Tag: CheckPoint 156-210
Welcome to download the newest Dumpsoon 1Z0-060 dumps:
Don’t leave your fate to boring books, you should sooner trust FLYDUMPS CheckPoint 156-210 exam sample questions. If you prefer the course on FLYDUMPS CheckPoint 156-210 exam sample questions, then you will need to attend their class and their classroom sessions are quite expensive. FLYDUMPS CheckPoint 156-210 pdf could be the passport for your career life since it covers everything needed to pass CheckPoint 156-210 exam. CheckPoint 156-210 Testing Engine are composed by current and active Information Technology experts, who use their experience in preparing you for your future CheckPoint 156-210 exam sample questions available at FLYDUMPS will save you money, and get you started on the right road to making more with your new found skills.
QUESTION 177
When you disable a rule the rule is NOT disabled until you verify your Security Policy.
A. True
B. False
Correct Answer: B
QUESTION 178
Static Source NAT translates public internal source IP addresses to private external source IP addresses.
A. True
B. False.
Correct Answer: B
QUESTION 179
What is the command that lists the interfaces to which VPN-1/FireWall-1 bound?
A. Fw ct1 iflist
B. Ifconfig -a
C. Ifconfig \all
D. Netstat -m
E. Cp bind -all
Correct Answer: A
QUESTION 180
Your customer has created a rule so that every time a user wants to go to Internet, that user must be authenticated. Which if the following is the best authentication method for roaming users, such as doctors updating patient records at various floor stations in a hospital?
A. Session
B. User
C. Client
D. Connection
E. None of the above.
Correct Answer: B QUESTION 181
Which command utility allows verification of the Security Policy installed on a firewall module?
A. Fw ct1 pstat.
B. Fw printlic.
C. Fw stat.
D. Fw ver.
E. Fw pol.
Correct Answer: C QUESTION 182
You are a firewall administrator with one Management Server managing 3 different Enforcement Modules. One of the Enforcement Modules does NOT show up in the dialog box when attempting to install a Security Policy. Which of the following is the most likely cause?
A. No master file was created.
B. License for multiple firewalls has expired.
C. The firewall has NOT been rebooted.
D. The firewall was NOT listed in the Install On column of the rule.
E. The firewall is listed as “Managed by another Management Module (external)” in the Workstation Properties dialog box.
Correct Answer: E QUESTION 183
In the Install On column of a rule, when you select a specific firewall object as the only configuration object, that rule is enforced on all firewalls with in the network, with related configurations.
A. True
B. False.
Correct Answer: B QUESTION 184
As an administrator, you want to force your users to authenticate. You have selected Client Authentication as your authentication scheme. Users will be using a Web browser to authenticate. On which TCP port will authentication be performed?
A. 23
B. 80
C. 259
D. 261
E. 900
Correct Answer: E QUESTION 185
Once installed the VPN-1/FireWall-1 NG resides directly below what layer of the TCP/IP stack?
A. Data
B. Transport
C. Physical
D. Application
E. Network
Correct Answer: E QUESTION 186
Client Authentication rules should be placed above the Stealth rule, so users can authenticate to the firewall.
A. True
B. False
Correct Answer: A QUESTION 187
The following rule base tells you any automatically created NAT rules have simply hidden but have not been deleted from the Rule Base.
A. True
B. False
Correct Answer: B QUESTION 188
You are using static Destination NAT. You have VPN-1/FireWall-1 NG running on Windows NT/Solaris platform. By default, routing occurs after the address translation when the packet is passing form the client towards the server.
A. True
B. False
Correct Answer: B QUESTION 189
Which if the following statements are FALSE?
A. Dynamic NAT cannot be used for protocols where the port number cannot be changed.
B. Dynamic NAT cannot be used when an external server must distinguish between clients bases on their IP addresses.
C. With Dynamic NAT, packet’s source port numbers are modified.
D. In Dynamic NAT, public internal addresses are hidden behind a single private external address using dynamically assigned port numbers to distinguish between them.
E. Dynamically assigned post numbers are used to distinguish between hidden private addresses.
Correct Answer: D QUESTION 190
When you modify a User Template, any users already operating under that template will be updates to the new template properties.
A. True
B. False
Correct Answer: B QUESTION 191
Installation time for creating network objects will decrease if you list machine names and IP addresses in the hosts files.
A. True
B. False
Correct Answer: A QUESTION 192
Consider the following network: No Original Packet Translated Packet Source Destination Service Source Destination Service The administrator wants to take all the local and DMZ hosts behind the gateway except the HTTP server
192.9.200.9. The http server will be providing public services and must be accessible from Internet. Select the best NAT solution below that meets these requirements.
A. Use automatic NAT that creates a static NAT to the HTTP server.
B. To hide the private addresses set the address translation for Private Net.
C. To hide the private address set the address translation for 192.9.200.0.
D. Use automatic NAT rule creation to hide NAT Local net and private Net.
E. Both A and D.
Correct Answer: E QUESTION 193
What NAT made is necessary if you want to start and HTTP session on a Reserved or Illegal IP address?
A. Static Source.
B. Static destination.
C. Dynamic
D. None of the above.
Correct Answer: B
QUESTION 194
With SecureUpdate you are able to: (Select all that apply)
A. Change Central Licenses to Local Licenses
B. Track current installed versions of Check Point and OPSEC products
C. Update Check Point and OPSEC software remotely from a central location
D. Centrally manage Licenses
E. Perform a new installation of VPN-1/FW-1 remotely
Correct Answer: BCD
QUESTION 195
Which is false about SIC communications?
A. A.VPN Certificates, such as those for IKE are used for secure communications
B. B.The Policy Editior initiates an SSL based connection with the Management Server
C. The Policy Editor must be defined as being authorised to use the Management Server
D. The Management Server verifies that the Clients IP address belongs to an authorised Policy Editor Client
Correct Answer: A
Looking to become a certified Adobe professional? Would you like to reduce or minimize your CheckPoint 156-210 certification cost? Do you want to pass all of the Microsoft certification? If you answered YES, then look no further. Flydumps.com offers you the best CheckPoint 156-210 exam certification test questions which cover all core topics and certification requirements.
Welcome to download the newest Dumpsoon 1Z0-060 dumps: http://www.dumpsoon.com/1Z0-060.html
http://www.i-tec.org/aruba-accp-v6-practise-questions-the-most-effective-aruba-accp-v6-actual-test-on-our-store/
Welcome to download the newest Examwind JN0-360 dumps:
Each Answers in CheckPoint 156-210 study guides are checked by the concerned professional to provide you the best quality dumps. If you are looking to get certified in short possible time, you will never find quality product than Flydumps.
QUESTION 127
As a firewall administrator you encounter the following you error message:
Authentication for command failed.
What is the most logical reasoning for thus type of error message?
A. The Rule Base has been corrupted.
B. The kernel cannot communicate with the management module.
C. The administrator does not have the ability to push the policy.
D. Remote encryption keys cannot be fetched.
E. Client authentication has failed.
Correct Answer: B
QUESTION 128
Your customer has created a rule so that every time a user wants to go to the Internet, that user must be authenticated. Firewall load is a concern for the customer. Which authentication method does not result in any additional connections to the firewall?
A. Session
B. User
C. Client
D. Connection
E. None of the above.
Correct Answer: A
QUESTION 129
What variable is used to extend the interval of the Timeout in a NAT to prevent a hidden UDP connection from losing its port?
A. Fwx_udp_todefaultextend.
B. Fwx_udp_expdefaultextend.
C. Fwx_udp_todefaultext
D. Fwx_udp_timeout.
E. Fwx_udp_expiration.
Correct Answer: D
QUESTION 130
To hide data filed in the log viewer:
A. Select Hide from the Log Viewer menu.
B. Right-click anywhere in a column of the Log Viewer GUI and select Show Details.
C. Right-click anywhere in the column of the Log Viewer GUI and select Disable.
D. Right-click anywhere in the column of the Log Viewer GUI and select Hide.
E. Select Hide from the Log Viewer tool bar.
Correct Answer: D
QUESTION 131
You are following the procedure to setup user authentication for TELNET to prompt for a distinct destination. This allows the firewall to simulate a TELNET Proxy. After you defined the user on the Firewall and use VPN-1/FireWall-1 Authentication, you would:
A. Stop the Firewall.
B. Restart the Firewall.
C. Start the Policy Editor and go to Manage service, and edit TELNET service.
D. Ensure that the Authentication method is enabled in the firewall object.
E. Ensure that there are no existing rules already allowing TELNET.
Correct Answer: D
QUESTION 132
You have the VPN-1/Firewall-1 NG product installed. The following Rule Base order correctly implements Implicit Client Authentication fort HTTP. No. SOURCE DESTINATION SERVICE ACTION 1 All *Any TCP ftp User Auth Users@localnet 2 All Users@localnet *Any TCP http User Auth
A. True
B. False
Correct Answer: B
QUESTION 133
What is the software package through which all Check Point products use infrastructure services?
