CheckPoint Checkpoint Certifications 156-215.81.20 Questions & Answers

• Question 571:

  Choose what BEST describes a Session.

  A. Starts when an Administrator publishes all the changes made on SmartConsole.

  B. Starts when an Administrator logs in to the Security Management Server through SmartConsole and ends when it is published.

  C. Sessions ends when policy is pushed to the Security Gateway.

  D. Sessions locks the policy package for editing.

  Correct Answer: B

  Administrator Collaboration More than one administrator can connect to the Security Management Server at the same time. Every administrator has their own username, and works in a session that is independent of the other administrators. When an administrator logs in to the Security Management Server through SmartConsole, a new editing session starts. The changes that the administrator makes during the session are only available to that administrator. Other administrators see a lock icon on object and rules that are being edited. To make changes available to all administrators, and to unlock the objects and rules that are being edited, the administrator must publish the session. Reference: https://sc1.checkpoint.com/documents/R80/CP_R80_SecMGMT/ html_frameset.htm?topic=documents/R80/CP_R80_SecMGMT/117948

• Question 572:

  Which of the following is NOT a VPN routing option available in a star community?

  A. To satellites through center only

  B. To center, or through the center to other satellites, to Internet and other VPN targets

  C. To center and to other satellites through center

  D. To center only

  Correct Answer: AD

  SmartConsole

  For simple hubs and spokes (or if there is only one Hub), the easiest way is to configure a VPN star community in R80 SmartConsole:

  1. On the Star Community window, in the:

  a.

  Center Gateways section, select the Security Gateway that functions as the "Hub".

  b.

  Satellite Gateways section, select Security Gateways as the "spokes", or satellites.

  2. On the VPN Routing page, Enable VPN routing for satellites section, select one of these options:

  a.

  To center and to other Satellites through center - This allows connectivity between the Security Gateways, for example if the spoke Security Gateways are DAIP Security Gateways, and the Hub is a Security Gateway with a static IP

  address.

  b.

  To center, or through the center to other satellites, to internet and other VPN targets - This allows connectivity between the Security Gateways as well as the ability to inspect all communication passing through the Hub to the Internet.

  3.

  Create an appropriate Access Control Policy rule.

  4.

  NAT the satellite Security Gateways on the Hub if the Hub is used to route connections from Satellites to the Internet.

  The two Dynamic Objects (DAIP Security Gateways) can securely route communication through the Security Gateway with the static IP address.

  Reference: https://sc1.checkpoint.com/documents/R80/CP_R80BC_VPN/html_frameset.htm

• Question 573:

  What is the default shell of Gaia CLI?

  A. Monitor

  B. CLI.sh

  C. Read-only

  D. Bash

  Correct Answer: B

  This chapter gives an introduction to the Gaia command line interface (CLI).

  The default shell of the CLI is called clish.

  Reference: https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/75697.htm

• Question 574:

  Which of the following licenses are considered temporary?

  A. Perpetual and Trial

  B. Plug-and-play and Evaluation

  C. Subscription and Perpetual

  D. Evaluation and Subscription

  Correct Answer: B

  Should be Trial or Evaluation, even Plug-and-play (all are synonyms ). Answer B is the best choice.

• Question 575:

  Where can administrator edit a list of trusted SmartConsole clients in R80?

  A. cpconfig on a Security Management Server, in the WebUI logged into a Security Management Server.

  B. Only using SmartConsole: Manage and Settings > Permissions and Administrators > Advanced > Trusted Clients.

  C. In cpconfig on a Security Management Server, in the WebUI logged into a Security Management Server, in SmartConsole: Manage and Settings>Permissions and Administrators>Advanced>Trusted Clients.

  D. WebUI client logged to Security Management Server, SmartDashboard: Manage and Settings>Permissions and Administrators>Advanced>Trusted Clients, via cpconfig on a Security Gateway.

  Correct Answer: C

• Question 576:

  Fill in the blanks: In the Network policy layer, the default action for the Implied last rule is ________ all traffic. However, in the Application Control policy layer, the default action is ________ all traffic.

  A. Accept; redirect

  B. Accept; drop

  C. Redirect; drop

  D. Drop; accept

  Correct Answer: D

• Question 577:

  Vanessa is a Firewall administrator. She wants to test a backup of her company's production Firewall cluster Dallas_GW. She has a lab environment that is identical to her production environment. She decided to restore production backup via SmartConsole in lab environment. Which details she need to fill in System Restore window before she can click OK button and test the backup?

  A. Server, SCP, Username, Password, Path, Comment, Member

  B. Server, TFTP, Username, Password, Path, Comment, All Members

  C. Server, Protocol, Username, Password, Path, Comment, All Members

  D. Server, Protocol, Username, Password, Path, Comment, Member

  Correct Answer: C

• Question 578:

  On the following picture an administrator configures Identity Awareness:

  

  After clicking "Next" the above configuration is supported by:

  A. Kerberos SSO which will be working for Active Directory integration

  B. Based on Active Directory integration which allows the Security Gateway to correlate Active Directory users and machines to IP addresses in a method that is completely transparent to the user

  C. Obligatory usage of Captive Portal

  D. The ports 443 or 80 what will be used by Browser-Based and configured Authentication

  Correct Answer: B

  To enable Identity Awareness:

  1.

  Log in to R80 SmartConsole.

  2.

  From the Gateways and Servers view, double-click the Security Gateway on which to enable Identity Awareness.

  3.

  On the Network Security tab, select Identity Awareness. The Identity Awareness Configuration wizard opens.

  4.

  Select one or more options. These options set the methods for acquiring identities of managed and unmanaged assets. AD Query - Lets the Security Gateway seamlessly identify Active Directory users and computers.

  Browser-Based Authentication - Sends users to a Web page to acquire identities from unidentified users. If Transparent Kerberos Authentication is configured, AD users may be identified transparently.

  Terminal Servers - Identify users in a Terminal Server environment (originating from one IP address).

  Reference: https://sc1.checkpoint.com/documents/R80/CP_R80BC_IdentityAwareness/html_frameset.htm?topic=documents/R80/CP_R80BC_IdentityAwareness/62050

• Question 579:

  What does it mean if Bob gets this result on an object search? Refer to the image below. Choose the BEST answer.

  

  A. Search detailed is missing the subnet mask.

  B. There is no object on the database with that name or that IP address.

  C. There is no object on the database with that IP address.

  D. Object does not have a NAT IP address.

  Correct Answer: B

• Question 580:

  Why would an administrator see the message below?

  

  A. A new Policy Package created on both the Management and Gateway will be deleted and must be packed up first before proceeding.

  B. A new Policy Package created on the Management is going to be installed to the existing Gateway.

  C. A new Policy Package created on the Gateway is going to be installed on the existing Management.

  D. A new Policy Package created on the Gateway and transferred to the management will be overwritten by the Policy Package currently on the Gateway but can be restored from a periodic backup on the Gateway.

  Correct Answer: B