Matt wants to upgrade his old Security Management server to R81.x using the Advanced Upgrade with Database Migration. What is one of the requirements for a successful upgrade?
A. Size of the /var/log folder of the source machine must be at least 25% of the size of the /var/log directory on the target machine
B. Size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine
C. Size of the $FWDIR/log folder of the target machine must be at least 30% of the size of the $FWDIR/log directory on the source machine
D. Size of the /var/log folder of the target machine must be at least 25GB or more
Correct Answer: B
One of the requirements for a successful upgrade using the Advanced Upgrade with Database Migration is that the size of the /var/log folder of the target machine must be at least 25% of the size of the /var/log directory on the source machine. This is to ensure that there is enough space to copy the log files from the source machine to the target machine during the upgrade process. References: Advanced Upgrade with Database Migration
Question 332:
What technologies are used to deny or permit network traffic?
A. Stateful Inspection, Firewall Blade, and URL/Application Blade
B. Packet Filtering, Stateful Inspection, and Application Layer Firewall
C. Firewall Blade, URL/Application Blade, and IPS
D. Stateful Inspection, URL/Application Blade, and Threat Prevention
Correct Answer: B
Packet filtering, stateful inspection, and application layer firewall are technologies used to deny or permit network traffic based on different criteria. Packet filtering is a basic firewall technology that examines the header of each packet and compares it to a set of rules to decide whether to allow or drop it. Stateful inspection is an advanced firewall technology that tracks the state and context of each connection and applies security rules based on the connection information. Application layer firewall is a firewall technology that inspects the content and behavior of applications and protocols at the application layer of the OSI model and enforces granular policies based on the application identity, user identity, and content type. References: Check Point R81 Firewall Administration Guide, page 9-10
Question 333:
True or False: In R81, more than one administrator can login to the Security Management Server with write permission at the same time.
A. False, this feature has to be enabled in the Global Properties.
B. True, every administrator works in a session that is independent of the other administrators.
C. True, every administrator works on a different database that is independent of the other administrators.
D. False, only one administrator can login with write permission.
Correct Answer: B
In R81, more than one administrator can login to the Security Management Server with write permission at the same time. This feature is enabled by default and allows concurrent administration of the security policy. Every administrator works in a session that is independent of the other administrators. Changes made by one administrator are not visible to others until they are published. Administrators can also lock objects to prevent others from editing them until they are unlocked. References: R81 Security Management Administration Guide, page 43.
Question 334:
What kind of information would you expect to see when using the "sim affinity -I" command?
A. Overview over SecureXL templated connections
B. The VMACs used in a Security Gateway cluster
C. Affinity Distribution
D. The involved firewall kernel modules in inbound and outbound packet chain
Correct Answer: C
The "sim affinity -I" command is a command that displays the affinity distribution of the Security Gateway's interfaces. Affinity distribution is the assignment of CPU cores to handle the traffic from different interfaces. The "sim affinity -I"
command shows the following information for each interface:
The interface name, such as eth0, eth1, etc.
The interface index, such as 0, 1, 2, etc.
The interface type, such as physical, bond, VLAN, etc.
The interface state, such as up or down
The interface speed, such as 1000 Mbps, 10000 Mbps, etc.
The interface MTU, such as 1500, 9000, etc.
The interface MAC address, such as 00:11:22:33:44:55 The interface IP address, such as 192.168.1.1, 10.0.0.1, etc. The interface affinity mask, such as 0x00000001, 0x00000002, etc. The affinity mask is a hexadecimal value that
represents the CPU cores that are assigned to handle the traffic from the interface. For example, 0x00000001 means that only CPU core 0 is assigned, 0x00000003 means that CPU cores 0 and 1 are assigned, and so on. The "sim affinity -I"
command can help you to monitor and optimize the performance of your Security Gateway by showing you how the traffic load is distributed among the CPU cores. You can also use the "sim affinity" command with other options to change the
affinity settings of the interfaces or the firewall instances. For more information, you can refer to the Check Point R81.20 (Titan) Resolved Issues and Enhancements1 or the Solved: Sim Affinity - Check Point CheckMates2.
Question 335:
How many versions, besides the destination version, are supported in a Multi-Version Cluster Upgrade?
A. 1
B. 3
C. 2
D. 4
Correct Answer: B
Multi-Version Cluster Upgrade (MVCLU) is a feature that allows you to upgrade a cluster of Security Gateways from one major version to another, without downtime1. MVCLU supports upgrading a cluster that runs on different versions, as long as the versions are compatible with the destination version1. The number of versions, besides the destination version, that are supported in a MVCLU depends on the destination version. For example, if the destination version is R81, then MVCLU supports up to three versions besides R81, which are R80.40, R80.30, and R80.202. Therefore, the correct answer is B, as three versions are supported in a MVCLU besides the destination version. References: 1: ClusterXL upgrade methods and paths - Check Point Software 2: Check Point R81 - Check Point Software
Question 336:
What are the main stages of a policy installation?
