CheckPoint Checkpoint Certifications 156-215.77 Questions & Answers

• Question 281:

  You have three servers located in a DMZ, using private IP addresses. You want internal users from

  10.10.10.x to access the DMZ servers by public IP addresses. Internal_net 10.10.10.x is configured for Hide NAT behind the Security Gateway's external interface.

  

  What is the best configuration for 10.10.10.x users to access the DMZ servers, using the DMZ servers' public IP addresses?

  A. When connecting to internal network 10.10.10.x, configure Hide NAT for the DMZ network behind the Security Gateway DMZ interface.

  B. When the source is the internal network 10.10.10.x, configure manual static NAT rules to translate the DMZ servers.

  C. When connecting to the Internet, configure manual Static NAT rules to translate the DMZ servers.

  D. When trying to access DMZ servers, configure Hide NAT for 10.10.10.x behind the DMZ's interface.

  Correct Answer: B

• Question 282:

  You have two rules, ten users, and two user groups in a Security Policy. You create database version 1 for this configuration. You then delete two existing users and add a new user group. You modify one rule and add two new rules to the Rule Base. You save the Security Policy and create database version 2. After awhile, you decide to roll back to version 1 to use the Rule Base, but you want to keep your user database. How can you do this?

  A. Run fwm dbexport -l filename. Restore the database. Then, run fwm dbimport -l filename to import the users.

  B. Run fwm_dbexport to export the user database. Select restore the entire database in the Database Revision screen. Then, run fwm_dbimport.

  C. Restore the entire database, except the user database, and then create the new user and user group.

  D. Restore the entire database, except the user database.

  Correct Answer: D

• Question 283:

  Which command allows Security Policy name and install date verification on a Security Gateway?

  A. fw show policy

  B. fw stat -l

  C. fw ctl pstat -policy

  D. fw ver -p

  Correct Answer: B

• Question 284:

  Which of the following is NOT useful to verify whether or not a Security Policy is active on a Gateway?

  A. fw ctl get string active_secpol

  B. fw stat

  C. cpstat fw -f policy

  D. Check the Security Policy name of the appropriate Gateway in SmartView Monitor.

  Correct Answer: A

• Question 285:

  Your main internal network 10.10.10.0/24 allows all traffic to the Internet using Hide NAT. You also have a small network 10.10.20.0/24 behind the internal router. You want to configure the kernel to translate the source address only when network 10.10.20.0 tries to access the Internet for HTTP, SMTP, and FTP services. Which of the following configurations will allow this network to access the Internet?

  A. Configure three Manual Static NAT rules for network 10.10.20.0/24, one for each service.

  B. Configure Automatic Static NAT on network 10.10.20.0/24.

  C. Configure one Manual Hide NAT rule for HTTP, FTP, and SMTP services for network 10.10.20.0/24.

  D. Configure Automatic Hide NAT on network 10.10.20.0/24 and then edit the Service column in the NAT Rule Base on the automatic rule.

  Correct Answer: C

• Question 286:

  You are a Security Administrator who has installed Security Gateway R77 on your network. You need to

  allow a specific IP address range for a partner site to access your intranet Web server. To limit the

  partner's access for HTTP and FTP only, you did the following:

  1) Created manual Static NAT rules for the Web server.

  2) Cleared the following settings in the Global Properties > Network Address Translation screen:

  -Allow bi-directional NAT

  -

  Translate destination on client side Do the above settings limit the partner's access?

  A.

  Yes. This will ensure that traffic only matches the specific rule configured for this traffic, and that the Gateway translates the traffic after accepting the packet.

  B.

  No. The first setting is not applicable. The second setting will reduce performance.

  C.

  Yes. Both of these settings are only applicable to automatic NAT rules.

  D.

  No. The first setting is only applicable to automatic NAT rules. The second setting will force translation by the kernel on the interface nearest to the client.

  Correct Answer: D

• Question 287:

  Which SmartView Tracker mode allows you to read the SMTP e-mail body sent from the Chief Executive Officer (CEO) of a company?

  A. This is not a SmartView Tracker feature.

  B. Display Capture Action

  C. Network and Endpoint Tab

  D. Display Payload View

  Correct Answer: A

• Question 288:

  Which R77 SmartConsole tool would you use to verify the installed Security Policy name on a Security Gateway?

  A. SmartView Tracker

  B. None, SmartConsole applications only communicate with the Security Management Server.

  C. SmartView Server

  D. SmartUpdate

  Correct Answer: A

• Question 289:

  How can you configure an application to automatically launch on the Security Management Server when traffic is dropped or accepted by a rule in the Security Policy?

  A. SNMP trap alert script

  B. Custom scripts cannot be executed through alert scripts.

  C. User-defined alert script

  D. Pop-up alert script

  Correct Answer: C

• Question 290:

  Secure Internal Communications (SIC) is completely NAT-tolerant because it is based on:

  A. IP addresses.

  B. SIC is not NAT-tolerant.

  C. SIC names.

  D. MAC addresses.

  Correct Answer: C