CheckPoint 156-315.81 Online Practice Questions and Exam Preparation

CheckPoint 156-315.81 Online Questions & Answers

• Question 481:

  Mobile Access Gateway can be configured as a reverse proxy for Internal Web Applications Reverse proxy users browse to a URL that is resolved to the Security Gateway IP address. Which of the following Check Point command is true for enabling the Reverse Proxy:

  A. ReverseCLIProxy
  B. ReverseProxyCLI
  C. ReverseProxy
  D. ProxyReverseCLI
  C. ReverseProxy

  ---

  Explanation/Reference:

  Mobile Access Gateway can be configured as a reverse proxy for internal web applications. Reverse proxy users browse to a URL that is resolved to the Security Gateway IP address. The Security Gateway then forwards the requests to the

  internal web servers and returns the responses to the users. To enable reverse proxy mode on the Mobile Access Gateway, the administrator needs to run the ReverseProxy command on the command line interface of the Security Gateway5.

  Therefore, the correct answer is C.

  References: 5: Reverse Proxy Mode

• Question 482:

  RADIUS protocol uses _______ to communicate with the gateway.

  A. TDP
  B. CCP
  C. HTTP
  D. UDP
  D. UDP

  ---

  Explanation/Reference:

• Question 483:

  Full synchronization between cluster members is handled by Firewall Kernel. Which port is used for this?

  A. UDP port 265
  B. TCP port 265
  C. UDP port 256
  D. TCP port 256
  D. TCP port 256

  ---

  Explanation/Reference:

  Full synchronization between cluster members is handled by Firewall Kernel using TCP port 256 by default. Full synchronization occurs when a cluster member joins or rejoins the cluster and needs to receive the entire state table from

  another member. References:

  [ClusterXL Administration Guide]

• Question 484:

  Which is the command to identify the NIC driver before considering about the employment of the Multi-Queue feature?

  A. ip show int eth0
  B. show interface eth0 mq
  C. ifconfig -i eth0 verbose
  D. ethtool -i eth0
  D. ethtool -i eth0

• Question 485:

  After verifying that API Server is not running, how can you start the API Server?

  A. Run command "set api start" in CLISH mode
  B. Run command "mgmt__cli set api start" in Expert mode
  C. Run command "mgmt api start" in CLISH mode
  D. Run command "api start" in Expert mode
  D. Run command "api start" in Expert mode

  ---

  Explanation/Reference:

  After verifying that API Server is not running, you can start the API Server by running the command "api start" in Expert mode. This command will start the API Server process (cpm_api) and enable it to run automatically after reboot. You can also use the command "api enable" to enable the API Server without starting it immediately. The other commands are either incorrect or not related to the API Server. The set api command is used in CLISH mode to configure API settings, such as port, domain, or certificate. The mgmt_cli command is used in Expert mode to execute API commands, such as login, logout, show, set, etc. References: [API Server]

• Question 486:

  During the Check Point Stateful Inspection Process, for packets that do not pass Firewall Kernel Inspection and are rejected by the rule definition, packets are:

  A. Dropped without sending a negative acknowledgment
  B. Dropped without logs and without sending a negative acknowledgment
  C. Dropped with negative acknowledgment
  D. Dropped with logs and without sending a negative acknowledgment
  D. Dropped with logs and without sending a negative acknowledgment

  ---

  Explanation/Reference:

  For packets that do not pass Firewall Kernel Inspection and are rejected by the rule definition, packets are dropped with logs and without sending a negative acknowledgment. Firewall Kernel Inspection is the process of applying security policies and rules to network traffic by the Firewall kernel module. If a packet does not match any rule or matches a rule with an action of Drop or Reject, the packet is dropped by the Firewall kernel module. The difference between Drop and Reject is that Drop silently discards the packet without informing the sender, while Reject discards the packet and sends a negative acknowledgment (such as an ICMP message) to the sender. However, both Drop and Reject actions generate logs that record the details of the dropped packets, such as source, destination, protocol, port, rule number, etc. The other options are either incorrect or describe different scenarios.

