After replacing a faulty Gateway the admin installed the new Hardware and want to push the policy. Installing the policy using the SmartConsole he got an Error for the Threat Prevention Policy. There is no error for the Access Control Policy. What will be the most common cause for the issue? The admin forgot to reestablish the SIC for the new hardware. That is typically the case when configure only the interfaces of the replacement hardware instead restoring a backup. The IPS Protection engine on the replacement hardware is too old. Before pushing the Threat Prevention Policy use SmartConsole -> Security Policies -> Updates -> IPS 'Update Now' to update the engine. The admin forgot to apply the new license. The Access Control license is included by default but the service subscriptions for the Threat Prevention Blades are missing. The Threat Prevention Policy can't be installed on a Gateway without an already installed Access Control Policy. First install only the Access Control Policy.
In R81.10 a new feature dynamic log distribution was added. What is this for? In case of a Management High Availability the management server stores the logs dynamically on the member with the most available disk space in /var/log. To save disk space in case of a firewall cluster local logs are distributed between the cluster members. Configure the Security Gateway to distribute logs between multiple active Log Servers to support a better rate of Logs and Log Servers redundancy. Synchronize the log between the primary and secondary management server in case of a Management High Availability.
Which of the following Central Deployment is NOT a limitation in R81.10 SmartConsole? Dedicated Log Server Security Gateway Clusters in Load Sharing mode Dedicated SmartEvent Server Security Gateways/Clusters in ClusterXL HA new mode.
The installation of a package via SmartConsole CANNOT be applied on Multiple Security Gateways and/or Clusters A full Security Cluster (All Cluster Members included) A single Security Gateway R81.10 Security Management Server.
The customer has about 150 remote access user with a Windows laptops. Not more than 50 Clients will be connected at the same time. The customer want to use multiple VPN Gateways as entry point and a personal firewall. What will be the best license for him? Mobile Access license because he needs only a 50 user license, license count is per concurrent user. He will need Harmony Endpoint because of the personal firewall. He will need Capsule Connect using MEP (multiple entry points). Because the customer uses only Windows clients SecuRemote will be sufficient and no additional license is needed.
What should the admin do in case the Primary Management Server is temporary down? Run the 'promote_util' to activate the Secondary Management server. Use the VIP in SmartConsole you always reach the active Management Server. Logon with SmartConsole to the Secondary Management Server and choose 'Make Active' under Actions in the HA Management Menu. The Secondary will take over automatically. Change the IP in SmartConsole to logon to the private IP of the Secondary Management Server.
What are the two ClusterXL Deployment options? Distributed and Standalone Unicast and Multicast Mode Broadcast and Multicast Mode Distributed and Full High Availability.
What is the command switch to specify the Gaia API context? You have to specify it in the YAML file api.yml which is located underneath the /etc directory of the security management server You have to change to the zsh-Shell which defaults to the Gaia API context. No need to specify a context, since it defaults to the GAiA API context. mgmt_cli --context gaia_api <Command>.
What is the purpose of the command "ps aux | grep fwd"? You can check whether the IPS default setting is set to Detect or Prevent mode. You can check the Process ID and the processing time of the fwd process. You can list all Process IDs for all running services. You can convert the log file into Post Script format.
Alice wants to upgrade the current security management machine from R80.40 to R81.10 and she wants to check the Deployment Agent status over the GAIA CLISH. Which of the following GAIA CLISH command is true? show installer status show agent status show uninstaller status show installer packages.
What are the services used for Cluster Synchronization? TCP/256 for Full Sync and Delta Sync No service needed when using Broadcast Mode 256/TCP for Full Sync and 8116/UDP for Delta Sync 8116/UDP for Full Sync and Delta Sync.
What are possible Automatic Reactions in SmartEvent? Mail, SNMP Trap, Block Source, Block Event Activity, External Script Web Mail, Block Destination, SNMP Trap, SmartTask Web Mail, Block Service, SNMP Trap, SmartTask, Geo Protection Web Mail, Forward to SandBlast Appliance, SNMP Trap, External Script.
What is the difference between Updatable Objects and Dynamic Objects? Updatable Objects is a Threat Cloud Service. The provided Objects are updated automatically. Dynamic Objects are created and maintained locally. For Dynamic Objects there is no need to install policy for the changes to take effect. Updatable Objects is a Threat Cloud Service. The provided Objects are updated automatically. Dynamic Objects are created and maintained locally. In both cases there is no need to install policy for the changes to take effect. Dynamic Objects are maintained automatically by the Threat Cloud. Updatable Objects are created and maintained locally. In both cases there is no need to install policy for the changes to take effect. Dynamic Objects are maintained automatically by the Threat Cloud. For Dynamic Objects there is no need to install policy for the changes to take effect. Updatable Objects are created and maintained locally.
How can you grant GAiA API Permissions for a newly created user? In bash, use the following command: "gaia_api access --user Tom --enable true" Assign the user a permission profile in SmartConsole No need to grant access since every user has access by default. Assign the user the admin RBAC role in clish.
