156-315.77 Sample Questions Answers

Expert@Green# fwmonitor –e “accept src=192.168.3.5 and dst=10.1.1.25;” –o monitor.out

Expert@Green# fw monitor –e “accept src=192.168.3.5 and dst=10.1.1.25;” –o monitor.out

Expert@Green# fwmonitor –e “accept src=192.168.3.5 or dst=10.1.1.25;” –o monitor.out

Expert@Green# fw monitor –e “accept src=192.168.3.5 or dst=10.1.1.25;” –o monitor.out

sglondon_1 because it the first configured object with the lowest IP.

sglondon_2 because sglondon_1 has highest IP.

sglondon_1, because it is up again, sglondon_2 took over during reboot.

sglondon_2 because it has highest priority.

For deployment of Identity Agents

Identity-based enforcement for non-AD users (non-Windows and guest users)

Leveraging identity in Internet application control

Basic identity enforcement in the internal network

From the Internet

Through all interfaces

Through internal interfaces

Through the Firewall policy

AD Query

Group Policy

Identity Agent

Captive Portal

You must run an ADquery for every domain.

Identity Awareness can only manage one AD domain.

Only one ADquery is necessary to ask for all domains.

Only Captive Portal can be used.

Leveraging machine name or identity

When accuracy in detecting identity is crucial

Identity based enforcement for non-AD users (non-Windows and guest users)

Protecting highly sensitive servers

pdp and lad

pdp and pdp-11

pep and lad

pdp and pep

fwaccel stats

fw accel stats

fw securexl stats

fwsecurexl stats

Inside the SmartLSM Security Gateway object in the SmartDashboard GUI

Inside the SmartLSM Security Gateway profile in the SmartProvisioning GUI

Inside the SmartLSM Security Gateway object in the SmartProvisioning GUI

Inside the SmartLSM Security Gateway profile in the SmartDashboard GUI

set static-route default nexthop gateway address 192.168.255.1 priority 1 on

set static-route 192.168.255.0/24 nexthop gateway logical ethl on

set static-route 192.168.255.0/24 nexthop gateway address 192.168.255.1 priority 1 on

set static-route nexthop default gateway logical 192.168.255.1 priority 1 on

There is more than one cluster connected to the same VLAN

A firewall cluster is configured to use Multicast for CCP traffic

There are more than two members in a firewall cluster

A firewall cluster is configured to use Broadcast for CCP traffic

apache

admin

cvpnd

cpauth

vpnd

cvpnd

fwm

fwd

$FWDIR/VPN/route_conf.c

$FWDIR/conf/vpn_route.conf

$FWDIR/bin/vpn_route.conf

$FWDIR/conf/vpn_route.c

Each H.323 connection will receive at least 512 Kbps of bandwidth.

The H.323 rule will consume no more than 2048 Kbps of available bandwidth.

50% of available bandwidth will be allocated to the Default Rule.

Neither rule will be allocated more than 10% of available bandwidth.

Accept, Reject, Encrypt, Drop

Accept, Hold, Reject, Proxy

Accept, Drop, Reject, Client Auth

Accept, Drop, Encrypt, Session Auth

The VPN Client selects which Security Gateway takes over, should the first connection fail.

MEP VPN’s are restricted to the location of the gateways.

State synchronization between Security Gateways is required.

MEP Security Gateways cannot be managed by separate Management Servers.

Gateway Setting

NAT Rules

Global Properties > NAT definition

Implied Rules

fw stat

fw ctl pstat

fw ver

cpstat fwd

Upgrades all cluster members except one at the same time.

Treats each individual cluster member as an individual gateway.

Is not a valid upgrade method in R76.

Is only supported in major releases (R70 to R71, R75 to R76).

On the Security Gateway

Internal network, where users are located

On the Internet

DMZ network, where application servers are located

Dedicated segment of the network

Scanning e-mails only if its sender e-mail address is part of this definition, by default.

Defining the e-mail address of the SMTP relay server.

FTP traffic sent from a user where his e-mail is part of this definition scanned by DLP, by default.

HTTP traffic sent from a user where his e-mail is part of this definition scanned by DLP, by default.

fw ver

fw stat

fw printver

cpstat -gw

fw merge

fw tab -u

fw shutdown

fwm policy_print

Message Body

Protocol

Data Type

Destination

Traffic is filtered using controlled port scanning.

IP protocol types listed as secure are allowed by default, i.e. ICMP, TCP, UDP sessions are inspected.

All traffic is expressly permitted via explicit rules.

Traffic not explicitly permitted is dropped.

snapshot

database revision

backup

upgrade export

ifconfig -a

arping

telnet

ping

sdm

cpd

fwd

fwm

cvpnd

fwm

vpnd

fwssd

make_au, au_auth, au_fetchuser, au_auth_auth, cpLdapCheck, cpLdapGetUser

make_au, au_auth, au_fetchuser, cpLdapGetUser, cpLdapCheck, au_auth_auth

cpLdapGetUser, au_fetchuser, cpLdapCheck, make_au, au_auth, au_auth_auth

au_fetchuser, make_au, au_auth, cpLdapGetUser, au_auth_auth, cpLdapCheck

ldapauth

cpauth

ldapd

cpShared

To allow SmartEvent R77 to function properly with all other R71 devices.

