156-215.77 Check Point Certified Security Administrator Questions and Answers

None of these things will happen.

Eric will be authenticated and get access to the requested server.

Eric will be blocked because LDAP is not allowed in the Rule Base.

Eric will be dropped by the Stealth Rule.

fw printver

fw ver

fw ver -k

cpstat -gw

Source Network

Source Machine

Source User

Source Server

Manual copies of the directory $FWDIR/conf

GAiA back up utilities

upgrade_export and upgrade_import commands

Database Revision Control

Modify the Rule Base to drop these connections from the network.

In SmartView Tracker, select Tools > Block Intruder.

In SmartView Monitor, select Tools > Suspicious Activity Rules.

In SmartDashboard, select IPS > Network Security > Denial of Service.

Asymmetric encryption

Dynamic encryption

Certificate-based encryption

Symmetric encryption

All options are valid.

On a Security Gateway using the command fw log.

On a Security Management Server, using SmartView Tracker.

On a Security Gateway Console interface; it gives you detailed access to log files and state table information.

Reboot the system and call the start menu. Select the option Snapshot Management, provide the Expert password and select [L] for a restore from a local file. Then, provide the correct file name.

As expert user, type the command snapshot -r MySnapshot.tgz.

As expert user, type the command revert --file MySnapshot.tgz.

As expert user, type the command snapshot - R to restore from a local file. Then, provide the correct file name.

Users being authenticated by Client Authentication have to re-authenticate.

All connections are reset, so a policy install is recommended during announced downtime only.

All FTP downloads are reset; users have to start their downloads again.

Site-to-Site VPNs need to re-authenticate, so Phase 1 is passed again after installing the Security Policy.

Host@Any

User@Network

User_group@Network

User@Any

Run a cpstop on the Security Gateway.

Run a cpstop on the Security Management Server.

Close all GUI clients.

Run cpconfig and set yourself up as a GUI client.

When selecting the correct firewall in each line of the row Install On of the Rule Base, only this firewall is shown in the list of possible installation targets after selecting Policy > Install.

A Rule Base can always be installed on any Check Point firewall object. It is necessary to select the appropriate target directly after selecting Policy > Install.

In the SmartDashboard policy, select the correct firewall to be the Specific Target of the rule.

A Rule Base is always installed on all possible targets. The rules to be installed on a firewall are defined by the selection in the row Install On of the Rule Base.

Secure Internal Communications (SIC) not configured for the object.

A Gateway object created using the Check Point > Externally Managed VPN Gateway option from the Network Objects dialog box.

Anti-spoofing not configured on the interfaces on the Gateway object.

A Gateway object created using the Check Point > Security Gateway option in the network objects, dialog box, but still needs to configure the interfaces for the Security Gateway object.

Telnet

SSH

FTP

HTTPS

John should install the Identity Awareness Agent

The firewall admin should install the Security Policy

John should lock and unlock the computer

Investigate this as a network connectivity issue

The firewall has failed to sync with the Security Management Server for 60 minutes.

The firewall object has been created but SIC has not yet been established.

The firewall is not listed in the Policy Installation Targets screen for this policy package.

The license for this specific firewall has expired.

Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object.

Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties.

Enable User Directory in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit.

Configure a server object for the LDAP Account Unit, and create an LDAP resource object.

Select Tunnels view, and generate a report on the statistics.

Configure a Suspicious Activity Rule which triggers an alert when HTTP traffic passes through the Gateway.

Use Traffic settings and SmartView Monitor to generate a graph showing the total HTTP traffic for the day.

View total packets passed through the Security Gateway.

John should lock and unlock his computer

Investigate this as a network connectivity issue

The access should be changed to authenticate the user instead of the PC

John should install the Identity Awareness Agent

SmartLog has been an option since release R71.10.

SmartLog is not a Check Point product.

SmartLog and SmartView Tracker are mutually exclusive.

SmartLog is a client of SmartConsole that enables enterprises to centrally track log records and security activity with Google-like search.

SIC Certificates

Licenses

Route tables

Global properties

Change the Rule Base and install the Policy to all Security Gateways

Block Intruder feature of SmartView Tracker

Intrusion Detection System (IDS) Policy install

SAM - Suspicious Activity Rules feature of SmartView Monitor

The Cleanup rule must be the last rule in a policy

The Cleanup rule is an example of an Implied rule

The Cleanup rule is important for blocking unwanted connections

The Cleanup rule should not be logged

Run fwm dbexport -l filename. Restore the database. Then, run fwm dbimport -l filename to import the users.

Run fwm_dbexport to export the user database. Select restore the entire database in the Database Revision screen. Then, run fwm_dbimport.

Restore the entire database, except the user database, and then create the new user and user group.

Restore the entire database, except the user database.

514

257

256

258

in the SmartView Monitor client

in the SmartView Tracker client

since R75.40 release

only if you have the IPS blade enabled at least in one gateway

Allow bi-directional NAT

Automatic ARP configuration

Translate destination on client-side

Enable IP Pool NAT

The collective name of the Security Policy, Address Translation, and IPS Policies.