A. Cpstart/cpstop.
B. Check Point Registry.
C. CPD
D. Watch Dog for critical services.
E. SVN Foundation.
Correct Answer: E
QUESTION 134
Choose the BEST response to finish this statement. A Firewall:
A. Prevents unauthorized to or from a secured network.
B. Prevents unauthorized to or from a unsecured network.
C. Prevents authorized access to or from an Intranet.
D. Prevents authorized access to or from an Internet.
E. Prevents macro viruses from infecting the network.
Correct Answer: A
QUESTION 135
Where is the external if file located in VPN1/Firewall-1 NG?
A. FWDIR conf directory.
B. Database directory.
C. State directory.
D. Temp Directory.
E. Not used in VPN1/Firewall-1 NG.
Correct Answer: E
QUESTION 136
Which log viewer mode allows you to actually see the contents of the files HTTP-ed by the corporation’s Chief Executive Officer?
A. Security Log.
B. Active Connections Log.
C. Accounting Log.
D. Administrative Log.
E. None of the above.
Correct Answer: E
QUESTION 137
When you select the alert radio button on the topology tab of the interface properties window:
A. The action specified in the Action element of the Rule Base is taken.
B. The action specified in the Anti-Spoofing Alert field in the Global properties window is taken.
C. The action specified in the Pop up Alter Command in the Global properties window is taken.
D. Both A and B.
E. Both B and C.
Correct Answer: E
QUESTION 138
You are the firewall administrator with one management server managing one firewall. The system status displays a computer icon with a ‘!’ symbol in the status column. Which of the following is the most likely cause?
A. The destination object has been defined as external.
B. The Rule Base is unable to resolve the IP address.
C. The firewall has been halted.
D. The firewall is unprotected, no security policy is loaded.
E. Nothing is wrong.
Correct Answer: D
QUESTION 139
System Administrators use session authentication when they want users to:
A. Authenticate each time they use a supported service.
B. Authenticate all services.
C. Use only TENET, FTP, RLOGIN, and HTTP services.
D. Authenticate once, and then be able to use any service until logging off.
E. Both B and D
Correct Answer: B
QUESTION 140
Your customer has created a rule so that every time a user wants to go to Internet, that user must be authenticated. The customer requires an authentication scheme that provides transparency for the user and granular control for the administrator. User must also be able to log in from any location. Based on this information, which authentication schemes meets the customer’s needs?
A. Session
B. User
C. Client
D. Dual
E. Reverse
Correct Answer: B QUESTION 141
Implementing Dynamic NAT would enable an internal machine behind the firewall to act as an FTP Server for external clients.
A. True
B. False
Correct Answer: B QUESTION 142
The Enforcement Module (part if the VPN-1/FireWall-1 Module):
A. Examines all communications according to an Enterprise Security Policy.
B. Is installed on a host enforcement point.
C. Can provide authentication and Content Security features at the application level.
D. Us usually installed on a multi-homed machine.
E. All of the above.
Correct Answer: E QUESTION 143
In most cases when you are building the Rule Base you should place the Stealth Rule above all other rules except:
A. Clean up rules.
B. Implicit Riles.
C. Client Authentication Rules.
D. Pseudo Rules.
E. Default Rules.
Correct Answer: C QUESTION 144
If you change the inspection order of any of the implied rules under the Security Policy Setup, does it change the order in which the rules are enforced?
A. True
B. False
Correct Answer: A QUESTION 145
The fw fetch command allows an administrator to specify which Security Policy a remote enforcement module retrieves.
A. True
B. False
Correct Answer: A
QUESTION 146
You can edit VPE objects before they are actualized (translated from virtual network objects to real).
A. True
B. False.
Correct Answer: B
QUESTION 147
Stateful inspection is a firewall technology introduced in Checkpoint VPN-1/Firewall-1 software. It is designed to meet which if the following security requirements?
1.
Scan information from all layers in the packet.
2.
Save state information derived from previous communications, such as the outgoing Port command of an FTP session, so that incoming data communication can be verified against it.
3.
Allow state information derived from other applications access through the firewall for authorized services only, such as previously authenticated users.
4.
Evaluate and manipulate flexible expressions based on communication and application derived state information.
A. 1, 2, 3
B. 1, 3, 4
C. 1, 2, 4
D. 2, 3, 4
E. 1, 2, 3, 4
Correct Answer: E
QUESTION 148
If the security policy editor or system status GUI is open, you can open the log viewer GUI from the window menu.
A. True
B. False
Correct Answer: A
QUESTION 149
NAT can NOT be configured on which of the objects?
A. Hosts
B. Gateways
C. Networks
D. Users
E. Routers
Correct Answer: D
QUESTION 150
Your customer has created a rule so that every user wants to go to Internet, that user must be authenticated. Which is the best method of authentication for users who must use specific computers for Internet access?
A. Session
B. User
C. Client
D. Connection
E. None of the above.
Correct Answer: C
QUESTION 151
Which of the following describes the behavior of VPN-1/Firewall-1 NG?
A. Traffic not expressly prohibited is permitted.
B. Traffic not expressly permitted is prohibited.
C. TELNET, SMTP and HTTP are allowed by default.
D. Secure connections are authorized by default, unsecured connections are not.
E. All traffic is controlled by explicit rules.
Correct Answer: B
QUESTION 152
New users are created from templates. What is the name of the standard template from which you would create a new user?
A. New
B. User
C. Group
D. Standard User.
E. Default
Correct Answer: E
QUESTION 153
In a distributed management environment, the firewall administrator has removed the default check from Accept VPN-1/Firewall-1 control connections under the Security Policy tab of the properties setup dialogue box. In order for the management module and the Firewall to communicate, you must create a rule to allow the Management Module to communicate to the firewall on which port?
A. 80
B. 256
C. 259
D. 900
E. 23
Correct Answer: B
QUESTION 154
What is the command for installing a Security Policy from a *.W file?
A. Fw gen and then the name of the .W file.
B. Fw load and then the name of .W file.
C. Fw regen and then the name of the .W file.
D. Fw reload and then the directory location of the .W file.
E. Fw import and then the name of the .W file.
Correct Answer: B
QUESTION 155
In the Check Point Configuration Too, you create a GUI administrator with Read Only privileges. This allows the Firewall-1 administrator for the authorized GUI client (GUI workstation) privileges to change network object, and create and install rules.
A. True
B. False
Correct Answer: B QUESTION 156
Hybrid Authentication allows VPN-1/Firewall-1 NG to authenticate SecuRemote/SecureClient, using which of the following?
A. RADIUS
B. 3DES
C. TACACS
D. Any authentication method supported by VPN-1/Firewall-1.
E. Both A and C.
Correct Answer: D QUESTION 157
In order to install a new Security Policy on a remote firewall, what command must be issued on the remote firewall?
A. Fw unload all all.
B. Fw load new.
C. Cp clear policy.
D. None of the above, the command cp policy remove is issued from the manager.
E. None of the above, the new policy will automatically overwrite the existing policy.
Correct Answer: E QUESTION 158
As a firewall administrator if you want to log packets dropped by “implicit drop anything not covered” rules, you must explicitly define a Clean-up rule. This must be the last rule in the rule base.
A. True
B. False
Correct Answer: A QUESTION 159
Fully Automatic Client authentication provides authentication for all protocols, whether supported by these protocols or not.
A. True
B. False
Correct Answer: A QUESTION 160
VPN-1/Firewall-1 NG differs from Packet filtering and Application Layer Gateways, because?
A. VPN-1/Firewall-1 NG provides only minimal logging and altering mechanism.
B. VPN-1/Firewal-1 NG uses Stateful inspection which allows packet to be examined at the top of the layers of the OSI model.
C. VPN-1/Firewall-1 NG has access to a limited part of the packet header only.
D. VPN-1/Firewall-1NG requires a connection from a client to a firewall and firewall to a server.
E. VPN-1/Firewall-1 NG has access to packets passing through key locations in a network.
Correct Answer: B
QUESTION 161
AlphaBravo Corp has 72 privately addressed internal addresses. Each network is a piece of the 10-net subnetted to a class C address. AlphaBravo uses Dynamic NAT and hides all of the internal networks behind the external IP addresses of the Firewall. The Firewall administrator for AlphaBravo has noticed that policy installation takes significantly longer since adding all 72 internal networks to the address translation rule. What should the Firewall administrator do to reduce the time it takes to install a policy?
A. Create an object for the entire 10-net and use the object for the translation rule instead of the individual network objects.
B. Use automatic NAT rule creation on each network object. Hide the network behind the firewall’s external IP addresses.
C. Match packets to the state table, so packets are not dropped. Increase the size of the NAT tables.
D. Reinstall the Firewall and Security Policy Editor. The policy is corrupting Firewall’s binaries.
E. Increase the size of state table. Use automatic NAT rule creation to hide the networks behind an IP address other than firewall’s external IP.
Correct Answer: A
QUESTION 162
How does VPN-1/Firewall-1 NG implement Transparent authentication?
A. Unknown user receive error messages indicating that the firewalled gateway does not know the user names on the gateway.
