CheckPoint Checkpoint Certifications 156-215.81.20 Questions & Answers

• Question 511:

  Fill in the blank: A new license should be generated and installed in all of the following situations EXCEPT when ________ .

  A. The license is attached to the wrong Security Gateway

  B. The existing license expires

  C. The license is upgraded

  D. The IP address of the Security Management or Security Gateway has changed

  Correct Answer: A

  There is no need to generate new license in this situation, just need to detach license from wrong Security Gateway and attach it to the right one.

• Question 512:

  What is the default shell for the command line interface?

  A. Expert

  B. Clish

  C. Admin

  D. Normal

  Correct Answer: B

  The default shell of the CLI is called clish Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/75697.htm

• Question 513:

  When you upload a package or license to the appropriate repository in SmartUpdate, where is the package or license stored

  A. Security Gateway

  B. Check Point user center

  C. Security Management Server

  D. SmartConsole installed device

  Correct Answer: C

  SmartUpdate installs two repositories on the Security Management server:

  1.

  License and Contract Repository, which is stored on all platforms in the directory $FWDIR\conf\.

  2.

  Package Repository, which is stored:

  - on Windows machines in C:\SUroot.

  - on UNIX machines in /var/suroot.

  The Package Repository requires a separate license, in addition to the license for the Security Management server. This license should stipulate the number of nodes that can be managed in the Package Repository.

  Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Installation_and_Upgrade_Guide-webAdmin/13128.htm#o13527

• Question 514:

  Fill in the blank: The tool _______ generates a R80 Security Gateway configuration report.

  A. infoCP

  B. infoview

  C. cpinfo

  D. fw cpinfo

  Correct Answer: C

  CPInfo is an auto-updatable utility that collects diagnostics data on a customer's machine at the time of execution and uploads it to Check Point servers (it replaces the standalone cp_uploader utility for uploading files to Check Point servers).

  The CPinfo output file allows analyzing customer setups from a remote location. Check Point support engineers can open the CPinfo file in a demo mode, while viewing actual customer Security Policies and Objects. This allows the in-depth

  analysis of customer's configuration and environment settings.

  When contacting Check Point Support, collect the cpinfo files from the Security Management server and Security Gateways involved in your case. Reference: https://supportcenter.checkpoint.com/supportcenter/portal?

  eventSubmit_doGoviewsolutiondetails=andsolutionid=sk92739

• Question 515:

  Which of the following commands can be used to remove site-to-site IPSEC Security Associations (SA)?

  A. vpn tu

  B. vpn ipsec remove -l

  C. vpn debug ipsec

  D. fw ipsec tu

  Correct Answer: A

  vpn tu Description Launch the TunnelUtil tool which is used to control VPN tunnels. Usage vpn tu vpn tunnelutil Example vpn tu Output

  

  Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_CLI_WebAdmin/12467.htm#o12627

• Question 516:

  Which of the following is NOT an authentication scheme used for accounts created through SmartConsole?

  A. Security questions

  B. Check Point password

  C. SecurID

  D. RADIUS

  Correct Answer: A

  Authentication Schemes :- Check Point Password

  -Operating System Password

  -RADIUS

  -SecurID

  -TACAS

  - Undefined If a user with an undefined authentication scheme is matched to a Security Rule with some form of authentication, access is always denied. Reference: http://dl3.checkpoint.com/paid/71/ How_to_Configure_Client_Authentication.pdf?HashKey=1479692369_23bc7cdfbeb67c147ec7bb882d557fd4andxtn=.pdf

• Question 517:

  Which pre-defined Permission Profile should be assigned to an administrator that requires full access to audit all configurations without modifying them?

  A. Auditor

  B. Read Only All

  C. Super User

  D. Full Access

  Correct Answer: B

  To create a new permission profile:

  1.

  In SmartConsole, go to Manage and Settings > Permissions and Administrators > Permission Profiles.

  2.

  Click New Profile.

  The New Profile window opens.

  3.

  Enter a unique name for the profile.

  4.

  Select a profile type:

  Read/Write All - Administrators can make changes

  Auditor (Read Only All) - Administrators can see information but cannot make changes

  Customized - Configure custom settings

  5.

  Click OK.

  Reference: https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/124265

• Question 518:

  Packages and licenses are loaded from all of these sources EXCEPT

  A. Download Center Web site

  B. UserUpdate

  C. User Center

  D. Check Point DVD

  Correct Answer: B

  Packages and licenses are loaded into these repositories from several sources:

  1.

  the Download Center web site (packages)

  2.

  the Check Point DVD (packages)

  3.

  the User Center (licenses)

  4.

  by importing a file (packages and licenses)

  5.

  by running the cplic command line Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Installation_and_Upgrade_Guide-webAdmin/13128.htm

• Question 519:

  Which of the following technologies extracts detailed information from packets and stores that information in state tables?

  A. INSPECT Engine

  B. Stateful Inspection

  C. Packet Filtering

  D. Application Layer Firewall

  Correct Answer: B

  Reference: https://www.checkpoint.com/smb/help/utm1/8.2/7080.htm

• Question 520:

  On the following graphic, you will find layers of policies.

  

  What is a precedence of traffic inspection for the defined polices?

  A. A packet arrives at the gateway, it is checked against the rules in the networks policy layer and then if implicit Drop Rule drops the packet, it comes next to IPS layer and then after accepting the packet it passes to Threat Prevention layer.

  B. A packet arrives at the gateway, it is checked against the rules in the networks policy layer and then if there is any rule which accepts the packet, it comes next to IPS layer and then after accepting the packet it passes to Threat Prevention layer

  C. A packet arrives at the gateway, it is checked against the rules in the networks policy layer and then if there is any rule which accepts the packet, it comes next to Threat Prevention layer and then after accepting the packet it passes to IPS layer.

  D. A packet arrives at the gateway, it is checked against the rules in IPS policy layer and then it comes next to the Network policy layer and then after accepting the packet it passes to Threat Prevention layer.

  Correct Answer: B

  To simplify Policy management, R80 organizes the policy into Policy Layers. A layer is a set of rules, or a Rule Base.

  For example, when you upgrade to R80 from earlier versions:

  Gateways that have the Firewall and the Application Control Software Blades enabled will have their Access Control Policy split into two ordered layers: Network and Applications.

  When the gateway matches a rule in a layer, it starts to evaluate the rules in the next layer.

  Gateways that have the IPS and Threat Emulation Software Blades enabled will have their Threat Prevention policies split into two parallel layers: IPS and Threat Prevention.

  All layers are evaluated in parallel

  Reference: https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/126197