Exam A
QUESTION 1
You have two Nokia Appliances, one IP530 and one IP380. Both Appliances have IPSO 39 and VPN-1 Pro NGX installed in a distributed deployment. Can they be members of a gateway cluster?
A. No, because the Gateway versions must not be the same on both security gateways
B. Yes, as long as they have the same IPSO version and the same VPN-1 Pro version
C. No, because members of a security gateway cluster must be installed as stand-alone deployments
D. Yes, because both gateways are from Nokia, whether they have the same VPN-1 PRO version or not
E. No, because the appliances must be of the same model (both should be IP530 or IP380).
Correct Answer: B
QUESTION 2
You want VPN traffic to match packets from internal interfaces. You also want the traffic to exit the Security Gateway, bound for all site-to-site VPN Communities, including Remote Access Communities. How should you configure the VPN match rule?
A. Internal_clear >- All_GwToGw
B. Communities >- Communities
C. Internal_clear >- External_Clear
D. Internal_clear >- Communities
E. Internal_clear >- All_communities
Correct Answer: E
QUESTION 3
Review the following rules and note the Client Authentication Action properties screen, as shown in the exhibit.
After being authenticated by the Security Gateway when a user starts an HTTP connection to a Web site, the user tries to FTP to another site using the command line. What happens to the user? The…
A. FTP session is dropped by the implicit Cleanup Rule.
B. User is prompted from the FTP site only, and does not need to enter username and password for the Client Authentication.
C. FTP connection is dropped by rule 2.
D. FTP data connection is dropped, after the user is authenticated successfully.
E. User is prompted for authentication by the Security Gateway again.
Correct Answer: B
QUESTION 4
After being authenticated by the Security Gateway when a user starts an HTTP connection to a Web site, the user tries to FTP to another site using the command line. What happens to the user? The:
A. FTP session is dropped by the implicit Cleanup Rule
B. User is prompted from that FTP site only, and does not need to enter username and password for Client Authentication
C. FTP connection is dropped by rule 2
D. FTP data connection is dropped, after the user is authenticated successfully
E. User is prompted for authentication by the Security Gateway again
Correct Answer: B
QUESTION 5
You want to upgrade a SecurePlatform NG with Application Intelligence (AI) R55 Gateway to SecurePlatform NGX R60 via SmartUpdate. Which package is needed in the repository before upgrading?
A. SVN Foundation and VPN-1 Express/Pro
B. VPN-1 and FireWall-1
C. SecurePlatform NGX R60
D. SVN Foundation
E. VPN-1 Pro/Express NGX R60
Correct Answer: C
QUESTION 6
What is the command to see the licenses of the Security Gateway Certkiller from your SmartCenter Server?
A. print Certkiller
B. fw licprint Certkiller
C. fw tab -t fwlic Certkiller
D. cplic print Certkiller
E. fw lic print Certkiller
Correct Answer: D
QUESTION 7
You set up a mesh VPN Community, so your internal network can access your partner's network, and vice versa. Your Security Policy encrypts only FTP and HTTP traffic through a VPN tunnel. All traffic among your internal and partner networks is sent in clear text. How do you configure the VPN Community?
A. Disable "accept all encrypted traffic", and put FTP and http in the Excluded services in the Community object. Add a rule in the Security Policy for services FTP and http, with the Community object in the VPN field
B. Disable "accept all encrypted traffic" in the Community, and add FTP and http services to the Security Policy, with that Community object in the VPN field
C. Enable "accept all encrypted traffic", but put FTP and http in the Excluded services in the Community. Add a rule in the Security Policy with services FTP and http, and the Community object in the VPN field
D. Put FTP and http in the Excluded services in the Community object. Then add a rule in the Security Policy to allow any as the service, with the Community object in the VPN field
Correct Answer: B
QUESTION 8
Ophelia is the Security Administrator for a shipping company. Her company uses a custom application to update the distribution database. The custom application includes a service used only to notify remote sites that the distribution database is malfunctioning. The perimeter Security Gateway's Rule Base includes a rule to accept this traffic. Ophelia needs to be notified, via a text message to her cellular phone, whenever traffic is accepted on this rule. Which of the following options is MOST appropriate for Ophelia's requirement?