B. VPN-1/Firewall-1 NG prompts for user names even through the authentication data may not be recognized by the firewall’s user database.
C. VPN-1/Firewall-1 NG allows connections, but hides the firewall from authenticated users.
D. Unknown users error messages indicating that the host does not know the users names on the server.
E. VPN-1/Firewall-1 NG does not allow connections from users who do not know the name of the firewall.
Correct Answer: C
QUESTION 163
When creating user authentication rule, select intersect with user database for source and destination to allow access according to the source specified in the rules.
A. True
B. False
Correct Answer: B
QUESTION 164
A connection initiated by the client in the figure below will be hidden behind the IP address of the interface
through which the connection was routed on the server side if the gateway (behind either interface 2 or
interface 3). Specifying 0.0.0.0 as the address is convenient because of network address translation (NAT)
is performed dynamically. And if the IP addresses of the gateway are changed, it is not necessary to
reconfigure the NAT parameters.
Which of the following is true about the following figure?
A. A connection initiated by the client will be hidden behind the IP address of the exit interface.
B. A connection initiated by the server will be hidden behind the IP address of the exit interface.
C. A connection initiated by the server will be hidden by the IP address of the client.
D. Source addresses of outbound packets from the client will be translated to 0.0.0.0.
E. Source addresses of outbound packets from the server will be translated to 0.0.0.0.
Correct Answer: A QUESTION 165
Which if the following statements about Client Authentication are FALSE?
A. In contrast to User Authentication, which allows access per user, Client Authentication allows access per ID address.
B. Authentication is by user name and password, but is the host machine (client) that is granted access.
C. Client Authentication is more secure than User Authentication, because it allows multiple users and connections from an authorized IP address or host.
D. Client Authentication enables administration to grant access privileges to a specific IP address after successful authentication.
Correct Answer: C QUESTION 166
When you make a rule, the rule is not enforces as part of your Security Policy.
A. True
B. False
Correct Answer: B QUESTION 167
Which of the following user actions would you insert as an INTERNAL Authentication scheme?
A. The user enters the security dynamics passcode.
B. The user prompted for a response from the RADIUS server.
C. The user prompted for a response from the AXENT server.
D. The user prompted for a response from the TACACS server.
E. The user enters an operating system account password.
Correct Answer: E QUESTION 168
When configuring Static NAT, you cannot map the routable IP address to the external IP address of the Firewall if attempted, the security policy installation fails with the following error “rule X conflicts with rule Y”.
A. True
B. False
Correct Answer: A QUESTION 169
The advantage of client authentication is that it can be used for any number of connections and for any services, but authentication is only valid for a specified length of time.
A. True
B. False Correct Answer: B QUESTION 170
You have set up Static NAT on a VPN-1/Firewall-1 to allow Internet traffic to an internal web server. You notice that any HTTP attempts to that machine being dropped in the log due to rule 0. Which of the following is the most likely cause?
A. Spoofing on the internal interface us set to Network defined by Interface IP and Net Mask.
B. Spoofing on the external interface is set to Not Defined.
C. You do NOT have a rule that allows HTTP access to the internal Web Server.
D. You do NOT have a rule that allows HTTP from the Web Server to Any destination.
E. None of the above.
Correct Answer: C QUESTION 171
As a firewall administrator, you are required to create VPN-1/Firewall-1 users for authentication. When you create a user for user authentication, the data is stored in the?
A. Inspect Engine.
B. Rule base.
C. Users database
D. Rulebase fws file
E. Inspect module.
Correct Answer: C QUESTION 172
If users authenticated successfully, they have matched the User and Authentication rule restriction of the user group to which they belong.
A. True
B. False
Correct Answer: A QUESTION 173
The only way to unblock BLOCKED connections by deleting all the blocking rules from the Rule base.
A. True
B. False
Correct Answer: B QUESTION 174
When you perform a cp fetch, what can you expect from this command?
A. Firewall retrieves the user database from the tables on the Management Module.
B. Firewall retrieves the inspection code from the remote Management Module and installs it to the kernel.
C. Management module retrieves the IP address of the target specified in the command.
D. Management module retrieves the interface information for the target specified in the command.
E. None of the above.
Correct Answer: B QUESTION 175
Each incoming UDP packet is locked up in the list of pending connections. Packets are delivered if they are _________.
A. A request.
B. A response to a request.
C. Source routed.
D. Allowed by the Rule Base.
E. Both B and D.
Correct Answer: E
QUESTION 176
Assume an NT system. What is the default expiration for a Dynamic NAT connection NOT showing any TCP activity?
A. 30 Seconds.
B. 60 Seconds.
C. 330 Seconds.
D. 660 Seconds.
E. 3600 Seconds.
Correct Answer: E
Buying all CheckPoint 156-210 exam sample questions can guarantee you to pass your first CheckPoint 156-210 exam. If you do not pass the exam,FLYDUMPS will full refund to you. You can also free online download the part of FLYDUMPS’s CheckPoint 156-210 exam practice questions and answers as a try. After your understanding of our reliability, I believe you will quickly add FLYDUMPS’s CheckPoint 156-210 exam sample questions to your cart. FLYDUMPS will achieve your dream. FLYDUMPS is a website to achieve dreams of many IT people. FLYDUMPS provide candidates participating in the IT certification exams the information they want to help them pass the CheckPoint 156-210 exam.
Welcome to download the newest Examwind JN0-360 dumps: http://www.examwind.com/jn0-360.html
http://www.maeeonline.org/sap-c-hanatec-1-preparation-materials-provides-best-sap-c-hanatec-1-test-engine-with-100-pass-rate/
Welcome to download the newest Pass4itsure ns0-155 Practice Test dumps: http://www.pass4itsure.com/ns0-155.html
You can pass CheckPoint 156-210 exam if you get a complete hold of CheckPoint 156-210 dumps. What’s more, all the CheckPoint 156-210 Certification exams Q and A provided by Flydumps is the latest.
QUESTION 101
You are working with multiple firewalls that have extensive Rule Bases. To simplify administration task, which of the following should you choose to do?
A. Create Network range objects that restrict all applicable rules to only certain networks.
B. Run separate GUI clients for external and internal firewalls.
C. Eliminate all possible contradictory rules such as stealth and clean-up rules.
D. Save a different Rule Base for each remote firewall.
E. None of the above.
Correct Answer: D
QUESTION 102
Currently, the Accounting Department is FTP-ing a file in the bank. Which Log Viewer Module would show you the activity occurring at the present time?
A. Security Log.
B. Active Connections Log.
C. Accounting Log-
D. Administrative Log.
E. None of the above.
Correct Answer: B
QUESTION 103
With Blocking Scope default settings, a selected connection is terminated:
A. And all further attempts to establish a connection from the same source IP address to the same destination IP address and port will be blocked.
B. But all further attempts to establish connections from this specific source IP address will be authenticated before being denied.
C. And all further attempts to establish connections to this specific destination IP address will be denied.
D. And all further attempts to establish a connection from the same source IP address to the firewall’s IP address will be blocked.
E. Both A and D.
Correct Answer: A
QUESTION 104
Consider the following Rule Base for VPN-1/Firewall-1 NG. Assuming the default settings in global properties have NOT changed, ICMP would be allowed through the firewall. No SOURCE SERVICE ACTION TRACK
DESTINATION
1 Any Web_Server http Accept Long
2 Any Any Any Any Long
A. True
B. False
Correct Answer: B
QUESTION 105
Which is the correct rule in the following Rule Base? No SOURCE SERVICE ACTION TRACK DESTINATION
1 Any Any Session Log Auth AllUsers@Chicago
2 Chicago Any Session Log Auth AllUsers@Chicago
3 Any Any Session Log Auth AllUsers@Any
4 Any Any User Log Auth AllUsers@Chicago
A. Rule 2
B. Rule 1
C. Rule 3
D. Rule 4
E. None of the rules allow access.
Correct Answer: B
QUESTION 106
In the Client Authentication Action Properties window (below), for the required Sign On Method section, Manual is selected.
This means:
A. If a connection matches the Rule Base the service is an authenticated service, the client is signed on after a successful authentication.
B. The user must initiate the Client Authentication Session to the gateway.
C. If a connection using any service matches Rule Base, the client is authenticated.
D. If authentication is successful, access is granted from the network that initiated the connection.
E. The user must TELNET to the target server on port 259.
Correct Answer: B
QUESTION 107
Changes made to the Security Policy do not take effect on the Enforcement Module until the administrator performs which of the following actions?
A. Saves the policy.
B. Verifies the policy.
C. Install the policy.
D. Stops firewall services on the Enforcement Module.
E. Stops firewall services on the Management module.
Correct Answer: C
QUESTION 108
Consider the following network: The public servers are a web form. Since the web servers accepts and initiate connections Dynamic translation is required.
