156-315.77 Check Point Certified Security Expert Questions and Answers

Edit affinity.conf and change the settings

Run fw affinity and change the settings

Edit $FWDIR/conf/fwaffinity.conf and change the settings

Run sim affinity and change the settings

set bitrate 64

set edition default 64

configure edition 64-bit

set edition default 64-bit

fw ver -k

fw ctl pstat

fw ctl get kernel

fw kernel

fwaccel on

fw ctl debug

tcpdump

cphaprob

You must run an ADquery for every domain.

Identity Awareness can only manage one AD domain.

Only one ADquery is necessary to ask for all domains.

Only Captive Portal can be used.

fw purge active

fw purge policy

fw fetch policy

fw unloadlocal

NG-AI R55 HFAJ7

NGX R60

NGXR65HFA_50

NGX R71

Differentiated Services

Guarantees

Weighted Fair Queuing

Low Latency Queuing

ipconfig –a > [filename].txt

cp /etc/sysconfig/network.C [location]

netstat –rn > [filename].txt

ifconfig > [filename].txt

upgrade_export

migrate export

snapshot

backup

Identity-based enforcement for non-AD users (non-Windows and guest users)

Basic identity enforcement in the internal network

Leveraging identity in Internet application control

Identity-based auditing and logging

pdp and lad

pdp and pdp-11

pep and lad

pdp and pep

sglondon_1 because it the first configured object with the lowest IP.

sglondon_2 because sglondon_1 has highest IP.

sglondon_1, because it is up again, sglondon_2 took over during reboot.

sglondon_2 because it has highest priority.

Leveraging machine name or identity

When accuracy in detecting identity is crucial

Identity based enforcement for non-AD users (non-Windows and guest users)

Protecting highly sensitive servers

ifconfig -a

arping

telnet

ping

set static-route default nexthop gateway address 192.168.255.1 priority 1 on

set static-route 192.168.255.0/24 nexthop gateway logical ethl on

set static-route 192.168.255.0/24 nexthop gateway address 192.168.255.1 priority 1 on

set static-route nexthop default gateway logical 192.168.255.1 priority 1 on

Gateway Setting

NAT Rules

Global Properties > NAT definition

Implied Rules

To enhance connection-establishment acceleration, a mechanism attempts to “group together” all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command fwaccel stat.

To enhance connection-establishment acceleration, a mechanism attempts to “group together” all connections that match a particular service and whose sole discriminating element is the destination port. To test if connection templates are enabled, use the command fwacel templates.

To enhance connection-establishment acceleration, a mechanism attempts to “group together” all connections that match a particular service and whose sole discriminating element is the destination port. To test if connection templates are enabled, use the command fw ctl templates.

To enhance connection-establishment acceleration, a mechanism attempts to “group together” all connections that match a particular service and whose sole discriminating element is the source port. To test if connection templates are enabled, use the command fw ctl templates.

Exchange exported CA keys and use them to create a new server object to represent your partner’s Certificate Authority (CA).

Create a new logical-server object to represent your partner’s CA.

Manually import your partner’s Access Control List.

Manually import your partner’s Certificate Revocation List.

259

256

264

201

$FWDIR/VPN/route_conf.c

$FWDIR/conf/vpn_route.conf

$FWDIR/bin/vpn_route.conf

$FWDIR/conf/vpn_route.c

Firewall logging and ICA key-exchange information

RIP traffic

Outgoing traffic originating from the Security Gateway

SmartUpdate connections

You cannot configure Management HA, when either the primary or secondary SmartCenter Server is running on a VPN-1 Pro Gateway.

The new machine cannot be installed as the Internal Certificate Authority on its own.

The secondary Server cannot be installed on a SecurePlatform Pro machine alone.

Install the secondary Server on the spare machine. Add the new machine to the same network as the primary Server.

Upgrades all cluster members except one at the same time.

Treats each individual cluster member as an individual gateway.