Native Applications require a thin client under which circumstances? If you are about to use a client (FTP, RDP, …) that is installed on the endpoint. If you want to use a legacy 32-Bit Windows OS. If you want to use a VPN Client that is not officially supported by the underlying operating system. If you want to have assigned a particular Office Mode IP address.
What are scenarios supported by the Central Deployment in SmartConsole? Upgrading a Standalone environment Upgrading a Dedicated SmartEvent Server Upgrading a Dedicated Log Server to R81.10 Installation of Jumbo Hotfix on a ClusterXL environment in High Availability Mode.
Bob has finished to setup provisioning a secondary security management server. Now he wants to check if the provisioning has been correct. Which of the following Check Point command can be used to check if the security management server has been installed as a primary or a secondary security management server? cpprod_util FwIsSecondary cpprod_util FwIsPrimary cpprod_util MgmtIsSecondary cpprod_util MgmtIsPrimary.
You want to set up a VPN tunnel to a external gateway. You had to make sure that the IKE P2 SA will only be established between two subnets and not all subnets defined in the default VPN domain of your gateway. In the SmartConsole create a dedicated VPN Community for both Gateways. On the Management add the following line to the $FWDIR/conf/user.def.FW1 file -> subnet_for_range_and_peer = { <peerGW_IP, first_IP_in_range1, last_IP_in_the_range1; subnet_mask> }; In the SmartConsole create a dedicated VPN Community for both Gateways. Selecting the local gateway in the Community you can set the VPN Domain to 'User defined' and put in the local network. In the SmartConsole create a dedicated VPN Community for both Gateways. Go to Security Policies / Access Control and create an in-line layer rule with source and destination containing the two networks used for the IKE P2 SA. Put the name of the Community in the VPN column. In the SmartConsole create a dedicated VPN Community for both Gateways. On the Gateway add the following line to the $FWDIR/conf/user.def.FW1 file -> subnet_for_range_and_peer = { <peerGW_IP, first_IP_in_range1, last_IP_in_the_range1; subnet_mask> };.
Secure Configuration Verification (SCV), makes sure that remote access client computers are configured in accordance with the enterprise Security Policy. Bob was asked by Alice to implement a specific SCV configuration but therefore Bob needs to edit and configure a specific Check Point file. Which location file and directory is true? $CPDIR/conf/client.svc $CPDIR/conf/local.scv $FWDIR/conf/client.scv $FWDIR/conf/local.scv.
Which Queue in the Priority Queue has the maximum priority? Routing Heavy Data Queue High Priority Control.
What is a possible command to delete all of the SSH connections of a gateway? fwaccel dos config set dport ssh fw sam -I dport 22 fw tab -t connections -x -e 00000016 fw ctl conntab -x -dport=22.
What is the recommended way to have a redundant Sync connection between the cluster nodes? In the SmartConsole / Gateways & Servers -> select Cluster Properties / Network Management and define two Sync interfaces per node. Connect both Sync interfaces without using a switch. In the SmartConsole / Gateways & Servers -> select Cluster Properties / Network Management and define two Sync interfaces per node. Use two different Switches to connect both Sync interfaces. Use a group of bonded interfaces connected to different switches. Define a dedicated sync interface, only one interface per node using the SmartConsole / Gateways & Servers -> select Cluster Properties / Network Management. Use a group of bonded interfaces. In the SmartConsole / Gateways & Servers -> select Cluster Properties / Network Management and define a Virtual IP for the Sync interface.
Mobile Access Gateway can be configured as a reverse proxy for Internal Web Applications. Reverse proxy users browse to a URL that is resolved to the Security Gateway IP address. Which of the following Check Point command is true for enabling the Reverse Proxy: ReverseProxy ProxyReverseCLI ReverseProxyCLI ReverseCLIProxy.
After having saved the Clish Configuration with the "save configuration config.txt" command, where can you find the config.txt file? You cannot locate the file in the file system since Clish does not have any access to the bash file system. You can locate the file via SmartConsole > Command Line. You will find it in the home directory of your user account (e.g. /home/admin/). You have to launch the WebUI and go to "Config" -> "Export Config File" and specifiy the destination directory of your local file system.
You have used the SmartEvent GUI to create a custom Event policy. What is the best way to display the correlated Events generated by SmartEvent Policies? In the SmartConsole / Logs & Monitor -> open a new Tab and select External Apps / SmartEvent. Select the Events tab in the SmartEvent GUI or use the Events tab in the SmartView web interface. In the SmartConsole / Logs & Monitor -> open the Logs View and use type:Correlated as query filter. Open SmartView Monitor and select the SmartEvent Window from the main menu.
What are valid authentication methods for mutual authenticating the VPN gateways? PKI Certificates and DynamicID OTP PKI Certificates and Kerberos Tickets Pre-Shared Secrets and Kerberos Ticket Pre-shared Secret and PKI Certificates.
Aggressive Mode in IKEv1 uses how many packages for negotiation? depends on the make of the peer gateway 6 5 3.