A. True
B. False
Correct Answer: B QUESTION 109
The fw fetch command perform the following function:
A. Attempts to fetch the policy from the Management Server.
B. Fetches users from the Management server.
C. Produces an output screen of the Rule Base.
D. Fetches the logs.
E. Fetches the systems status.
Correct Answer: A QUESTION 110
Inclement weather and a UPS-failure cause a firewall to reboot. Earlier that day a tornado destroyed the building where the firewall’s Management Module was located. The Management Module was not recovered and has not been replaced. Bases on the scenario, which of the following statements is FALSE?
A. The firewall will continue to enforce the last rule base installed.
B. The firewall will log locally.
C. The firewall will fetch the last installed policy form local host and install it.
D. Communication between the firewall and the replacement Management Module must be established before the replacement Management Module can install a policy on the firewall.
E. Because the firewall cannot contact the Management Module, no policy will be installed.
Correct Answer: E QUESTION 111
When configuring Anti-Spoofing for VPN-1/FireWall-1 NG on the firewall interfaces, all of the following are valid address choices except:
A. Network defined by Interface IP and Net Mask.
B. Not Defined.
C. Security Policy Installed.
D. Specific
E. None of the above.
Correct Answer: C
QUESTION 112
The security administrator for the following configuration only allows members of the localnet managers group access files in BigBen (the FTP Server)
Select below the rule that allows local managers to access the FTP server from any location. No SOURCE SERVICE ACTION
DESTINATION
1 BigBen ftp User Auth LocalManagers@Any
2 BigBen ftp Client Auth LocalManagers@Net_London
3 BigBen ftp Session Auth LocalManagers@Any 4 BigBen ftp User Auth LocalManagers@Net_Tokyo
A. Rule 1.
B. Rule 2.
C. Rule 3.
D. Rule 4.
E. None of these rules allow access.
Correct Answer: A QUESTION 113
Assume that you are working on a Windows NT operating system. What is the default expiration for a Dynamic NAT connection NOT showing any UDP activity?
A. 30 Seconds.
B. 60 Seconds.
C. 40 Seconds.
D. 600 Seconds.
E. 3000 Seconds.
Correct Answer: C QUESTION 114
Assume there has been no change made to default policy properties. To allow a telnet connection into your
network, you must create two rules.
One to allow the initial Telnet connection in.
One to allow the destination machine to send information back to the client.
A. True
B. False
Correct Answer: B QUESTION 115
In Windows NT to force log entries other than the default directory.
A. You must use the cpconfig command.
B. Change the fwlog environment variable.
C. Modify the registry.
D. Change the directory in log viewer.
E. Use the fw log switch command.
Correct Answer: C QUESTION 116
For most installations, the Clean-Up rule should be the last rule in Rule Base.
A. True
B. False
Correct Answer: A QUESTION 117
What complements are necessary for VPN-1/FireWall-1 NG to scan e-mail, passing through the firewall, for macro viruses?
A. UFP and OPSEC-certified scanning product.
B. CVP and OPSEC-certified virus scanning product.
C. UFP and CVP.
D. UFP, CVP and OPSEC-certified content filter.
E. None of the above, VPN-1/FireWall-1 NG scans for macro viruses by default.
Correct Answer: B QUESTION 118
Why would you want to verify a Security Policy before installation?
A. To install Security Policy cleanly.
B. To check up the enforcement-point firewall for errors.
C. To identify conflicting rules in your Security Policy.
D. To compress the Rule Base for faster installation
E. There us no benefit verifying a Security Policy before installing it.
Correct Answer: C
QUESTION 119
To completely setup Static NAT, you ONLY have to select Add Automatic Address Translation rules on the NAT tab, and specify a public NAT IP address.
A. True
B. False
Correct Answer: B
QUESTION 120
If you configure the Minutes interval for a firewall in the User Authentication session timeout box, as shown below on the Authentication Tab of the Workstations properties window, users of one time password must re-authenticate for each request during this time period.
A. True
B. False
Correct Answer: B
QUESTION 121
What does a status of Untrusted tell you?
A. A VPN-1/Firewall-1 NG firewall module has been compromised.
B. A gateway cannot be reached.
C. A module is installed and responding to status checks, but the status is problematic.
D. A gateway is connected, but the management module is not the master of the module installed on the gateway.
E. None of the above.
Correct Answer: D
QUESTION 122
Omanan Enterprises has the premier reclamation system for scrap aluminum in the western hemisphere. Then phenomenal growth over the last 10 years has led to the decision to establish a presence in the Internet in order to their customers. To that end, Omanan Enterprise network administrator, Jason has acquired a Web Server, and email server and 14 IP addresses from their ISP. Jason also purchased a Checkpoint VPN-1/FireWall-1 stand alone gateway module, with these interfaces, to protect Omanan enterprises’ corporate data their ISP will be providing DNS services. The Web Server and email server must have Static routable IP addresses. The eight member executive counsel of Omanan Enterprises would to have routable IP addresses also, so that they can video-conference with the company’s suppliers. Omanan Enterprises’ remaining 200 employees would like to have access to Internet, and the executive counsel believe that granting them access might improve company morale. Jason installs and configured Checkpoint VPN-1/FireWall1 stand alone Gateway module at the perimeter of Omanan Enterprises corporate LAN. He uses the 3rd NIC in the stand alone firewall gateway module to create DMZ. Jason installs the Web server and the email server on the DMZ. He creates tools and objects on the checkpoint VPN-1/FireWall-1 stand alone gateway module to allow HTTP, POP3 and SMTP from the Internet to the DMZ. He Creates objects to represent the web and email server and configures them for Static NAT. Jason reconfigures his DHCP server so that each of the members of the executive counsel has reserved IP address. He then sues those reservations co create Statically NAT-ed objects on the Checkpoint VPN/ Firewall-1 Standalone Gateway module. Jason creates another object represents the internal network he
configures this object for Dynamic NAT. He adds a rule allowing HTTP traffic from the internal network to
any destination. Jason created an additional rule to allow POP3 and SMTP traffic between the internal
networks and DMZ.
Choose the one phrase below that best describes Jason’s proposal.
A. The proposed solution meets the required objectives and none of the desired objectives.
B. The proposed solution meets the required objectives and only one of the desired objectives.
C. The proposed solution meets the required objectives and all desired objectives.
D. The proposed solution does not meet the required objective.
Correct Answer: C
QUESTION 123
Anna is a security administrator setting up User Authentication for the first time. She has correctly configured her Authentication rule, but authentication still does not work. What is the Check Point recommended way to troubleshoot this issue?
A. Verify the properties of the user attempting authentication and the authentication method selected in the Authentication Properties of your firewall object.
B. Verify the firewall settings of your firewall object, and the properties for the user attempting encryption and authentication.
C. Verify the properties for the user attempting authentication and make sure that the file Stealth Authentication method is selected in the Authentication properties of both the peer gateway object and your firewall object.
D. Verify both Client and User Authentication, and the authentication method selected in the Authentication properties of your Firewall object.
E. Re-import Schema from the VPN-1/FireWall-1 NG installation CD.
Correct Answer: A
QUESTION 124
Session authentication provides an authentication method NOT supported by protocols that can be integrated with any application. No. Source Service Action Track Install On Destination
1.
Any Local_Net telnet Accept Long Gateways
2.
Any Accept Long Gateways Pub Pub Server1 Server2
A. True
B. False
Correct Answer: A
QUESTION 125
How do recover communications between your management module and enforcement module if you lock yourself out via a rule policy that is configured incorrectly?
A. Cp delete all all.
B. Cp pause all all.
C. Cp stop all all.
D. Cp unload all all.
E. Cp push all all.
Correct Answer: D QUESTION 126
You have set up a firewall and management module on one NT box and a remote module on a different location. You receive only sporadic logs from the local firewall and only and control message from remote firewall. All rules on both firewalls are logging and you know the traffic is flowing through the firewall using these rules. All the firewall related services are running and you are using NAT and you receive few logs from the local firewall. What actions from the choices below would you perform to find out why you cannot see logs?
A. Make sure there is no masters file in SFWDIR/conf on the remote module.
B. Make sure there is no masters file in SFWDIR/conf on the local NT box.
C. See if you can do a fwfetch from the module.
D. Run the fw logexport -t -n from the command line prompt on the remote module.
E. Use pulist.exe from the Windows NT resource kit.
Correct Answer: C
Flydumps is a website to improve the pass rate of CheckPoint 156-210 exam. Senior IT experts in the Passcert constantly developed a variety of successful programs of passing CheckPoint 156-210 exam, so the results of their research can 100% guarantee you CheckPoint 156-210 exam for one time. Flydumps CheckPoint 156-210 are very effective and many people who have passed a number of IT certification exams used the CheckPoint 156-210 dumps provided by Flydumps. Some of them who have passed the CheckPoint 156-210 also use Passcert products. Selecting Flydumps means choosing a success.
Welcome to download the newest Pass4itsure ns0-155 Practice Test dumps: http://www.pass4itsure.com/ns0-155.html
CheckPoint 156-210 Exam Questions, Valid and updated CheckPoint 156-210 Certification Exams Online
Flydumps practice test training resources are versatile and highly compatible with Microsoft exam formats. We provide up to date resources and comprehensive coverage on CheckPoint 156-210 exam dumps help you to advance your skills.