A. Initiation, Conversion and FWD REXEC
B. Verification, Commit, Installation
C. Initiation, Conversion and Save
D. Verification Compilation, Transfer and Commit
Correct Answer: D
The main stages of a policy installation are Verification, Compilation, Transfer, and Commit. Verification is the stage where the policy is checked for syntax errors and conflicts. Compilation is the stage where the policy is translated into a binary format that can be executed by the Security Gateway. Transfer is the stage where the policy is sent from the Security Management Server to the Security Gateway. Commit is the stage where the policy is activated on the Security Gateway3. References: Check Point R81 Security Management Guide
Question 337:
Fill in the blank: Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or ______ .
A. On all satellite gateway to satellite gateway tunnels
B. On specific tunnels for specific gateways
C. On specific tunnels in the community
D. On specific satellite gateway to central gateway tunnels
Correct Answer: C
Permanent VPN tunnels can be set on all tunnels in the community, on all tunnels for specific gateways, or on specific tunnels in the community. Permanent VPN tunnels are always active and prevent VPN tunnel negotiation failures due to idle time or traffic volume. You can configure permanent VPN tunnels in SmartConsole by selecting the Permanent Tunnel option in the VPN Community Properties window.
Question 338:
Which of the following Central Deployment is NOT a limitation in R81.20 SmartConsole?
A. Security Gateway Clusters in Load Sharing mode
B. Dedicated Log Server
C. Dedicated SmartEvent Server
D. Security Gateways/Clusters in ClusterXL HA new mode
Correct Answer: A
Security Gateway Clusters in Load Sharing mode are not supported by the Central Deployment feature in R81.20 SmartConsole. According to the Check Point R81.20 Known Limitations article1, Central Deployment in SmartConsole does not support: Connection from SmartConsole Client to the Management Server through a proxy server. In this case, use the applicable API command ClusterXL in Load Sharing mode VRRP Cluster Installation of a package on a VSX VSLS Cluster that contains more than 3 members. On Multi-Domain Servers: Global Domain, or the MDS context Standalone server Standby Security Management Server or Multi-Domain Security Management Scalable Platforms 40000 / 60000 SMB Appliances The other options are supported by the Central Deployment feature in R81.20 SmartConsole. Dedicated Log Server, Dedicated SmartEvent Server, and Security Gateways/Clusters in ClusterXL HA new mode can be selected as targets for installing packages using the Central Deployment wizard.
Question 339:
What needs to be configured if the NAT property `Translate destination or client side' is not enabled in Global Properties?
A. A host route to route to the destination IP.
B. Use the file local.arp to add the ARP entries for NAT to work.
C. Nothing, the Gateway takes care of all details necessary.
D. Enabling `Allow bi-directional NAT' for NAT to work correctly.
Correct Answer: C
The NAT property `Translate destination or client side' is used to determine whether the destination IP address of a packet should be translated on the client side or the server side of a connection. If this property is not enabled, then the destination IP address is translated on the server side, which means that the gateway takes care of all details necessary for NAT to work. The gateway will send an ARP request for the translated IP address and will reply to any ARP requests for that address. Therefore, there is no need to configure a host route, use the local.arp file, or enable bi-directional NAT for NAT to work correctly. References: R81 Security Management Administration Guide, page 1010.
Question 340:
Which of the following statements about SecureXL NAT Templates is true?
A. NAT Templates are generated to achieve high session rate for NAT. These templates store the NAT attributes of connections matched by rulebase so that similar new connections can take advantage of this information and do NAT without the expensive rulebase lookup. These are enabled by default and work only if Accept Templates are enabled.
B. DROP Templates are generated to achieve high session rate for NAT. These templates store the NAT attributes of connections matched by rulebase so that similar new connections can take advantage of this information and do NAT without the expensive rulebase lookup. These are disabled by default and work only if NAT Templates are disabled.
C. NAT Templates are generated to achieve high session rate for NAT. These templates store the NAT attributes of connections matched by rulebase so that similar new connections can take advantage of this information and do NAT without the expensive rulebase lookup. These are disabled by default and work only if Accept Templates are disabled.
D. ACCEPT Templates are generated to achieve high session rate for NAT. These templates store the NAT attributes of connections matched by rulebase so that similar new connections can take advantage of this information and do NAT without the expensive rulebase lookup. These are disabled by default and work only if NAT Templates are disabled.
Correct Answer: A
NAT Templates are generated to achieve high session rate for NAT. These templates store the NAT attributes of connections matched by rulebase so that similar new connections can take advantage of this information and do NAT without the expensive rulebase lookup. These are enabled by default and work only if Accept Templates are enabled1. According to the web search results, NAT Templates are a feature of SecureXL that accelerates the performance of the Security Gateway by offloading CPU-intensive operations to the SecureXL device2. NAT Templates are supported for Static NAT and Hide NAT using the existing SecureXL Templates mechanism1. NAT Templates are disabled by default on Check Point Security Gateway R80.10 and below, but they are not relevant to SecureXL in versions R80.20 and above, as all template handling has moved to the Firewall1. NAT Templates can be enabled or disabled by setting the relevant kernel parameters in $FWDIR/boot/modules/fwkern.conf file1. References: SecureXL NAT Templates in R80.20 and lower - Check Point Software, SecureXL - Check Point Software
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only CheckPoint exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your 156-315.81 exam preparations and CheckPoint certification application, do not hesitate to visit our Vcedump.com to find your solutions here.