NEW QUESTION 1
When using vpn tu, which option must you choose if you only want to clear phase 2 for a specific IP (gateway)?
Exhibit:

• A. (5) Delete all IPsec SAs for a given peer (GW)
• B. (7) Delete all IPsec+IKE SAs for a given peer (GW)
• C. (6) Delete all IPsec SAs for a given User (Client)
• D. (8) Delete all IPsec+IKE SAs for a given User (Client)

Answer: A

NEW QUESTION 2
What command syntax would you use to turn on PDP logging in a distributed environment?

• A. pdp track=1
• B. pdp tracker on
• C. pdp logging on
• D. pdp log=1

Answer: B

NEW QUESTION 3
Where do we need to reset the SIC on a gateway object?

• A. SmartDashboard > Edit Gateway Object > General Properties > Communication
• B. SmartUpdate > Edit Security Management Server Object > SIC
• C. SmartUpdate > Edit Gateway Object > Communication
• D. SmartDashboard > Edit Security Management Server Object > SIC

Answer: D

NEW QUESTION 4
The third-shift Administrator was updating Security Management Server access settings in Global Properties. He managed to lock all administrators out of their accounts.
How should you unlock these accounts?

• A. Delete the file admin.lock in the Security Management Server directory $FWDIR/tmp/.
• B. Reinstall the Security Management Server and restore using upgrade_import.
• C. Type fwm lock_admin -ua from the Security Management Server command line.
• D. Login to SmartDashboard as the special cpconfig_admin user account; right-click on each administrator object and select unlock.

Answer: C

NEW QUESTION 5
How can you most quickly reset Secure Internal Communications (SIC) between a Security Management Server and Security Gateway?

• A. From cpconfig on the Gateway, choose the Secure Internal Communication option and retype the activation ke
• B. Next, retype the same key in the Gateway object in SmartDashboard and reinitialize Secure Internal Communications (SIC).
• C. Use SmartUpdate to retype the Security Gateway activation ke
• D. This will automatically sync SIC to both the Security Management Server and Gateway.
• E. From the Security Management Server’s command line, type fw putkey -p <shared key><IP Address of Security Gateway>.
• F. Run the command fwm sic_reset to reinitialize the Security Management Server Internal Certificate Authority (ICA). Then retype the activation key on the Security Gateway from SmartDashboard.

Answer: A

NEW QUESTION 6
Which operating systems are supported by a Check Point Security Gateway on an open server? Select MOST complete list.

• A. Sun Solaris, Red Hat Enterprise Linux, Check Point SecurePlatform, IPSO, Microsoft Windows
• B. Check Point GAiA and SecurePlatform, and Microsoft Windows
• C. Check Point GAiA, Microsoft Windows, Red Hat Enterprise Linux, Sun Solaris, IPSO
• D. Check Point GAiA and SecurePlatform, IPSO, Sun Solaris, Microsoft Windows

Answer: B

NEW QUESTION 7
You find a suspicious FTP site trying to connect to one of your internal hosts. How do you block it in real time and verify it is successfully blocked? Highlight the suspicious connection in SmartView Tracker:

• A. Log mod
• B. Block it using Tools > Block Intruder men
• C. Observe in the Log mode that the suspicious connection does not appear again in this SmartView Tracker view.
• D. Log mod
• E. Block it using Tools > Block Intruder men
• F. Observe in the Log mode that thesuspicious connection is listed in this SmartView Tracker view as “dropped.”
• G. Active mod
• H. Block it using Tools > Block Intruder men
• I. Observe in the Active mode that the suspicious connection does not appear again in this SmartView Tracker view.
• J. Active mod
• K. Block it using Tools > Block Intruder men
• L. Observe in the Active mode that the suspicious connection is listed in this SmartView Tracker view as “dropped.”

Answer: C

NEW QUESTION 8
If you were NOT using IKE aggressive mode for your IPsec tunnel, how many packets would you see for normal Phase 1 exchange?

• A. 9
• B. 2
• C. 3
• D. 6

Answer: D

NEW QUESTION 9
Sally has a Hot Fix Accumulator (HFA) she wants to install on her Security Gateway which operates with GAiA, but she cannot SCP the HFA to the system. She can SSH into the Security Gateway, but she has never been able to SCP files to it. What would be the most likely reason she cannot do so?

• A. She needs to edit /etc/SSHd/SSHd_config and add the Standard Mode account.
• B. She needs to run sysconfig and restart the SSH process.
• C. She needs to edit /etc/scpusers and add the Standard Mode account.
• D. She needs to run cpconfig to enable the ability to SCP files.

Answer: C

NEW QUESTION 10
Lilly needs to review VPN History counters for the last week. Where would she do this?

• A. SmartView Monitor > Tunnels > VPN History
• B. SmartView Monitor > System Counters > VPN History
• C. SmartView Monitor > System Counters > Firewall Security History
• D. SmartView Monitor > System Counters > VPN

Answer: B

NEW QUESTION 11
Which of the following objects is a valid source in an authentication rule?

• A. Host@Any
• B. User@Network
• C. User_group@Network
• D. User@Any

Answer: C

NEW QUESTION 12
In a distributed management environment, the administrator has removed the default check from Accept Control Connections under the Policy > Global Properties > FireWall tab. In order for the Security Management Server to install a policy to the Firewall, an explicit rule must be created to allow the server to communicate to the Security Gateway on port ______

• A. 259
• B. 900
• C. 256
• D. 80

Answer: C

NEW QUESTION 13
Because of pre-existing design constraints, you set up manual NAT rules for your HTTP server. However, your FTP server and SMTP server are both using automatic NAT rules. All traffic from your FTP and SMTP servers are passing through the Security Gateway without a problem, but traffic from the Web server is dropped on rule 0 because of anti- spoofing settings.
What is causing this?