QUESTION 55
Which Block Intruder options block suspicious connections? (Choose three)
A. Block Connections by Packet Size.
B. Block Access from that Source.
C. Block Connections using Specific Services.
D. Block Access to the Destination.
E. Block Selected Connection.
Correct Answer: BDE
QUESTION 56
Which of the following denial-of-service attacks does SmartDefense defeat? (Choose three)
A. Ping of Death
B. Rouge Applets
C. Teardrop
D. Host System Hogging
E. LAND
Correct Answer: ACE
QUESTION 57
What are the benefit of Stateful Inspection? (Choose two) Stateful Inspection:
A. Shuts down the upper-range ports, to secure an internal network.
B. Uses state information derived from past communications and other applications, to make control decisions for new communication attempts.
C. Leaves the upper range of ports (greater than 1023) open, to allow for file-transfer sessions.
D. Duplicates the number of sessions, acting as a proxy broker between a client and server.
E. Examines every packet, and applies a defined Security Policy to each.
Correct Answer: BE
QUESTION 58
Which of the following are core functions of Application Intelligence? (Choose two)
A. Validating compliance to standards.
B. Validating simple protocols, without controlling application logic.
C. Validating Data and Physical Layer attacks.
D. Limiting the ability of applications to carry malicious data.
E. Allowing Application Layer operations.
Correct Answer: AD
QUESTION 59
One of the functions of the SmartDefense console is to:
A. Add rules to block and log attacks.
B. Configure user options for tracking attacks.
C. Display real-time information about attacks.
D. Configure logging options for attack forensics.
E. Configure auditing and reporting options.
Correct Answer: C
QUESTION 60
The SANS Dshield.org Storm center integrates with SmartDefense, by: (Choose two)
A. Reviewing VPN-1/FireWall-1 logs.
B. Providing Storm Center audit trails.
C. Setting up the SmartDefense Subscription service.
D. Adding the Storm Center Block List report to the Security Policy.
E. Updating SmartDefense attack signatures in real time.
Correct Answer: AD
QUESTION 61
Systems needing to be accessed from the Internet should use which type of address translation?
A. IP Pool NAT
B. Hide NAT
C. NAT cannot be used
D. Static NAT
E. Dynamic NAT
Correct Answer: D
QUESTION 62
VPN-1/FireWall-1 logs are exportable to other applications, such as spreadsheets or databases, using which of the following?
A. FW Log Unification Engine
B. Secure Internal Communications (SIC)
C. Check Point logs are not exportable
D. Log Export Application (LEA)
E. Log Identification Unique ID (LUUID)
Correct Answer: D
QUESTION 63
Which of the following is NOT configured under Application Intelligence in SmartDefense?
A. FTP
B. DNS
C. Dynamic Ports
D. Rlogin
E. VoIP
Correct Answer: C
QUESTION 64
Which type of rule should be placed above the Stealth Rule?
A. User Authentication
B. Client Authentication
C. Network Address Translation
D. Cleanup
E. Session Authentication
Correct Answer: B
QUESTION 65
Bad weather and a UPS failure caused your remote Enforcement Module to reboot. Earlier that day, a tornado destroyed the building where the SmartCenter Server was located. You have not yet recovered or replaced the SmartCenter Server. Which of the following statements is false? (Choose two) Because the Enforcement Module cannot connect to the SmartCenter Server.
A. The Enforcement Module will log locally.
B. The Enforcement Module will continue to enforce the last Security Policy installed.
C. No Security Policy is installed, and all traffic will be dropped.
D. No Security Policy is installed, and all traffic will be allowed.
E. The Enforcement Module attempts to fetch a Security Policy from the SmartCenter Server, and install it.
Correct Answer: AB
QUESTION 66
Which of the following is NOT included in Application Intelligence Web Security?
A. HTTP Worm Catcher
B. Peer-to-Peer traffic over HTTP
C. Cross-Site Scripting
D. HTTP Format Size
E. HTTP Java Blocker
Correct Answer: E
QUESTION 67
Which of the following statements are TRUE of VPN-1/FireWall-1 groups? (Choose two)
A. Groups can be nested in groups.
B. The contents of one group can be imported into another group.
C. Services and network objects can be placed in the same group.
D. User groups can be nested, but network-object groups cannot.
E. Users and services can be placed in the same group.
Correct Answer: AB
QUESTION 68
You have locked yourself out, with a rule or an incorrectly configured Security Policy. What would you do to recover communication between your SmartCenter Server and Enforcement Module?
A. fw push localhost
B. pw unloadlocal
C. fw unlocklocal
D. cpstop localhost
E. cpdelete localhost
Correct Answer: B
QUESTION 69
How does SmartDefense Integrate with network Storm Centers? (Choose two)
A. Security Administrators can decide to send logs to a Storm Center to help other organizations.
B. The SmartDefense Storm Center Module downloads the Block List Report directly, adding it to the Security Policy.
C. Security Administrators must manually compile log files before sending them to Storm Centers.
D. Security Administrators must create network objects for each of the systems on the Storm Center Block List, then install a new Security Policy.
E. By default, logs are automatically delivered to a Storm Center.
Correct Answer: AB
QUESTION 70
Which of the following statements is TRUE of transparent authentication in NG with Application Intelligence? (Choose three)
A. Unknown users are prompted three times for a password, and are then disconnected.
B. Unknown users receive error messages, indicating that the Enforcement Module does not recognize user names.
C. NG with Application Intelligence does not allow connections from users who do not know the name or IP address of the Enforcement Module.
D. NG with Application Intelligence prompts for user names, event though authentication data may not be recognized by the Enforcement Module.
E. NG with Application Intelligence allows connections from authenticated users, and does not require that users know the IP address or name of the firewall.
Correct Answer: ADE
QUESTION 71
At Certkiller , auditors are Check Point Security Administrators with a customized permissions profile.
Auditors must have the ability to review information from SmartView Tracker, SmartView Status, and
SmartView Monitoring, but they may not make changes to the information. Auditors are not permitted to
view security Policies or the objects database.
Which of the following settings grants auditors the MOST appropriate set of permissions, based on the
corporate environment, described above for Certkiller ?
A. Read-Only SmartView Reporter
B. Read-Only Monitoring
C. Read-Only Security Policy
D. Read-Only SmartUpdate
E. Read-Only Log Consolidator
Correct Answer: A
QUESTION 72
When are Anti-Spoofing Rules enforced during packet inspection?
A. Before the Cleanup Rule is applied.
B. After the Stealth Rule is applied.
C. Before any rule in the Rule Base is applied.
D. When the packet is authorized by an Accept or Encrypt rule.
Correct Answer: C
QUESTION 73
Which of the following objects are allowed in the Source components of the Rule Base? (Choose two)
A. Host-Node Objects
B. Time Objects
C. LDAP Account Units
D. Services
E. User Groups
Correct Answer: AE
QUESTION 74
Which of the following is TRUE, if you change the inspection order of implied rules?
A. You must stop and start the Enforcement Module, before the changes can take place.
B. After the Security Policy is installed, the order in which rules are enforced changes.
C. You cannot change the inspection order of implied rules.
D. You must stop and start the SmartCenter Server, before the changes can take place.
E. Security Policy installation will fail.
Correct Answer: B
QUESTION 75
Security Administrators use Session Authentication when they want users to: (Choose two)
A. Authenticate for all services.
B. Use only TELNET, FTP, Rlogin, and HTTP services.
C. Use only HTTP and HTTPS services.
D. Authenticate once, and then be able to use any service, until logging off.
E. Log authentication actions locally.
Correct Answer: AD
QUESTION 76
Which of the following statements is TRUE concerning how NG with Application Intelligence handles the authentication of users?
A. Users may have different VPN-1 & FireWall-1 passwords, on Enforcement Modules managed by the same SmartCenter Server.
B. All users on the same gateway must use the same authentication method.
C. All imported users must use the same authentication method and hash.
D. All users in the same group must use the same authentication method and hash.
E. Users may be required to use different authentication methods for different services.
Correct Answer: A
QUESTION 77
Spoofing is a method of: A. Making packets appear as if they came from an authorized source IP address.
B. Hiding your Enforcement Module from unauthorized users.
C. Disguising an invalid IP address behind an authorized IP address.
D. Detecting when someone is attacking your network.
E. Detecting users logging in using false or wrong authentication logins.
Correct Answer: A
QUESTION 78
Which of the following statements is TRUE when modifying user templates?
A. If the user template is modified, all active user connections will be dropped when the modifier user database is installed.
B. All users subsequently created with that template will have the new properties.
C. You must always create new templates. Existing user templates cannot be modified.
D. All users previously created using the template are automatically modified with the new properties.
E. If the user template is modified, you must manually re-establish user-group membership.
Correct Answer: B
QUESTION 79
As a Security Administrator, you want to force users to authenticate. You have selected Client Authentication for the type of authentication. Users will be using a Web browser to authenticate. Which of the following TCP ports will authenticate users?