A. User-defined alert script
B. Logging implied rules
C. SmartViewMonitor
D. Pop-up API
E. SNMP trap
Correct Answer: A
QUESTION 9
You are reviewing SmartView Tracker entries, and see a Connection Rejection on a Check Point QoS rule. What causes the Connection Rejection?
A. No QoS rule exists to match the rejected traffic
B. The number of guaranteed connections is exceeded. The rule’s action properties are not set to accept additional connections
C. The Constant Bit Rate for a Low Latency Class has been exceeded by greater than 10%, and the Maximal Delay is set below requirements
D. Burst traffic matching the Default Rule is exhausting the Check Point QoS global packet buffers
E. The guarantee of one of the rule’s sub-rules exceeds the guarantee in the rule itself
Correct Answer: B
QUESTION 10
Choose the BEST sequence for configuring user management on SmartDashboard, for use with an LDAP server.
A. Enable LDAP in Global Properties, configure a host-node object for the LDAP Server, and configure a server object for the LDAP Account Unit
B. Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties
C. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP server using an OPSEC application
D. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object
E. Configure a server object for the LDAP Account Unit, and create an LDAP resource object
Correct Answer: A
Exam A
QUESTION 1
Which of the following can function as a Management Server for a VSX Gateway?
A. Check Point Integrity
B. SiteManager-1 NGX: Multi-Domain Server
C. Security Management Portal
D. VPN-1/FireWall-1 Small Office
E. Provider-1 NGX: Multi-Domain Server
Correct Answer: E
QUESTION 2
You are configuring source-based routing in a VSX Gateway deployment with both External and Internal Virtual Routers. Which of the following functions cannot be configured for the Virtual Systems?
A. Virtual System clustering
B. Anti-spoofing measures
C. Network Address Translation
D. Remote access VPNs
E. Intranet VPNs
Correct Answer: B
QUESTION 3
During MDS installation, you must configure at least one VSX Administrator. After creating the Administrator, you are prompted to perform which task?
A. Grant VSX-specific privileges to the Administrator
B. Assign the Administrator to manage a specific Virtual System
C. Add the Administrator to a group
D. Assign the Administrator to manage a specific interface on the VSX Gateway
E. Assign the Administrator to manage a specific CMA
Correct Answer: C
QUESTION 4
In a VSX Gateway cluster, which of the following objects are available by default as installation targets for the Management Virtual System?
A. Individual Management Virtual Systems (MVS) for each cluster member
B. MVS cluster object
C. Individual External Virtual Routers for each cluster member
D. Virtual Switch cluster object
E. Individual Virtual Switch Members
Correct Answer: B
QUESTION 5
Which of the following MDS types allows you to create and manage a VSX Gateway?
A. MDS CLM
B. MDS Manager station
C. MDS VSX Integrator
D. MDS MLM
E. MDS Manager + Container station
Correct Answer: E
QUESTION 6
What are the two levels of VSX Gateway clustering?
A. INSPECT and database level
B. Database and VSX Gateway levels
C. Virtual device and database levels
D. INSPECT and configuration levels
E. Virtual device and VSX Gateway levels
Correct Answer: E
QUESTION 7
When deploying a VSX Gateway managed by a SmartCenter Server, which of the following statements is TRUE?
A. VSX Administrators can configure different domains for each Virtual System.
B. Multiple Administrators can simultaneously connect to the same database, to manage multiple Customers.
C. All Customer objects, rules, and users are shared in a single database.
D. Each Virtual System has its own unique Certificate Authority.
E. VSX superuser Administrators can configure granular permissions for each Customer Administrator.
Correct Answer: C
QUESTION 8
What is the difference between Single-Context and Multi-Context processes?
A. Single-Context processes are implemented in standard firewall deployments, while only Multi-Context processes are implemented in VSX Gateway deployments.
B. Single-Context processes are shared between VSX Gateways in an HA configuration, while Multi-Context processes are shared between VSX Gateways in a Load Sharing environment.
C. Single-Context processes are ones in which all Virtual Systems share, while Multi-Context processes are unique to each Virtual System.
D. Single-Context processes are implemented in a single VSX Gateway environment, while Multi-Context processes are only implemented in VSX Gateway High Availability (HA).