Is not a valid upgrade method in R76.

Is only supported in major releases (R70 to R71, R75 to R76).

UNIX

CPShell

CLISH

Bash

There is more than one cluster connected to the same VLAN

A firewall cluster is configured to use Multicast for CCP traffic

There are more than two members in a firewall cluster

A firewall cluster is configured to use Broadcast for CCP traffic

Only Sub Tree

Only Group in Branch

OU Accept and select appropriate domain

All Account-Unit’s Users

Group Agnostic

All Account-Unit's Users

Only Sub Tree

Only Group in Branch

fwm

fwd

vpnd

cvpnd

A PDF file that contains the following textYarkon1 can be the code name for the new product.Yardens list of protected sites

An MS Excel file that contains the following text Mort resources for Yarkon project..Are you certain this is about Yarden?

A word file that contains the following text will match:AyalonayalonAYALON

A password protected MS Excel file that contains the following text AyalonYarkonYarden

Only Group in Branch

Only Sub Tree

OU Auth and select Group Name

All Account-Unit's Users

Choosing Accept control connections in Implied Rules includes Management Portal access

Management Portal requires a license

Default Port for Management Portal access is 4433

Management Portal could be reconfigured for using HTTP instead of HTTPS

AMON status pull from the Gateway

Management High Availability (HA) sync

SIC (Secure Internal Communication) functions

Policy installation

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings.

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings.

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings, HTTPS inspection settings.

Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings, HTTPS inspection settings

There is no dynamic update at reboot.

No. The revert will most probably not match to hard disk.

Yes. Everything is dynamically updated at reboot.

No. At installation the necessary hardware support is selected. The snapshot saves this state.

Legacy Mode HA

Pivot Mode Load Sharing

New Mode HA

Multicast Mode Load Sharing

Type, Severity, Confidence level, Performance impact, Geo information.

Severity, Confidence level, Performance impact, Protection type.

Type, Severity, Confidence level, Performance impact.

Type, Severity, Confidence level, Performance impact, Protection type.

Via protection levels

To implement Integrity Clientless Security

To force the user to re-authenticate at login

Without a special setting. Secure Workspace is automatically configured.

1 and 4

2 and 3

1 and 2

3 and 4

No, the Security Management Servers must reside on the same network.

No, the Security Management Servers do not have the same number of NICs.

No, the Security Management Servers must be installed on the same operating system.

No, a R77 Security Management Server cannot run on Red Hat Linux 9.0.

Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy.

Change the cluster mode to Unicast on each of the cluster-member objects.

Run cpstop and cpstart, to re-enable High Availability on both objects. Select Pivot mode in cpconfig.

Reset Secure Internal Communications (SIC) on the cluster-member objects. Reinstall the Security Policy.

Transparent upgrades

Zero downtime for mission-critical environments with State Synchronization

Enhanced throughput in all ClusterXL modes (2 gateway cluster compared with 1 gateway)

Transparent failover in case of device failures

RSA ACE/Authentication Manager

Radius

NT Domain

LDAP

Generate a threat analysis report from the Analyzer database.

Display received threats and tune the Events Policy.

Assign severity levels to events.

Analyze log entries, looking for Event Policy patterns.

Depends on the number of protected clients and throughput.

Depends on number of concurrent sessions.

Firewall throughput is the only relevant factor.

It depends on required SPU for customer environment.