Is it possible to establish a VPN before the user login to the Endpoint Client? no, the user must login first. yes, you had to set neo_always_connected to true in the trac.defaults of the Remote Access Client or you can use the endpoint_vpn_always_connected attribute in the trac_client_1.ttm file located in the $FWDIR/conf directory on the Security Gateway. yes, you had to enable Machine Authentication in the Gateway object of the Smart Console. yes, you had to set neo_remember_user_password to true in the trac.defaults of the Remote Access Client or you can use the endpoint_vpn_remember_user_password attribute in the trac_client_1.ttm file located in the $FWDIR/conf directory on the Security Gateway.
.
How can you make sure that the old logs will be available after updating the Management to version R81.10 using the Advanced Upgrade Method? The logs will be included running $FWDIR/scripts/migrate_server export -v R81.10 <path/filename> Use the WebUI -> Maintenance > System Backup and store the backup on a remote FTP server Use the WebUI to save a snapshot before updating the Management -> Maintenance > Snapshot Management Use the migrate_server tool with the option '-l' for the logs and '-x' for the index.
Which of the following Check Point commands is true to enable Multi-Version Cluster (MVC)? Check Point Security Management HA (Primary): set cluster member mvc on Check Point Security Gateway Only: set cluster member mvc on Check Point Security Management HA (Secondary): set cluster member mvc on Check Point Security Gateway Cluster Member: set cluster member mvc on.
What are the two modes for SNX (SSL Network Extender)? Network Mode and Hub Mode Office Mode and Hub Mode Network Mode and Application Mode Visitor Mode and Office Mode.
What mechanism can ensure that the Security Gateway can communicate with the Management Server with ease in situations with overwhelmed network resources? The corresponding feature is called "Dynamic Split" The corresponding feature is called "Dynamic Dispatching" The corresponding feature is new to R81.10 and is called "Management Data Plane Separation" There is a feature for ensuring stable connectivity to the management server and is done via Priority Queuing.
What is the correct description for the Dynamic Balancing / Split feature? Dynamic Balancing / Split dynamically distribute the traffic from one network interface to multiple SND's. The interface must support Multi-Queue. It is only available on Quantum Appliances (not on Quantum Spark or Open Server) Dynamic Balancing / Split dynamically distribute the traffic from one network interface to multiple SND's. The interface must support Multi-Queue. It is only available on Quantum Appliances and Open Server (not on Quantum Spark) Dynamic Balancing / Split dynamically change the number of SND's and firewall instances based on the current load. It is only available on Quantum Appliances (not on Quantum Spark or Open Server) Dynamic Balancing / Split dynamically change the number of SND's and firewall instances based on the current load. It is only available on Quantum Appliances and Open Server (not on Quantum Spark).
Which SmartEvent component is responsible to collect the logs from different Log Servers? SmartEvent Collector SmartEvent Correlation Unit SmartEvent Server SmartEvent Database.
What are valid Policy Types in R81.10? Access Control, RemoteAccess VPN, NAT, IPS Access Control, IPS, Threat Emulation, NAT Access Control, IPS, QoS, DLP Access Control, Threat Prevention, QoS, Desktop Security.
What is "Accelerated Policy Installation"? Starting R81, the QoS Policy installation process is accelerated thereby reducing the duration of the process significantly Starting R81, the Desktop Security Policy installation process is accelerated thereby reducing the duration of the process significantly Starting R81, the Access Control Policy installation process is accelerated thereby reducing the duration of the process significantly Starting R81, the Threat Prevention Policy installation process is accelerated thereby reducing the duration of the process significantly.
How can you switch the active log file? Run fw logswitch on the gateway Run fw logswitch on the Management Server Run fwm logswitch on the Management Server Run fwm logswitch on the gateway.
SecureXL is able to accelerate the Connection Rate using templates. Which attributes are used in the template to identify the connection? Source address, Destination address, Source Port, Destination port Source address, Destination address, Destination port Source address, Destination address, Source Port, Destination port, Protocol Source address, Destination address, Destination port, Protocol.
Using Web Services to access the API, which Header Name/Value had to be in the HTTP Post request after the login? API-Key X-chkp-sid Session Unique Identifier uuid Universally Unique Identifier user-uid.
The admin lost access to the Gaia Web Management Interface but he was able to connect via ssh. How can you check if the web service is enabled, running and which port is used? In expert mode run #netstat -tulnp | grep httpd to see if httpd is up and to get the port number. In clish run >show web daemon-enable to see if the web daemon is enabled. In clish run >show web ssl-port to see if the web daemon is enabled and which port is in use. In expert mode run #netstat -anp | grep httpd2 to see if the httpd2 is up. In expert mode run #netstat -tulnp | grep httpd2 to see if httpd2 is up and to get the port number. In clish run >show web daemon-enable to see if the web daemon is enabled. In clish run >show web ssl-port to see if the web daemon is enabled and which port is in use. In expert mode run #netstat -anp | grep httpd to see if the httpd is up.
|
