CheckPoint Checkpoint Certifications 156-215.81.20 Questions & Answers

• Question 391:

  The technical-support department has a requirement to access an intranet server. When configuring a User Authentication rule to achieve this, which of the following should you remember?

  A. You can only use the rule for Telnet, FTP, SMPT, and rlogin services.

  B. The Security Gateway first checks if there is any rule that does not require authentication for this type of connection before invoking the Authentication Security Server.

  C. Once a user is first authenticated, the user will not be prompted for authentication again until logging out.

  D. You can limit the authentication attempts in the User Properties' Authentication tab.

  Correct Answer: B

• Question 392:

  As a Security Administrator, you must refresh the Client Authentication authorized time-out every time a new user connection is authorized. How do you do this? Enable the Refreshable Timeout setting:

  A. in the user object's Authentication screen.

  B. in the Gateway object's Authentication screen.

  C. in the Limit tab of the Client Authentication Action Properties screen.

  D. in the Global Properties Authentication screen.

  Correct Answer: C

• Question 393:

  When using GAiA, it might be necessary to temporarily change the MAC address of the interface eth 0 to 00:0C:29:12:34:56. After restarting the network the old MAC address should be active. How do you configure this change?

  A. As expert user, issue these commands: # IP link set eth0 down # IP link set eth0 addr 00:0C:29:12:34:56 # IP link set eth0 up

  B. Edit the file /etc/sysconfig/netconf.C and put the new MAC address in the field (conf :(conns :(conn :hwaddr ("00:0C:29:12:34:56")

  C. As expert user, issue the command: # IP link set eth0 addr 00:0C:29:12:34:56

  D. Open the WebUI, select Network > Connections > eth0. Place the new MAC address in the field Physical Address, and press Apply to save the settings.

  Correct Answer: C

• Question 394:

  John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only

  from John's desktop which is assigned a static IP address 10.0.0.19.

  John received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a

  rule that lets John Adams access the HR Web Server from his desktop with a static IP (10.0.0.19). He wants to move around the organization and continue to have access to the HR Web Server.

  To make this scenario work, the IT administrator:

  1) Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources installs the policy.

  2) Adds an access role object to the Firewall Rule Base that lets John Adams PC access the HR Web Server from any machine and from any location.

  3) Changes from static IP address to DHCP for the client PC.

  What should John request when he cannot access the web server from his laptop?

  A. John should lock and unlock his computer

  B. Investigate this as a network connectivity issue

  C. The access should be changed to authenticate the user instead of the PC

  D. John should install the Identity Awareness Agent

  Correct Answer: C

• Question 395:

  Review the rules. Assume domain UDP is enabled in the implied rules.

  

  What happens when a user from the internal network tries to browse to the internet using HTTP? The user:

  A. can connect to the Internet successfully after being authenticated.

  B. is prompted three times before connecting to the Internet successfully.

  C. can go to the Internet after Telnetting to the client authentication daemon port 259.

  D. can go to the Internet, without being prompted for authentication.

  Correct Answer: D

• Question 396:

  Which component functions as the Internal Certificate Authority for R77?

  A. Security Gateway

  B. Management Server

  C. Policy Server

  D. SmartLSM

  Correct Answer: B

• Question 397:

  Check Point APIs allow system engineers and developers to make changes to their organization's security policy with CLI tools and Web Services for all of the following except:

  A. Create new dashboards to manage 3rd party task

  B. Create products that use and enhance 3rd party solutions

  C. Execute automated scripts to perform common tasks

  D. Create products that use and enhance the Check Point Solution

  Correct Answer: A

  Reference: http://dl3.checkpoint.com/paid/29/29532b9eec50d0a947719ae631f640d0/CP_R80_CheckPoint_API_ReferenceGuide.pdf?HashKey=1517081623_70199443034f806cf2dd0a7ba15f201candxtn=.pdf

• Question 398:

  In what way are SSL VPN and IPSec VPN different?

  A. SSL VPN is using HTTPS in addition to IKE, whereas IPSec VPN is clientless

  B. SSL VPN adds an extra VPN header to the packet, IPSec VPN does not

  C. IPSec VPN does not support two factor authentication, SSL VPN does support this

  D. IPSec VPN uses an additional virtual adapter, SSL VPN uses the client network adapter only

  Correct Answer: D

• Question 399:

  Which command can you use to enable or disable multi-queue per interface?

  A. cpmq set

  B. Cpmqueue set

  C. Cpmq config

  D. Set cpmq enable

  Correct Answer: A

  Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/93689.htm

• Question 400:

  Which limitation of CoreXL is overcome by using (mitigated by) Multi-Queue?

  A. There is no traffic queue to be handled

  B. Several NICs can use one traffic queue by one CPU

  C. Each NIC has several traffic queues that are handled by multiple CPU cores

  D. Each NIC has one traffic queue that is handled by one CPU

  Correct Answer: C

  Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/93689.htm