CheckPoint Checkpoint Certifications 156-115.77 Questions & Answers

• Question 241:

  Which command can be used to see all active modules on the Security Gateway:

  A. fw ctl zdebug drop

  B. fw ctl debug -h

  C. fw ctl chain

  D. fw ctl debug -m

  Correct Answer: C

• Question 242:

  The "Hide internal networks behind the Gateway's external IP" option is selected. What defines what traffic will be NATted?

  A. The Firewall policy of the gateway

  B. The network objects configured for the network

  C. The VPN encryption domain of the gateway object

  D. The topology configuration of the gateway object

  Correct Answer: D

• Question 243:

  With the default ClusterXL settings what will be the state of an active gateway upon using the command ClusterXL_admin up?

  A. Ready

  B. Down

  C. Standby

  D. Active

  Correct Answer: C

• Question 244:

  In a production environment, your gateway is configured to apply a Hide NAT for all internal traffic destined to the Internet. However, you are setting up a VPN tunnel with a remote gateway, and you are concerned about the encryption domain that you need to define on the remote gateway. Does the remote gateway need to include your production gateway's external IP in its encryption domain?

  A. No all packets destined through a VPN will leave with original source and destination packets without translation.

  B. No all packets destined to go through the VPN tunnel will have the payload encapsulated in an ESP packet and after decryption at the remote site, will have the same internal source and destination IP addresses.

  C. Yes all packets destined to go through the VPN tunnel will have the payload encapsulated in an ESP packet and after decryption at the remote site, the packet will contain the source IP of the Gateway because of Hide NAT.

  D. Yes The gateway will apply the Hide NAT for this VPN traffic.

  Correct Answer: B

• Question 245:

  Ann wants to hide FTP traffic behind the virtual IP of her cluster. Where is the relevant file table.def located to make this modification?

  A. $FWDIR/log/table.def

  B. $FWDIR/conf/table.def

  C. $FWDIR/bin/table.def

  D. $FWDIR/lib/table.def

  Correct Answer: D

• Question 246:

  While troubleshooting a connectivity issue with an internal web server, you know that packets are getting to the upstream router, but when you run a tcpdump on the external interface of the gateway, the only traffic you observe is ARP requests coming from the upstream router. Does the problem lie on the Check Point Gateway?

  A. Yes This could be due to a misconfigured route on the firewall.

  B. No This is a layer 2 connectivity issue and has nothing to do with the firewall.

  C. No The firewall is not dropping the traffic, therefore the problem does not lie with the firewall.

  D. Yes This could be due to a misconfigured Static NAT in the firewall policy.

  Correct Answer: D

• Question 247:

  By default, the size of the fwx_alloc table is:

  A. 65535

  B. 65536

  C. 25000

  D. 1024

  Correct Answer: C

• Question 248:

  Given the screen configuration shown, the failure's probable cause is: A. Packet 1 Proposes SA life Type , Sa Life Duration, Authentication and Encapsulation Algorithm.

  

  B. Packet 1 proposes a symmetrical key.

  C. Packet 1 proposes a subnet and host ID, an encryption and hash algorithm.

  D. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data.

  Correct Answer: D

• Question 249:

  Which file should be edited to modify ClusterXL VIP Hide NAT rules, and where?

  A. $FWDIR/lib/base.def on the cluster members

  B. $FWDIR/lib/table.def on the SMC

  C. $FWDIR/lib/table.def on the cluster members

  D. $FWDIR/lib/base.def on the SMC

  Correct Answer: B

• Question 250:

  When viewing a NAT Table, What represents the second hexadecimal number of the 6-tuple:

  A. Source port

  B. Protocol

  C. Source IP

  D. Destination port

  Correct Answer: C