A. 23
B. 261
C. 80
D. 900
E. 259
Correct Answer: D
QUESTION 80
Which of the following is NOT a step in the Session Authentication process?
A. If authentication is successful, the VPN-1/FireWall-1 Enforcement Module allows connections to pass.
B. The Session Agent prompts users for an authentication password, after Phase 1 of IKE negotiations is complete.
C. Users initiate connections directly to a server.
D. The Session Agent prompts users for authenticated data, and returns the information to the Enforcement Module.
E. The VPN-1/FireWall-1 Enforcement Module intercepts connections, and connects to t he Session Agent.
Correct Answer: C
QUESTION 81
With VPN-1/FireWall-1 central licensing, a license is linked to which of the following?
A. Domain name of the SmartCenter Server.
B. IP address of the Enforcement Module.
C. IP address of the SmartCenter Server.
D. IP address of the SmartConsole
E. Domain name of the Enforcement Module.
Correct Answer: C QUESTION 82
Your organization’s internal programming team developed a proprietary application for accessing the time-
management system. The application uses a custom-designed protocol. As the Security Administrator, you
must control user access to the time-management system.
Which is the BEST authentication method for this scenario?
A. NG with Application Intelligence authentication methods can only be applied to protocols included in the standard, pre-defined suite.
B. Implicit User Authentication
C. User Authentication
D. Session Authentication
Correct Answer: D
QUESTION 83
Which of the following is the BEST authentication for roaming users, such as doctors updating patient records via HTTP at various workstations in a hospital?
A. Client
B. Session
C. User
Correct Answer: C
QUESTION 84
Which of the following statements is specifically TRUE of user groups?
A. Non-authentication rules require a user group in the Source field.
B. Authentication rules require a user group in the Source field.
C. User groups must be created, in order to implement authentication.
D. Authentication rules require a user group in both the Source and Destination field.
E. User groups cannot be used in authentication rules.
Correct Answer: C
QUESTION 85
You have created a SmartConsole Administrator with Read Only privileges in the Check Point
Configuration Tool.
Which of the following actions can this administrator perform? (Choose three)
A. Filter log files in the SmartView Tracker.
B. Review saved policies.
C. Change network object properties.
D. Install policies
E. Log in to the SmartDashboard.
Correct Answer: ABE
QUESTION 86
VPN-1/FireWall-1 supports User Authentication for which of the following services? Select the response below that contains the MOST complete list of supported services.
A. FTP, FTPS, HTTP, HTTPS
B. Rlogin, TELNET, HTTP, FTP
C. POP3, SMTP, HTTPS, FTPS
D. TELNET, HTTP, FTP, SMTP
E. Rlogin, TELNET, HTTP, SMTP
Correct Answer: B QUESTION 87
User Authentication supports all of the following services, EXCEPT:
A. SSH
B. FTP
C. HTTP
D. RLOGIN
E. TELNET
Correct Answer: A QUESTION 88
In the diagram, a group of users in the QA Department requires frequent access to the Palace Server.
Access to Palace is allowed from localnet hosts. Each user can log in at the beginning of the day, and can
use the service for a specified time period and number of sessions. If a user forgets to log out, the
connection to Palace is closed at the end of the authorization period.
Which of the following rules allows access to the Palace Server, from QA users on the local network? QA
users’ source (un the Rule Base) is QA@Localnet.
A. Rule 3
B. Rule 4
C. None of these rules allows access
D. Rule 1
E. Rule 2
Correct Answer: D
QUESTION 89
Which authentication method could be used for H.323 services? (Choose two)
A. Client Authentication
B. VoIP Authentication
C. User Authentication
D. No Authentication can be used for H.323
E. Session Authentication
Correct Answer: AE
QUESTION 90
Which authentication method could be used for SIP services? (Choose two)
A. Client Authentication
B. No authentication can be used for SIP
C. VoIP Authentication
D. Session Authentication
E. User Authentication
Correct Answer: AD
QUESTION 91
When the Client Authentication method requires Manual Sign On, users must connect to which of the following ports?
A. TELNET to port 70, or HTTP to port 443
B. TELNET to port 161, or HTTP to port 136
C. TELNET to port 21, or HTTP to port 80
D. TELNET to port 165, or HTTP to port 514
E. TELNET to port 259, or HTTP to port 900
Correct Answer: E
QUESTION 92
In the Client Authentication Action Properties dialog box, the Manual Sign On method is selected. This means:
A. If a connection matches the Rule Base and the service is an authenticated service, the client is signed on after a successful authentication.
B. The user must TELNET to the target server on port 250.
C. If a connection using any service matches the Rule Base, the client is authenticated.
D. If authentication is successful, access is granted from the network that initiated the connection.
E. the user must initiate a Client Authentication session to the gateway.
Correct Answer: E
QUESTION 93
Which of the following responses is TRUE about creating user templates? (Choose two)
A. By default, users can authenticate 24 hours a day, 7 days a week.
B. If not specific source or destination is selected users can authenticate to any source or destination.
C. If no password options are selected, users will still be able to authenticate, by creating their passwords during login.
D. When you create new users, you must create a new template for each user.
E. If no encryption method is selected, users will only be able to authenticate when they receive their Certificate Authority.
Correct Answer: AB
QUESTION 94
What is the advantage of using VPN-1/FireWall-1 Password for the authentication scheme, rather than using OS Password?
A. The OS Password authentication scheme can only be used with services available to user’s local machine.
B. There is not advantage, because VPN-1/FireWall-1 Password can only be used, if a user has an operating-system account on the network.
C. The OS Password authentication scheme can only be used with users who are present on the local network protected by the Enforcement Module. No external users can be configured for OS Password authentication.
D. VPN-1/FireWall-1 Passwords can be cached on the Enforcement Module. If a user in the user database attempts a connection, that user will not be prompted to re-enter the password.
E. VPN1-/FireWall-1 Passwords can be used, even if a user does not have an operating-system account on the network.
Correct Answer: E
QUESTION 95
Which of the following statements accurately describes VPN-1/FireWall-1 Session Authentication? (Choose three)
A. Session Authentication allows unlimited connections from a single host or IP address.
B. Session Authentication does not result in any additional connections to the Enforcement Module.
C. Session Authentication is restricted to a limited number of service.
D. Session Authentication requires that an authentication agent be installed on client computers.
E. Session Authentication requires an authentication procedure for each connection.
Correct Answer: ABD
QUESTION 96
You have created a rule so that every time a user wants to connect to the Internet using HTTP, that user must be authenticated. You want an authentication scheme that provides transparency for the user, and administrative control for you. The user must be able to log in from any location.
Which authentication scheme meets your needs?
A. Client
B. Session
C. Users
Correct Answer: C
QUESTION 97
The VPN-1/Firewall-1 NG User Interface consists of which of the following elements?
A. Security Policy Editor, Visual Policy Editor and Object tree view.
B. Management Server and VPN-1/FireWall-1 Module.
C. Visual Policy Editor, Object Tree view and inspection Module.
D. Security Policy Server, System GUI and Module Log Viewer.
E. VPN-1/FireWall-1 Module, Inspection Module and Security Server.
Correct Answer: A
QUESTION 98
You are attempting to implement Client Authentication for FTP. You have the accept firewall control connection option unchecked in the Policies and Properties dialog box. In the following Rule base, which rule would prevent a user from performing Client Authentication? No SOURCE DESTINATION SERVICE ACTION 1 Any fw.chicago.com Any drop 2 [email protected] Any ftp Client Encrypt 3 Any localNet http Accept telnet 4 Any Any Any drop
A. Rule 1
B. Rule 2
C. Rule 3
D. Rule 4
Correct Answer: A
QUESTION 99
As a VPN-1/Firewall-1 administrator, you have an undistributed range of IP addresses for which you want to perform address translation. You can simplify your efforts through the use of ADDRESS RANGE.
A. True
B. False
Correct Answer: A
QUESTION 100
In the figure below, Localnet is an internal network with private addresses A corresponding set of public addresses is available as follows: Public IP addresses Private IP addresses 199.203.73.15-199.203.73.115 200.0.0.100-200.0.0.200 The private addresses are translated to public addresses by specifying addresses Translation in the NAT tab of Localnet’s network properties window. Source addresses for the outbound packets from hosts in Localnet will be translated to 199.203.73.12 as shown in the figure below.
A. True
B. False
Correct Answer: B
Well-regarded for its level of detail, assessment features, and challenging review questions and hands-on exercises, CheckPoint 156-210 helps you master the concepts and techniques that will enable you to succeed on the CheckPoint 156-210 exam the first time.
Flydumps is one of the leading exam preparation material providers.We have a complete range of exams offered by the top vendors of their respective industries. You can download CheckPoint 156-210 free demos in PDF files that are the latest.QUESTION 11
What function does the Audit mode of SmartView Tracker perform?