Global properties > Authentication > Use SmartDirectory (LDAP) for Security Gateways is checked

Gateway properties > Smart Directory (LDAP) > Use SmartDirectory (LDAP) for Security Gateways is checked

Gateway properties > Authentication > Use SmartDirectory (LDAP) for Security Gateways is checked

Global properties > Smart Directory (LDAP) > Use SmartDirectory (LDAP) for Security Gateways is checked

Log Sequence Policy

Report Policy

Log Consolidator Policy

Consolidation Policy

[expert@HostName]#>./cpsizeme -h

[expert@HostName]# ./cpsizeme -R

This is not possible on SPLAT

[expert@HostName]# ./cpsizeme

FWSD

FWD

In.httpd

FWSSD

fwm

vpnd

cpd

cvpnd

$FWDIR/conf/fwauthd.conf

$FWDIR/conf/AMT.conf

$FWDIR/conf/fwopsec.conf

$FWDIR/conf/Fwauth.c

cpd

cvpnd

fwm

vpnd

Cn=john_doe,ca=Sales,ou=acmecorp,dc=com

Cn=john_doe,ou=Sales,ou=acmecorp,dc=com

Cn=john_doe,ou=Sales,dc=acmecorp,dc=com

Cn=john_doe,ca=Sales,dc=acmecorp,dc=com

set user admin shell bash

set user admin shell /bin/bash

set user admin shell = /bin/bash

set user admin /bin/bash

IPSec SA

RSA Exchange

ISAKMP SA

Diffie-Hellman exchange

LEA

URI

UFP

AMON

CVP

Set the Management Portal to use HTTP instead of HTTPS

Configure Management Portal to bypass authentication when connecting from a specific IP address

Restrict hosts / networks that can access the portal

Run the Management Portal on a port other than the default port 4433

fwm

vpnd

cvpnd

cpd

do nothing, the conversion is automatic.

delete the device and re-install it in Smart Provisioning.

reset SIC and re-establish communication with the new Smart Provisioning.

convert a Security Gateway or UTM-1 Edge Gateway managed with Smart Dashboard to a Smart

LSM Security Gateway managed with Smart Provisioning.

SmartDashboard, SmartView Tracker and SmartView Monitor logins and logouts

Security Policies and the Rule Base, Network Objects, Network Services, VPN Communities.

Users, Administrators, Groups and VPN Communities

Security Policies and the Rule Base, Network Objects, Network Services, Resources, Users, Administrators, Groups, VPN Communities and Servers and OPSEC Applications.

Another administrator pushed a SmartProvisioning profile to the firewall

Another administrator issued a new backup command through the command line

Another administrator logged in to the WebUI and changed the setting without your knowledge

Another administrator updated the Backup Schedule using SmartUpdate

Upgrade Smartcenter to R77 first.

Upgrade R60-Gateways to R65.

Upgrade every unit directly to R77.

Check the ReleaseNotes to verify that every step is supported.

Login to Smart Dashboard, access Properties of the SMS, and verify whether Paul’s IP address is listed.

Type cpconfig on the Management Server and select the option “GUI client List” to see if Paul’s IP address is listed.

Login in to Smart Dashboard, access Global Properties, and select Security Management, to verify whether Paul’s IP address is listed.

Access the WEBUI on the Security Gateway, and verify whether Paul’s IP address is listed as a GUI client.

Download Migration Tool R77 for IPSO and Splat/Linux from Check Point website.

Use already installed Migration Tool.

Use Migration Tool from CD/ISO

Fetch Migration Tool R71 for IPSO and Migration Tool R77 for Splat/Linux from CheckPoint website

Assign links to use Dynamic DNS.

Use Load Sharing to distribute VPN traffic.

Use links based on Day/Time.

Use links based on authentication method.

by authentication.

via both private and public keys, without the use of digital Certificates.

by Certificate Authorities, digital certificates, and public key encryption.

by Certificate Authorities, digital certificates, and two-way symmetric-key encryption.

Assign links to specific VPN communities.

Probe links for availability.

Use links based on authentication method.

Use links based on Day/Time.

The VPN Client is assigned a Security Gateway to connect to based on a priority list, should the first connection fail.

MEP VPN’s are not restricted to the location of the gateways.

MEP Security Gateways cannot be managed by separate Management Servers.

State synchronization between Security Gateways is required.

