Real Time Monitor GUI

SmartView Monitor > Tunnels > VPN History

SmartView Monitor > System Counters > VPN History

SmartView Monitor > System Counters > Firewall Security History

SmartView Monitor > System Counters > VPN

Change the Rule Base and install the Policy to all Security Gateways

Block Intruder feature of SmartView Tracker

Intrusion Detection System (IDS) Policy install

SAM - Suspicious Activity Rules feature of SmartView Monitor

Yes, seeing user activity is enabled when using the Identity Awareness blade.

No, a Check Point Gateway can only see IP addresses.

Yes, but you have to enable the option: See user information in SmartView Tracker.

Yes, but you need to use the SPLAT operating system.

Client Authentication with Partially Automatic Sign On

Client Authentication with Manual Sign On

User Authentication

Session Authentication

Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service specifically defined in the window Specific Action Properties.

Standard Sign On allows the user to be automatically authorized for all services that the rule allows, but re-authenticate for each host to which he is trying to connect. Specific Sign On requires that the user re-authenticate for each service.

Standard Sign On allows the user to be automatically authorized for all services that the rule allows. Specific Sign On requires that the user re-authenticate for each service and each host to which he is trying to connect.

Standard Sign On requires the user to re-authenticate for each service and each host to which he is trying to connect. Specific Sign On allows the user to sign on only to a specific IP address.

To edit Implied rules you go to: Launch Button > Policy > Global Properties > Firewall.

Implied rules are fixed rules that you cannot change.

You can directly edit the Implied rules by double-clicking on a specific Implicit rule.

You can edit the Implied rules but only if requested by Check Point support personnel.

SIC revoke certificate event

Destination IP address

Most accessed Rule Base rule

Number of concurrent IKE negotiations

Compliance information compiled from network activity is recorded in logs

Administrator network activity observed and logged by gateways

Accounting information gathered on network activity as recorded in logs

Administrator login and logout, object manipulation, and rule base changes

Eliminate all possible contradictory rules such as the Stealth or Cleanup rules.

Run separate SmartConsole instances to login and configure each Security Gateway directly.

Create network objects that restrict all applicable rules to only certain networks.

Create a separate Security Policy package for each remote Security Gateway.

Export setup

DHCP Server configuration

GUI Clients

Time & Date

database revision

snapshot

upgrade_export

backup

ipsofwd on admin

echo 0 > /proc/sys/net/ipv4/ip_forward

clish -c set routing active enable

echo 1 > /proc/sys/net/ipv4/ip_forward

Security Management Server

Check Point Gateway

SmartConsole

SmartUpdate upgrading/patching

No, it only works with FTP

No, it only works with FTP and HTTP

Yes

No, it only works with HTTP

logs connections that would otherwise be dropped without logging by default.

drops packets without logging connections that would otherwise be dropped and logged by default.

logs connections that would otherwise be accepted without logging by default.

drops packets without logging connections that would otherwise be accepted and logged by default.

Users being authenticated by Client Authentication have to re-authenticate.

All connections are reset, so a policy install is recommended during announced downtime only.

All FTP downloads are reset; users have to start their downloads again.

Site-to-Site VPNs need to re-authenticate, so Phase 1 is passed again after installing the Security Policy.

Check if some intermediate network device has a wrong routing table entry, VLAN assignment, duplex-mismatch, or trunk issue.

Test the IP address assignment and routing settings of the Security Management Server, Gateway, and console client.

Verify the SIC initialization.

Verify that the Rule Base explicitly allows management connections.

TCP 18211

TCP 443

TCP 4433

TCP 257

Verify that Security Gateway > General Properties > Authentication > Use UserDirectory (LDAP) for Security Gateways is checked

Verify that Global Properties > Authentication > Use UserDirectory (LDAP) for Security Gateways is checked

Verify that Security Gateway > General Properties > UserDirectory (LDAP) > Use UserDirectory (LDAP) for Security Gateways is checked

Verify that Global Properties > UserDirectory (LDAP) > Use UserDirectory (LDAP) for Security Gateways is checked

Check for matching OS and product versions of the Security Management Server and the client. Then, ping the Gateways to verify connectivity. If successful, scan the log files for any denied management packets.

Verify basic network connectivity to the local Gateway, service provider, remote Gateway, remote network and target machine. Then, test for firewall rules that deny management access to the target. If successful, verify that pcosaka is a valid client IP address.

Check the allowed clients and users on the Security Management Server. If pcosaka and your user account are valid, check for network problems. If there are no network related issues, this is likely to be a problem with the server itself. Check for any patches and upgrades. If still unsuccessful, open a case with Technical Support.

Call Tokyo to check if they can ping the Security Management Server locally. If so, login to sgtokyo, verify management connectivity and Rule Base. If this looks okay, ask your provider if they have some firewall rules that filters out your management traffic.

From cpconfig on the Gateway, choose the Secure Internal Communication option and retype the activation key. Next, retype the same key in the Gateway object in SmartDashboard and reinitialize Secure Internal Communications (SIC).

Use SmartUpdate to retype the Security Gateway activation key. This will automatically sync SIC to both the Security Management Server and Gateway.

From the Security Management Server’s command line, type fw putkey -p .

Run the command fwm sic_reset to reinitialize the Security Management Server Internal Certificate Authority (ICA). Then retype the activation key on the Security Gateway from SmartDashboard.