The specific Policy written in SmartDashboard to configure which log data is stored in the SmartReporter database.

The collective name of the logs generated by SmartReporter.

A global Policy used to share a common enforcement policy for multiple Security Gateways.

Objects_5_0.C

Internal Certificate Authority (ICA) certificate

Rule Bases_5_0.fws

fwauth.NDB

Verify that Security Gateway > General Properties > Authentication > Use UserDirectory (LDAP) for Security Gateways is checked

Verify that Global Properties > Authentication > Use UserDirectory (LDAP) for Security Gateways is checked

Verify that Security Gateway > General Properties > UserDirectory (LDAP) > Use UserDirectory (LDAP) for Security Gateways is checked

Verify that Global Properties > UserDirectory (LDAP) > Use UserDirectory (LDAP) for Security Gateways is checked

Placing frequently accessed rules before less frequently accessed rules

Grouping IPS rules with dynamic drop rules

Adding SAM rules at the top of the Rule Base

Grouping rules by date of creation

C1>F6; C2>F4; C3>F2; C4>F5

C1>F2; C2>F1; C3>F6; C4>F4

C1>F2; C2>F4; C3>F1; C4>F5

C1>F4; C2>F6; C3>F3; C4>F2

1, 2, and 3

2 and 3

1 and 2

1 and 3

LDAP

Radius

SecureID

NT Domain

WebUI

SmartView Tracker

SmartView Monitor

SmartReporter

Create a new logical-server object to represent your partner’s CA.

Exchange exported CA keys and use them to create a new server object to represent your partner’s Certificate Authority (CA).

Manually import your partner’s Certificate Revocation List.

Manually import your partner’s Access Control List.

Grouping rules by date of creation

Grouping reject and drop rules after the Cleanup Rule

Grouping authentication rules with address-translation rules

Grouping functionally related rules together

12

1

3

6

The Gateway was not rebooted, which is necessary to change the SIC key.

You must first initialize the Gateway object in SmartDashboard (i.e., right-click on the object, choose Basic Setup > Initialize).

The Check Point services on the Gateway were not restarted because you are still in the cpconfig utility.

The activation key contains letters that are on different keys on localized keyboards. Therefore, the activation can not be typed in a matching fashion.

Manual Sign On

Agent Automatic Sign On

Partially Automatic Sign On

Standard Sign On

Saves the current log file, names the log file by date and time, and starts a new log file.

Purges the current log file, and starts a new log file.

Prompts you to enter a filename, and then saves the log file.

Purges the current log file, and prompts you for the new log’s mode.

fw ctl get string active_secpol

fw stat

cpstat fw -f policy

Check the Security Policy name of the appropriate Gateway in SmartView Monitor.

Use Hide NAT for network 10.1.1.0/24 behind the external IP address of your perimeter Gateway.

Use Hide NAT for network 10.1.1.0/24 behind the internal interface of your perimeter Gateway.

Use automatic Static NAT for network 10.1.1.0/24.

Do nothing, as long as 10.1.1.0 network has the correct default Gateway.

SmartView Tracker

None, SmartConsole applications only communicate with the Security Management Server.

SmartView Server

SmartUpdate

SmartView Tracker and SmartView Monitor

SmartLSM and SmartUpdate

SmartDashboard and SmartView Tracker

SmartView Monitor and SmartUpdate

Distributed Installation

Unsupported configuration

Hybrid Installation

Stand-Alone Installation

Hide

Static Destination

Static Source

Dynamic Destination

Translates many destination IP addresses into one destination IP address

One-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation

Translates many source IP addresses into one source IP address

Many-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation

On a GAiA Security Management Server, this can only be accomplished by configuring the command fw logswitch via the cron utility.

Create a time object, and add 48 hours as the interval. Open the primary Security Management Server object’s Logs and Masters window, enable Schedule log switch, and select the Time object.

Create a time object, and add 48 hours as the interval. Open the Security Gateway object's Logs and Masters window, enable Schedule log switch, and select the Time object.

Create a time object, and add 48 hours as the interval. Select that time object’s Global Properties > Logs and Masters window, to schedule a logswitch.

Policy Package Management

Copying the directories $FWDIR\conf and $CPDIR\conf to another server

Execute command upgrade_export

Database Revision Control

ethtool

set interface

mii_tool

ifconfig -a

You create them in SmartDashboard.

The Gateway enforces implicit rules that enable outgoing packets only.

Changes to the Security Gateway’s default settings do not affect implicit rules.

They are derived from Global Properties and explicit object properties.

upgrade_export is operating system independent and can be used when backup or snapshot is not available.

upgrade_export will back up routing tables, hosts files, and manual ARP configurations, where backup and snapshot will not.

The commands backup and snapshot can take a long time to run whereas upgrade_export will take a much shorter amount of time.

upgrade_export has an option to back up the system and SmartView Tracker logs while backup and snapshot will not.

Bridge

Load Sharing

High Availability

Fail Open

Security Management Server

Check Point Gateway

SmartConsole

SmartUpdate upgrading/patching