To avoid incorrect event generation by the default IPS event definition; a scenario that may occur in deployments that include Security Gateways of versions prior to R71.

As a base for starting and building exclusions.

To give samples of how to write your own exclusion.

SmartLog has a “Top Results” pane showing things like top sources, rules, and users.

SmartLog displays query results across multiple log files, reducing the need to open previous files to view results.

SmartLog requires less disk space by consolidating log entries into fewer records.

SmartLog creates an index of log entries, increasing query speed.

SSH

HTTPS

FTP

Telnet

MGCP MAC address response to a Multicast IP request

Multicast MAC address response to a Unicast IP request

Unicast MAC address response to a Multicast IP request

Multicast MAC address response to a RARP request

Load Balancing – Forward

High Availability

Load Sharing – Multicast

Load Sharing – Unicast

Load Sharing based on SPIs

Load Sharing based on IP addresses, ports, and serial peripheral interfaces

Load Sharing based on IP addresses, ports, and security parameter indexes

Load Sharing based on ports, VTI, and IP addresses

The customer can use the firewalls with Performance Pack inside the cluster, which should support the Sticky Decision Function. It is just necessary to configure it with the clusterXL_SDF_enable command.

ClusterXL always supports the Sticky Decision Function in the Load Sharing mode.

The customer can use the firewalls with Performance Pack inside the cluster, which should support the Sticky Decision Function. It is just necessary to enable the Sticky Decision Function in the SmartDashboard cluster object in the ClusterXL page, Advanced Load Sharing Configuration window.

Sticky Decision Function is not supported when employing either Performance Pack or a hardware-based accelerator card. Enabling the Sticky Decision Function disables these acceleration products.

cpd on the Security Gateway

fwd on the Security Gateway

fw kernel on the Security Gateway

Clustering on the Security Gateway

Gratuitous ARP

Broadcast storm

arp -s

Ping the sync interface

The Security Policy is installed.

The user data base is installed.

The standby Security Management Server starts for the first time.

The Security Policy is saved.

To the Internet and other targets only

To the center and other satellites, through the center

To the center only

To the center; or through the center to other satellites, then to the Internet and other VPN targets

Highlight the suspicious connection in SmartView Tracker > Active mode.Block the connection using the Tools > Block Intruder menu.Use the Active mode to confirm that the suspicious connection does not reappear.

Highlight the suspicious connection in SmartView Tracker > Log mode.Block the connection using Tools > Block Intruder menu.Use Log mode to confirm that the suspicious connection does not reappear.

Highlight the suspicious connection in SmartView Tracker > Active mode.Block the connection using Tools > Block Intruder menu.Use Active mode to confirm that the suspicious connection is dropped.

Highlight the suspicious connection in SmartView Tracker > Log mode.Block the connection using Tools > Block Intruder menu.Use the Log mode to confirm that the suspicious connection is dropped.

Connections created between the user and the DLP Gateway when clicking links within e-mail notifications to send or discard quarantined e-mails (matched for an Ask User rule) are encrypted.

The daemon running DLP Portal starts to run and can cater requests from users' browsers (following links from e-mail notifications) and from Check Point User Check.

The DLP Gateway can now notify Data Owners about DLP incidents.

User Check is activated.

Phase 3 Key Revocation

Perfect Forward Secrecy

MD5 Hash Completion

SHA1 Hash Completion

DES Key Reset

Global Properties > Security Server > Allowed FTP Commands

SmartDefense > Application Intelligence > FTP Security Server

Rule Base > Action Field > Properties

Web Intelligence > Application Layer > FTP Settings

FTP Service Object > Advanced > Blocked FTP Commands

WebUI

SmartProvisioning

Smart Dashboard

SmartUpdate

If both a limit and a guarantee per rule are defined in a QoS rule, then the limit must be smaller than the guarantee.

If both a rule limit and a per connection limit are defined for a rule, the per connection limit must not be greater than the rule limit.

A rule guarantee must not be less than the sum the guarantees defined in its sub-rules.

If a guarantee is defined in a sub-rule, then a guarantee must be defined for the rule above it.

Submit for Approval

Check the consistency of SmartWorkflow sessions.

Overall status information: Everything is OK.

Session has been approved.

Restart service CPwebis

Update Connector's certificate to reflect the newly assigned IP address

Make the change using sysconfig instead of the admin portal

Install a new license corresponding to the newly configured IP

Non repudiation

Data integrity

Availability

Authentication

snapshot

backup

backup_export

migrate export

CPConfig_Export

Backup

Upgrade_Export

migrate export

migrate export

upgrade_export

snapshot

backup

CPD

FWM

CPRID

FWD

meets the required objective and only one desired objective.

meets the required objective and both desired objectives.

meets the rquired objective but does not meet either deisred objective.

does not meet the required objective.

