Author: newcertskey
QUESTION 38
A network engineer is extending a LAN segment between two geographically separated data centers. Which enhancement to a spanning-tree design prevents unnecessary traffic from crossing the extended LAN segment?
A. Modify the spanning-tree priorities to dictate the traffic flow.
B. Create a Layer 3 transit VLAN to segment the traffic between the sites.
C. Use VTP pruning on the trunk interfaces.
D. Configure manual trunk pruning between the two locations.
Correct Answer: C
Explanation:
Pruning unnecessary VLANs from the trunk can be performed with one of two methods:
Manual pruning of the unnecessary VLAN on the trunk–This is the best method, and it avoids the use of the spanning tree. Instead, the method runs the pruned VLAN on trunks.
VTP pruning–Avoid this method if the goal is to reduce the number of STP instances. VTP-pruned VLANs on a trunk are still part of the spanning tree.
Therefore, VTP-pruned VLANs do not reduce the number of spanning tree port instances. Since the question asked for the choice that is an enhancement to the STP design, VTP pruning is the best choice.
Reference: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080890613.shtml
QUESTION 39
The network manager has requested that several new VLANs (VLAN 10, 20, and 30) are allowed to traverse the switch trunk interface. After the command switchport trunk allowed vlan 10,20,30 is issued, all other existing VLANs no longer pass traffic over the trunk. What is the root cause of the problem?
A. The command effectively removed all other working VLANs and replaced them with the new VLANs.
B. VTP pruning removed all unused VLANs.
C. ISL was unable to encapsulate more than the already permitted VLANs across the trunk.
D. Allowing additional VLANs across the trunk introduced a loop in the network.
Correct Answer: A
Explanation:
The “switchport trunk allowed vlan” command will only allow the specified VLANs, and overwrite any others that were previously defined. You would also need to explicitly allow the other working VLANs in this configuration command, or issue the “switchport trunk allowed vlan add vlan-list” command instead to add these 3 VLANs to the other defined allowed VLANs.
Reference: https://supportforums.cisco.com/document/11836/how-define-vlans-allowed-trunk-link
QUESTION 40
When you design a switched network using VTPv2, how many VLANs can be used to carry user traffic?
A. 1000
B. 1001
C. 1024
D. 2048
E. 4095
F. 4096
Correct Answer: B
Explanation:
VTP versions 1 and 2 support normal VLAN numbers (1-1001). Only VTP version 3 supports extended VLANs (1-4095).
Reference: http://cciememo.blogspot.com/2012/11/difference-between-vtp-versions.html
QUESTION 41
What does the command vlan dot1q tag native accomplish when configured under global configuration?
A. All frames within the native VLAN are tagged, except when the native VLAN is set to 1.
B. It allows control traffic to pass using the non-default VLAN.
C. It removes the 4-byte dot1q tag from every frame that traverses the trunk interface(s).
D. Control traffic is tagged.
Correct Answer: D
Explanation:
The “vlan dot1q tag native” command will tag all untagged frames, including control traffic, with the defined native VLAN.
QUESTION 42
A network engineer has just deployed a non-Cisco device in the network and wants to get information about it from a connected device. Cisco Discovery Protocol is not supported, so the open standard protocol must be configured. Which protocol does the network engineer configure on both devices to accomplish this?
A. IRDP
B. LLDP
C. NDP
D. LLTD
Correct Answer: B
Explanation:
The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, principally wired Ethernet. LLDP performs functions similar to several proprietary protocols, such as the Cisco Discovery Protocol (CDP).
Reference: http://en.wikipedia.org/wiki/Link_Layer_Discovery_Protocol
QUESTION 43
A manager tells the network engineer to permit only certain VLANs across a specific trunk interface. Which option can be configured to accomplish this?
A. allowed VLAN list
B. VTP pruning
C. VACL
D. L2P tunneling
Correct Answer: A
Explanation:
When a trunk link is established, all of the configured VLANs are allowed to send and receive traffic across the link. VLANs 1 through 1005 are allowed on each trunk by default. However, VLAN traffic can be removed from the allowed list. This keeps traffic from the VLANs from passing over the trunk link.
Note: The allowed VLAN list on both the ends of the trunk link should be the same.
For Integrated Cisco IOS Software based switches, perform these steps:
1. To restrict the traffic that a trunk carries, issue the switchport trunk vlan-list interface configuration command. This removes specific VLANs from the allowed list.
Reference: https://supportforums.cisco.com/document/11836/how-define-vlans-allowed-trunk-link
QUESTION 44
For client server failover purposes, the application server team has indicated that they must not have the standard 30 second delay before their switchport enters a forwarding state. For their disaster recovery feature to operate successfully, they require the switchport to enter a forwarding state immediately. Which spanning-tree feature satisfies this requirement?
A. Rapid Spanning-Tree
B. Spanning-Tree Timers
C. Spanning-Tree FastPort
D. Spanning-Tree PortFast
E. Spanning-Tree Fast Forward
Correct Answer: D
Explanation:
In order to allow immediate transition of the port into forwarding state, enable the STP PortFast feature. PortFast immediately transitions the port into STP forwarding mode upon linkup. The port still participates in STP. So if the port is to be a part of the loop, the port eventually transitions into STP blocking mode.
Example configuration:
Switch-C# configure terminal
Switch-C(config)# interface range fa0/3 - 24
Switch-C(config-if-range)# spanning-tree portfast
Reference: http://www.informit.com/library/content.aspx?b=CCNP_Studies_Switching&seqNum=36
QUESTION 45
Which command does a network engineer use to verify the spanning-tree status for VLAN 10?
A. switch# show spanning-tree vlan 10
B. switch# show spanning-tree bridge
C. switch# show spanning-tree brief
D. switch# show spanning-tree summary
E. switch# show spanning-tree vlan 10 brief
Correct Answer: A
Explanation:
Command | Description
show spanning-tree | Displays information about the spanning-tree state.
Example output:
SW2#show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     0014.f2d2.4180
             Cost        9
             Port        216 (Port-channel21)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32778 (priority 32768 sys-id-ext 10)
             Address     001c.57d8.9000
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface  Role Sts Cost  Prio.Nbr Type
---------- ---- --- ----- -------- ----
Po21       Root FWD 9     128.216  P2p
Po23       Altn BLK 9     128.232  P2p
Reference: http://www.cisco.com/en/US/docs/ios/lanswitch/command/reference/lsw_s2.html
QUESTION 46
A new network that consists of several switches has been connected together via trunking interfaces. If all switches currently have the default VTP domain name “null”, which statement describes what happens when a domain name is configured on one of the switches?
A. The switch with the non-default domain name restores back to “null” upon reboot.
B. Switches with higher revision numbers does not accept the new domain name.
C. VTP summary advertisements are sent out of all ports with the new domain name.
D. All other switches with the default domain name become VTP clients.
Correct Answer: C
Explanation:
By default, a switch will have a domain name of NULL and no password. If the switch hears a VTP advertisement it will automatically learn the VTP domain name, VLANs, and the configuration revision number.
Summary advertisements are sent out every 300 seconds and every time a change occurs on the VLAN database. Contained in a summary advertisement:
VTP version
Domain name
Configuration revision number
Time stamp
MD5 encryption hash code
Reference: https://rowell.dionicio.net/configuring-cisco-vtp/
QUESTION 47
A network engineer is setting up a new switched network. The network is expected to grow and add many new VLANs in the future. Which Spanning Tree Protocol should be used to reduce switch resources and managerial burdens that are associated with multiple spanning-tree instances?
A. RSTP
B. PVST
C. MST
D. PVST+
E. RPVST+
Correct Answer: C
Explanation:
Multiple Spanning Tree (MST) extends the IEEE 802.1w RST algorithm to multiple spanning trees. The main purpose of MST is to reduce the total number of spanning-tree instances to match the physical topology of the network and thus reduce the CPU cycles of a switch. PVRST+ runs STP instances for each VLAN and does not take into consideration the physical topology that might not require many different STP topologies. MST, on the other hand, uses a minimum number of STP instances to match the number of physical topologies present.
Figure 3-15 shows a common network design, featuring an access Switch A, connected to two Building Distribution submodule Switches D1 and D2. In this setup, there are 1000 VLANs, and the network administrator typically seeks to achieve load balancing on the access switch uplinks based on even or odd VLANs–or any other scheme deemed appropriate.
Figure 3-15: VLAN Load Balancing
Figure 3-15 illustrates two links and 1000 VLANs. The 1000 VLANs map to two MST instances. Rather than maintaining 1000 spanning trees, each switch needs to maintain only two spanning trees, reducing the need for switch resources.
Reference: http://ciscodocuments.blogspot.com/2011/05/chapter-03-implementing-spanning-tree_19.html
QUESTION 48
Which statement about the use of SDM templates in a Cisco switch is true?
A. SDM templates are used to configure system resources in the switch to optimize support for specific features, depending on how the switch is used in the network.
B. SDM templates are used to create Layer 3 interfaces (switch virtual interfaces) to permit hosts in one VLAN to communicate with hosts in another VLAN.
C. SDM templates are used to configure ACLs that protect networks and specific hosts from unnecessary or unwanted traffic.
D. SDM templates are used to configure a set of ACLs that allows the users to manage the flow of traffic handled by the route processor.
E. SDM templates are configured by accessing the switch using the web interface.
Correct Answer: A
Explanation:
You can use SDM templates to configure system resources in the switch to optimize support for specific features, depending on how the switch is used in the network. You can select a template to provide maximum system usage for some functions; for example, use the default template to balance resources, and use access template to obtain maximum ACL usage. To allocate hardware resources for different usages, the switch SDM templates prioritize system resources to optimize support for certain features.
Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/swsdm.pdf
QUESTION 49
Which SDM template disables routing and supports the maximum number of unicast MAC addresses?
A. VLAN
B. access
C. default
D. routing
Correct Answer: A
Explanation:
To allocate ternary content addressable memory (TCAM) resources for different usages, the switch SDM templates prioritize system resources to optimize support for certain features. You can select SDM templates to optimize these features:
Access–The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.
Default–The default template gives balance to all functions.
Routing–The routing template maximizes system resources for IPv4 unicast routing, typically required for a router or aggregator in the center of a network.
VLANs–The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.
Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swsdm.pdf
QUESTION 50
Which SDM template is the most appropriate for a Layer 2 switch that provides connectivity to a large number of clients?
A. VLAN
B. default
C. access
D. routing
Correct Answer: A
Explanation:
To allocate ternary content addressable memory (TCAM) resources for different usages, the switch SDM templates prioritize system resources to optimize support for certain features. You can select SDM templates to optimize these features:
Access–The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.
Default–The default template gives balance to all functions.
Routing–The routing template maximizes system resources for IPv4 unicast routing, typically required for a router or aggregator in the center of a network.
VLANs–The VLAN template disables routing and supports the maximum number of unicast MAC addresses (clients). It would typically be selected for a Layer 2 switch.
Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swsdm.pdf
QUESTION 51
In a Cisco switch, what is the default period of time after which a MAC address ages out and is discarded?
A. 100 seconds
B. 180 seconds
C. 300 seconds
D. 600 seconds
Correct Answer: C
Explanation:
To configure the aging time for all MAC addresses, perform this task:
Step | Command | Purpose
Step 1 | switch# configure terminal | Enters configuration mode.
Step 2 | switch(config)# mac-address-table aging-time seconds [vlan vlan_id] | Specifies the time before an entry ages out and is discarded from the MAC address table. The range is from 0 to 1000000; the default is 300 seconds. Entering the value 0 disables the MAC aging. If a VLAN is not specified, the aging specification applies to all VLANs.
Reference: http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/MACAddress.html
QUESTION 52
If a network engineer applies the command mac-address-table notification mac-move on a Cisco switch port, when is a syslog message generated?
A. A MAC address or host moves between different switch ports.
B. A new MAC address is added to the content-addressable memory.
C. A new MAC address is removed from the content-addressable memory.
D. More than 64 MAC addresses are added to the content-addressable memory.
Correct Answer: A
Explanation:
mac-address-table notification mac-move
To enable MAC-move notification, use the mac-address-table notification mac-move command in global configuration mode. To disable MAC-move notification, use the no form of this command.
mac-address-table notification mac-move [counter [syslog]]
no mac-address-table notification mac-move [counter [syslog]]
Syntax Description
counter: (Optional) Specifies the MAC-move counter feature.
syslog: (Optional) Specifies the syslogging facility when the MAC-move notification detects the first instance of the MAC move.
Usage Guidelines
MAC-move notification generates a syslog message whenever a MAC address or host moves between different switch ports.
Reference: http://www.cisco.com/en/US/docs/ios/lanswitch/command/reference/lsw_m1.html
QUESTION 53
Which option is a possible cause for an errdisabled interface?
A. routing loop
B. cable unplugged
C. STP loop guard
D. security violation
Correct Answer: D
Explanation:
There are various reasons for the interface to go into errdisable. The reason can be:
Duplex mismatch
Port channel misconfiguration
BPDU guard violation
UniDirectional Link Detection (UDLD) condition
Late-collision detection
Link-flap detection
Security violation
Port Aggregation Protocol (PAgP) flap
Layer 2 Tunneling Protocol (L2TP) guard
DHCP snooping rate-limit
Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
Address Resolution Protocol (ARP) inspection
Inline power
Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml
QUESTION 54
What is the default value for the errdisable recovery interval in a Cisco switch?
A. 30 seconds
B. 100 seconds
C. 300 seconds
D. 600 seconds
Correct Answer: C
Explanation:
After you fix the root problem, the ports are still disabled if you have not configured errdisable recovery on the switch. In this case, you must reenable the ports manually. Issue the shutdown command and then the no shutdown interface mode command on the associated interface in order to manually reenable the ports.
The errdisable recovery command allows you to choose the type of errors that automatically reenable the ports after a specified amount of time. The show errdisable recovery command shows the default error-disable recovery state for all the possible conditions.
cat6knative#show errdisable recovery
ErrDisable Reason Timer Status
udld Disabled
bpduguard Disabled
security-violatio Disabled
channel-misconfig Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
l2ptguard Disabled
psecure-violation Disabled
gbic-invalid Disabled
dhcp-rate-limit Disabled
mac-limit Disabled
unicast-flood Disabled
arp-inspection Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Note: The default timeout interval is 300 seconds and, by default, the timeout feature is disabled.
Reference:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml
QUESTION 55
Which statement about LLDP-MED is true?
A. LLDP-MED is an extension to LLDP that operates between endpoint devices and network devices.
B. LLDP-MED is an extension to LLDP that operates only between network devices.
C. LLDP-MED is an extension to LLDP that operates only between endpoint devices.
D. LLDP-MED is an extension to LLDP that operates between routers that run BGP.
Correct Answer: A
Explanation:
LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between endpoint devices such as IP phones and network devices such as switches. It specifically provides support for voice over IP (VoIP) applications and provides additional TLVs for capabilities discovery, network policy, Power over Ethernet, and inventory management.
Reference: http://www.cisco.com/en/US/docs/switches/metro/me3400/software/release/12.2_58_se/configuration/guide/swlldp.pdf
QUESTION 56
Which statement about Cisco devices learning about each other through Cisco Discovery Protocol is true?
A. Each device sends periodic advertisements to multicast address 01:00:0C:CC:CC:CC.
B. Each device broadcasts periodic advertisements to all of its neighbors.
C. Each device sends periodic advertisements to a central device that builds the network topology.
D. Each device sends periodic advertisements to all IP addresses in its ARP table.
Correct Answer: A
Explanation:
Cisco devices send periodic CDP announcements to the multicast destination address 01-00-0c-cc-cc-cc, out each connected network interface. These multicast packets may be received by Cisco switches and other networking devices that support CDP into their connected network interface.
Reference: http://network.spravcesite.net/subdom/network/index.php?id=cdp
QUESTION 57
Which option lists the information that is contained in a Cisco Discovery Protocol advertisement?
A. native VLAN IDs, port-duplex, hardware platform
B. native VLAN IDs, port-duplex, memory errors
C. native VLAN IDs, memory errors, hardware platform
D. port-duplex, hardware platform, memory errors
Correct Answer: A
Explanation:
Type-Length-Value fields (TLVs) are blocks of information embedded in CDP advertisements. Table 21 summarizes the TLV definitions for CDP advertisements.
Table 21 Type-Length-Value Definitions for CDPv2
TLV | Definition
Device-ID TLV | Identifies the device name in the form of a character string.
Address TLV | Contains a list of network addresses of both receiving and sending devices.
Port-ID TLV | Identifies the port on which the CDP packet is sent.
Capabilities TLV | Describes the functional capability for the device in the form of a device type, for example, a switch.
Version TLV | Contains information about the software release version on which the device is running.
Platform TLV | Describes the hardware platform name of the device, for example, Cisco 4500.
IP Network Prefix TLV | Contains a list of network prefixes to which the sending device can forward IP packets. This information is in the form of the interface protocol and port number, for example, Eth 1/0.
VTP Management Domain TLV | Advertises the system’s configured VTP management domain name-string. Used by network operators to verify VTP domain configuration in adjacent network nodes.
Native VLAN TLV | Indicates, per interface, the assumed VLAN for untagged packets on the interface. CDP learns the native VLAN for an interface. This feature is implemented only for interfaces that support the IEEE 802.1Q protocol.
Full/Half Duplex TLV | Indicates status (duplex configuration) of CDP broadcast interface. Used by network operators to diagnose connectivity problems between adjacent network elements.
Reference: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf015.html
QUESTION 58
Which option describes a limitation of LLDP?
A. LLDP cannot provide information about VTP.
B. LLDP does not support TLVs.
C. LLDP can discover only Windows servers.
D. LLDP can discover up to two devices per port.
Correct Answer: A
Explanation:
LLDP Versus Cisco Discovery Protocol TLV Comparison
Function Description | LLDP TLV | Cisco Discovery Protocol TLV
IP network prefix support-Used to send the network prefix and used for ODR | No | IP Network Prefix TLV
Hello piggybacking-Can be used to piggy back hello messages from other protocols | No | Protocol Hello TLV
Maximum-transmission-unit (MTU) support-Specifies the size of the MTU | No | MTU TLV
External port support-Used to identify the card terminating the fiber in the case of wavelength-division multiplexing (WDM) | No | External Port-ID TLV
VTP management support | No | VTP Management Domain TLV
Port unidirectional mode-Used in fiber, where the connection may be unidirectional | No | Port UniDirectional Mode TLV
Management address | Management Address TLV | Management-Address TLV
Allows for organizational unique TLVs | Yes | No
Reference: http://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html
QUESTION 59
Which statement about the UDLD protocol is true?
A. UDLD is a Cisco-proprietary Layer 2 protocol that enables devices to monitor the physical status of links and detect unidirectional failures.
B. UDLD is a Cisco-proprietary Layer 2 protocol that enables devices to advertise their identity, capabilities, and neighbors on a local area network.
C. UDLD is a standardized Layer 2 protocol that enables devices to monitor the physical status of links and detect unidirectional failures.
D. UDLD is a standardized Layer 2 protocol that enables devices to advertise their identity, capabilities, and neighbors on a local area network.
Correct Answer: A
Explanation:
The Cisco-proprietary UDLD protocol monitors the physical configuration of the links between devices and ports that support UDLD. UDLD detects the existence of unidirectional links. When a unidirectional link is detected, UDLD puts the affected port into the errdisabled state and alerts the user.
Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/udld.html
QUESTION 60
Which option lists the modes that are available for configuring UDLD on a Cisco switch?
A. normal and aggressive
B. active and aggressive
C. normal and active
D. normal and passive
E. normal and standby
Correct Answer: A
Explanation:
The Cisco-proprietary UDLD protocol monitors the physical configuration of the links between devices and ports that support UDLD. UDLD detects the existence of unidirectional links. When a unidirectional link is detected, UDLD puts the affected port into the errdisabled state and alerts the user. UDLD can operate in either normal or aggressive mode.
Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/udld.html
QUESTION 61
What is the default interval at which Cisco devices send Cisco Discovery Protocol advertisements?
A. 30 seconds
B. 60 seconds
C. 120 seconds
D. 300 seconds
Correct Answer: B
Explanation:
Cisco Discovery Protocol is a Layer 2, media-independent, and network-independent protocol that networking applications use to learn about nearby, directly connected devices. Cisco Discovery Protocol is enabled by default. Each device configured for Cisco Discovery Protocol advertises at least one address at which the device can receive messages and sends periodic advertisements (messages) to the well-known multicast address 01:00:0C:CC:CC:CC. Devices discover each other by listening at that address. They also listen to messages to learn when interfaces on other devices are up or go down. Advertisements contain time-to-live information, which indicates the length of time a receiving device should hold Cisco Discovery Protocol information before discarding it. Advertisements supported and configured in Cisco software are sent, by default, every 60 seconds.
Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/cdp/configuration/15-mt/nm-cdp-discover.html
QUESTION 62
Which statement about Cisco Discovery Protocol configuration on a Cisco switch is true?
A. CDP is enabled by default and can be disabled globally with the command no cdp run.
B. CDP is disabled by default and can be enabled globally with the command cdp enable.
C. CDP is enabled by default and can be disabled globally with the command no cdp enable.
D. CDP is disabled by default and can be enabled globally with the command cdp run.
Correct Answer: A
Explanation:
CDP is enabled on your router by default, which means the Cisco IOS software will receive CDP information. CDP also is enabled on supported interfaces by default. To disable CDP on an interface, use the “no cdp enable” interface configuration command. To disable it globally, use the “no cdp run” command.
Reference:
http://www.cisco.com/en/US/docs/ios/12_2/configfun/command/reference/frf015.html#wp10175
QUESTION 63
Which VTP mode is needed to configure an extended VLAN, when a switch is configured to use VTP versions 1 or 2?
A. transparent
B. client
C. server
D. Extended VLANs are only supported in version 3 and not in versions 1 or 2.
Correct Answer: D
Explanation:
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are removed from VTP control.
Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vtp.html
QUESTION 64
What is the size of the VLAN field inside an 802.1q frame?
A. 8-bit
B. 12-bit
C. 16-bit
D. 32-bit
Correct Answer: B
Explanation:
The VLAN field is a 12-bit field specifying the VLAN to which the frame belongs. The hexadecimal values of 0x000 and 0xFFF are reserved. All other values may be used as VLAN identifiers, allowing up to 4,094 VLANs.
Reference: http://en.wikipedia.org/wiki/IEEE_802.1Q
QUESTION 65
What is the maximum number of VLANs that can be assigned to an access switchport without a voice VLAN?
A. 0
B. 1
C. 2
D. 1024
Correct Answer: B
Explanation:
A standard (non-voice VLAN port) access switch port can belong to only a single VLAN. If more than one VLAN is needed, the port should be configured as a trunk port.
QUESTION 66
Refer to the exhibit.
Which option shows the expected result if a show vlan command is issued?
A. Exhibit A
B. Exhibit B
C. Exhibit C
D. Exhibit D
Correct Answer: A
Explanation:
In this case, the port has been configured both as a trunk and as a switchport in data vlan 10. Obviously, a port cannot be both, so even though Cisco IOS will accept both, the port will actually be used as a trunk, ignoring the switchport access VLAN 10 command.
QUESTION 67
Which feature is automatically enabled when a voice VLAN is configured, but not automatically disabled when a voice VLAN is removed?
A. portfast
B. port-security
C. spanning tree
D. storm control
Correct Answer: A
Explanation:
Voice VLAN Configuration Guidelines
You should configure voice VLAN on switch access ports.
The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on the voice VLAN. Use the show vlan privileged EXEC command to see if the VLAN is present (listed in the display).
The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.
Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swvoip.html
QUESTION 68
In which portion of the frame is the 802.1q header found?
A. within the Ethernet header
B. within the Ethernet payload
C. within the Ethernet FCS
D. within the Ethernet source MAC address
Correct Answer: A
Explanation:
Frame format
Figure: Insertion of 802.1Q tag in an Ethernet frame
802.1Q does not encapsulate the original frame. Instead, for Ethernet frames, it adds a 32-bit field between the source MAC address and the EtherType/length fields of the original frame.
Reference: http://en.wikipedia.org/wiki/IEEE_802.1Q
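The tag layout described in Questions 64 and 68, as an added example that is not part of the original question set: a Python sketch that inserts a 32-bit 802.1Q tag after the source MAC address and decodes the 12-bit VLAN field again. The function names and the sample frame are constructed for illustration, and the split of the tag's remaining bits into the 0x8100 TPID, PCP and DEI comes from the IEEE 802.1Q standard rather than from this page.

```python
import struct

TPID_8021Q = 0x8100             # value in the EtherType position that marks an 802.1Q tag
VID_MASK = 0x0FFF               # low 12 bits of the tag control field carry the VLAN ID
RESERVED_VIDS = (0x000, 0xFFF)  # reserved values, which leaves 4,094 usable VLAN IDs


def mac_str(raw: bytes) -> str:
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def insert_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Return a copy of an untagged frame with the 4-byte 802.1Q tag placed
    between the source MAC (bytes 6-11) and the EtherType/length field."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not 0 <= vid <= VID_MASK or vid in RESERVED_VIDS:
        raise ValueError(f"VLAN ID {vid} is outside the usable range 1-4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI must be 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    tag = struct.pack("!HH", TPID_8021Q, tci)
    # Nothing is encapsulated: the original header is split and the tag slotted in.
    return frame[:12] + tag + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header, including an 802.1Q tag when one is present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {
        "dst": mac_str(frame[0:6]),
        "src": mac_str(frame[6:12]),
        "tagged": False,
        "vid": None,
        "pcp": None,
        "dei": None,
        "vid_reserved": False,
    }
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # The real EtherType/length field now sits 4 bytes later.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & VID_MASK
        info.update(
            tagged=True,
            vid=vid,
            pcp=tci >> 13,
            dei=(tci >> 12) & 1,
            vid_reserved=vid in RESERVED_VIDS,
        )
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


# Constructed sample: broadcast destination, locally administered source MAC,
# IPv4 EtherType and a dummy payload.
SAMPLE_UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    tagged = insert_tag(SAMPLE_UNTAGGED, vid=10, pcp=5)
    print("tag bytes:", tagged[12:16].hex())
    print(parse_frame(tagged))
```
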
QUESTION 69
Which VLAN range is eligible to be pruned when a network engineer enables VTP pruning on a switch?
A. VLANs 1-1001
B. VLANs 1-4094
C. VLANs 2-1001
D. VLANs 2-4094
Correct Answer: C
Explanation:
VTP pruning should only be enabled on VTP servers; all the clients in the VTP domain will automatically enable VTP pruning. By default, VLANs 2-1001 are pruning eligible, but VLAN 1 can’t be pruned because it’s an administrative VLAN. Both VTP versions 1 and 2 support pruning.
Reference: http://www.orbit-computer-solutions.com/VTP-Pruning.php
QUESTION 70
Which feature must be enabled to eliminate the broadcasting of all unknown traffic to switches that are not participating in the specific VLAN?
A. VTP pruning
B. port-security
C. storm control
D. bpduguard
Correct Answer: A
Explanation:
VTP ensures that all switches in the VTP domain are aware of all VLANs. However, there are occasions when VTP can create unnecessary traffic. All unknown unicasts and broadcasts in a VLAN are flooded over the entire VLAN. All switches in the network receive all broadcasts, even in situations in which few users are connected in that VLAN. VTP pruning is a feature that you use in order to eliminate or prune this unnecessary traffic.
Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html#vtp_pruning
QUESTION 71
Refer to the exhibit.
The users in an engineering department that connect to the same access switch cannot access the network. The network engineer found that the engineering
VLAN is missing from the database.
Which action resolves this problem?
A. Disable VTP pruning and disable 802.1q.
B. Update the VTP revision number.
C. Change VTP mode to server and enable 802.1q.
D. Enable VTP pruning and disable 802.1q.
Correct Answer: C Explanation
Explanation/Reference:
Explanation:
Only VTP servers can add new VLANs to the switched network, so to enable vlan 10 on this switch you will first need to change the VTP mode from client to
server. Then, you will need to enable 802.1Q trunking to pass this new VLAN along to the other switches.
QUESTION 72
Refer to the exhibit.
The network switches for two companies have been connected and manually configured for the required VLANs, but users in company A are not able to access network resources in company B when DTP is enabled. Which action resolves this problem?
A. Delete vlan.dat and ensure that the switch with lowest MAC address is the VTP server.
B. Disable DTP and document the VTP domain mismatch.
C. Manually force trunking with switchport mode trunk on both switches.
D. Enable the company B switch with the vtp mode server command.
Correct Answer: C Explanation
Explanation/Reference:
Explanation:
Since the number of existing VLANs differs on the switches (9 on A and 42 on B), we know that there is a problem with VTP or the trunking interfaces. The VTP domain names do match and they are both VTP servers, so there are no issues there. The only remaining explanation is a DTP issue, so you must instead manually configure the trunk ports between these two switches so that the VLAN information can be sent to each switch.
QUESTION 73
A network engineer must implement Ethernet links that are capable of transporting frames and IP traffic for different broadcast domains that are mutually isolated. Consider that this is a multivendor environment. Which Cisco IOS switching feature can be used to achieve the task?
A. PPP encapsulation with a virtual template
B. Link Aggregation Protocol at the access layer
C. dot1q VLAN trunking
D. Inter-Switch Link
Correct Answer: C Explanation
Explanation/Reference:
Explanation:
Here the question asks for transporting “frames and IP traffic for different broadcast domains that are mutually isolated” which is basically a long way of saying
VLANs so trunking is needed to carry VLAN information. There are 2 different methods for trunking, 802.1Q and ISL. Of these, only 802.1Q is supported by
multiple vendors since ISL is a Cisco proprietary protocol.
QUESTION 74
Which statement about using native VLANs to carry untagged frames is true?
A. Cisco Discovery Protocol version 2 carries native VLAN information, but version 1 does not.
B. Cisco Discovery Protocol version 1 carries native VLAN information, but version 2 does not.
C. Cisco Discovery Protocol version 1 and version 2 carry native VLAN information.
D. Cisco Discovery Protocol version 3 carries native VLAN information, but versions 1 and 2 do not.
Correct Answer: A Explanation
Explanation/Reference:
Explanation:
Cisco Discovery Protocol (CDP) version 2 passes native VLAN information between Cisco switches. If you have a native VLAN mismatch, you will see CDP error
messages on the console output.
Reference: http://www.ciscopress.com/articles/article.asp?p=29803&seqNum=3
QUESTION 75
Refer to the exhibit.
A multilayer switch has been configured to send and receive encapsulated and tagged frames. VLAN 2013 on the multilayer switch is configured as the native VLAN. Which option is the cause of the spanning-tree error?
A. VLAN spanning-tree in SW-2 is configured.
B. spanning-tree bpdu-filter is enabled.
C. 802.1q trunks are on both sides, both with native VLAN mismatch.
D. VLAN ID 1 should not be used for management traffic because it's unsafe.
Correct Answer: C Explanation
Explanation/Reference:
Here we see that the native VLAN has been configured as 2013 on one switch, but 1 (the default native VLAN) on the other switch. If you use 802.1Q trunks, you must ensure that you choose a common native VLAN for each port in the trunk. Failure to do this causes Cisco switches to partially shut down the trunk port because having mismatched native VLANs can result in spanning-tree loops. Native VLAN mismatches are detected via spanning tree and Cisco Discovery Protocol (CDP), not via DTP messages. If spanning tree detects a native VLAN mismatch, spanning tree blocks local native VLAN traffic and the remote switch native VLAN traffic on the trunk; however, the trunk still remains up for other VLANs. Reference: http://www.informit.com/library/content.aspx?b=CCNP_Studies_Switching&seqNum=25
QUESTION 76
A network engineer must improve bandwidth and resource utilization on the switches by stopping the inefficient flooding of frames on trunk ports where the frames
are not needed.
Which Cisco IOS feature can be used to achieve this task?
A. VTP pruning
B. access list
C. switchport trunk allowed VLAN
D. VLAN access-map
Correct Answer: A Explanation
Explanation/Reference:
Explanation:
Cisco advocates the benefits of pruning VLANs in order to reduce unnecessary frame flooding. The “vtp pruning” command prunes VLANs automatically, which
stops the inefficient flooding of frames where they are not needed.
Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/24330-185.html
QUESTION 77
Which action allows a network engineer to limit a default VLAN from being propagated across all trunks?
A. Upgrade to VTP version 3 for advanced feature set support.
B. Enable VTP pruning on the VTP server.
C. Manually prune default VLAN with switchport trunk allowed vlans remove.
D. Use trunk pruning vlan 1.
Correct Answer: C Explanation
Explanation/Reference:
Explanation:
Manually pruning the default VLAN (1) can only be done with the “switchport trunk allowed vlans remove” command. VLAN 1 is not VTP pruning eligible so it cannot be done via VTP pruning. The “trunk pruning vlan 1” option is not a valid command.
QUESTION 78
What is required for a LAN switch to support 802.1q Q-in-Q encapsulation?
A. Support less than 1500 MTU
B. Support 1504 MTU or higher
C. Support 1522 layer 3 IP and IPX packet
D. Support 1547 MTU only
Correct Answer: B Explanation
Explanation/Reference:
Explanation:
The default system MTU for traffic on Catalyst switches is 1500 bytes. Because the 802.1Q tunneling (Q-in-Q) feature increases the frame size by 4 bytes when
the extra tag is added, you must configure all switches in the service-provider network to be able to process maximum frames by increasing the switch system
MTU size to at least 1504 bytes.
Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swtunnel.html
QUESTION 79
Refer to the exhibit.
How many bytes are added to each frame as a result of the configuration?
A. 4-bytes except the native VLAN
B. 8-bytes except the native VLAN
C. 4-bytes including native VLAN
D. 8-bytes including native VLAN
Correct Answer: A Explanation
Explanation/Reference:
Explanation:
In 802.1Q trunking, all VLAN packets are tagged on the trunk link, except the native VLAN. A VLAN tag adds 4 bytes to the frame. Two bytes are used for the tag
protocol identifier (TPID), the other two bytes for tag control information (TCI).
QUESTION 80
A network engineer configured a fault-tolerance link on Gigabit Ethernet links G0/1, G0/2, G0/3, and G0/4 between two switches using Ethernet port-channel. Which action allows interface G0/1 to always actively forward traffic in the port-channel?
A. Configure G0/1 as half duplex and G0/2 as full duplex.
B. Configure LACP port-priority on G0/1 to 1.
C. Configure LACP port-priority on G0/1 to 65535.
D. LACP traffic goes through G0/4 because it is the highest interface ID.
Correct Answer: B Explanation
Explanation/Reference:
Explanation:
A LACP port priority is configured on each port using LACP. The port priority can be configured automatically or through the CLI. LACP uses the port priority with
the port number to form the port identifier. The port priority determines which ports should be put in standby mode when there is a hardware limitation that
prevents all compatible ports from aggregating. The higher the number, the lower the priority. The valid range is from 1 to 65535. The default is 32768.
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/gigeth.html#wp1081491
QUESTION 81
Which statement about the use of PAgP link aggregation on a Cisco switch that is running Cisco IOS Software is true?
A. PAgP modes are off, auto, desirable, and on. Only the combinations auto-desirable, desirable-desirable, and on-on allow the formation of a channel.
B. PAgP modes are active, desirable, and on. Only the combinations active-desirable, desirable-desirable, and on-on allow the formation of a channel.
C. PAgP modes are active, desirable, and on. Only the combinations active-active, desirable-desirable, and on-on allow the formation of a channel.
D. PAgP modes are off, active, desirable, and on. Only the combinations auto-auto, desirable-desirable, and on-on allow the formation of a channel.
Correct Answer: A Explanation
Explanation/Reference:
Explanation:
PAgP modes are off, auto, desirable, and on. Only the combinations auto-desirable, desirable-desirable, and on-on will allow a channel to be formed.
The PAgP modes are explained below.
1. on: PAgP will not run. The channel is forced to come up.
2. off: PAgP will not run. The channel is forced to remain down.
3. auto: PAgP is running passively. The formation of a channel is desired; however, it is not initiated.
4. desirable: PAgP is running actively. The formation of a channel is desired and initiated.
Only the combinations of auto-desirable, desirable-desirable, and on-on will allow a channel to be formed. If a device on one side of the channel does not support PAgP, such as a router, the device on the other side must have PAgP set to on.
Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2900-xl-series-switches/21041-131.html
QUESTION 82
Refer to the exhibit.
Which EtherChannel negotiation protocol is configured on the interfaces f0/13-f0/15?
A. Link Combination Control Protocol
B. Port Aggregation Protocol
C. Port Combination Protocol
D. Link Aggregation Control Protocol
Correct Answer: B Explanation
Explanation/Reference:
Explanation:
PAgP modes are off, auto, desirable, and on. Only the combinations auto-desirable, desirable-desirable, and on-on will allow a channel to be formed.
1. on: PAgP will not run. The channel is forced to come up.
2. off: PAgP will not run. The channel is forced to remain down.
3. auto: PAgP is running passively. The formation of a channel is desired; however, it is not initiated.
4. desirable: PAgP is running actively. The formation of a channel is desired and initiated.
The Link Aggregation Control Protocol (LACP) trunking supports four modes of operation:
On: The link aggregation is forced to be formed without any LACP negotiation. In other words, the switch neither sends the LACP packet nor processes any inbound LACP packet. This is similar to the on state for PAgP.
Off: The link aggregation is not formed. We do not send or understand the LACP packet. This is similar to the off state for PAgP.
Passive: The switch does not initiate the channel but does understand inbound LACP packets. The peer (in active state) initiates negotiation (when it sends out an LACP packet) which we receive and answer, eventually to form the aggregation channel with the peer. This is similar to the auto mode in PAgP.
Active: We can form an aggregate link and initiate the negotiation. The link aggregate is formed if the other end runs in LACP active or passive mode. This is similar to the desirable mode of PAgP.
In this example, we see that fa0/13, fa0/14, and fa0/15 are all in Port Channel 12, which is operating in desirable mode, which is only a PAgP mode.
QUESTION 83
Refer to the exhibit.
Users of PC-1 experience slow connection when a webpage is requested from the server. To increase bandwidth, the network engineer configured an EtherChannel on interfaces Fa1/0 and Fa0/1 of the server farm switch, as shown here:
Server_Switch#sh etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-mac):
Non-IP: Source MAC address
IPv4: Source MAC address
IPv6: Source IP address
Server_Switch#
However, traffic is still slow. Which action can the engineer take to resolve this issue?
A. Disable EtherChannel load balancing.
B. Upgrade the switch IOS to IP services image.
C. Change the load-balance method to dst-mac.
D. Contact Cisco TAC to report a bug on the switch.
Correct Answer: C Explanation
Explanation/Reference:
Explanation:
Since this traffic is coming from PC-1, the source MAC address will always be that of PC-1, and since the load balancing method is source MAC, traffic will only be using one of the port channel links. The load balancing method should be changed to destination MAC; since the web server has two NICs, traffic will be load balanced across both MAC addresses.
QUESTION 84
A network engineer changed the port speed and duplex setting of an existing EtherChannel bundle that uses the PAgP protocol. Which statement describes what happens to all ports in the bundle?
A. PAgP changes the port speed and duplex for all ports in the bundle.
B. PAgP drops the ports that do not match the configuration.
C. PAgP does not change the port speed and duplex for all ports in the bundle until the switch is rebooted.
D. PAgP changes the port speed but not the duplex for all ports in the bundle.
Correct Answer: A Explanation
Explanation/Reference:
Explanation:
PAgP aids in the automatic creation of EtherChannel links. PAgP packets are sent between EtherChannel-capable ports in order to negotiate the formation of a
channel. Some restrictions are deliberately introduced into PAgP. The restrictions are:
PAgP does not form a bundle on ports that are configured for dynamic VLANs. PAgP requires that all ports in the channel belong to the same VLAN or are configured as trunk ports. When a bundle already exists and a VLAN of a port is modified, all ports in the bundle are modified to match that VLAN.
PAgP does not group ports that operate at different speeds or port duplex. If speed and duplex change when a bundle exists, PAgP changes the port speed and duplex for all ports in the bundle.
PAgP modes are off, auto, desirable, and on. Only the combinations auto-desirable, desirable-desirable, and on-on allow the formation of a channel. The device on the other side must have PAgP set to on if a device on one side of the channel does not support PAgP, such as a router. Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12023-4.html
QUESTION 85
Which statement about using EtherChannel on Cisco IOS switches is true?
A. A switch can support up to eight compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel provides full-duplex bandwidth up to 800 Mbps only for Fast EtherChannel or 8 Gbps only for Gigabit EtherChannel.
B. A switch can support up to 10 compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel provides full-duplex bandwidth up to 1000 Mbps only for Fast EtherChannel or 8 Gbps only for Gigabit EtherChannel.
C. A switch can support up to eight compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel provides full-duplex bandwidth up to 800 Mbps only for Fast EtherChannel or 16 Gbps only for Gigabit EtherChannel.
D. A switch can support up to 10 compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel provides full-duplex bandwidth up to 1000 Mbps only for Fast EtherChannel or 10 Gbps only for Gigabit EtherChannel.
Correct Answer: A Explanation
Explanation/Reference:
Explanation: An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link. The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit EtherChannel) between your switch and another switch or host. Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces. All interfaces in each EtherChannel must be the same speed, and all must be configured as either Layer 2 or Layer 3 interfaces. Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12023-4.html
QUESTION 86
Refer to the exhibit.
Which statement about switch S1 is true?
A. Physical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 2 port-channel interface using an open standard protocol.
B. Logical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 2 physical port-channel interface using a Cisco proprietary protocol.
C. Physical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 3 port-channel interface using a Cisco proprietary protocol.
D. Logical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 3 physical port-channel interface using an open standard protocol.
Correct Answer: A Explanation
Explanation/Reference:
Explanation:
These three ports show that they are in Port Channel 1, and the (SU) means they are in use and operating at layer 2. The protocol used for this port channel shows as LACP, which is a standards-based protocol, as opposed to PAgP, which is Cisco proprietary.
QUESTION 87
What happens on a Cisco switch that runs Cisco IOS when an RSTP-configured switch receives 802.1d BPDU?
A. 802.1d does not understand RSTP BPDUs because they are different versions, but when a RSTP switch receives an 802.1d BPDU, it responds with an 802.1d BPDU and eventually the two switches run 802.1d to communicate.
B. 802.1d understands RSTP BPDUs because they are the same version, but when a RSTP switch receives a 802.1d BPDU, it responds with a 802.1d BPDU and eventually the two switches run 802.1d to communicate.
C. 802.1d does not understand RSTP BPDUs because they are different versions, but when a RSTP switch receives a 802.1d BPDU, it does not respond with a 802.1d BPDU.
D. 802.1d understands RSTP BPDUs because they are the same version, but when a RSTP switch receives a 802.1d BPDU, it does not respond with a 802.1d BPDU and eventually the two switches run 802.1d to communicate.
Correct Answer: A Explanation
Explanation/Reference:
Explanation: For backward compatibility with 802.1D switches, RSTP selectively sends 802.1D configuration BPDUs and TCN BPDUs on a per-port basis. When a port is initialized, the migrate-delay timer is started (specifies the minimum time during which RSTP BPDUs are sent), and RSTP BPDUs are sent. While this timer is active, the switch processes all BPDUs received on that port and ignores the protocol type. If the switch receives an 802.1D BPDU after the port migration-delay timer has expired, it assumes that it is connected to an 802.1D switch and starts using only 802.1D BPDUs. However, if the RSTP switch is using 802.1D BPDUs on a port and receives an RSTP BPDU after the timer has expired, it restarts the timer and starts using RSTP BPDUs on that port. Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/spantree.html
QUESTION 88
When two MST instances (MST 1 and MST 2) are created on a switch, what is the total number of spanning-tree instances running on the switch?
A. 1
B. 2
C. 3
D. 4
Correct Answer: C Explanation
Explanation/Reference:
Explanation:
Unlike other spanning tree protocols, in which all the spanning tree instances are independent, MST establishes and maintains IST, CIST, and CST spanning trees:
An IST is the spanning tree that runs in an MST region.
Within each MST region, MST maintains multiple spanning tree instances. Instance 0 is a special instance for a region, known as the IST. All other MST instances are numbered from 1 to 4094. In the case for this question, there will be the 2 defined MST instances, and the special 0 instance, for a total of 3 instances.
The IST is the only spanning tree instance that sends and receives BPDUs. All of the other spanning tree instance information is contained in MSTP records (M-
Are you struggling for the CheckPoint 156-510 exam? Good news, Flydumps IT technical experts have collected and certified 445 questions and answers which are updated to cover the knowledge points and enhance candidates’ abilities. With CheckPoint 156-510 preparation tests you can pass the exam easily and go further on Microsoft career path.
QUESTION 101
When using the cphaprob command to list the interfaces on the local machine and their status, which form would you use?
A. cphaprob -I
B. cphaprob if
C. cphaprob ports
D. cphaprob list if
Correct Answer: B
QUESTION 102
If you have previously started debugging on the firewall, how would you cancel debugging?
A. fw ctl debug 0
B. fw ctl debug can
C. fw ctl debug stop
D. fw ctl dbstop
Correct Answer: A
QUESTION 103
In a fully overlapping encryption domain, a SecuRemote client will encrypt with the first gateway to reply. All subsequent connections will remain with that gateway for a set period. How long is that period?
A. 60 secs
B. 5 mins
C. 10 mins
D. 30 secs
Correct Answer: A
QUESTION 104
Which is NOT a valid entity in the LDAP tree structure?
A. OU
B. C
C. CN
D. CU
Correct Answer: D
QUESTION 105
Checkpoint provides several command line utilities to assist with the integration of LDAP servers. Which of the following is NOT one of them?
A. ldapsearch
B. ldapcompare
C. ldapmodify
D. ldapfind
Correct Answer: D
QUESTION 106
If you have a Unix core dump, in which directory will the dump be created?
A. In the directory from which the executable that caused the dump is running
B. In the directory given by the command “# find / -name core”
C. In a directory named /dump
D. in the root directory
Correct Answer: AB
QUESTION 107
What command would you use to check the current status of high availability gateways within a cluster?
A. cphaprob list
B. cphaprob report
C. cphaprob state
D. cphaprob register
Correct Answer: C
QUESTION 108
If you run the “fw debug fwd on” command, where is the output directed to?
A. The kernel buffer
B. The screen
C. To a file called $FWDIR/log/fwd.elg
D. To a file called $FWDIR/conf/fwd_output.log
Correct Answer: C
QUESTION 109
On a Unix system, what is the output from the command “# file core”
A. The size of the file named core
B. A textual listing of the contents of the file named core
C. The name of the executable that generated the core dump
D. The location of the file named core
Correct Answer: C
QUESTION 110
What is true about high availability management modules?
A. Primary and secondary modules can be on different platforms, but must run the same build of FW1
B. Primary and Secondary modules must be on the same platform
C. The active primary module cannot be manually switched to secondary
D. They are only supported on distributed installations
Correct Answer: BD
QUESTION 111
Which command would you use to enable debugging of IKE only?
A. fw debug ikeon
B. fwm debug ikeon
C. vpn debug ikeon
D. vpn debug on ikeon
Correct Answer: C
QUESTION 112
In a proper subset encryption domain, to which gateway will SecuRemote attempt to create an encrypted connection?
A. SecuRemote will choose the gateway with the lowest cost
B. SecuRemote will prefer its primary gateway if both respond
C. SecuRemote will choose the gateway closest to the server
D. SecuRemote will use the first gateway to respond
Correct Answer: C
QUESTION 113
Which type of overlapping encryption domain can be described as one domain being entirely contained within another domain?
A. Full overlap
B. Partial overlap
C. Proper subset
D. Partial subset
Correct Answer: C
QUESTION 114
Where can a User Authority Server be installed?
A. A Windows machine with just a FW-1 enforcement module installed
B. A Solaris machine with just a FW-1 management module installed
C. A Solaris or Windows machine with any FW-1 module installed
D. A Windows Domain Controller
Correct Answer: CD
QUESTION 115
If VPN-1/FW-1 has a blue screen crash on a Windows NT platform, there is an extra file you should include in those sent to Checkpoint for analysis. Which is that extra file?
A. WINNT\system.dmp
B. WINNT\user.dmp
C. WINNT\memory.dmp
D. WINNT\core.dmp
Correct Answer: C
QUESTION 116
In the following DN, which part is the root?
CN= John Doe, ou= Sales, o= Acme Corp, C= US
A. Acme Corp
B. John Doe
C. Sales
D. US
Correct Answer: D
QUESTION 117
Which files are useful in the case of a Windows NT Dr. Watson error?
A. WINNT\memory.dmp
B. WINNT\drwtsn32.log
C. WINNT\system.dmp
D. WINNT\user.dmp
Correct Answer: ABD
QUESTION 118
Why is a sniffer a security risk?
A. It can create a DOS attack
B. It can cause a firewall to crash
C. It can emulate an authorized workstation
D. It can record traffic, which may include clear text passwords
Correct Answer: D
QUESTION 119
When exporting a user database using the “fw dbexport” command, what is the default file used?
A. $FWDIR/user/def_file
B. $FWDIR/conf/user_def_file
C. $FWDIR/bin/user_def_file
D. $FWDIR/conf/user_export_file
Correct Answer: B
QUESTION 120
How can you analyze a file captured by the fw monitor utility?
A. Snoop
B. Snort
C. Spock
D. Sniff
Correct Answer: A
QUESTION 121
What is the name of the protocol analyzer that ships with WindowsNT/SMS?
A. Tcpdump
B. Network monitor
C. Snoop
D. Sniffer
Correct Answer: B
QUESTION 122
From where would you enable load sharing in an MEP configuration?
A. Global properties > VPN-1 Net > Advanced then select “enable load sharing in MEP configuration”
B. Global properties > Remote Access > Advanced then select “enable load sharing in MEP configuration”
C. Cluster properties > general tab >, select “enable load sharing in MEP configuration”
D. Global properties > VPN-1 Pro > Advanced then select “enable load sharing in MEP configuration”
Correct Answer: D
QUESTION 123
How would FW-1 communicate securely with an LDAP server?
A. SIC
B. Certificates
C. RDP
D. SSL
Correct Answer: D
QUESTION 124
What is meant by a promiscuous mode network capture tool?
A. It can run on any platform
B. It can monitor all traffic on the network not just that intended for the adapter in the device
C. It can put traffic onto the network
D. It can emulate any other device on the network
Correct Answer: B
QUESTION 125
Which parameter would you use on the “fw dbexport” command in order to specify that exported users are to be added under the “o=Acme Corp, c=US” branch?
A. -s “o=Acme Corp, c=US”
B. -a “o=Acme Corp, c=US”
C. -k “o=Acme Corp, c=US”
D. -b “o=Acme Corp, c=US”
Correct Answer: A
QUESTION 126
What is not included in the output of the “fw ctl pstat” command?
A. System memory statistics
B. Policy name
C. Encryption statistics
D. Hash memory statistics
E. Translation statistics
Correct Answer: B
Flydumps is the best place for preparing IT Certifications as we are providing latest and guaranteed questions for all certifications. We offer you the ultimate preparation resource of CheckPoint 156-315 exam question. Wondering what could be this effective? It is our training material which serves as a guide to achieving your dream as a certified professional.
QUESTION 98
What is a Consolidation Policy?
A. The collective name of the Security Policy, Address Translation, and SmartDefense Policies
B. The specific Policy used by Eventia Reporter to configure log-management practices
C. The state of the Policy once installed on a Security Gateway
D. A Policy created by Eventia Reporter to generate logs
E. The collective name of the logs generated by Eventia Reporter
Correct Answer: B
QUESTION 99
To change an existing ClusterXL cluster object from Multicast to Unicast mode, what configuration change must be made?
A. Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy
B. Reset Secure Internal Communications (SIC) on the cluster-member objects. Reinstall the Security Policy
C. Run cpstop and cpstart, to reenable High Availability on both objects. Select Pivot mode in cpconfig
D. Change the cluster mode to Unicast on the cluster-member object
E. Switch the internal network’s default Security Gateway to the pivot machine’s IP address
Correct Answer: A
QUESTION 100
You have two Nokia Appliances: one IP530 and one IP380. Both appliances have IPSO 3.9 and VPN-1 Pro NGX installed in a distributed deployment. Can they be members of a gateway cluster?
A. No, because the Gateway versions must be the same on both security gateways.
B. Yes, as long as they have the same IPSO version and the same VPN-1 Pro version
C. No, because members of a security gateway cluster must be installed as stand-alone deployments.
D. Yes, because both gateways are from Nokia, whether they have the same VPN-1 PRO version or not.
E. No, because the appliances must be of the same model (Both should be IP530 or IP380).
Correct Answer: B
QUESTION 101
Which Security Server can perform authentication tasks, but CANNOT perform content security tasks?
A. Telnet
B. HTTP
C. rlogin
D. FTP
E. SMTP
Correct Answer: AC
QUESTION 102
Which operating system is NOT supported by VPN-1 SecureClient?
A. IPSO 3.9
B. Windows XP SP2
C. Windows 2000 Professional
D. RedHat Linux 8.0
E. MacOS X
Correct Answer: A
QUESTION 103
Problems sometimes occur when distributing IPSec packets to a few machines in a Load Sharing Multicast mode cluster, even though the machines have the same source and destination IP addresses. What is the best Load Sharing method for preventing this type of problem?
A. Load Sharing based on IP addresses, ports, and serial peripheral interfaces (SPI)
B. Load Sharing based on SPIs only.
C. Load Sharing based on IP addresses only
D. Load Sharing based on SPIs and ports only
E. Load Sharing based on IP addresses and ports
Correct Answer: C
QUESTION 104
Your primary SmartCenter Server is installed on a SecurePlatform Pro machine, which is also a VPN-1 Pro Gateway. You want to implement Management High Availability (HA). You have a spare machine to configure as the secondary SmartCenter Server. How do you configure the new machine to be the standby SmartCenter Server, without making any changes to the existing primary SmartCenter Server? (changes can include uninstalling and reinstalling)
A. You cannot configure Management HA, when either the primary or secondary SmartCenter Server is running on a VPN-1 Pro Gateway.
B. The new machine cannot be installed as the Internal Certificate Authority on its own.
C. The secondary Server cannot be installed on a SecurePlatform Pro machine alone.
D. Install the secondary Server on a spare machine. Add the new machine to the same network as the primary Server.
Correct Answer: A
QUESTION 105
VPN-1 NGX supports VoIP traffic in all of the following environments, EXCEPT which environment?
A. H.323
B. SIP
C. MEGACO
D. SCCP
E. MGCP
Correct Answer: C
QUESTION 106
Certkiller is a Security Administrator preparing to implement a VPN solution for her multi-site organization Certkiller.com. To comply with industry regulations, Mrs. Bill's VPN solution must meet the following requirements:
* Portability: standard
* Key management: Automatic, external PKI
* Session keys: Changed at configured times during a connection’s lifetime
* Key length: No less than 128-bit
* Data integrity: Secure against inversion and brute-force attacks
What is the most appropriate setting Jack should choose?
A. IKE VPNs: AES encryption for IKE Phase 1, and DES encryption for Phase 2; SHA1 hash
B. IKE VPNs: SHA1 encryption for IKE Phase 1, and MD5 encryption for Phase 2; AES hash
C. IKE VPNs: CAST encryption for IKE Phase 1, and SHA1 encryption for Phase 2; DES hash
D. IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash
E. IKE VPNs: DES encryption for IKE Phase 1, and 3DES encryption for Phase 2; MD5 hash
Correct Answer: D
QUESTION 107
Which Security Server can perform content-security tasks, but CANNOT perform authentication tasks?
A. FTP
B. SMTP
C. Telnet
D. HTTP
E. rlogin
Correct Answer: B
Exam B
QUESTION 1
You work as a network administrator for Certkiller.com. You configure a Check Point QoS Rule Base with two rules: an H.323 rule with a weight of 10, and the Default Rule with a weight of 10. The H.323 rule includes a per-connection guarantee of 384 Kbps, and a per-connection limit of 512 Kbps. The per-connection guarantee is for four connections, and no additional connections are allowed in the Action properties. If traffic passing through the QoS Module matches both rules, which of the following is true?
A. Neither rule will be allocated more than 10% of available bandwidth.
B. The H.323 rule will consume no more than 2048 Kbps of available bandwidth.
C. 50% of available bandwidth will be allocated to the H.323 rule.
D. 50% of available bandwidth will be allocated to the Default Rule
E. Each H.323 connection will receive at least 512 Kbps of bandwidth.
Correct Answer: B
QUESTION 2
Certkiller.com has many VPN-1 Edge gateways at various branch offices, to allow VPN-1 SecureClient users to access Certkiller.com resources. For security reasons, Certkiller.com’s Security Policy requires all Internet traffic initiated behind the VPN-1 Edge gateways first be inspected by your headquarters’ VPN-1 Pro Security Gateway. How do you configure VPN routing in this star VPN Community?
A. To the Internet and other targets only
B. To the center and other satellites, through the center
C. To the center only
D. To the center, or through the center to other satellites, then to the Internet and other VPN targets
Correct Answer: D
QUESTION 3
You are preparing to configure your VoIP Domain Gatekeeper object. Which two other objects should you have created first?
A. An object to represent the IP phone network, AND an object to represent the host on which the proxy is installed.
B. An object to represent the PSTN phone network, AND an object to represent the IP phone network
C. An object to represent the IP phone network, AND an object to represent the host on which the gatekeeper is installed.
D. An object to represent the Q.931 service origination host, AND an object to represent the H.245 termination host
E. An object to represent the call manager, AND an object to represent the host on which the transmission router is installed.
Correct Answer: C
QUESTION 4
Which Check Point QoS feature is used to dynamically allocate relative portions of available bandwidth?
A. Guarantees
B. Differentiated Services
C. Limits
D. Weighted Fair Queuing
E. Low Latency Queuing
Correct Answer: D
QUESTION 5
Which operating system is NOT supported by VPN-1 SecureClient?
A. IPSO 3.9
B. Windows XP SP2
C. Windows 2000 Professional
D. RedHat Linux 8.0
E. MacOS X
Correct Answer: A
QUESTION 6
You want to upgrade a SecurePlatform NG with Application Intelligence (AI) R55 Gateway to SecurePlatform NGX R60 via SmartUpdate. Which package is needed in the repository before upgrading?
A. SVN Foundation and VPN-1 Express/Pro
B. VPN-1 and FireWall-1
C. SecurePlatform NGX R60
D. SVN Foundation
E. VPN-1 Pro/Express NGX R60
Correct Answer: C
QUESTION 7
Exhibit:
The exhibit displays the cphaprob state command output from a New Mode High Availability cluster member. Which machine has the highest priority?
A. 192.168.1.2, since its number is 2.
B. 192.168.1.1, because its number is 1.
C. This output does not indicate which machine has the highest priority.
D. 192.168.1.2, because its state is active
Correct Answer: B
QUESTION 8
Exhibit: Certkiller tries to configure Directional VPN Rule Match in the Rule Base. But the Match column does not have the option to see the Directional Match. Certkiller sees the screen displayed in the exhibit. What is the problem?
A. Jack must enable directional_match(true) in the object_5_0.c file on SmartCenter server.
B. Jack must enable Advanced Routing on each Security Gateway
C. Jack must enable VPN Directional Match on the VPN Advanced screen, in Global properties.
D. Jack must enable a dynamic-routing protocol, such as OSPF, on the Gateways.
E. Jack must enable VPN Directional Match on the gateway object’s VPN tab.
Correct Answer: C
QUESTION 9
Where can a Security Administrator adjust the unit of measurement (bps, Kbps or Bps), for Check Point QoS bandwidth?
A. Global Properties
B. QoS Class objects
C. Check Point gateway object properties
D. $CPDIR/conf/qos_props.pf
E. Advanced Action options in each QoS rule.
Correct Answer: A
QUESTION 10
Certkiller is the Security Administrator for Certkiller.com. Certkiller.com FTP servers have old hardware and software. Certain FTP commands cause the FTP servers to malfunction. Upgrading the FTP Servers is not an option at this time. Which of the following options will allow Certkiller to control which FTP commands pass through the Security Gateway protecting the FTP servers?
A. Global Properties->Security Server ->Security Server->Allowed FTP Commands
B. SmartDefense->Application Intelligence->FTP Security Server
C. Rule Base->Action Field->Properties
D. Web Intelligence->Application Layer->FTP Settings
E. FTP Service Object->Advanced->Blocked FTP Commands
Correct Answer: B
QUESTION 11
You want VPN traffic to match packets from internal interfaces. You also want the traffic to exit the Security Gateway, bound for all site-to-site VPN Communities, including Remote Access Communities. How should you configure the VPN match rule?
A. internal_clear>All-GwToGw
B. Communities>Communities
C. Internal_clear>External_Clear
D. Internal_clear>Communities
E. Internal_clear>All_communities
Correct Answer: E
QUESTION 12
You receive an alert indicating a suspicious FTP connection is trying to connect to one of your internal hosts. How do you block the connection in real time and verify the connection is successfully blocked?
A. Highlight the suspicious connection in SmartView Tracker>Active mode. Block the connection using Tools>Block Intruder menu. Use the active mode to confirm that the suspicious connection does not reappear.
B. Highlight the suspicious connection in SmartView Tracker>Log mode. Block the connection using Tools>Block Intruder menu. Use the Log mode to confirm that the suspicious connection does not reappear.
C. Highlight the suspicious connection in SmartView Tracker>Active mode. Block the connection using Tools>Block Intruder menu. Use the active mode to confirm that the suspicious connection is dropped.
D. Highlight the suspicious connection in SmartView Tracker>Log mode. Block the connection using Tools>Block Intruder menu. Use the Log mode to confirm that the suspicious connection is dropped.
Correct Answer: C
QUESTION 13
Exhibit: Certkiller is using a mesh VPN Community to create a site-to-site VPN. The VPN properties in this mesh Community are displayed in the exhibit. Which of the following statements are true?
A. If Jack changes the settings, “Perform key exchange encryption with” from “3DES” to “DES”, she will enhance the VPN Community’s security and reduce encryption overhead.
B. Mrs Bill must change the data-integrity settings for this VPN Community. MD5 is incompatible with AES.
C. If Certkiller changes the setting “Perform IPSec data encryption with” from “AES-128” to “3DES”, Jack will increase the encryption overhead.
D. Her VPN Community will perform IKE Phase 1 key-exchange encryption, using the longest key VPN-1 NGX supports.
Correct Answer: C
QUESTION 14
Exhibit: You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use three machines with the configurations displayed in the exhibit. Are these machines correctly configured for a ClusterXL deployment?
A. Yes, these machines are configured correctly for a ClusterXL deployment.
B. No, QuadCards are not supported with ClusterXL.
C. No, all machines in a cluster must be running on the same OS.
D. No, a cluster must have an even number of machines.
E. No, ClusterXL is not supported on Red Hat Linux.
Correct Answer: C
QUESTION 15
You want only RAS signals to pass through H.323 Gatekeeper and other H.323 protocols, passing directly between end points. Which routing mode in the VoIP Domain Gatekeeper do you select?
A. Direct
B. Direct and Call Setup
C. Call Setup
D. Call Setup and Call Control
Correct Answer: A
QUESTION 16
Certkiller is concerned that a denial-of-service (DoS) attack may affect her VPN Communities. She decides to implement IKE DoS protection. Jack needs to minimize the performance impact of implementing this new protection. Which of the following configurations is MOST appropriate for Mrs. Bill?
A. Set Support IKE DoS protection from identified source to “Puzzles”, and Support IKE DoS protection from unidentified source to “Stateless”
B. Set Support IKE DoS protection from identified source, and Support IKE DoS protection from unidentified source to “Puzzles”
C. Set Support IKE DoS protection from identified source to “Stateless”, and Support IKE DoS protection from unidentified source to “Puzzles”.
D. Set Support IKE DoS protection from identified source, and “Support IKE DoS protection” from unidentified source to “Stateless”.
E. Set Support IKE DoS protection from identified source to “Stateless”, and Support IKE DoS protection from unidentified source to “None”.
Correct Answer: D
QUESTION 17
You have a production implementation of Management High Availability, at Version VPN-1 NG with Application Intelligence R55. You must upgrade two SmartCenter Servers to VPN-1. What is the correct procedure?
A. 1. Synchronize the two SmartCenter Servers.
2. Upgrade the secondary SmartCenter Server.
3. Upgrade the primary SmartCenter Server.
4. Configure both SmartCenter Server host objects version to VPN-1 NGX.
5. Synchronize the Servers again.
B. 1. Synchronize the two SmartCenter Servers.
2. Perform an advanced upgrade on the primary SmartCenter Server.
3. Upgrade the secondary SmartCenter Server.
4. Configure both SmartCenter Server host objects to version VPN-1 NGX.
5. Synchronize the Servers again.
C. 1. Perform an advanced upgrade on the primary SmartCenter Server.
2. Configure the primary SmartCenter Server host object to version VPN-1 NGX.
3. Synchronize the primary with the secondary SmartCenter Server.
4. Upgrade the secondary SmartCenter Server.
5. Configure the secondary SmartCenter Server host object to version VPN-1 NGX.
6. Synchronize the Servers again.
D. 1. Synchronize the two SmartCenter Servers.
2. Perform an advanced upgrade on the primary SmartCenter Server.
3. Configure the primary SmartCenter Server host object to version VPN-1 NGX.
4. Synchronize the two servers again.
5. Upgrade the secondary SmartCenter Server.
6. Configure the secondary SmartCenter Server host object to version VPN-1 NGX.
7. Synchronize the Servers again.
Correct Answer: A
QUESTION 18
In a distributed VPN-1 Pro NGX environment, where is the Internal Certificate Authority (ICA) installed?
A. On the Security Gateway
B. Certificate Manager Server
C. On the Policy Server
D. On the Smart View Monitor
E. On the primary SmartCenter Server
Correct Answer: E
QUESTION 19
Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which of the following options will end the intruder’s access, after the next Phase 2 exchange occurs?
A. Phase 3 Key Revocation
B. Perfect Forward Secrecy
C. MD5 Hash Completion
D. SH1 Hash Completion
E. DES Key Reset
Correct Answer: B
QUESTION 20
You set up a mesh VPN community, so your internal networks can access your partner’s network, and vice versa. Your Security Policy encrypts only FTP and HTTP traffic through a VPN tunnel. All other traffic among your internal and partner networks is sent in clear text. How do you configure the VPN community?
A. Disable “accept all encrypted traffic”, and put FTP and HTTP in the Excluded services in the Community object. Add a rule in the Security Policy for services FTP and http, with the Community object in the VPN field.
B. Disable “accept all encrypted traffic” in the Community, and add FTP and HTTP services to the Security Policy, with that Community object in the VPN field.
C. Enable “accept all encrypted traffic”, but put FTP and HTTP in the Excluded services in the Community. Add a rule in the Security Policy, with services FTP and http, and the Community object in the VPN field.
D. Put FTP and HTTP in the Excluded services in the Community object. Then add a rule in the Security Policy to allow Any as the service with the Community object in the VPN field.
Correct Answer: B
QUESTION 21
To change an existing ClusterXL cluster object from Multicast to Unicast mode, what configuration change must be made?
A. Change the cluster mode to Unicast on the cluster object. Reinstall the Security Policy.
B. Restart Secure Internal Communications (SIC) on the cluster-member objects. Reinstall the Security Policy.
C. Run cpstop and cpstart, to re-enable High Availability on both projects. Select Pivot mode in cpconfig.
D. Change the cluster mode to Unicast on the cluster-member object.
E. Switch the internal network’s default Security Gateway to the pivot machine’s IP address.
Correct Answer: A
QUESTION 22
Certkiller is notified by blacklist.org that her site has been reported as a spam relay, due to her SMTP server being unprotected. Mrs. Bill decides to implement an SMTP Security Server, to prevent the server from being a spam relay. Which of the following is the most efficient configuration method?
A. Configure the SMTP Security Server to perform MX resolving.
B. Configure the SMTP Security Server to perform filtering, based on IP address and SMTP protocols.
C. Configure the SMTP Security Server to work with an OPSEC based product, for content checking.
D. Configure the SMTP Security Server to apply a generic “from” address to all outgoing mail.
E. Configure the SMTP Security Server to allow only mail to or from names, within Jack’s corporate domain.
Correct Answer: E
QUESTION 23
You have an internal FTP server, and you allow downloading, but not uploading.
Assume Network Address Translation is set up correctly, and you want to add an inbound rule with:
Source: Any
Destination: FTP Server
Service: an FTP resource object.
How do you configure the FTP resource object and the action column in the rule to achieve this goal?
A. Enable only the “Get” method in the FTP Resource Properties, and use this method in the rule, with action accept.
B. Enable only the “Get” method in the FTP Resource Properties, and use it in the rule, with action drop.
C. Enable both “Put” and “Get” methods in the FTP Resource Properties and use them in the rule, with action drop.
D. Disable “Get” and “Put” methods in the FTP Resource Properties and use it in the rule, with action accept.
E. Enable only the “Put” method in the FTP Resource Properties and use it in the rule, with action accept.
Correct Answer: A
QUESTION 24
If you check the box “Use Aggressive Mode”, in the IKE properties dialog box:
A. The standard three-packet IKE Phase 1 exchange is replaced by a six-packet exchange.
B. The standard six-packet IKE Phase 2 exchange is replaced by a three-packet exchange.
C. The standard three-packet IKE Phase 2 exchange is replaced by a six-packet exchange.
D. The standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange.
E. The standard six-packet IKE Phase 1 exchange is replaced by a twelve-packet exchange.
Correct Answer: D
QUESTION 25
Which of the following commands shows full synchronization status?
A. cphaprob -i list
B. chpastop
C. fw ctl pstat
D. cphaprob -a if
E. fw hastat
Correct Answer: C
QUESTION 26
Which VPN community object is used to configure VPN routing within the SmartDashboard?
A. star
B. mesh
C. Remote access
D. Map
Correct Answer: A
QUESTION 27
The following rule contains an FTP resource object in the Service field:
Source: local_net Destination: Any Service: FTP-resource object Action: Accept
How do you define the FTP Resource Properties>Match tab to prevent internal users from sending corporate files to external FTP servers, while allowing users to retrieve files?
A. Enable the “Get” method on the match tab.
B. Disable “Get” and “Put” methods on the Match tab.
C. Enable the “Put” and “Get” methods.
D. Enable the “Put” method only on the match tab.
E. Disable the “Put” method globally.
Correct Answer: A
QUESTION 28
What is the consequence of clearing the “Log VoIP Connection” box in the Global Properties?
A. Dropped VoIP traffic is logged, but accepted VoIP traffic is not logged.
B. VoIP protocol-specific log fields are not included in SmartView Tracker entries.
C. The log field setting in rules for VoIP protocols are ignored.
D. IP addresses are used, instead of object names, in log entries that reference VoIP Domain objects.
E. The SmartCenter Server stops importing logs from VoIP servers.
Correct Answer: B
QUESTION 29
Exhibit:
The exhibit is a cphaprob state command output from a ClusterXL New mode High Availability member. When member 192.168.1.2 fails over and restarts, which member will become active?
A. 192.168.1.2
B. 192.168.1.1
C. Both members’ state will be standby.
D. Both members’ state will be active.
Correct Answer: B
QUESTION 30
Which of the following actions is most likely to improve the performance of Check Point QoS?
A. Turn “per rule guarantees” into “per connection guarantees”.
B. Install Check Point QoS only on the external interfaces of the QoS Module.
C. Put the most frequently used rules at the bottom of the QoS Rule Base.
D. Turn “per rule limits” into “per connection limits”
E. Define weights in the Default Rule in multiples of 10.
Correct Answer: B
QUESTION 31
How would you configure a rule in a Security Policy to allow SIP traffic from end point Net_A to end point Net_B, through an NGX Security Gateway?
A. Net_A/Net_B/sip/accept
B. Net_A/Net_B/sip and sip_any/accept
C. Net_A/Net_B/VoIP_any/accept
D. Net_A/Net_B/VoIP /accept
Correct Answer: A
QUESTION 32
You want to upgrade a cluster with two members to VPN-1 NGX. The SmartCenter Server and both members are version VPN-1/FireWall-1 NG FP3, with the latest Hotfix. What is the correct upgrade procedure?
1. Change the version, in the General Properties of the gateway-cluster object.
2. Upgrade the SmartCenter Server, and reboot after upgrade.
3. Run cpstop on one member, while leaving the other member running. Upgrade one member at a time, and reboot after upgrade.
4. Reinstall the Security Policy.
A. 3, 2, 1, 4
B. 2, 4, 3, 1
C. 1, 3, 2, 4
D. 2, 3, 1, 4
E. 1, 2, 3, 4
Correct Answer: D
QUESTION 33
How can you completely tear down a specific VPN tunnel in an intranet IKE VPN deployment?
A. Run the command vpn tu on the Security Gateway, and choose the option “Delete all IPSec+IKE SAs for ALL peers and users”.
B. Run the command vpn tu on the SmartCenter Server, and choose the option “Delete all IPSec+IKE SAs for ALL peers and users”.
C. Run the command vpn tu on the Security Gateway, and choose the option “Delete all IPSec+IKE SAs for a given peer (GW)”.
D. Run the command vpn tu on the Security Gateway, and choose the option “Delete all IPSec SAs for a given user (Client)”.
E. Run the command vpn tu on the Security Gateway, and choose the option “Delete all IPSec SAs for ALL peers and users”.
Correct Answer: A
QUESTION 34
You are preparing to deploy a VPN-1 Pro Gateway for VPN-1 NGX. You have five systems to choose from for the new Gateway, and you must conform to the following requirements:
* Operating-System vendor’s license agreements
* Check Point’s license agreement
* Minimum operating-system hardware specification
* Minimum Gateway hardware specification
* Gateway installed on a supported operating system (OS)
Which machine meets ALL of the requirements?
A. Processor: 1.1 GHz; RAM: 512 MB; Hard disk: 10 GB; OS: Windows 2000 Workstation
B. Processor: 2.0 GHz; RAM: 512 MB; Hard disk: 10 GB; OS: Windows ME
C. Processor: 1.5 GHz; RAM: 256 MB; Hard disk: 20 GB; OS: Red Hat Linux 8.0
D. Processor: 1.67 GHz; RAM: 128 MB; Hard disk: 5 GB; OS: FreeBSD
E. Processor: 2.2 GHz; RAM: 256 MB; Hard disk: 20 GB; OS: Windows 2000 Server
Correct Answer: E
QUESTION 35
You are configuring the VoIP Domain object for an H.323 environment, protected by VPN-1 NGX. Which VoIP Domain object type can you use?
A. Transmission Router
B. Gatekeeper
C. Call Manager
D. Proxy
E. Call Agent
Correct Answer: B
QUESTION 36
Certkiller has configured a Common Internet File System (CIFS) resource to allow access to the public partition of Certkiller.com’s file server, on \\Certkiller 13\logigame\files\public. Mrs. Bill receives reports that users are unable to access the shared partition, unless they use the file server’s IP address. Which of the following is a possible cause?
A. Mapped shares do not allow administrative locks.
B. The CIFS resource is not configured to use Windows name resolution.
C. Access violations are not logged.
D. Remote registry access is blocked.
E. Null CIFS sessions are blocked.
Correct Answer: B
QUESTION 37
Certkiller is creating rules and objects to control VoIP traffic in her organization (Certkiller.com), through a VPN-1 NGX Security Gateway. Mrs. Bill creates VoIP Domain SIP objects to represent each of Certkiller.com’s three SIP gateways. Jack then creates a simple group to contain the VoIP Domain SIP objects. When Jack attempts to add the VoIP Domain SIP objects to the group, they are not listed. What is the problem?
A. The related end-points domain specifies an address range.
B. VoIP Domain SIP objects cannot be placed in simple groups.
C. The installed VoIP gateways specify host objects.
D. The VoIP gateway object must be added to the group, before the VoIP Domain SIP object is eligible to be added to the group.
E. The VoIP Domain SIP object’s name contains restricted characters.
Correct Answer: B
QUESTION 38
You have two Nokia Appliances: one IP530 and one IP380. Both appliances have IPSO 3.9 and VPN-1 Pro NGX installed in a distributed deployment. Can they be members of a gateway cluster?
A. No, because the Gateway versions must be the same on both security gateways.
B. Yes, as long as they have the same IPSO version and the same VPN-1 Pro version
C. No, because members of a security gateway cluster must be installed as stand-alone deployments.
D. Yes, because both gateways are from Nokia, whether they have the same VPN-1 PRO version or not.
E. No, because the appliances must be of the same model (Both should be IP530 or IP380).
Correct Answer: B
QUESTION 39
Exhibit: You work as a network administrator at Certkiller.com. Your network includes ClusterXL running Multicast mode on two members, as shown in this topology exhibit. Your network is expanding, and you need to add new interfaces: 10.10.10.1/24 on Member A, and 10.10.10.2/24 on Member B. The virtual IP address for interface 10.10.10.0/24 is 10.10.10.3. What is the correct procedure to add these interfaces?
A. 1. Use the ifconfig command to configure and enable the new interface.
2. Run cpstop and cpstart on both members at the same time.
3. Update the topology in the cluster object for the cluster and both members.
4. Install the Security Policy.
B. 1. Disable “cluster membership” from one Gateway via cpconfig.
2. Configure the new interface via sysconfig from the “non-member” Gateway.
3. Re-enable “Cluster membership” on the Gateway.
4. Perform the same step on the other Gateway.
5. Update the topology in the cluster object for the cluster and members.
6. Install the Security Policy.
C. 1. Run cpstop on one member, and configure the new interface via sysconfig.
2. Run cpstart on the member. Repeat the same steps on another member.
3. Update the new topology in the cluster object for the cluster and members.
4. Install the Security Policy.
D. 1. Use sysconfig to configure the new interfaces on both members.
2. Update the topology in the cluster object for the cluster and both members.
3. Install the Security Policy.
Correct Answer: C
QUESTION 40
Problems sometimes occur when distributing IPSec packets to a few machines in a Load Sharing Multicast mode cluster, even though the machines have the same source and destination IP addresses. What is the best Load Sharing method for preventing this type of problem?
A. Load Sharing based on IP addresses, ports, and serial peripheral interfaces (SPI)
B. Load Sharing based on SPIs only.
C. Load Sharing based on IP addresses only
D. Load Sharing based on SPIs and ports only
E. Load Sharing based on IP addresses and ports
Correct Answer: C
QUESTION 41
Exhibit:
State synchronization is enabled on both members in a cluster, and the Security Policy is successfully installed. No protocols or services have been unselected for “selective sync”. The exhibit is the fw tab -t connections -s output from both members. Is State synchronization working properly between the two members?
A. Members Certkiller 1 and Certkiller 2 are synchronized, because ID for both members are identical in the connection table
B. The connections-table output is incomplete. You must run the cphaprob state command, to determine if members Certkiller 1 and Certkiller 2 are synchronized.
C. Members Certkiller 1 and Certkiller 2 are not synchronized, because #PEAK for both members is not close in the connections table.
D. Members Certkiller 1 and Certkiller 2 are synchronized, because #SLINKS are identical in the connections table.
E. Members Certkiller 1 and Certkiller 2 are not synchronized, because #VALS in the connection table are not close.
Correct Answer: E
QUESTION 42
Exhibit:
The exhibit illustrates how a VPN-1 SecureClient user tries to establish a VPN host in the external_net and internal_net from the Internet. How is the Security Gateway VPN Domain created?
A. Internal Gateway VPN domain = internal_net, External VPN Domain = external net + external gateway object + internal_net.
B. Internal Gateway VPN domain = internal_net, External Gateway VPN Domain = external net + internal gateway object
C. Internal Gateway VPN domain = internal_net, External Gateway VPN Domain = internal_net + external net
D. Internal Gateway VPN domain = internal_net, External Gateway VPN Domain = internal VPN domain + internal gateway object + external net
Correct Answer: D
QUESTION 43
Regarding QoS guarantees and limits, which of the following statements is FALSE?
A. The guarantee of a sub-rule cannot be greater than the guarantee defined for the rule above it.
B. If the guarantee is defined in a sub-rule, a guarantee must be defined for the rule above it.
C. A rule guarantee must not be less than the sum defined in the guarantees’ sub-rules.
D. If both a rule and per-connection limit are defined for a rule, the per-connection limit must not be greater than the rule limit.
E. If both a limit and guarantee per rule are defined in a QoS rule, the limit must be smaller than the guarantee.
Correct Answer: E
QUESTION 44
You plan to install a VPN-1 Pro Gateway for VPN-1 NGX at Certkiller.com’s headquarters. You have a single Sun SPARC Solaris 9 machine for VPN-1 Pro enterprise implementation. You need this machine to inspect traffic and keep configuration files. Which Check Point software package do you install?
A. VPN-1 Pro Gateway and primary SmartCenter Server
B. Policy Server and primary SmartCenter Server
C. ClusterXL and SmartCenter Server
D. VPN-1 Pro Gateway
E. SmartCenter Server
Correct Answer: A
QUESTION 45
By default, a standby SmartCenter Server is automatically synchronized by an active SmartCenter Server, when:
A. The Security Policy is installed.
B. The Security Policy is saved.
C. The user database is installed.
D. The Security Administrator logs in to the standby SmartCenter server, for the first time.
E. The standby SmartCenter Server starts for the first time.
Correct Answer: A
QUESTION 46
Your primary SmartCenter Server is installed on a SecurePlatform Pro machine, which is also a VPN-1 Pro Gateway. You want to implement Management High Availability (HA). You have a spare machine to configure as the secondary SmartCenter Server. How do you configure the new machine to be the standby SmartCenter Server, without making any changes to the existing primary SmartCenter Server? (changes can include uninstalling and reinstalling)
A. You cannot configure Management HA, when either the primary or secondary SmartCenter Server is running on a VPN-1 Pro Gateway.
B. The new machine cannot be installed as the Internal Certificate Authority on its own.
C. The secondary Server cannot be installed on a SecurePlatform Pro machine alone.
D. Install the secondary Server on a spare machine. Add the new machine to the same network as the primary Server.
Correct Answer: A
QUESTION 47
Certkiller configures an HTTP Security Server to work with the content vectoring protocol to screen forbidden sites. Jack has created a URI resource object using CVP with the following settings:
* Use CVP
* Allow CVP server to modify content
* Return data after content is approved
Mrs. Bill adds two rules to her Rule Base: one to inspect HTTP traffic going to known forbidden sites, the other to allow all other HTTP traffic. Certkiller sees HTTP traffic going to those problematic sites is not prohibited. What could cause this behavior?
A. The Security Server Rule is after the general HTTP Accept Rule.
B. The Security Server is not communicating with the CVP server.
C. The Security Server is not configured correctly.
D. The Security Server is communicating with the CVP server, but no restriction is defined in the CVP server.
Correct Answer: A
QUESTION 48
You must set up SIP with proxy for your network. IP phones are in the 172.16.100.0 network. The Registrar and proxy are installed on host 172.16.100.100. To allow handover enforcement for outbound calls from SIP-net to network Net_B on the Internet, you have defined the following objects:
* Network object: SIP-net 172.16.100.0/24
* SIP-gateway: 172.16.100.100
* VoIP Domain Object: VoIP_domain_A
1. End-point domain: SIP-net
2. VoIP gateway installed at: SIP-gateway host object
How should you configure the rule?
A. SIP-Gateway/Net_B/sip_any/accept
B. VoIP_domain/Net_B/sip/accept
C. SIP-Gateway/Net_B/sip/accept
D. VoIP_domain_A/Net_B/sip_any; and sip/accept
E. VoIP_Gateway_A/Net_B/sip_any/accept
Correct Answer: A
QUESTION 49
How does a standby SmartCenter Server receive logs from all Security Gateways, when an active SmartCenter Server fails over?
A. The remote Gateways must set up SIC with the secondary SmartCenter Server, for logging.
B. Establish Secure Internal Communications (SIC) between the primary and secondary Servers. The secondary Server can then receive logs from the Gateways, when the active Server fails over.
C. On the Log Server screen (from the Logs and Master tree on the gateway object’s General Properties screen), add the secondary SmartCenter Server object as the additional log server. Reinstall the Security Policy.
D. Create a Check Point host object to represent the standby SmartCenter Server. Then select “Secondary SmartCenter Server” and “Log Server”, from the list of Check Point Products on the General properties screen.
E. The secondary Server’s host name and IP address must be added to the Masters file, on the remote Gateways.
Correct Answer: C
QUESTION 50
Exhibit:
You are preparing a lab for a ClusterXL environment, with the topology shown in the exhibit.
* Vip internal cluster IP=172.16.10.1; Vip external cluster IP=192.168.10.3
* Cluster Member 1: four NICs, three enabled: qfe0: 192.168.10.1/24, qfe1: 10.10.10.1/24, qfe2: 172.16.10.1/24
* Cluster Member 2: five NICs, three enabled: hme0: 192.168.10.2/24, eth1: 10.10.10.2/24, eth2: 172.16.10.2/24
* Member Network tab on internal-cluster interfaces: is 10.10.10.0, 255.255.255.0
* SmartCenter Pro Server: 172.16.10.3
External interfaces 192.168.10.1 and 192.168.10.2 connect to a Virtual Local Area Network (VLAN) switch. The upstream router connects to the same VLAN switch. Internal interfaces 10.10.10.1 and 10.10.10.2 connect to a hub. There is no other machine in the 10.10.01.0 network. 172.19.10.0 is the synchronization network. What is the problem with this configuration?
A. The SmartCenter Pro Server cannot be in synchronization network.
B. There is no problem with configuration. It is correct.
C. Members do not have the same number of NICs.
D. The internal network does not have a third cluster member.
E. Cluster members cannot use the VLAN switch. They must use hubs.
Correct Answer: B
QUESTION 51
Your VPN Community includes three Security Gateways. Each Gateway has its own internal network defined as a VPN Domain. You must test the VPN-1 NGX route-based VPN feature, without stopping the VPN. What is the correct order of steps?
A. 1. Add a new interface on each Gateway.
2. Remove the newly added network from the current VPN domain for each Gateway.
3. Create VTIs on each Gateway, to point to the other two peers.
4. Enable advanced routing on all three Gateways.
B. 1. Add a new interface on each Gateway.
2. Remove the newly added network from the current VPN domain in each gateway object.
3. Create VTIs on each gateway object, to point to the other two peers.
4. Add static routes on three Gateways, to route the new network to each peer’s VTI interface.
C. 1. Add a new interface on each Gateway.
2. Add the newly added network into the existing VPN domain for each Gateway.
3. Create VTIs on each gateway object, to point to the other two peers.
4. Enable advanced routing on all three Gateways.
D. 1. Add a new interface on each Gateway.
2. Add the newly added network into the existing VPN domain for each Gateway.
3. Create VTIs on each Gateway, to point to the other two peers.
4. Add static routes on three Gateways, to route the new network to each peer’s VTI interface.
Correct Answer: B
QUESTION 52
How does ClusterXL Unicast mode handle new traffic?
A. The pivot machine receives and inspects all new packets, and synchronizes the connections with other members.
B. Only the pivot machine receives all packets. It runs an algorithm to determine which member should process the packets.
C. All members receive packets. The SmartCenter Server decides which member will process the packets. Other members simply drop the packets.
D. All cluster members process all packets, and members synchronize with each other.
Correct Answer: B
QUESTION 53
You are configuring the VoIP Domain object for a SIP environment, protected by VPN-1 NGX. Which VoIP Domain object type can you use?
A. Call Manager
B. Gateway
C. Call Agent
D. Gatekeeper
E. Proxy
Correct Answer: E
QUESTION 54
VPN-1 NGX supports VoIP traffic in all of the following environments, EXCEPT which environment?
A. H.323
B. SIP
C. MEGACO
D. SCCP
E. MGCP
Correct Answer: C
QUESTION 55
You plan to incorporate OPSEC servers, such as Websense and Trend Micro, to do content filtering. Which segments is the BEST location for these OPSEC servers, when you consider Security Server performance and data security?
A. On the Security Gateway
B. Internal network, where users are located
C. On the Internet
D. DMZ network, where application servers are located
E. Dedicated segment of the network
Correct Answer: E
QUESTION 56
You are reviewing SmartView Tracker entries, and see a Connection Rejection on a Check Point QoS rule. What causes the Connection Rejection?
A. No QoS rule exists to match the rejected traffic.
B. The number of guaranteed connections is exceeded. The rule’s properties are not set to accept additional connections.
C. The Constant Bit Rate for a Low Latency Class has been exceeded by greater than 10%, and the Maximal Delay is set below requirements.
D. Burst traffic matching the Default Rule is exhausting the Check Point QoS global packet buffers.
E. The guarantee of one of the rule’s sub-rules exceeds the guarantee in the rule itself.
Correct Answer: B
QUESTION 57
Which of the following QoS rule-action properties is an Advanced action type, only available in Traditional mode?
A. Guarantee Allocation
B. Rule weight
C. Apply rule only to encrypted traffic
D. Rule limit
E. Rule guarantee
Correct Answer: A
QUESTION 58
Which Check Point QoS feature marks the Type of Service (ToS) byte in the IP header?
A. Guarantees
B. Low Latency Queuing
C. Differentiated Services
D. Weighted Fair Queuing
E. Limits
Correct Answer: C
QUESTION 59
Which of the following TCP port numbers is used to connect the VPN-1 Gateway to the Content Vector Protocol (CVP) server?
A. 18182
B. 18180
C. 18181
D. 17242
E. 1456
Correct Answer: C
QUESTION 60
VPN-1 NGX includes a resource mechanism for working with the Common Internet File System (CIFS). However, this service only provides a limited level of actions for CIFS security. Which of the following services is NOT provided by a CIFS resource?
A. Long access share
B. Block Remote Registry Access
C. Log mapped shares
D. Allow MS print shares
Correct Answer: A
QUESTION 61
How can you prevent delay-sensitive applications, such as video and voice traffic, from being dropped due to long queues when using a Check Point QoS solution?
A. Low latency class
B. DiffServ rule
C. Guaranteed per connection
D. Weighted Fair Queuing
E. Guaranteed per VoIP rule
Correct Answer: D
QUESTION 62
Certkiller is a Security Administrator preparing to implement a VPN solution for her multi-site organization Certkiller.com. To comply with industry regulations, Mrs. Bill's VPN solution must meet the following requirements:
* Portability: standard
* Key management: Automatic, external PKI
* Session keys: Changed at configured times during a connection’s lifetime
* Key length: No less than 128-bit
* Data integrity: Secure against inversion and brute-force attacks
What is the most appropriate setting Jack should choose?
A. IKE VPNs: AES encryption for IKE Phase 1, and DES encryption for Phase 2; SHA1 hash
B. IKE VPNs: SHA1 encryption for IKE Phase 1, and MD5 encryption for Phase 2; AES hash
C. IKE VPNs: CAST encryption IKE Phase 1, and SHA1 encryption for Phase 2; DES hash
D. IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash
E. IKE VPNs: DES encryption for IKE Phase 1, and 3DES encryption for Phase 2; MD5 hash
Correct Answer: D
QUESTION 63
Your current VPN-1 NG Application Intelligence (AI) R55 stand-alone VPN-1 Pro Gateway and SmartCenter Server run on SecurePlatform. You plan to implement VPN-1 NGX in a distributed environment, where the existing machine will be the SmartCenter Server, and a new machine will be the VPN-1 Pro Gateway only. You need to migrate the NG with AI R55 SmartCenter Server configuration, including such items as Internal Certificate Authority files, databases, and Security Policies. How do you request a new license for this VPN-1 NGX upgrade?
A. Request a VPN-1 NGX SmartCenter Server license, using the new machine’s IP address. Request a new local license for the NGX VPN-1 Pro Gateway.
B. Request a VPN-1 NGX SmartCenter Server license, using the new machine’s IP address. Request a new central license for the NGX VPN-1 Pro Gateway.
C. Request a new VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway.
D. Request a VPN-1 NGX SmartCenter Server license, using the NG with AI SmartCenter Server IP address. Request a new central license for the NGX VPN-1 Pro Gateway, licenses for the existing SmartCenter Server IP address.
Correct Answer: C
QUESTION 64
Certkiller is a Security Administrator for Certkiller.com. Certkiller.com has two sites using pre-shared secrets in its VPN. The two sites are Boston and New York. Jack has just been informed that a new office is opening in Houston, and she must enable all three sites to connect via the VPN to each other. Three Security Gateways are managed by the same SmartCenter Server, behind the New York Security Gateway.
Mrs. Bill decides to switch from pre-shared secrets to Certificates issued by the Internal Certificate Authority (ICA). After creating the Houston gateway object with the proper VPN domain, what are Certkiller’s remaining steps?
1. Disable “Pre-shared Secret” on the Boston and New York gateway objects.
2. Add the Houston gateway object into the New York and Boston’s mesh VPN Community.
3. Manually generate ICA Certificates for all three Security Gateways.
4. Configure “Traditional mode VPN configuration” in the Houston gateway object’s VPN screen.
5. Reinstall the Security Policy on all three Security Gateways.
A. 1, 2, 5
B. 1, 3, 4, 5
C. 1, 2, 3, 5
D. 1, 2, 4, 5
E. 1, 2, 3, 4
Correct Answer: C
QUESTION 65
Which component functions as the Internal Certificate Authority for VPN-1 NGX?
A. VPN-1 Certificate Manager
B. SmartCenter Server
C. SmartLSM
D. Policy Server
E. Security Gateway
Correct Answer: B
QUESTION 66
Which Security Server can perform content-security tasks, but CANNOT perform authentication tasks?
A. FTP
B. SMTP
C. Telnet
D. HTTP
E. rlogin
Correct Answer: B
QUESTION 67
Certkiller.com has two headquarters, one in Los Angeles and one in Mumbai. Each headquarters includes several branch offices. The branch offices only need to communicate with the headquarters in their country, not with each other, and only the headquarters need to communicate directly. What is the BEST configuration for VPN communities among the branch offices and their headquarters, and between the two headquarters? VPN communities comprised of:
A. Two star and one mesh community; each star Community is set up for each site, with headquarters as the center of the Community, and branches as satellites. The mesh Communities are between Mumbai and Los Angeles headquarters.
B. Three mesh Communities: one for Los Angeles and its branches, one for Mumbai headquarters and its branches, and one for Los Angeles and Mumbai headquarters.
C. Two mesh Communities, one for each headquarters; and one star Community, in which Los Angeles is the center of the Community and Mumbai is the satellite.
D. Two mesh Communities, one for each headquarters; and one star Community, in which Mumbai is the center of the Community and Los Angeles is the satellite.
Correct Answer: A
QUESTION 68
Certkiller wants to protect internal users from malicious Java code, but Jack does not want to strip Java scripts. Which is the best configuration option?
A. Use the URI resource to block Java code
B. Use CVP in the URI resource to block Java code
C. Use the URI resource to strip ActiveX tags
D. Use the URI resource to strip applet tags
E. Use the URI resource to strip script tags
Correct Answer: A
QUESTION 69
Which Security Server can perform authentication tasks, but CANNOT perform content security tasks?
A. Telnet
B. HTTP
C. rlogin
D. FTP
E. SMTP
Correct Answer: AC
QUESTION 70
Which service type does NOT invoke a Security Server?
A. HTTP
B. FTP
C. Telnet
D. CIFS
E. SMTP
Correct Answer: D
QUESTION 71
Which operating system is NOT supported by VPN-1 SecureClient?
A. IPSO 3.9
B. Windows XP SP2
C. Windows 2000 Professional
D. RedHat Linux 8.0
E. MacOS X
Correct Answer: A
QUESTION 72
You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use three machines with the configurations displayed in the exhibit. Are these machines correctly configured for a ClusterXL deployment?
A. Yes, these machines are configured correctly for a ClusterXL deployment.
B. No, QuadCards are not supported with ClusterXL.
C. No, all machines in a cluster must be running on the same OS.
D. No, a cluster must have an even number of machines.
E. No, ClusterXL is not supported on Red Hat Linux.
Correct Answer: C
QUESTION 73
Certkiller is notified by blacklist.org that her site has been reported as a spam relay, due to her SMTP server being unprotected. Mrs. Bill decides to implement an SMTP Security Server, to prevent the server from being a spam relay. Which of the following is the most efficient configuration method?
A. Configure the SMTP Security Server to perform MX resolving.
B. Configure the SMTP Security Server to perform filtering, based on IP address and SMTP protocols.
C. Configure the SMTP Security Server to work with an OPSEC based product, for content checking.
D. Configure the SMTP Security Server to apply a generic “from” address to all outgoing mail.
E. Configure the SMTP Security Server to allow only mail to or from names, within Jack’s corporate domain.
Correct Answer: E
QUESTION 74
The exhibit is a cphaprob state command output from a ClusterXL New mode High Availability member.
When member 192.168.1.2 fails over and restarts, which member will become active?
A. 192.168.1.2
B. 192.168.1.1
C. Both members’ state will be standby.
D. Both members’ state will be active.
Correct Answer: B
QUESTION 75
You work as a network administrator at Certkiller.com. Your network includes ClusterXL running Multicast mode on two members, as shown in this topology exhibit.
Your network is expanding, and you need to add new interfaces: 10.10.10.1/24 on Member A, and 10.10.10.2/24 on Member B. The virtual IP address for interface 10.10.10.0/24 is 10.10.10.3.
What is the correct procedure to add these interfaces?
A. 1. Use the ifconfig command to configure and enable the new interface.
2. Run cpstop and cpstart on both members at the same time.
3. Update the topology in the cluster object for the cluster and both members.
4. Install the Security Policy.
B. 1. Disable “cluster membership” from one Gateway via cpconfig.
2. Configure the new interface via sysconfig from the “non-member” Gateway.
3. Re-enable “Cluster membership” on the Gateway.
4. Perform the same step on the other Gateway.
5. Update the topology in the cluster object for the cluster and members.
6. Install the Security Policy.
C. 1. Run cpstop on one member, and configure the new interface via sysconfig.
2. Run cpstart on the member. Repeat the same steps on another member.
3. Update the new topology in the cluster object for the cluster and members.
4. Install the Security Policy.
D. 1. Use sysconfig to configure the new interfaces on both members.
2. Update the topology in the cluster object for the cluster and both members.
3. Install the Security Policy.
Correct Answer: C
QUESTION 76
VPN-1 NGX includes a resource mechanism for working with the Common Internet File System (CIFS). However, this service only provides a limited level of actions for CIFS security. Which of the following services is NOT provided by a CIFS resource?
A. Long access share
B. Block Remote Registry Access
C. Log mapped shares
D. Allow MS print shares
Correct Answer: A
QUESTION 77
Which service type does NOT invoke a Security Server?
A. HTTP
B. FTP
C. Telnet
D. CIFS
E. SMTP
Correct Answer: D
QUESTION 78
Jack’s project is to define the backup and restore section of his organization’s disaster recovery plan for his organization’s distributed NGX installation. Jack must meet the following required and desired objectives.
* Required Objective: The security policy repository must be backed up no less frequently than every 24 hours
* Desired Objective: The NGX components that enforce the Security Policies should be backed up no less frequently than once a week
* Desired Objective: Back up NGX logs no less frequently than once a week
Jack’s disaster recovery plan is as follows. See exhibit.
Jack’s plan:
A. Meets the required objective but does not meet either desired objective
B. Does not meet the required objective
C. Meets the required objective and only one desired objective
D. Meets the required objective and both desired objectives
Correct Answer: D
QUESTION 79
Which VPN Community object is used to configure VPN routing within the SmartDashboard?
A. Star
B. Mesh
C. Remote Access
D. Map
Correct Answer: A
CheckPoint 156-315 VCE Files, The Most Recommended CheckPoint 156-315 Dumps PDF Online Store
Flydumps guarantees your Checkpoint 156-215 exam success with our Exam Resources. Checkpoint 156-215 exam materials are the latest and are developed by experienced IT certification professionals working in today’s prospering companies and data centers. All our Checkpoint 156-215 exam dumps include Checkpoint 156-215 exam questions, which guarantee you can pass the Checkpoint 156-215 exam on your first try.
QUESTION 90
Certkiller is the Security Administrator for an online bookstore. Customers connect to a variety of Web servers to place orders, change orders, and check the status of their orders. Mrs. Bill checked every box in the Web Intelligence tab, and installed the Security Policy. She ran a penetration test through the Security Gateway, to determine if the Web servers were protected from cross-site scripting attacks. The penetration test indicated the Web servers were still vulnerable. Which of the following might correct the problem?
A. The penetration software Certkiller is using is malfunctioning and is reporting a false-positive.
B. Certkiller must create resource objects, and use them in the rule allowing HTTP traffic to the Web servers.
C. Certkiller needs to check the “Products > Web Server” box on the host node objects representing his Web servers.
D. Certkiller needs to check the “Web Intelligence” box in the SmartDefense > HTTP Properties.
E. Certkiller needs to configure the Security Gateway protecting the Web servers as a Web server.
Correct Answer: C
QUESTION 91
You create two Policy Packages for two NGX Security Gateways. For the first Policy Package, you select Security and Address Translation and QoS Policy. For the second Policy Package, you select Security and Address Translation and Desktop Security Policy. In the first Policy Package, you enable host-based port scan from the SmartDefense tab. You save and install the policy to the relevant Gateway object. How is the port scan configured on the second Policy Package’s SmartDefense tab?
A. Host-based port scan is disabled by default.
B. Host-based port scan is enabled, because SmartDefense settings are global.
C. Host-based port scan is enabled but it is not highlighted.
D. There is no SmartDefense tab in the second Policy Package.
Correct Answer: B
QUESTION 92
A digital signature:
A. Uniquely encodes the receiver of the key.
B. Provides a secure key exchange mechanism over the Internet.
C. Guarantees the authenticity and integrity of a message.
D. Automatically changes the shared keys.
E. Decrypts data to its original form.
Correct Answer: C
QUESTION 93
You are setting up a Virtual Private Network, and must select an encryption scheme. Your data is extremely business sensitive and you want maximum security for your data communications. Which encryption scheme would you select?
A. Tunneling mode encryption
B. In-place encryption
C. Either one will work without compromising performance
Correct Answer: A
QUESTION 94
You have just started a new job as the Security Administrator for Certkiller. Your boss has asked you to ensure that peer-to-peer file sharing is not allowed past the corporate Security Gateway. Where should you configure this?
A. SmartDashboard > SmartDefense
B. SmartDashboard > WebDefense
C. By editing the file $FWDIR/conf/application_intelligence.C
D. SmartDashboard > Policy > Global Properties > Malicious Activity Detection
E. SmartDashboard > Web Intelligence
Correct Answer: A
QUESTION 95
Amy is configuring a User Authentication rule for the technical-support department to access an intranet server. What is the correct statement?
A. The Security Server first checks if there is any rule that does not require authentication for this type of connection.
B. The User Authentication rule must be placed above the Stealth Rule.
C. Once a user is first authenticated, the user will not be prompted for authentication again until logging out.
D. Amy can only use the rule for Telnet, FTP, and rlogin services.
E. Amy can limit the authentication attempts in the Authentication tab of the User Properties screen.
Correct Answer: A
QUESTION 96
How can you unlock an administrator’s account, which has been locked due to SmartCenter Access settings in Global Properties?
A. Type fwm lock_admin -ua from the command line of the SmartCenter Server.
B. Clear the “locked” box from the user’s General Properties in SmartDashboard.
C. Type fwm unlock_admin -ua from the command line of the SmartCenter Server.
D. Type fwm unlock_admin -ua from the command line of the Security Gateway.
E. Delete the file admin.lock in the $FWDIR/tmp/ directory of the SmartCenter Server.
Correct Answer: A
QUESTION 97
How many administrators can be created during installation of the SmartCenter Server?
A. Only one
B. Only one with full access and one with read-only access
C. As many as you want
D. Depends on the license installed on the SmartCenter Server
E. Specified in the Global Properties
Correct Answer: A
QUESTION 98
Which SmartConsole tool verifies the installed Security Policy name?
A. SmartView Status
B. Eventia Reporter
C. SmartView Server
D. SmartUpdate
E. SmartView Tracker
Correct Answer: E
QUESTION 99
Ilse manages a distributed NGX installation for Certkiller.com. Ilse needs to know which Security Gateways have licenses that will expire within the next 30 days. Which SmartConsole application should Ilse use to gather this information?
A. SmartView Monitor
B. SmartUpdate
C. SmartDashboard
D. SmartView Tracker
E. SmartView Status
Correct Answer: B
QUESTION 100
Herman is attempting to configure a site-to-site VPN with one of his firm’s business partners. Herman thinks Phase 2 negotiations are failing. Which SmartConsole application should Herman use to confirm his suspicions?
A. SmartUpdate
B. SmartView Tracker
C. SmartView Monitor
D. SmartDashboard
E. SmartView Status
Correct Answer: C
QUESTION 101
How can you reset the password of the Security Administrator, which was created during initial installation of the SmartCenter Server on SecurePlatform?
A. Launch cpconfig and select “Administrators”.
B. Launch SmartDashboard, click the admin user account, and overwrite the existing Check Point Password.
C. Type cpm -a, and provide the existing administration account name. Reset the Security Administrator’s password.
D. Export the user database into an ASCII file with fwm dbexport. Open this file with an editor, and delete the “Password” portion of the file. Then log in to the account without a password. You will be prompted to assign a new password.
E. Launch cpconfig and delete the Administrator’s account. Recreate the account with the same name.
Correct Answer: E
QUESTION 102
What happens when you select File > Export from the SmartView Tracker menu?
A. It is not possible to export an old log file, only save and switch in SmartView Tracker.
B. Current logs are exported to a new *.log file.
C. Exported log entries are still viewable in SmartView Tracker.
D. Exported log entries are deleted from fw.log.
E. Logs in fw.log are exported to a file that can be opened by Microsoft Excel.
Correct Answer: C
QUESTION 103
Which type of TCP attack is a bandwidth attack, where a client fools a server into sending large amounts of data, using small packets?
A. SMURF
B. Small PMTU
C. Host System Hogging
D. LAN
E. SYN-Flood
Correct Answer: B
QUESTION 104
What is the proper command for exporting users in LDAP format?
A. fw dbexport -f c:\temp\users.txt
B. fw dbimport -f c:\temp\users.ldif -l -s “o=YourCity.com,c=YourCountry”
C. fw dbimport -f c:\temp\users.ldap
D. fw dbexport -f c:\temp\users.ldap -l -s
E. fw dbexport -f c:\temp\users.ldif -l -s “o=YourCity.com,c=YourCountry”
Correct Answer: E
QUESTION 105
Shauna is troubleshooting a Security Gateway that is dropping all traffic whenever the most recent Security Policy is installed. Working at the Security Gateway, Shauna needs to uninstall the Policy, but keep the processes running so she can see if there is an issue with the Gateway’s firewall tables. Which of the following commands will do this?
A. fw dbload 10.1.1.5
B. fw unload 10.1.1.5
C. cprestart
D. fw tab -x -u
E. cpstop
Correct Answer: D
QUESTION 106
You have blocked an IP address via the Block Intruder feature of SmartView Tracker. How can you see the addresses you have blocked?
A. In SmartView Status click the Blocked Intruder tab.
B. Run fwm blocked_view.
C. Run fw sam -va.
D. Run fw tab -t sam_blocked_ips.
E. In SmartView Tracker, click the Active tab, and the actively blocked connections display.
Correct Answer: D
QUESTION 107
Your internal Web server in the DMZ has IP address 172.16.10.1/24. A particular network from the Internet tries to access this Web server. You need to set up some type of Network Address Translation (NAT), so that NAT occurs only from the HTTP service, and only from the remote network as the source. The public IP address for the Web server is 200.200.200.1. All properties in the NAT screen of Global Properties are enabled.
Select the correct NAT rules, so NAT happens ONLY between “web_dallas” and the remote network.
A. 1. Create another node object named “web_dallas_valid”, and enter “200.200.200.1” in the General Properties screen.
2. Create two manual NAT rules above the automatic Hide NAT rules for the 172.16.10.0 network.
3. Select “HTTP” in the Service column of both manual NAT rules.
4. Enter an ARP entry and route on the Security Gateway’s OS.
B. 1. Enable NAT on the web_dallas object, select “static”, and enter “200.200.200.1” in the General Properties screen.
2. Specify “HTTP” in the automatic Static Address Translation rules.
3. Create incoming and outgoing rules for the web_dallas server, for the HTTP service only.
C. 1. Enable NAT on the web_dallas object, select “hide”, and enter “200.200.200.1” for the Hide NAT IP address.
2. Specify “HTTP” in the Address Translation rules that are generated automatically.
3. Create incoming and outgoing rules for the web_dallas server, for the HTTP service only.
D. 1. Create another node object named “web_dallas_valid”, and enter “200.200.200.1” in the General Properties screen.
2. Create two manual NAT rules below the Automatic Hide NAT rules for network 172.16.10.0, in the Address Translation Rule Base.
3. Select “HTTP” in the Service column of both manual NAT rules.
4. Enter an ARP entry and route on the Security Gateway’s OS.
Correct Answer: A
QUESTION 108
Using SmartDefense, how do you notify the Security Administrator that malware is scanning specific ports? By enabling:
A. Network Port scan
B. Host Port scan
C. Malware Scan protection
D. Sweep Scan protection
E. Malicious Code Protector
Correct Answer: D
QUESTION 109
Jack’s project is to define the backup and restore section of his organization’s disaster recovery plan for his organization’s distributed NGX installation. Jack must meet the following required and desired objectives:
Required objective: The security policy repository must be backed up no less frequently than every 24 hours.
Desired objective: The NGX components that enforce the Security Policies should be backed up no less frequently than once a week.
Desired objective: Back up NGX logs no less frequently than once a week. Administrators should be able to view backed up logs in SmartView Tracker.
Jack’s disaster recovery plan is as follows:
Use the cron utility to run the upgrade_export command each night on the SmartCenter Servers. Configure the organization’s routine backup software to back up the files created by the upgrade_export command.
Configure the SecurePlatform backup utility to back up the Security Gateways every Saturday night.
Use the cron utility to run the upgrade_export command each Saturday night on the Log Servers. Configure an automatic, nightly logexport. Configure the organization’s routine backup software to back up the export log every night.
Jack’s plan:
A. Meets the required objective but does not meet either desired objective.
B. Meets the required objective and both desired objectives.
C. Meets the required objective and only one desired objective.
D. Does not meet the required objective.
Correct Answer: B
QUESTION 110
Anna is working at Certkiller.com, together with three other Security Administrators. Which SmartConsole tool should she use to check changes to rules or object properties other administrators made?
A. SmartDashboard
B. SmartView Tracker
C. Eventia Tracker
D. Eventia Monitor
E. SmartView Monitor
Correct Answer: B
QUESTION 111
When you find a suspicious connection from a problematic host, you want to block everything from that whole network, not just the host. You want to block this for an hour, but you do not want to add any rules to the Rule Base. How do you achieve this?
A. Create a Suspicious Activity rule in SmartView Tracker.
B. Create a Suspicious Activity Rule in SmartView.
C. Create an “FW SAM” rule in SmartView Monitor.
D. Select “block intruder” from the Tools menu in the SmartView Tracker.
Correct Answer: B
QUESTION 112
Your internal network is using 10.1.1.0/24. This network is behind your perimeter NGX VPN-1 Gateway, which connects to your ISP provider. How do you configure the Gateway to allow this network to go out to the Internet?
A. Use automatic Static NAT for network 10.1.1.0/24.
B. Use Hide NAT for network 10.1.1.0/24 behind the internal interface of your perimeter Gateway.
C. Use manual Static NAT on the client side for network 10.1.1.0/24
D. Use Hide NAT for network 10.1.1.0/24 behind the external IP address of your perimeter Gateway.
E. Do nothing, as long as 10.1.1.0 network has the correct default Gateway.
Correct Answer: D
QUESTION 113
Which of these changes to a Security Policy optimizes Security Gateway performance?
A. Using domain objects in rules when possible
B. Using groups within groups in the manual NAT Rule Base
C. Putting the least-used rule at the top of the Rule Base
D. Logging rules as much as possible
E. Removing old or unused Security Policies from Policy Packages
Correct Answer: E
QUESTION 114
Nelson is a consultant. He is at a customer’s site reviewing configuration and logs as a part of a security audit. Nelson sees logs accepting POP3 traffic, but he does not see a rule allowing POP3 traffic in the Rule Base. Which of the following is the most likely cause? The POP3:
A. service is a VPN-1 Control Connection.
B. rule is hidden.
C. service is accepted in Global Properties.
D. service cannot be controlled by NGX.
E. rule is disabled.
Correct Answer: B
QUESTION 115
When you hide a rule in a Rule Base, how can you then disable the rule?
A. Open the Rule Menu, and select Hide and View hidden rules. Select the rule, right-click, and select Disable.
B. Uninstall the Security Policy, and then disable the rule.
C. When a rule is hidden, it is automatically disabled. You do not need to disable the rule again.
D. Run cpstop and cpstart on the SmartCenter Server, then disable the rule.
E. Clear Hide from Rules drop-down menu, then right-click and select “Disable Rule(s)”.
Correct Answer: E
QUESTION 116
Mary is the IT auditor for a bank. One of her responsibilities is reviewing the Security Administrators’ activity and comparing it to the change log. Which application should Mary use to view Security Administrator activity?
A. NGX cannot display Security Administrator activity
B. SmartView Tracker in Real-Time Mode
C. SmartView Tracker in Audit Mode
D. SmartView Tracker in Log Mode
E. SmartView Tracker in Activity Mode
Correct Answer: C
QUESTION 117
Andrea has created a new gateway object that she will be managing at a remote location. She attempts to install the Security Policy to the new gateway object, but the object does not appear in the “install on” box. Which of the following is the most likely cause?
A. Andrea has created the object using “New Check Point > VPN-1 Edge Embedded Gateway”
B. Andrea created the gateway object using the “New Check Point > Externally Managed VPN Gateway” option from the Network Objects dialog box.
C. Andrea has not configured anti-spoofing on the interfaces on the gateway object.
D. Andrea has not configured Secure Internal Communications (SIC) for the object.
E. Andrea created the object using the “New Check Point > VPN-1 Pro/Express Security Gateway” option in the Network Objects dialog box, but still needs to configure the interfaces for the Security Gateway object.
Correct Answer: B
QUESTION 118
Certkiller is recently hired as the Security Administrator for Certkiller.com. Jack Bill’s manager has asked her to investigate ways to improve the performance of the firm’s perimeter Security Gateway. Certkiller must propose a plan based on the following required and desired results:
Required Result #1: Do not purchase new hardware.
Required Result #2: Use configuration changes that do not reduce security.
Desired Result #1: Reduce the number of explicit rules in the Rule Base.
Desired Result #2: Reduce the volume of logs.
Desired Result #3: Improve the Gateway’s performance.
Proposed solution:
* Replace all domain objects with network and group objects.
* Check “Log implied rules” and “Accept ICMP requests” in Global Properties.
* Use Global Properties, instead of explicit rules, to control ICMP, VRRP, and RIP.
Does Certkiller’s proposed solution meet the required and desired results?
A. The solution meets all required and desired results.
B. The solution meets all required, and one of the desired results.
C. The solution meets all required, and two of the desired results.
D. The solution meets all required, and none of the desired results.
E. The solution does not meet the required results.
Correct Answer: E
Checkpoint 156-215 Demo Exam, Useful Checkpoint 156-215 PDF Latest Version PDF&VCE
100% valid Apple 9L0-400 Flydumps with more new added questions. By training the Apple 9L0-400 questions, you will save a lot of time in preparing the exam. Visit www.Flydumps.com to get the 100% pass Apple 9L0-400 ensure!
QUESTION 55
Network users often have multiple passwords, a distinct password for each network service they access. Which is NOT a valid way to simplify this situation for users in Mac OS X v10.3?
A. Set up a Kerberos environment on the network.
B. Have users store their login information for different servers in Keychain.
C. Set up a directory service to make user and password information available to all computers.
D. Have users access network servers without authentication, using the Network icon in the Finder, rather than using the Connect to Server command, which requires users to authenticate.
Correct Answer: D
QUESTION 56
What are two ways to configure Mac OS X v10.3 to get LDAP information? Choose two.
A. Use Directory Access to configure Mac OS X v10.3 to get LDAP information from a DNS server.
B. Use Directory Access to configure Mac OS X v10.3 to use DHCP-supplied LDAP server information.
C. Use Directory Access to configure Mac OS X v10.3 with the IP address, type, and search base of a specific LDAP server.
D. Use the Sharing pane of System Preferences to configure Mac OS X v10.3 to use an Active Directory server as an LDAP server.
Correct Answer: BC
QUESTION 57
Authentication is ______________.
A. The system feature that determines whether you can access a file as Owner, Group, or Other.
B. The process whereby you prove your claimed identity to the computer system.
C. The association between your claimed user name and UID.
D. Used as a substitute for a password.
Correct Answer: B
QUESTION 58
Which statements are true of Kerberos? (Choose all that apply.)
A. Kerberos uses tickets.
B. Kerberos requires LDAP.
C. Kerberos requires service discovery.
D. Kerberos is a way to perform authentication.
E. Your computer presents your user name and password to each server.
Correct Answer: AD
QUESTION 59
In Mac OS X v10.3, you cannot use the Finder’s “Connection to Server” command to select ______________.
A. WebDAV servers
B. SSH servers
C. AFP servers
D. Your iDisk
Correct Answer: B
QUESTION 60
Dynamic service discovery protocols on Mac OS X v10.3 include ____________. Choose all that apply.
A. Active Directory
B. Rendezvous
C. AppleTalk
D. Netinfo
E. LDAP
F. SMB
Correct Answer: BCF
QUESTION 61
Some computers on a subnet have statically assigned IP addresses that start with “10”, and others are using the built-in Rendezvous protocol to self-assign link-local IP addresses. All the computers have file sharing turned on. What statement is FALSE?
A. A user on a computer with a link-local address can browse a computer with a static address.
B. A user on a computer with a static address can browse a computer with a link-local address.
C. A user on a computer with a link-local address can browse a computer with a link-local address.
D. A user on a computer with a static address can browse a computer with a static address by specifying the IP address.
E. A user on a computer with a link-local address can connect to a computer with a static address by specifying the IP address.
Correct Answer: A
QUESTION 62
Which can you NOT do using the Kerberos application in Mac OS X v10.3?
A. View a ticket.
B. Renew a ticket.
C. Force a network service to accept a ticket.
D. Change the password you use to get a ticket.
Correct Answer: C
QUESTION 63
Using Directory Access, you can configure your computer to__________.
A. Use a specific WINS server for SMB service discovery.
B. Be a member of more than one Windows workgroup.
C. Disable Finder’s Connect to Server feature.
D. Use AppleTalk to discover SMB services.
Correct Answer: A
QUESTION 64
Over which three of these protocols can network volumes be mounted using the “Connect to Server” command from the Finder? Choose three.
A. SMB
B. POP
C. FTP
D. DSL
E. NFS
F. IPP
Correct Answer: ACE
QUESTION 65
In Mac OS X v10.3, the default permissions for Group and Others on the Drop Box folder in a user’s Public folder are ____________.
A. Read only
B. Write only
C. No Access
D. Read & Write
Correct Answer: B
QUESTION 66
The Accounts pane of System Preferences lets you configure an account to __________.
A. Have Read only access.
B. Use a Simple Finder environment
C. Recognize multiple valid passwords
D. Log in to the computer only via FTP
Correct Answer: B
QUESTION 67
Which statement about FileVault is TRUE?
A. Once a user enables FileVault, it cannot be disabled.
B. FileVault can only be enabled for non-administrator user accounts.
C. There is no way to recover a FileVault-protected account user’s data if the password is lost.
D. When a user enables FileVault, that user’s home directory is transferred into an encrypted disk image.
Correct Answer: D
QUESTION 68
In Mac OS X v10.3, where can a non-administrator user named “ann” store her files?
A. /System
B. /Users/ann
C. /Applications
D. /Users/Home/ann
Correct Answer: B
QUESTION 69
Which statement about file and folder permissions is TRUE in Mac OS X v10.3?
A. Any user can delete a file from another user’s Drop Box.
B. A file’s permissions are always identical to its enclosing folder’s permissions.
C. A user with Read only permissions to a folder cannot view any files in that folder.
D. A user with Read & Write permissions to a folder cannot delete any files in that folder.
E. A user with Read only permissions to a folder cannot rename any files in that folder.
Correct Answer: E
QUESTION 70
When you delete a user named “Certkiller” using the graphical user interface in Mac OS X v10.3, the contents of Certkiller’s home folder can be ______________. (Choose all that apply.)
A. Deleted immediately
B. Moved to a folder named “Certkiller Deleted”
C. Converted to a .sit file and moved to the Deleted Users folder.
D. Converted to a .zip file and moved to the Deleted Users folder.
E. Converted to a .dmg file and moved to the Deleted Users folder.
Correct Answer: AE
QUESTION 71
How does an administrator user delete another user in Mac OS X v10.3?
A. Open Terminal and use the du command to delete the selected user.
B. Open the Users control panel, select a user to delete, and click the Delete button.
C. Open the Accounts pane of System Preferences, select a user to delete, and click the Delete (minus sign) button.
D. Open the /Users folder, select a user’s folder to delete, drag the folder to the Trash, and choose Empty Trash from the Finder menu.
Correct Answer: C
QUESTION 72
By default in Mac OS X v10.3, the contents of which folders in a user’s home directory can be accessed by all other user accounts? Choose all that apply.
A. Documents
B. Library
C. Public
D. Music
E. Sites
Correct Answer: CE
QUESTION 73
What permissions can you set on a file named “Certkiller.rtf” using the Ownership & Permissions section of the file’s Info window? Choose all that apply.
A. Delete
B. Read only
C. Write only
D. No access
E. Execute only
F. Read & Write
Correct Answer: BDF
QUESTION 74
During the Mac OS X v10.3 startup sequence, a Macintosh checks for a pressed C key, which tells the computer to start up from a CD volume rather than from a hard disk volume. This check occurs immediately after _______________.
A. BootX loads
B. Open Firmware is initialized.
C. The Kernel environment loads
D. The POST (Power On Self Test) passes
Correct Answer: B
QUESTION 75
How do you boot a Mac OS X v10.3 computer in single-user mode?
A. Restart while holding down the S key.
B. Restart while holding down Command-S.
C. Restart while holding down Command-Option-S.
D. Choose “Restart in single-user mode” from the Apple menu.
E. Click the Single User checkbox in the Startup Disk pane of System Preferences, and restart.
Correct Answer: B
QUESTION 76
Booting Mac OS X v10.3 in verbose mode is most useful as a troubleshooting tool when _____________.
A. The system repeatedly crashes during startup
B. You repeatedly encounter application crashes.
C. The computer cannot communicate with a printer
D. You repeatedly encounter system crashes after logging in
Correct Answer: A
QUESTION 77
After the mach_init and BSD init processes execute successfully, init runs the rc scripts located in _________ to perform basic system initialization tasks.
A. /etc
B. /var
C. /init
D. /System/Library
Correct Answer: A
QUESTION 78
Which application provides the most detail about system processes in Mac OS X v10.3?
A. Process Viewer
B. System Profiler
C. Activity Monitor
D. CPU Monitor Expanded Window
Correct Answer: C
QUESTION 79
The Classic pane of System Preferences lets you____________.
A. Install Mac OS 9 applications.
B. Run Mac OS 9 Software Updates.
C. Prevent Mac OS 8 applications from being started.
D. Monitor the memory usage of Classic applications and processes.
Correct Answer: D
QUESTION 80
UNIX-based applications that require the X Windows System server can be opened in Mac OS X v10.3 using ________________.
A. FreeX98 for Mac OS X.
B. WIN-X for Mac OS X
C. X11 for Mac OS X
D. Console
Correct Answer: C
QUESTION 81
Which are ways to force quit an open Mac OS X v10.3 application? Choose all that apply.
A. Use the forcequit command in Terminal.
B. Press Command-Option-Escape and select the application from the list.
C. Press Command-Control-Escape and select the application from the list.
D. Select the application in System Profiler and click the Force Quit button.
E. Choose Force Quit from the Apple menu and select the application from the list.
Correct Answer: BE
QUESTION 82
The function of journaling in the Mac OS Extended file system is to _______________.
A. Provide support for file forks
B. Make the file system case-sensitive
C. Make the file system compatible with the Windows (MS-DOS) format
D. Provide the user with a journal that lists recently created files and directories
E. Help protect the file system integrity in the case of power outages or unforeseen system failures
Correct Answer: E
QUESTION 83
Mac OS X v10.3 administrator users can enable a personal firewall by clicking the Start button in the Firewall pane of _________________.
A. Network Utility
B. NetInfo Manager
C. The Network pane of System Preferences
D. The Sharing pane of System Preferences
Correct Answer: D
QUESTION 84
Which statement about FileVault is TRUE?
A. Once a user enables FileVault, it cannot be disabled.
B. FileVault can only be enabled for non-administrator user accounts.
C. There is no way to recover a FileVault-protected account user’s data if the password is lost.
D. When a user enables FileVault, that user’s home directory is transferred into an encrypted disk image.
Correct Answer: D
QUESTION 85
By default in Mac OS X v10.3, the contents of which folders in a user’s home directory can be accessed by all other user accounts? Choose all that apply.
A. Documents
B. Library
C. Public
D. Music
E. Sites
Correct Answer: CE
Apple 9L0-400 Answers, 100% Pass Apple 9L0-400 Prep Guide Are The Best Materials