• Question 487:

  SmartEvent provides a convenient way to run common command line executables that can assist in investigating events. Right-clicking the IP address, source or destination, in an event provides a list of default and customized commands. They appear only on cells that refer to IP addresses because the IP address of the active cell is used as the destination of the command when run. The default commands are:

  A. ping, traceroute, netstat, and route
  B. ping, nslookup, Telnet, and route
  C. ping, whois, nslookup, and Telnet
  D. ping, traceroute, netstat, and nslookup
  C. ping, whois, nslookup, and Telnet

  ---

  Explanation/Reference:

  The default commands that appear when right-clicking the IP address, source or destination, in an event in SmartEvent are ping, whois, nslookup, and Telnet. SmartEvent is a unified security event management solution that provides visibility, analysis, and reporting of security events across multiple Check Point products. SmartEvent has a feature that allows administrators to run common command line executables that can assist in investigating events. Right-clicking the IP address, source or destination, in an event provides a list of default and customized commands that can be executed on the IP address of the active cell. The default commands are ping, whois, nslookup, and Telnet. Ping is a command that tests the connectivity and latency between two hosts by sending packets and measuring the response time. Whois is a command that queries a database for information about the owner and registrar of a domain name or an IP address. Nslookup is a command that queries a DNS server for information about a domain name or an IP address, such as its IP address, name server, mail server, etc. Telnet is a command that establishes a remote connection to another host using the Telnet protocol.

• Question 488:

  Which of the following is NOT an attribute of packet acceleration?

  A. Source address
  B. Protocol
  C. Destination port
  D. VLAN Tag
  D. VLAN Tag

  ---

  Explanation/Reference:

  VLAN Tag is not an attribute of packet acceleration. Packet acceleration is a feature of SecureXL that allows certain packets to bypass the Firewall kernel and be processed by a more efficient mechanism. Packet acceleration is based on templates that match packets based on four attributes: Source IP address, Destination IP address, Protocol, and Destination port. If a packet matches an existing template, it is accelerated; otherwise, it is sent to the Firewall path for inspection. References: [SecureXL Mechanism]

• Question 489:

  In which VPN community is a satellite VPN gateway not allowed to create a VPN tunnel with another satellite VPN gateway?

  A. Pentagon
  B. Combined
  C. Meshed
  D. Star
  D. Star

  ---

  Explanation/Reference:

  A star VPN community is a type of VPN community that allows a central gateway to create VPN tunnels with multiple satellite gateways or hosts, but does not allow satellite gateways or hosts to create VPN tunnels with each other. This type of community is suitable for hub-and-spoke topologies, where the central gateway acts as the hub and the satellite gateways or hosts act as the spokes. The central gateway can initiate or terminate VPN traffic to any satellite member, but the satellite members can only initiate or terminate VPN traffic to the central gateway.

• Question 490:

  Which of the following is NOT a VPN routing option available in a star community?

  A. To satellites through center only.
  B. To center, or through the center to other satellites, to Internet and other VPN targets.
  C. To center and to other satellites through center.
  D. To center only.
  A. To satellites through center only.
  D. To center only.

  ---

  Explanation/Reference:

  A star community is a VPN topology where one or more satellites connect to a center gateway. The center gateway can be a Security Gateway or a Security Management Server. The VPN routing option determines how the traffic is routed between the satellites and the center, and between the satellites themselves. There are three VPN routing options available in a star community12: To center only: The satellites can only communicate with the center gateway, and not with each other or with any other VPN targets. This option is useful for remote access clients that only need to access resources on the center gateway. To center, or through the center to other satellites, to Internet and other VPN targets: The satellites can communicate with the center gateway, and also with other satellites, Internet hosts, and other VPN targets through the center gateway. This option is useful for branch offices that need to access resources on the center gateway, as well as on other branch offices, Internet hosts, and other VPN targets. To center and to other satellites through center: The satellites can communicate with the center gateway, and also with other satellites through the center gateway. However, they cannot communicate with Internet hosts or other VPN targets. This option is useful for branch offices that need to access resources on the center gateway and on other branch offices, but not on Internet hosts or other VPN targets. Therefore, the options A (To satellites through center only) and D (To center only) are not valid VPN routing options in a star community. References: 1: Remote Access VPN R81.20 Administration Guide - Check Point Software, page 13 2: Gaia R81.20 Administration Guide - Check Point Software, page 1030