A. It tracks detailed information about packets traversing the Enforcement Modules.
B. It maintains a detailed log of problems with VPN-1/FireWall-1 services on the SmartCenter Server.
C. It is used to maintain a record of the status of each Enforcement Module and SmartCenter server.
D. It maintains a detailed record of status of each Enforcement Module and SmartCenter Server.
E. It tracks changes and Security Policy installations, per Security Administrator, performed in SmartDashboard.
Correct Answer: E
QUESTION 12
In the SmartView Tracker, what is the difference between the FireWall-1 and VPN-1 queries? Choose three.
A. A VPN-1 query only displays encrypted and decrypted traffic.
B. A FireWall-1 query displays all traffic matched by rules, which have logging activated.
C. A FireWall-1 query displays all traffic matched by all rules.
D. A FireWall-1 query also displays encryption and decryption information.
E. Implied rules, when logged, are viewed using the VPN-1 query.
Correct Answer: ABD
QUESTION 13
Network topology exhibit
You want hide all localnet and DMZ hosts behind the Enforcemenet Module, except for the HTTP Server
(192.9.200.9). The HTTP Server will be providing public services, and must be accessible from the
Internet.
Select the two BEST Network Address Translation (NAT) solutions for this scenario,
A. To hide Local Network addresses, set the address translation for 192.9.0.0
B. To hide Local Network addresses, set the address translation for 192.9.200.0
C. Use automatic NAT rule creation to hide both DMZ and Local Network.
D. To hide Local Network addresses, set the address translation for privatenet.
E. Use automatic NAT rule creation, to statically translate the HTTP Server address.
Correct Answer: CE
QUESTION 14
The SmartDefense Storm Center Module agent receives the Dshield.org Block List, and:
A. Populates CPDShield with blocked address ranges, every three hours.
B. Generates logs from rules tracking internal traffic.
C. Submits the number of authentication failures, and drops, rejects, and accepts.
D. Generates regular and compact log digest.
E. Populates the firewall daemon with log trails.
Correct Answer: A QUESTION 15
What are the advantages of central licensing? Choose three.
A. Only the IP address of a SmartCenter Server is needed for all licences.
B. A central licence can be removed from one Enforcement Module, and installe don another Enforcement Module.
C. Only the IP address of an Enforcement Module is needed for all licences.
D. A central license remains valid, when you change the IP address of an Enforcemente Module.
E. A central license can be converted into a local license.
Correct Answer: ABD
QUESTION 16
A security Administrator wants to review the number of packets accepted by each of the Enforcement modules. Which of the following viewers is the BEST source for viewing this information?
A. SmartDashboard
B. SmartUpdate
C. SmartMap
D. SmartView Status
E. SmartView Tracker
Correct Answer: D
QUESTION 17
Hidden (or masked) rules are used to:
A. Hide rules from administrators with lower privileges.
B. View only a few rules, without distraction of others.
C. Temporarily disable rules, without having to reinstall the Security Policy.
D. Temporarily convert specifically defined rules to implied rules.
E. Delete rules, without having to reinstall the Security Policy.
Correct Answer: B
QUESTION 18
Which of the following characteristics BEST describes the behaviour of Check Point NG with Application Intelligence?
A. Traffic not expressly permitted is prohibited.
B. All traffic is expressly permitted by explicit rules.
C. Secure connections are authorized by default. Unsecured connectdions are not.
D. Traffic is filtered using controlled ports.
E. TELNET, HTTP; and SMTP are allowed by default.
Correct Answer: A
QUESTION 19
SmartUpdate CANNOT be used to:
A. Track installed versions of Check Point and OPSEC products.
B. Manage licenses centrally.
C. Update installed Check Point and OPSEC software remotely, from a centralized location.
D. Uninstall Check Point and OPSEC software remotely, from a centralized location.
E. Remotely install NG with Application Intelligence for the first time, on a new machine.
Correct Answer: E
QUESTION 20
Which of the following statements about Client Authentication is FALSE?
A. In contrast to User Authentication that allows access per user. Client Authentication allows access per IP address.
B. Client Authentication is more secure than User Authentication, because it allows multiple users and connections from an authorized IP address or host.
C. Client Authentication enables Security Administrators to grant access privileges to a specific IP address, after successful authentication.
D. Authentication is by user name and password, but it is the host machine (client) that is granted access.
E. Client Authentication is not restricted to a limited set of protocols.
Correct Answer: B
QUESTION 21
Why is Application Layer particularly vulnerable to attacks? Choose three
A. Malicious Java, ActiveX, and VB Scripts can exploit host system simply by browsing.
B. The application Layer performs access-control and legitimate-use checks.
C. Defending against attacks at the Application Layer is more difficult, than at lower layers of the OSI model.
D. The Application Layer does not perform unauthorized operations.
E. The application Layer supports many protocols.
Correct Answer: ACE
QUESTION 22
You have created a rule that requires users to be authenticated, when connecting to the Internet using HTTP. Which is the BEST authentication method for users who must use specific computers for Internet access?
A. Client
B. Session
C. User
Correct Answer: A
QUESTION 23
What function does the Active mode of SmartView Tracker perform?
A. It displays the active Security Policy.
B. It displays active Security Administrators currently logged into a SmartCenter Server.
C. It displays current active connections traversing Enforcement Modules.
D. It displays the current log file, as it is stored on a SmartCenter Server.
E. It displays only current connections between VPN-1/FireWall-1 modules.
Correct Answer: C
QUESTION 24
You are importing product data from modules, during a VPN-1/Firwall-1 Enforcement Module upgrade. Which of the following statements are true? Choose two.
A. Upgrading a single Enforcement Module is recommended by Check Point, since there is no chance of mismatch between installed product versions.
B. SmartUpdate queries license information, from the SmartConsole runging locally on the Enforcement Module.
C. SmartUpdate queries the SmartCenter Server and Enforcement Module for product information.
D. If SmartDashboard and all SmartConsoles must be open during input, otherwise the product-data retrieval process will fail
Correct Answer: AC
QUESTION 25
Which if the following components functions as the Internal Certificate Authority for all modules in the VPN-1/FireWall-1 configuration?
A. Enforcement Module
B. INSPECT Engine
C. SmartCenter Server
D. SmartConsole
E. Policy Server
Correct Answer: C
QUESTION 26
Which of the following is NOT a security benefit of Check Point’s Secure Internal Communications (SIC)?
A. Generates VPN certificates for IKE clients.
B. Allows the Security Administrator to confirm that the Security Policy on an Enforcement Module came from an authorized Management Server.
C. Confirms that a SmartConsole is authorized to connect a SmartCenter Server
D. Uses SSL for data encryption.
E. Maintains data privacy and integrity.
Correct Answer: A
QUESTION 27
You are administering one SmartCenter Server that manages three Enforcement Modules. One of the Enforcement Modules does not appear as a target in the Install Policy screen, when you attempt to install the Security Policy. What is causing this to happen?
A. The license for the Enforcement Module has expired.
B. The Enforcement Module requires a reboot.
C. The object representing the Enforcement Module was created as a Node->Gateway.
D. The Enforcement Module was not listed in the Install On column of its rule.
E. No Enforcement Module Master filer was created, designating the SmartCenter Server
Correct Answer: C
QUESTION 28
You are the Security Administrator with one SmartCenter Server managing one Enforcement Moduel. SmartView Status displayes a computer icon with an “I” in the Status column. What does this mean?
A. You have entered the wrong password at SmartView Status login.
B. Secure Internal Communications (SIC) has not been established between the SmartCenter Server and the Enforcement Module.
C. The SmartCenter Server cannot contact a gateway.
D. The VPN-1/Firewall-1 Enforcement Module has been compromised and is no longer controlled by this SmartCenter Sever.
E. The Enforcement Module is installed and responding to status checks, but the status is problematic.
Correct Answer: E
QUESTION 29
Check Point’s NG with Application Intelligence protects against Network and Transport layer attacks by: (Choose two)
A. Preventing protocol-anomaly detection-
B. Allowing IP fragmentation-
C. Preventing validation of compliance to standards.
D. Preventing non-TCP denial-of-service attacks, and port scanning.
E. Preventing malicious manipulation of Network Layer protocols.
Correct Answer: DE
QUESTION 30
Which of the following locations is Static NAT processed by the Enforcement Module on packets from an external source to an internal statically translated host? Static NAT occurs.
A. After the inbound kernel, and before routing.
B. After the outbound kernel, and before routing.
C. After the inbound kernel, and aftter routing.
D. Before the inbound kernel, and after routing.
E. Before the outbound kernel, and before routing.
Correct Answer: C
QUESTION 31
Which of the following does a Check Point security gateway access, analyze, and use? Choose three.
A. Communications information
B. Communication-derivec state
C. Packet sniffing
D. Information mapping
E. Application-derived state
Correct Answer: ABE
QUESTION 32
Which NG with Application Intelligence feature allows a Security Administrator to granularly control acceptable FTP commands?