• A. Manual NAT rules are not configured correctly.
• B. Allow bi-directional NAT is not checked in Global Properties.
• C. Routing is not configured correctly.
• D. Translate destination on client side is not checked in Global Properties under Manual NAT Rules.

Answer: D

NEW QUESTION 14
Your company is still using traditional mode VPN configuration on all Gateways and policies. Your manager now requires you to migrate to a simplified VPN policy to benefit from the new features. This needs to be done with no downtime due to critical applications which must run constantly. How would you start such a migration?

• A. This cannot be done without downtime as a VPN between a traditional mode Gateway and a simplified mode Gateway does not work.
• B. This can not be done as it requires a SIC- reset on the Gateways first forcing an outage.
• C. You first need to completely rewrite all policies in simplified mode and then push this new policy to all Gateways at the same time.
• D. Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway.

Answer: D

NEW QUESTION 15
If a SmartUpdate upgrade or distribution operation fails on GAiA, how is the system recovered?

• A. The Administrator can only revert to a previously created snapshot (if there is one) with the command cprinstall snapshot <object name> <filename>.
• B. The Administrator must reinstall the last version via the command cprinstall revert <object name> <file name>.
• C. The Administrator must remove the rpm packages manually, and re-attempt the upgrade.
• D. GAiA will reboot and automatically revert to the last snapshot version prior to upgrade.

Answer: D

NEW QUESTION 16
Which authentication type permits five different sign-on methods in the authentication properties window?

• A. Client Authentication
• B. Manual Authentication
• C. User Authentication
• D. Session Authentication

Answer: A

NEW QUESTION 17
Certificates for Security Gateways are created during a simple initialization from ____.

• A. sysconfig
• B. The ICA management tool
• C. SmartUpdate
• D. SmartDashboard

Answer: D

NEW QUESTION 18
In SmartDashboard, you configure 45 MB as the required free hard-disk space to accommodate logs. What can you do to keep old log files, when free space falls below 45 MB?

• A. Do nothin
• B. Old logs are deleted, until free space is restored.
• C. Use the command fwm logexport to export the old log files to another location.
• D. Configure a script to run fw logswitch and SCP the output file to a separate file server.
• E. Do nothin
• F. The Security Management Server automatically copies old logs to a backup server before purging.

Answer: C

NEW QUESTION 19
Which command line interface utility allows the administrator to verify the Security Policy name and timestamp currently installed on a firewall module?

• A. cpstat fwd
• B. fw ver
• C. fw stat
• D. fw ctl pstat

Answer: C

NEW QUESTION 20
What command syntax would you use to see accounts the gateway suspects are service accounts?

• A. pdp check_log
• B. pdp show service
• C. adlog check_accounts
• D. adlog a service_accounts

Answer: D

NEW QUESTION 21
All R77 Security Servers can perform authentication with the exception of one. Which of the Security Servers can NOT perform authentication?

• A. FTP
• B. SMTP
• C. HTTP
• D. RLOGIN

Answer: B

NEW QUESTION 22
You have three servers located in a DMZ, using private IP addresses. You want internal users from 10.10.10.x to access the DMZ servers by public IP addresses. Internal_net
10.10.10.x is configured for Hide NAT behind the Security Gateway’s external interface.

What is the best configuration for 10.10.10.x users to access the DMZ servers, using the DMZ servers’ public IP addresses?

• A. When connecting to internal network 10.10.10.x, configure Hide NAT for the DMZ network behind the Security Gateway DMZ interface.
• B. When the source is the internal network 10.10.10.x, configure manual static NAT rules to translate the DMZ servers.
• C. When connecting to the Internet, configure manual Static NAT rules to translate the DMZ servers.
• D. When trying to access DMZ servers, configure Hide NAT for 10.10.10.x behind the DMZ’s interface.

Answer: B

NEW QUESTION 23
Which of the following is a CLI command for Security Gateway R77?

• A. fw tab -u
• B. fw shutdown
• C. fw merge
• D. fwm policy_print <policyname>

Answer: A

NEW QUESTION 24
Select the TRUE statements about the Rule Base shown? Exhibit:

1) HTTP traffic from webrome to websingapore will be encrypted.
2) HTTP traffic from websingapore to webrome will be encrypted.
3) HTTP traffic from webrome to websingapore will be authenticated.
4) HTTP traffic from websingapore to webrome will be blocked.

• A. 1, 2, and 3
• B. 3 only
• C. 2 and 3
• D. 3 and 4

Answer: D

NEW QUESTION 25
A marketing firm’s networking team is trying to troubleshoot user complaints regarding access to audio-streaming material from the Internet. The networking team asks you to check the object and rule configuration settings for the perimeter Security Gateway.
Which SmartConsole application should you use to check these objects and rules?

• A. SmartView Tracker
• B. SmartView Monitor
• C. SmartView Status
• D. SmartDashboard

Answer: D

NEW QUESTION 26
One of your remote Security Gateway’s suddenly stops sending logs, and you cannot install the Security Policy on the Gateway. All other remote Security Gateways are logging normally to the Security Management Server, and Policy installation is not affected. When you click the Test SIC status button in the problematic Gateway object, you receive an error message. What is the problem?

• A. The remote Gateway's IP address has changed, which invalidates the SIC Certificate.
• B. The time on the Security Management Server’s clock has changed, which invalidates the remote Gateway's Certificate.
• C. The Internal Certificate Authority for the Security Management Server object has been removed from objects_5_0.C.
• D. There is no connection between the Security Management Server and the remote Gatewa
• E. Rules or routing may block the connection.

Answer: D

NEW QUESTION 27
......