E. Single-Context processes are unique to each Virtual System on a Gateway, while Multi-Context processes are ones in which all Virtual Systems share.
Correct Answer: E
QUESTION 9
A Warp Link is a virtual point-to-point connection between a:
A. Virtual Router and Virtual System.
B. Virtual Router and Virtual Switch.
C. Virtual System and the management interface.
D. Virtual Router and a physical interface.
E. Virtual System and another Virtual System.
Correct Answer: A
QUESTION 10
Which of the following statements is true concerning the default Security Policy of the External Virtual Router?
A. The External Virtual Router automatically performs Hide NAT behind its external interface for all Virtual Systems connected to it.
B. The default Policy of the External Virtual Router denies all traffic going to or coming from it.
C. The default policy of the External Virtual Router cannot be changed.
D. All traffic coming from networks protected by a VSX Gateway is accepted. All other traffic is dropped.
E. The External Virtual Router always enforces the same Policy as the Management Virtual System.
Correct Answer: B
Exam A
QUESTION 1
VSX clusters are defined at two levels:
A. VSX cluster and physical device
B. VSX cluster and virtual device
C. VSX Gateway and physical device
D. VSX cluster and VSX Gateway
E. VSX Gateway and Virtual device
Correct Answer: E
QUESTION 2
What is the term used to describe a port or interface that shares traffic from more than one VLAN?
A. VLAN riding
B. VLAN trunking
C. Frame-Strata enabled
D. Comprehensive Layer-2 label support
E. Comprehensive VLAN Tag support
Correct Answer: B
QUESTION 3
TRUE or FALSE. A Virtual System in Bridge Mode can enforce anti-spoofing definitions.
A. False, anti-spoofing can't be configured for Virtual Systems in Bridge Mode
B. True, as long as the Virtual System has more than two interfaces defined
C. True, anti-spoofing must be manually defined in bridge mode
D. True, as long as Network Address Translation is performed
E. True, anti-spoofing measures are defined automatically in Bridge Mode
Correct Answer: C
QUESTION 4
The ____________ interface is configured in a VLAN environment, to allow multiple Virtual Systems to share a single physical interface on a VSX Gateway.
A. Synchronization
B. Warp
C. Symbolic
D. Virtual
E. Physical
Correct Answer: D
QUESTION 5
At installation, the __________ is bound to all configured physical interfaces of a VSX Gateway, UNLESS the interfaces are specifically assigned to another component.
A. VSX Management Server
B. Synchronization Network
C. Internal Virtual Router
D. External Virtual Router
E. Management Virtual System
Correct Answer: E
QUESTION 6
The provisioning and network configuration channel does NOT:
A. Create Virtual Systems and Virtual Routers on a Gateway
B. Install Administrator defined Security Policies
C. Install a default Security Policy blocking all traffic
D. Create a SIC Certificate for new objects and transfer the Certificate to an object on the VSX Gateway
E. Configure interface and routing information on the Gateway
Correct Answer: B
QUESTION 7
Which of the following is a type of VLAN membership?
A. Port-based
B. Time-based
C. Session-based
D. Protocol-based
E. Application-based
Correct Answer: D
QUESTION 8
Which of the following is NOT a type of physical interface seen in a VSX Gateway?
A. Dedicated management
B. Synchronization
C. External
D. Internal
E. Warp
Correct Answer: E
QUESTION 9
A Virtual System in Bridge Mode is a Virtual System that implements:
A. Dynamic IP Routing
B. Network Address Translation
C. IP Routing
D. Native Layer-2 Communications
E. VLAN Tagging
Correct Answer: D
QUESTION 10
Which of the following virtual devices will NOT fail over, if its interface fails in a VSX High Availability configuration?
A. Management Virtual System Interfaces
B. External Virtual Router
C. Virtual Switch
D. Virtual System with VLAN Interfaces
E. Virtual System with dedicated interfaces
Correct Answer: C
QUESTION 11
The _____________ interface is configured in a VLAN environment, to allow multiple Virtual Systems to share a single physical interface on a VSX Gateway.
A. Synchronization
B. Symbolic
C. Warp
D. Physical
E. Virtual
Correct Answer: E