A. FTP Security Server object settings
B. Check Point Gateway object, Security Server settings
C. SmartDefense, FTP Security Server settings
D. Rule Base Service field
E. Global Properties, Security Server settings.
Correct Answer: C
QUESTION 33
You are Security Administrator preparing to deploy a new hot-fix to ten Enforcement Modules at five geographically separated locations. What is the BEST method to implement this hot-fix?
A. Use SmartView installer to deploy the hot-fix to each Enforcement Module.
B. Send a CDROM with the hot-fix to each location, and have local personnel install it.
C. Send a Certified Security Engineer to each site to perform the update.
D. Use SmartInstaller to install the packages to each of the Enforcement Models remotely.
E. Use SmartUpdate to install the packages to each of the Enforcement Models remotely.
Correct Answer: E QUESTION 34
Implicit rules do NOT allow what types of VPN-1/FireWall-1 Control Connections by default?
A. Outgoing traffic, originating from the gateway
B. RIP for routing configuration
C. IKE and RDP-traffic, for communication and encryption
D. VPN-1/Firewall-1 specific traffic, such as logging, management, and key exchange
E. RADIOUS; CVP, UFP, and LDAP
Correct Answer: B
QUESTION 35
In Secure Internal Communicators (SIC), the SmartCenter Server and its components are identified by a (n):
A. SIC entry in the host file
B. Random seed
C. Port number
D. Distinguished Name
E. IP address
Correct Answer: D
QUESTION 36
Which of the following statements BEST describes Dynamic Network Address Translation (Hide NAT)?
A. Allow you to hide an entire network behind one IP address.
B. Translates private external IP addresses to public IP addresses.
C. Allows you to hide an entire network behind public IP addresses.
D. Translates public internal IP addresses to private IP addresses.
E. Allow you to hide an entire network behind random IP addresses.
Correct Answer: A
QUESTION 37
What type of TCP attack is a bandwidth attack, where a client fools a server into sending large amount of data, using small packets?
A. SMURF
B. SYN-Flood
C. Host System Hogging
D. Small PMTU
E. LAND
Correct Answer: D
QUESTION 38
How is the Block Intruder request used?
A. It is used in place of the HTTP Security Server.
B. SmartDefense automatically uses this capability.
C. It is used in the Log mode of SmartView Tracker to kill active connections.
D. It is activated in SmartDashboard through the Security Policy.
E. It blocks access from a Source, or to a Destination, for a specified amount of time, or indefinitely.
Correct Answer: E QUESTION 39
A conflict between anti-spoofing and Network Address Translation (NAT) occurs when:
A. The Translate destination on the client-side option is not enabled when using Static NAT:
B. NAT is performed on the client side.
C. Manual NAT rules are used.
D. The Translate destination on the client-side option is enabled.
E. The Translate destination on the server-side option is enabled.
Correct Answer: A
QUESTION 40
One of the most important tasks Security Adminstrators perform is log maintenance. By default, when an administrator clicks File > Switch Active file from SmartView Tracker, the SmartCenter server:
A. Purges the current log file, and prompts the Security Administrator for the mode of the new log.
B. Opens a new window with a previously saved log for viewing.
C. Saves the current log file, names the save file by date and time and starts a new log.
D. Prompts the Security Administrator for the name of the current log, saves it, and then prompts the Security Administrator for the mode of the new log.
E. Purges the current log file, and starts a new log.
Correct Answer: C
QUESTION 41
A VPN-1/FireWall-1 SmartDashboard is used to perform which of the following tasks? Choose two.
A. Allows the Security Administrator to configure Network Address Translation.
B. Stores VPN-1/Firewall-1 logs
C. Compiles the Rule Base into an enforceable Security Policy.
D. Stores the User Database.
E. It is used to crate and define a Security Policy.
Correct Answer: AE
QUESTION 42
Assuming the default settings in the Global Properties have not changed, which of the following types of traffic will be allowed through a firewall with the Rule Base displayed in the exhibit?
A. VPN-1/Firewall-1 Control Connections.
B. HTTP from anywhere to Web Server.
C. HTTP from network out.
D. FTP from anywhere to Web Server.
E. RIP traffic to the gateway.
Correct Answer: AB
QUESTION 43
In SmartView Status, what does a status of Untrusted tell you?
A. The Enforcement Module is offline.
B. The Security Administrator has entered the wrong password at SmartView Status login.
C. Secure Internal Communications (SIC) has not been established between the SmartCenter Server and the Enforcement Module
D. The SmartCenter Server cannot contact a gateway
E. An Enforcement Module is installed and responding to status checks, but the status is problematic.
Correct Answer: C
QUESTION 44
For which of the following objectd types can Network Address Translation be configured?
A. Domains, host nodes, network.
B. Domains, networks, users
C. Host nodes, networks, OSE devices
D. Host nodes, networks, address ranges
E. Networks, OSE Devices logical servers.
Correct Answer: D
QUESTION 45
Howa CK Storm Center Block Lists activated? Choose the correction order.
1.
Security Adminstrators define a CPDShield object and place it in the Rule Base appropriately.
2.
The Storm Center Module agent on the Enforcement Module retrieves the Block list, and replaces the CPDSHield object with a list of blocked IP addresses.
3.
The Storm Center Module agent periodically checks for updates to the Block list.
A. 3, 2, 1
B. 1, 2, 3
C. 2, 3, 1
D. 3, 1, 2
E. 2, 1, 3
Correct Answer: B
QUESTION 46
Network topology exhibit In the network displayed in the exhibit, the public servers accept and initiate connections from the Internet. The public servers must:
A. Be moved to the other side of the Enforcement Module, and give public addresses.
B. Use Reverse Network Address Translation.
C. Use Static Network Address Translation.
D. Use Dynamic Network Address Translation
E. Network Address Translation is not required.
Correct Answer: C
QUESTION 47
What Blocking Scope options are available when using Block Intruder? Choose three.
A. Block access from this Source.
B. Block source and destination
C. Block access to this Destination.
D. Block only this connection
E. Block all traffic
Correct Answer: ACD
QUESTION 48
TO be MOST effective, where should Anti-Spoofing be configured?
A. Only on interfaces facing internal networks.
B. Only on external and DMZ interfaces.
C. Only on DMZ interfaces
D. Only on external interfaces.
E. On all interfaces.
Correct Answer: E QUESTION 49
Choose the two responses that BEST describe a VPN-1/Firewall-1 Rule Base. A Rule Base is:
A. A collection of corporate guidelines used to structure the network Security Policies for users operating behind the firewall.
B. A collection of system settings that make up implicit rules defining network security.
C. The process by which secure communications are established between different VPN-1/Firewall-1 Modules, operating within an enterprise security environment.
D. A repository of DLL files, each provides a specific security function.
E. A set of explicitly and implicitly defined rules used to define network security.
Correct Answer: AE
QUESTION 50
When defining objects, why should you NOT change the name or IP address of the system-created SmartCenter Server objects? Choose two.
A. Changes the certificate of the system-created object
B. Causes a fault-tolerance error on the VPN-1/Firewall-1 Enforcement Module
C. Interferes with Security Policy Installation
D. Does not change the object name in the Rule Base.
E. Negatively affects the Internal Certificate Authority.
Correct Answer: AE
QUESTION 51
You are the Security Administrator with one SmartCenter Server managing one Enforcement Module.
SmartView Status displays a computer icon with an “?” in the Status column.
What does this mean?
A. The VPN-1/FireWall-1 Enforcement Module has been compromised and is no longer controlled by this SmartCenter Server.
B. Secure Internal Communications (SIC) has not been established between the SmartCenter Server and the Enforcement Module.
C. The Enforcement Module is installed and responding to status checks, but the status is problematic.
D. You have entered the wrong password at SmartView Status login.
E. The SmartCenter Server cannot contact the gateway.
Correct Answer: E
QUESTION 52
Which statement below BEST describes how VPN-1/FireWall-1 handles hidden rules? Hidden rules are:
A. Not included when the Security Policy is installed.
B. Removed from the existing Security Policy.
C. Enforced when the Security Policy is installed.
D. Automatically installed, when the Unhide All option is selected from the Hide Rules menu.
E. Enforced as implied rules, before the explicitly defined Rule Base.
Correct Answer: C
QUESTION 53
Which of the following is NOT included in SVN Foundation?
A. Watch Dog for Critical Services
B. License Utilities
C. CPShared Daemon
D. SmartDefense
E. SNMP Daemon
Correct Answer: D
QUESTION 54
Which of the following BEST describes the function of Dynamic Network Address Translation (Dynamic
NAT)?
Dynamic NAT:
A. Allows you to configure more public IP addresses than you have hosts.
B. Reduces the load on the Enforcement Module.
C. Limits the number of internal hosts that may access the Internet.
D. Reduces the number of connections to your Web server.
E. Allows you to configure for more hosts than you have public IP addresses.
Correct Answer: E
The CheckPoint 156-210 certification can make you a competent person.It may enable a technician to know about the CheckPoint 156-210 configurations,get information about the CheckPoint 156-210 data center products and hardware and knowledge about CheckPoint 156-210 united computing systems.