SmartDashboard

SmartBlade

SmartLSM

SmartProvisioning

fwaccel on

fw securexl on

fw accel on

fwsecurexl on

routed

There's no separate process, but the Linux default router can take care of that.

routerd

arouted

CPGUI

CPD

FWD

FWM

FWM

CPD

FWCMP

CPLMD

cpp

fwm

assld

fwd

80%

50%

40%

100%

fw ver -k

fw ctl pstat

fw ctl get kernel

fw kernel

show all |grep commands

show configuration

show commands

get all commands

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings.

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings.

Anti-Virus settings, Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings, HTTPS inspection settings.

Anti-Bot settings, Threat Emulation settings, Intrusion-prevention settings, HTTPS inspection settings

fw purge active

fw purge policy

fw fetch policy

fw unloadlocal

There is no dynamic update at reboot.

No. The revert will most probably not match to hard disk.

Yes. Everything is dynamically updated at reboot.

No. At installation the necessary hardware support is selected. The snapshot saves this state.

Type, Severity, Confidence level, Performance impact, Geo information.

Severity, Confidence level, Performance impact, Protection type.

Type, Severity, Confidence level, Performance impact.

Type, Severity, Confidence level, Performance impact, Protection type.

Open the SmartDashboard, Select Global properties, select Identity Awareness; check the boxes for Password must include an upper character, Password must include a digit, Password must include a symbol and change the password length to 8 characters.

Open the SmartDashboard, Select Global properties, select User Authority; check the boxes for Password must include an upper character, Password must include a digit and Password must include a symbol.

Open the SmartDashboard, Select Global Properties, select User Directory, check the boxes for Password must include an uppercase character, Password must include a digit, and Password must include a symbol.

Open the SmartDashboard, Select Global Properties, select User Directory, check the boxes for Password must include an uppercase character, Password must include a digit, Password must include a symbol and change the password length to 8 characters.

set bitrate 64

set edition default 64

configure edition 64-bit

set edition default 64-bit

by authentication.

via both private and public keys, without the use of digital Certificates.

by Certificate Authorities, digital certificates, and public key encryption.

by Certificate Authorities, digital certificates, and two-way symmetric-key encryption.

Assign links to specific VPN communities.

Assign links to use Dynamic DNS.

Set up links for Remote Access.

Use links based on Day/Time.

directional_match (true) in the objects_5_0.C file on Security Management Server

VPN Directional Match on the Gateway object’s VPN tab

VPN Directional Match on the VPN advanced window, in Global Properties

Advanced Routing on each Security Gateway

Assign links to use Dynamic DNS.

Use Load Sharing to distribute VPN traffic.

Use links based on Day/Time.

Use links based on authentication method.

internal_clear > All_communities

Internal_clear > External_Clear

Communities > Communities

internal_clear > All_GwToGw

Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, remove the Gateways out of the mesh community and replace with a star community

Domain VPN takes precedence over the route-based VTI. To make the VPN go through VTI, use an empty group object as each Gateway’s VPN Domain

Route-based VTI takes precedence over the Domain VPN. To make the VPN go through VTI, use dynamic-routing protocol like OSPF or BGP to route the VTI address to the peer instead of static routes

Route-based VTI takes precedence over the Domain VPN. Troubleshoot the static route entries to insure that they are correctly pointing to the VTI gateway IP.

Once CoreXL is installed you cannot enable additional Kernel instances without reinstalling R76.

In Smart Update, right-click on Firewall Object and choose Add Kernel Instances.

Use cpconfig to reconfigure CoreXL.

Kernel instances are automatically added after process installed and no additional configuration is needed.

Potentially hundreds and thousands of gateways.

Only Clustered Gateways.

Specific gateways.

Profiles are not used for updating, just reporting.

cphastart -status

cphainfo -s

cphaprob state

cphaconf state

fw hastat

cphaprob -i list

cphaprob -a if

fw ctl iflist

router ospf 1 creates the Router ID for the Security Gateway and should be the same ID for all Gateways.

router ospf 1 creates the Router ID for the Security Gateway and should be different for all Gateways.

router ospf 1 creates an OSPF routing instance and this process ID should be different for each Security Gateway.

router ospf 1 creates an OSPF routing instance and this process ID should be the same on all Gateways.

Run cpconfig utility to enable ospf routing

ip route ospfospf network1ospf network2

EnableConfigure terminalRouter ospf [id]Network [network] [wildmask] area [id]

Use DBedit utility to either the objects_5_0.c file

Download Migration Tool R77 for IPSO and Splat/Linux from Check Point website.

Use already installed Migration Tool.

Use Migration Tool from CD/ISO

Fetch Migration Tool R71 for IPSO and Migration Tool R77 for Splat/Linux from CheckPoint website

Upgrade Smartcenter to R77 first.

Upgrade R60-Gateways to R65.

Upgrade every unit directly to R77.

Check the ReleaseNotes to verify that every step is supported.

Login to Smart Dashboard, access Properties of the SMS, and verify whether Paul’s IP address is listed.

Type cpconfig on the Management Server and select the option “GUI client List” to see if Paul’s IP address is listed.

Login in to Smart Dashboard, access Global Properties, and select Security Management, to verify whether Paul’s IP address is listed.

Access the WEBUI on the Security Gateway, and verify whether Paul’s IP address is listed as a GUI client.