Host-based VPN

Route-based VPN

Domain-based VPN

Subnet-based VPN

IPsec

CRL

PKCS

S/MIME

gated

There's no separate process, but the Linux default router can take care of that.

routerd

arouted

CPD

FWSYNC

CPLMD

FWM

Install policy and exit SmartDashboard.

Disconnect all GUI clients.

Run a cpstop on the Security Management Server.

Run a cpstop on the Security Gateway.

CPD

FWM

FWD

FWSSD

NAT_dst_any_list

NAT_alloc

NAT_src_any_list

fwx_alloc

sim affinity

splat proc

set proc

fw fat path nic

Put the most frequently used rules at the bottom of the QoS Rule Base.

Define Check Point QoS only on the external interfaces of the QoS Module.

Turn per rule limits into per connection limits

Turn per rule guarantees into per connection guarantees.

Secure Platform back up utilities

Manual copies of the directory $FWDIR/conf

Database Revision Control

Commands upgrade_export and upgrade_import

This can be solved by running the command Sticky VPN on the Check Point CLI. This keeps the VPN Sticky to one member and the problem is resolved.

This is surely a problem in the ISPs network and not related to the VPN configuration.

This can be solved when using clusters; they have to use single firewalls.

This can easily be solved by using the Sticky decision function in ClusterXL.

Upgrade the SmartCenter Server and the five remote Gateways via Smart Update, at the same time.

1. Copy the $FWDIR\conf directory from the SmartCenter Server.2. Save directory contents to another directory.3. Uninstall the SmartCenter Server, and install a new SmartCenter Server.4. Move directory contents to $FWDIR\conf.5. Reinstall all gateways using NGX and install a policy.

1. From the VPN-1 NGX CD in the SmartCenter Server, select "advance upgrade".2. After importing the SmartCenter configuration into the new NGX SmartCenter, reboot.3. Upgrade all licenses and software on all five remote Gateways via SmartUpdate.

1. Upgrade the five remote Gateways via SmartUpdate.2. Upgrade the SmartCenter Server, using the VPN-1 NGX CD.

1. Upgrade the SmartCenter Server, using the VPN-1 NGX CD.2. Reinstall and update the licenses of the five remote Gateways.

cp /etc/sysconfig/network.C [location]

ipconfig -a > [filename].txt

ifconfig > [filename].txt

netstat -m > [filename].txt

Run cpconfig, supply the Login Name. Profile Properties, Name, Access Applications and Permissions.

In Smart Dashboard, click Smart Workflow/ Enable Smart Workflow and the Enable SmartWorkflow wizard will start. Supply the Login Name, Profile Properties, Name, Access Applications and Permissions when prompted.

On the Provider-1 primary MDS, run cpconfig, supply the Login Name, Profile Properties, Name, Access Applications and Permissions.

In Smart Dashboard, click Users and Administrators right click Administrators / New Administrator and supply the Login Name. Profile Properties, Name, Access Applications and Permissions.

If the DLP Policy is applied to HTTP traffic.

If there are one or more Inform Rules.

If there are one or more Ask User rules.

If the action of all rules is Detect and no Data Owners are configured.

Assign a severity level to an event.

Display the received events.

Analyze each IPS log entry as it enters the Log server.

Forward what is known as an event to the SmartEvent Server.

Verify if another rule exists.

Verify if any logging or alerts are defined.

Verify if the packet should be moved through the TCP/IP stack.

Verify if the packet should be rejected.

No. SmartCenter SIC will interfere with the function of SmartEvent.

No. If SmartCenter is already under stress, the use of a separate server for SmartEvent is recommended.

No, SmartEvent and Smartcenter cannot be installed on the same machine at the same time.

Yes. SmartEvent must be installed on your SmartCenter Server.

fw monitor was restricted to the wrong interface.

Like SmartView Tracker only the first packet of a connection will be captured by fw monitor.

By default only SYN pakets are captured.

Acceleration was turned on and therefore fw monitor sees only SYN.

fw stat

fw ctl sync

fw ctl pstat

cphaprob stat