
Reference Solution for Checkpoint 156-115.77 from Testking

156-115.77: Check Point Certified Security Master
Version: 4.0
Score: 800/1000
Time Limit: 120 Minutes

1
Licensed to Redeserv Jmarc redeserv.jmarc@gmail.com
Exam A (180 questions)
Question 1
When you perform an install database, the status window is filled with large amounts of text. What
could be the cause?

There is an active fw monitor running.
There is an environment variable of TDERROR_ALL_ALL set on the gateway.
There is an active debug on the SmartConsole.
There is an active debug on the FWM process.

Question 2
When finished running a debug on the Management Server using the command fw debug fwm on,
how do you turn this debug off?

fwm debug off
fw ctl debug off
fw debug off
fw debug fwm off

Question 3
Which commands will properly set the debug level to maximum and then run a policy install in debug
mode for the policy Standard on gateway A-GW from an R77 GAiA Management Server?

setenv TDERROR_ALL_ALL=5
fwm -d load A-GW Standard

setenv TDERROR_ALL_ALL=5
fwm -d load Standard A-GW

export TDERROR_ALL_ALL=5
fwm -d load Standard A-GW

export TDERROR_ALL_ALL=5
fwm -d load A-GW Standard

Question 4
Which of the following items is NOT part of the columns of the chain modules?

Inbound/Outbound chain
Function Pointer
Chain position
Module location

Question 5
John is a Security Administrator of a Check Point platform. He has a misconfiguration issue that
points to the Rule Base. To obtain information about the issue, John runs the command:

fw debug fw on and checks the file fwm.elg.
fw kdebug fwm on and checks the file fwm.elg.
fw debug fwm on and checks the file fwm.elg.
fw kdebug fwm on and checks the file fw.elg.

Question 6
The user tried to connect with SmartDashboard and it did not work. You started an FWM debug and
received the logs below:

What is the error cause?

IP not defined in $FWDIR/conf/gui-clients
Wrong user and password
Wrong password
Wrong user

Question 7
When troubleshooting and trying to understand which chain is causing a problem on the Security
Gateway, you should use the command:

fw ctl zdebug drop
fw tab -t connections
fw monitor -e "accept;" -p all
fw ctl chain

Question 8
Which process should you debug when SmartDashboard authentication is rejected?

fwm
cpd
fwd
DAService

Question 9
A fwm debug provides the following output. What prevents the customer from logging into
SmartDashboard?

There is no policy allowing login to SmartDashboard
The FWM process has crashed and returned null to the access attempt
User and password are incorrect
IP not defined in $FWDIR/conf/gui-clients

Question 10
When performing a fwm debug, to which directory are the logs written?

$FWDIR/log
$FWDIR/log/fwm.elg
$FWDIR/conf/fwm.elg
$CPDIR/log/fwm.elg

Question 11
You are attempting to establish an FTP session between your computer and a remote server, but it is
not being completed successfully. You think the issue may be due to IPS. Viewing SmartView Tracker
shows no drops. How would you confirm if the traffic is actually being dropped by the gateway?

Search the connections table for that connection.
Run a fw monitor packet capture on the gateway.
Look in SmartView Monitor for that connection to see why it's being dropped.
Run fw ctl zdebug drop on the gateway.

Question 12
The fw tab -t ___________ command displays the NAT table.

loglist
tablist
fwx_alloc
conns

Question 13
While troubleshooting a DHCP relay issue, you run a fw ctl zdebug drop and see the following output:

;[cpu_1];[fw_0];fw_log_drop: Packet proto=17 10.216.14.108:67 > 172.31.2.1:67 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed;

Where 10.216.14.108 is the IP address of the DHCP server and 172.31.2.1 is the VIP of the Cluster.
What is the most likely cause of this drop?

An inbound collision due to a connections table check on pre-existing connections.
An outbound collision due to a Rule Base check, and dropped by incorrectly
configuring DHCP in the firewall policy.
A link collision due to more than one NAT symbolic link being created for outgoing
connections to the DHCP server.
A link collision due to more than one NAT symbolic link being created for connections
returning from the DHCP server back to the VIP of the Cluster.

Question 14
You are trying to troubleshoot a NAT issue on your network, and you use a kernel debug to verify a
connection is correctly translated to its NAT address. What flags should you use for the kernel
debug?

fw ctl debug -m fw + conn drop nat vm xlate xltrc
fw ctl debug -m fw + conn drop ld
fw ctl debug -m nat + conn drop nat xlate xltrc
fw ctl debug -m nat + conn drop fw xlate xltrc

Question 15
Since switching your network to ISP redundancy you find that your outgoing static NAT connections
are failing. You use the command _________ to debug the issue.

fwaccel stats misp
fw ctl pstat
fw ctl debug -m fw + nat drop
fw tab -t fwx_alloc -x

Question 16
Remote VPN clients can initiate connections with internal hosts, but internal hosts are unable to
initiate connections with the remote VPN clients, even though the policy is configured to allow it. You
think that this is caused by NAT. What command can you run to see if NAT is occurring on a packet?

fw tab -t fwx_alloc -x
fw ctl pstat
fwaccel stats misp
fw ctl debug -m fw + conn drop packet xlate xltrc nat

Question 17
Where in a fw monitor output would you see source address translation occur in cases of automatic
Hide NAT?

Between the "I" and "o"
Hide NAT does not adjust the source IP
Between the "o" and "O"
Between the "i" and "I"

Question 18
Where in a fw monitor output would you see destination address translation occur in cases of
inbound automatic static NAT?

Static NAT does not adjust the destination IP
Between the "i" and "I"
Between the "I" and "o"
Between the "o" and "O"

Question 19
Which flag in the fw monitor command is used to print the position of the kernel chain?

-all
-k
-c
-p

Question 20
Server A is subject to automatic static NAT and also resides on a network which is subject to
automatic Hide NAT. With regards to address translation, what will happen when Server A initiates
outbound communication?

This will cause a policy verification error.
This is called hairpin NAT; the traffic will return to the server.
The static NAT will take precedence.
The Hide NAT will take precedence.

Question 21
In your SecurePlatform configuration you need to set up a manual static NAT entry. After creating
the proper NAT rule what step needs to be completed?

Edit or create the file local.arp.
No further actions are required.
Edit or create the file discntd.if.
Edit the file netconf.conf.

Question 22
How do you set up Port Address Translation?

Since Hide NAT changes to random high ports it is by definition PAT (Port Address
Translation).
Create a manual NAT rule and specify the source and destination ports.
Edit the service in SmartDashboard, click on the NAT tab and specify the translated
port.
Port Address Translation is not supported in a Check Point environment

Question 23
You have set up a manual NAT rule, however fw monitor shows you that the device still uses the
automatic Hide NAT rule. How should you correct this?

Move your manual NAT rule above the automatic NAT rule.
In Global Properties > NAT ensure that server side NAT is enabled.
Set the following fwx_alloc_man kernel parameter to 1.
In Global Properties > NAT ensure that Merge Automatic to Manual NAT is selected.

Question 24
Since R76 GAiA, what is the method for configuring proxy ARP entries for manual NAT rules?

WebUI or add proxy ARP ... commands via CLISH
SmartView Tracker
local.arp file
SmartDashboard

Question 25
Tom is troubleshooting NAT issues using fw monitor and Wireshark. He tries to initiate a connection
from the external network to a DMZ server using the public IP which the firewall translates to the
actual IP of the server. He analyzes the captured packets using Wireshark and observes that the
destination IP is being changed as required by the firewall but does not see the packet leave the
external interface.
What could be the reason?

The translation might be happening on the client side and the packet is being routed
by the OS back to the external interface.
The translation might be happening on the server side and the packet is being routed
by the OS back to the external interface.
Packet is dropped by the firewall.
After the translation, the packet is dropped by the Anti-Spoofing Protection.

Question 26
Tom has a Web server for which he has created a manual NAT rule. The rule is not working. He tries
to initiate a connection from the external network to a DMZ server using the public IP which the
firewall translates to the actual IP of the server. He analyzes the captured packets using Wireshark
and observes that the destination IP is being changed as required by the firewall but does not see the
packet leave the internal interface. Which box in Global Properties should be checked?

Automatic NAT rules > Allow bi-directional NAT
Automatic NAT rules > Automatic ARP Configuration
Automatic NAT rules > Translate destination on client side
Manual NAT rules > Translate destination on client side

Question 27
The "Hide internal networks behind the Gateway's external IP" option is selected. What defines what
traffic will be NATted?

The Firewall policy of the gateway
The network objects configured for the network
The VPN encryption domain of the gateway object
The topology configuration of the gateway object

Question 28
With the default ClusterXL settings what will be the state of an active gateway upon using the
command ClusterXL_admin up?

Ready
Down
Standby
Active

Question 29
Which command should you use to stop kernel module debugging (excluding SecureXL)?

fw ctl debug 0
fw ctl zdebug - all
fw debug fwd off; vpn debug off
fw debug fwd off

Question 30
Which command should you run to debug the VPN-1 kernel module?

fw debug vpn on
vpn debug on TDERROR_ALL_ALL=5
fw ctl zdebug crypt kbuf
fw ctl debug -m VPN all

Question 31
Which command can be used to see all active modules on the Security Gateway?

fw ctl zdebug drop
fw ctl debug -h
fw ctl chain
fw ctl debug -m

Question 32
In some situations, switches may not play nicely with a Check Point Cluster and it is necessary to
change from multicast to broadcast. What command should you invoke to correct the issue?

set ccp broadcast
cphaconf set_ccp broadcast
cpha_conf set ccp broadcast
This can only be changed via GuiDbEdit.

Question 33
Which of the following commands shows the high watermark threshold for triggering the cluster
under load mechanism in R77?

fw ctl get int fwha_cul_mechanism_enable
fw ctl get int fwha_cul_cluster_short_timeout
fw ctl get int fwha_cul_member_cpu_load_limit
fw ctl get int fwha_cul_policy_freeze_event_timeout_millisec

Question 34
What mechanism solves asymmetric routing issues in a load sharing cluster?

Flush and ACK
Stateful Inspection
SYN Defender
State Synchronization

Question 35
When you have edited the local.arp configuration to support a manual NAT, what must be done to
ensure proxy ARPs for both manual and automatic NAT rules function?

In Global Properties > NAT tree select Merge manual proxy ARP configuration check
box
Run the command fw ctl ARP -a on the gateway
In Global Properties > NAT tree select Translate on client side check box
Create and run a script to forward changes to the local.arp tables of your gateway

Question 36
Which command clears all the connection table entries on a Security Gateway?

fw tab -t connetion -u
fw ctl tab -t connetions -u
fw tab -t connetion -s
fw tab -t connections -x

Question 37
How can you see a dropped connection and the cause from the kernel?

fw zdebug drop
fw ctl debug drop on
fw debug drop on
fw ctl zdebug drop

Question 38
After creating and pushing out a new policy, Joe finds that an old connection is still being allowed
that should have been closed after his changes. He wants to delete the connection on the gateway,
and looks it up with fw tab -t connections -u. Joe finds the connection he is looking for. What
command should Joe use to remove this connection?

<0,a128c22,89,a158508,89,11;10001,2281,25,15b,a1,4ecdfeee,ac,691400ac,7b6,3e,ffffffff,3c,3c,0,0,0,0,0,0,0,0,0,0,0,0,0,0>

fw tab -t connections -x -d "0,a128c22,89,0a158508,89,11"
fw tab -t connections -x -e "0,a128c22,00000089,0a158508,00000089,00000011"
fw tab -t connections -x -d "00000000,a128c22,00000089,0a158508,00000089,00000011"
fw tab -t connections -x -e "0,a128c22,89,0a158508,89,11"

Question 39
Using the default values in R77 how many kernel instances will there be on a 16-core gateway?

16
8
12
14

Question 40
When viewing connections using the command fw tab -t connections, all entries are displayed with a
6-tuple key. The elements of the 6-tuple include the following EXCEPT:

destination port number
source port number
direction (inbound / outbound)
interface id

Question 41
Each connection allowed by a Security Gateway will have a real entry and some symbolic link entries
in the connections state table. The symbolic link entries point back to the real entry using this:

serial number of the real entry.
6-tuple.
memory pointer.
date and time of the connection establishment.

C3O3 - ClusterXL

Question 42
Extended Cluster Anti-Spoofing checks what value to determine if a packet with the source IP of a
gateway in the cluster is being spoofed?

The source IP of the packet.
The packet has a TTL value of less than 255.
The source MAC address of the packet.
The destination IP of the packet.

Question 43
How do you clear the connections table?

Run the command fw tab -t connections -x
In Gateway Properties > Optimizations click Clear connections table
Run the command fw tab -t conns -c
Run the command fw tab -t connections -c

Question 44
In order to prevent outgoing NTP traffic from being hidden behind a Cluster IP, you should:

Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <17, 123> }; and then push policy.
Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <17, 123> };.
Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <123, 17> }; and then push policy.
Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <123, 17> }.

Question 45
Of the following answer choices, which best describes a possible effect of expanding the connections
table?

Increased memory consumption
Decreased memory consumption
Increased connection duration
Decreased connection duration

Question 46
Adam wants to find idle connections on his gateway. Which command would be best suited for
viewing the connections table?

fw tab -t connections
fw tab -t connections -u -f
fw tab -t connections -x
fw tab -t connections -s

Question 47
Which command will you run to list established VPN tunnels?

fw tab -t vpn_active
vpn compstat
fw tab -t vpn_routing
vpn tu

Question 48
You are troubleshooting a VPN with a Partner and you suspect a Diffie-Hellman (DH) group
configuration mismatch in Phase 1. After starting a vpn debug, in which packet would you look to analyze
this option in your debug file?

Packet3
Packet4
Packet5
Packet1

Question 49
The file ike.elg is a log file used to log IKE negotiations during VPN tunnel establishment. Where is
this file located?

/opt/CPshrd-R77/log
/opt/CPsuite-R77/fw1/log
/var/log/opt/CPsuite-R77/fg1/log
/opt/CPsuite-R77/fg1/log

Question 50
Which command displays compression/decompression statistics?

vpn ver -k
vpn compstat
vpn compreset
vpn crlview

Question 51
What debug file would you check to see what IKE version is being used?

fwpnd.elg
vpn.txt
debug.txt
vpnd.elg

Question 52
What file contains IKEv2 debug messages?

$FWDIR/log/ikev2
$FWDIR/log/ike.xml
$FWDIR/log/vpnd.elg
$FWDIR/log/ike.elg

Question 53
What is the log file that shows the keep alive packets during the debug process?

$FWDIR/log/ikev2.xmll
$FWDIR/log/ike.xmll
$FWDIR/log/ike.elg
$FWDIR/log/vpnd.elg

Question 54
What is the log file that shows the processes that participate in the tunnel initiation stage?

$FWDIR/log/ikev2.xmll
$FWDIR/log/ike.xmll
$FWDIR/log/vpnd.elg
$FWDIR/log/ike.elg

Question 55
Which program could you use to analyze Phase I and Phase II packet exchanges?

vpnView
Check PointView
IKEView
vpndebugView

Question 56
Check Point Best Practices suggest that when you finish a kernel debug, you should run the command
_____________________ .

fw debug 0
fw debug off
fw ctl debug default
fw ctl debug 0

Question 57
Given the following IKEView output, what do we know about QuickMode Packet 1?

Packet 1 proposes a symmetrical key
Packet 1 proposes a subnet and host ID, an encryption and hash algorithm
Packet 1 proposes SA Life Type, SA Life Duration, Authentication and Encapsulation Algorithm
Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data

Question 58
You are attempting to establish a VPN tunnel between a Check Point gateway and a 3rd party
vendor. When attempting to send traffic to the peer gateway it is failing. You look in SmartView
Tracker and see that the failure is due to "Encryption failure: no response from peer". After running a
VPN debug on the problematic gateway, what is one of the files you would want to analyze?

$FWDIR/log/fw.log
$FWDIR/log/fwd.elg
$FWDIR/log/ike.elg
/var/log/fw_debug.txt

Question 59
You want to run VPN debug that will generate both ike.elg and vpn.elg files. What is the best
command that can be used to achieve this goal?

vpn debug ikeon
vpn debug on TDERR_ALL_ALL=5
vpn debug trunc
vpn debug trunc

Question 60
In IKEView while troubleshooting a VPN issue between your gateway and a partner site you see an
entry that states "Invalid ID". Which of the following is the most likely cause?

IKEv1 is not supported by the peer.
Time is not matching between two members.
The encryption parameters (hash, encryption type, etc.) do not match.
Wrong subnets are being negotiated.

Question 61
While troubleshooting a VPN issue between your gateway and a partner site you see an entry in
Smartview Tracker that states "Info: encryption failure: Different community ID: possible NAT
problem".
Which of the following is the most likely cause?

You have an encryption method mismatch.
Implied rules in global properties such as ICMP and DNS are set to first instead of
before last.
You have not created a specific rule allowing VPN traffic.
You have the wrong encryption domains configured.

Question 62
You are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log
on your gateway that states "Clear text packet should be encrypted". Which of the following would
be the best troubleshooting step?

Use the excluded services in the VPN community to exclude this traffic from the VPN
or determine why the traffic is leaving the initiating (partner) gateway as clear text.
Use the excluded services in the VPN community to exclude this traffic from the VPN
or determine why the traffic is leaving local (your) gateway as clear text.
Your phase one algorithms are mismatched between gateways.
This is management traffic and we need to enable implied rule to address this issue.

Question 63
Your company has recently decided to allow remote access for clients. You find that no one is able to
connect, although you are confident that your rule set and remote access community has been
defined correctly. What is the most likely cause, based on the options below? You have the following
debug file:

RDP is being blocked upstream.
You have selected IKEv2 only in Global Properties > Remote Access > VPN -
Authentication and Encryption.
Remote access clients are all behind NAT devices.
Implied rule is not set to accept control connections.

Question 64
You are experiencing an issue where Endpoint Connect client connects successfully however, it
disconnects every 20 seconds. What is the most likely cause of this issue?

The Accept Remote Access control connections is not enabled in Global Properties >
FireWall Implied Rules.
You have selected IKEv2 only in Global Properties > Remote Access > VPN -
Authentication and Encryption.
You are not licensed for Endpoint Connect client.
Your remote access community is not configured.

Question 65
In a VPN configuration, the following mode can be used to increase throughput by bypassing firewall
enforcement.

Virtual Tunnel Interface (VTI) Mode can bypass firewall for all encrypted traffic
Hub Mode can be used to bypass stateful inspection
There is no such mode that can bypass firewall enforcement
Wire mode can be used to bypass stateful inspection

Question 66
When VPN user-based authentication fails, which of the following debug logs is essential to
understanding the issue?

VPN-1 kernel debug logs
IKE.elg
Vpnd.elg
fw monitor trace

Question 67
In Tracker you are troubleshooting a VPN issue between your gateway and a partner site and you get
a drop log that states "No proposal chosen". What is the most likely cause?

There is a time mismatch
The peer machine is not accepting multicast packets
A mismatch in the settings between the two peers
Using IKEv1 when peer uses IKEv2

Question 68
When are rules that include identity awareness access roles accelerated through SecureXL?

Rules using Identity Awareness are always accelerated.
Only when `Unauthenticated Guests' is included in the access role.
They have no bearing on whether the connection for the rule is accelerated.
Rules using Identity Awareness are never accelerated.

Question 69
What command shows the same information as fwaccel stats -l?

cat /proc/ppk/cpls
cat /proc/ppk/statistics
cphaprob -a hconf
fwaccell stats -s -u -k

Question 70
In order to perform some connection troubleshooting, you run the command fw monitor -e accept
dport = 443. You do NOT see the TCP ACK packet. Why is this?

The connection is encrypted.
The connection is NATted.
The connection is dropped.
The connection is accelerated.

Question 71
What is the corresponding connection template entered into the SecureXL connection table from the
connection: "10.0.0.100:1024 > 216.239.59.59:80"

"10.0.0.100:1024 > 216.239.59.59:80"
"10.0.0.100:1024 > 216.239.59.59:*"
"10.0.0.100:* > 216.239.59.59:*"
"10.0.0.100:* > 216.239.59.59:80"

Question 72
When are rules that include Identity Awareness Access (IDA) roles accelerated through SecureXL?

Only when `Unauthenticated Guests' is included in the access role.
Never, the inclusion of an IDA role disables SecureXL.
The inclusion of an IDA role has no bearing on whether the connection for the rule is
accelerated.
Always, the inclusion of an IDA role guarantees the connection for the rule is
accelerated.

Question 73
In the policy below, which rule disables SecureXL?

5
1
4
3

Question 74
When optimizing a customer firewall Rule Base, what is the BEST way to start the analysis?

With the command fwaccel stat followed by the command fwaccel stats.
At the top of the Rule Base.
Using the hit count column.
Using the Compliance Software Blade.

Question 75
What do the `F' flags mean in the output of fwaccel conns?

Forward to firewall
Flag set for debug
Fast path packets
Flow established

Question 76
What command should a firewall administrator use to begin debugging SecureXL?

fwaccel dbg api + verbose add
fwaccel debug -m <module name> <flag>
fwaccel dbg -m <module name> <flag>
SecureXL cannot be debugged, and the kernel debug will give enough output to help
the firewall administrator understand the firewall's behaviour. The right command to use
is fw ctl debug -m fw.

Question 77
A firewall administrator knows the details of the packet header for an already established connection
going through a firewall. What command will show if SecureXL will accelerate that packet?

fw ctl zdebug + sxl error warning asm
fwaccel conns
fwaccel templates
fw tab -t connections -f | grep `dest. port #' | grep `source port #' | grep `dest. IP address'

Question 78
What is the command to check how many connections the firewall has detected for the SecureXL
device?

fw tab -t connections -s
fw tab -t cphwd_db -s
fw tab -t connection -s | grep template
fwaccel conns

Question 79
While troubleshooting high CPU usage on cores 3 and 4 on a cluster, you notice the following output
of fwaccel stats -s:

What could be a possible cause of the high CPU usage?

Connections are being partially accelerated by SecureXL, but too many packets are
still being processed by the firewall kernel.
The Secure Network Dispatcher (SND) is having to process too much inbound traffic
from the NICs.
Connections are not being accelerated by SecureXL, and all packets are being
forwarded to firewall kernel instances for inspection.
The Secure Network Dispatcher (SND) is working too hard to distribute the traffic to
the acceleration layer.

Question 80
Which of the following statements are TRUE about SecureXL?

I. SecureXL is able to accelerate all connections through the firewall.
II. Medium path acceleration will still cause some CPU utilization of CoreXL cores.
III. F2F connections represent "forwarded to firewall" connections that are not
accelerated and fully processed through the firewall kernel.
IV. Packets going through SecureXL must be inspected by the firewall kernel before
being accelerated.

II and III
I, II, and III
III and IV
I and IV

Question 81
Consider the following Rule Base:

What can be concluded in regards to SecureXL Accept Templates?

Accept Templates will be disabled on Rule #4
Accept Templates will be fully functional
Accept Templates will be disabled on Rule #6
Accept Templates do not function with VPN communities in the Rule Base

Question 82
In an HA cluster, you modify the number of cores given to CoreXL on only one member using
cpconfig and then issue a reboot. What is the expected ClusterXL status of this member when it
comes up?

Standby
Ready
Active
Down

Question 83
Which information CANNOT be displayed by issuing the command cat /proc/cpuinfo?

CPU family
NFS_Unstable
fpu
vendor_id

Question 84
You find that your open server SecurePlatform system is lagging although you know you have plenty
of memory and the complexity of the Rule Base has not changed significantly. You think that
upgrading the CPU frequency speed could help your performance. Which command could help you
see what speed and model of CPU you are using?

top
sysconfig
cat /proc/cpuinfo
fw tab

Question 85
Where would you find CPU information like model, number of cores, vendor and architecture?

In the file cpuinfo in the directory /proc.
Right click the gateway object in SmartDashboard and view properties
WebUI
sysconfig

Question 86
From which version can you add Proxy ARP entries through the GAiA portal?

R77.10
R77
R75.40
R76

Question 87
What happens to manual changes in the file $FWDIR/conf/local.arp when adding Proxy ARP entries
through the GAiA portal or Clish?

Nothing.
If the file $FWDIR/conf/local.arp has been edited manually, you are not able to add
Proxy ARP entries through the GAiA portal or Clish.
They are merged with the new entries added from the GAiA Portal / Clish.
They are overwritten.

Question 88
You are analyzing your firewall logs, /var/log/messages, and repeatedly see the following kernel
message:

'kernel: neighbor table overflow'

What is the cause?

ARP cache overflow
OSPF neighbor down
Nothing, you can disregard it.
Cluster member table overflow

Question 89
The 'Maximum Entries' value in the GAiA Portal corresponds to the 'gc_thresh3' parameter in the
Linux kernel and has a value of 1024. Knowing this, you know that gc_thresh2 and gc_thresh1 are
automatically set to the values:

gc_thresh2=256 and gc_thresh1=128
gc_thresh2=512 and gc_thresh1=256
gc_thresh2=1024 and gc_thresh1=1024
gc_thresh1=256 and gc_thresh2=128

Question 90
Your ARP cache is overflowing, negatively impacting users' experience on your network. Which
command can you issue to increase the ARP cache on the fly? You do not need this to survive a reboot.

Modify the /etc/sysctl.conf: net.ipv4.neigh.default.gc_thresh3 = 1024.
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
arp cache table > 1024
You cannot increase the size of the ARP cache on the fly.

Question 91
Your gateway object is currently defined with a max connection count of 25k connections in
SmartDashboard. Which of the following commands would show you the current and peak connection
counts?

show connections all
fw ctl conn
fw ctl chain
fw ctl pstat

Question 92
Which command will NOT display information related to memory usage?

free
fw ctl pstat
cat /proc/meminfo
memoryinfo.conf

Question 93
What does the command fwaccel templates do?

Starts firewall acceleration after fwaccel off was run or SecureXL was enabled by
using the command cpconfig.
That SecureXL has been enabled in the cpconfig command menu.
Shows templates existing in the SecureXL device. This is so that an administrator can
look for the template that matches the specific traffic.
The Rule Base mapping between actual rules and the template built up in Layer 2.

Question 94
Running the command fw ctl pstat -l would return what information?

Additional hmem details
General Security Gateway statistics
Additional kmem details
Additional smem details

Question 95
You have a user-defined SMTP trap configured to send an alert to your mail server, and you also have
SmartView Monitor configured to trigger the alert whenever policy is pushed to your gateway.
However, you are not getting any mails even when you test for pushing policy. What process should
you troubleshoot on the Management Server?

fwd
fwm
cpwd_admin
cpstat_monitor

Question 96
What command, other than fw ctl pstat, will display your peak concurrent connections?

fw ctl get int fw_peak_connections
netstat -ni
fw tab -t connections -s
top

Question 97
You have just configured HA and find that connections are not being synced. When you have a
failover, users complain that they are losing their connections. What command could you run to see
the state synchronization statistics?

fw ctl pstat
fw sync stats
cphaprob stat
fw ctl get int fw_state_sync_stats

Question 98
Which of the following is a valid synchronization status as an output to fw ctl pstat?

Unable to receive sync packets
Sync member down
Synchronized
Communicating

Question 99
You are running some diagnostics on your GAIA gateway. You are reviewing the number of
fragmented packets; you notice that there are a lot of large and duplicate packets. Which command
did you issue to get this information?

sysconfig
fw ctl pstat
fw ctl get int fw_frag_stats
cat /proc/cpuinfo
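
Questions 91 and 96 through 99 all come down to reading connection counts, state-sync counters and fragment statistics off the gateway. The script below is an added example, not code from the original page or from Check Point: it parses constructed text in the shape of the R77 `fw tab -t connections -s` summary (the #VALS and #PEAK columns) and the Fragments and Sync sections of `fw ctl pstat`, and turns them into findings. The sample text, the section and label names and the 1% thresholds are assumptions of the example; check them against your own gateway's output before relying on the script.

```python
"""Health check over Check Point connection-table and sync statistics.

Added example. The samples below are constructed to resemble R77 output and
were not captured from a real gateway; thresholds are illustrative.
"""
import re

# Constructed: summary row of `fw tab -t connections -s` (#VALS = current, #PEAK = high-water mark).
SAMPLE_TAB_SUMMARY = """\
HOST                  NAME                                 ID #VALS     #PEAK #SLINKS
localhost             connections                        8158 12904     24871   25113
"""

# Constructed: the Fragments and Sync sections of `fw ctl pstat` on a cluster member.
SAMPLE_PSTAT = """\
Fragments:
    3124 fragments, 1511 packets, 2 expired, 0 short,
    417 large, 96 duplicates, 1 failures

Sync:
    Version: new
    Status: Able to Send/Receive sync packets
    Sync packets sent:
     total : 1450772, retransmitted : 30, retrans reqs : 0, acks : 4
    Sync packets received:
     total : 1480301, were queued : 12, dropped by net : 0
     retrans reqs : 2, received 4 acks
     retrans reqs for illegal seq : 0
     dropped updates as a result of sync overload: 17
"""

SYNC_OK = "Able to Send/Receive sync packets"  # healthy status string (assumed)


def parse_connections_summary(text):
    """Return (current, peak, slinks) from the 'connections' row of fw tab -s output."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[1] == "connections":
            return int(f[3]), int(f[4]), int(f[5])
    raise ValueError("no 'connections' row in fw tab output")


def _sections(text):
    """Split pstat output into {section name: [stripped indented lines]}."""
    out, cur = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            cur = line.strip()[:-1]
            out[cur] = []
        elif cur is not None and line.strip():
            out[cur].append(line.strip())
    return out


def parse_fragments(text):
    """Map each fragment counter ('large', 'duplicates', ...) to its value."""
    body = " ".join(_sections(text).get("Fragments", []))
    return {name: int(n) for n, name in re.findall(r"(\d+)\s+([a-z]+)", body)}


def parse_sync(text):
    """Return (status, counters); counters are keyed 'sent.<label>' / 'received.<label>'."""
    status, counters, sub = None, {}, ""
    for line in _sections(text).get("Sync", []):
        if line.startswith("Status:"):
            status = line[len("Status:"):].strip()
        elif line.startswith("Sync packets sent"):
            sub = "sent."
        elif line.startswith("Sync packets received"):
            sub = "received."
        for label, n in re.findall(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)", line):
            counters[sub + label.strip()] = int(n)
    return status, counters


def assess(tab_text, pstat_text, retrans_pct=1.0, dup_pct=1.0):
    """Return the findings an administrator would act on (thresholds are assumptions)."""
    findings = []
    cur, peak, _ = parse_connections_summary(tab_text)
    findings.append(f"connections: {cur} current, {peak} peak")
    frag = parse_fragments(pstat_text)
    if frag.get("fragments") and 100.0 * frag.get("duplicates", 0) / frag["fragments"] > dup_pct:
        findings.append(f"fragments: {frag['duplicates']} duplicates of {frag['fragments']} (check MTU and path asymmetry)")
    status, c = parse_sync(pstat_text)
    if status != SYNC_OK:
        findings.append(f"sync: status '{status}' (check the sync interface and CCP)")
    if c.get("received.dropped updates as a result of sync overload", 0) > 0:
        findings.append("sync: updates dropped under overload (consider Delayed Synchronization for short-lived services)")
    sent = c.get("sent.total", 0)
    if sent and 100.0 * c.get("sent.retransmitted", 0) / sent > retrans_pct:
        findings.append("sync: retransmission rate above threshold")
    return findings
```

Save the two command outputs to files and call `assess(open("tab.txt").read(), open("pstat.txt").read())`; the "Unable to receive sync packets" status from Question 98 is caught by the same status comparison.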

Question 100
Your company has grown significantly over the past few months. You are seeing that new
connections are being dropped but note that the connections table is not full. You suspect that the
kernel memory allocated to the firewall has reached its full capacity. To check the "Machine Capacity
Summary" statistics, you use command:

ps -aux
top
cat /proc/net/capacity
fw ctl pstat
Explanation:

C6O4 - Hardware Optimization

Question 101
Under which scenario would you most likely consider the use of Multi-Queue?

When IPS is heavily used.
When most of the traffic is accelerated.
When most of the processing is done in CoreXL.
When trying to increase session rate.

Question 102
If you need to use a Domain object in the Rule Base, where should this rule be located?

No higher than the 2nd rule.
The first rule in the Rule Base.
The last rule before the clean up rule.
The last rule after the clean up rule.

Question 103
You have a requirement to implement a strict security policy. With this in mind, you must create a
stealth rule. How will this impact your packet acceleration?

Using a stealth rule disables SecureXL.
There will be no impact as long as the rule is not logged.
NAT templates will not work.
There will be no impact, since stealth rules do not affect SecureXL.

Question 104
What will be the outcome if you set the kernel parameters cphwd_nat_templates_enabled and
cphwd_nat_templates_support?

This would enable Hide NAT support.
These parameters are mutually exclusive and cannot be used at the same time.
This would enable SecureXL NAT templates.
These are not valid parameters.

Question 105
In a ClusterXL cluster with delayed synchronization, which of the following is not true?

The length of time for the delay can be edited.
It applies only to TCP services whose Protocol Type is set to HTTP or None.
Delayed Synchronization is disabled if the Track option in the rule is set to Log or
Account.
Delayed Synchronization is performed only for connections matching a SecureXL
Connection Template.

Question 106
What is the best way to see how a firewall is performing while processing packets in the firewall
path, including resource usage?

fw getperf
SecureXL stat
fwaccel stats
fw ctl pstat

Question 107
What is the best way to see how much traffic went through the firewall that was TCP, UDP and
ICMP?

fwaccel conns
fw tab -t connections -p
fwaccel stats
fw ctl pstat

Question 108
Which file holds global Kernel values to survive reboot in a Check Point R77 gateway?

$FWDIR/conf/fwkern.conf
$FWDIR/boot/modules/fwkern.conf
$FWDIR/boot/confwkern.conf
$FWDIR/boot/fwkern.conf

Question 109
ACME Corp has a cluster consisting of two 13500 appliances. As the Firewall Administrator, you
notice that on an output of top, you are seeing high CPU usage of the cores assigned as SNDs, but
low CPU usage on cores assigned to individual fw_worker_X processes. What command should you
run next to performance tune your cluster?

fw ctl debug -m cluster + all - this will show you all the connections being processed
by ClusterXL and explain the high CPU usage on your appliance.
fwaccel off - this will turn off SecureXL, which is causing your SNDs to be running high
in the first place.
fwaccel stats -s - this will show you the acceleration profile of your connections and
potentially why your SNDs are running high while other cores are running low.
fw tab -t connections -s - this will show you a summary of your connections table,
and allow you to determine whether there is too much traffic traversing your firewall.

Question 110
Your customer has a well optimized Rule Base with most traffic accelerated by SecureXL. They are
still seeing slow performance. They are using an 8 core machine. They see the following output from
fw ctl affinity -l. What could be done to improve performance with this deployment?

Increase the number of cores dedicated to logging.
Increase the number of Secure Network Dispatchers as the accelerated traffic is not
passed to a worker core.
Add more CPU resources to the hardware.
Upgrade to SAM hardware.

Question 111
The CoreXL software architecture includes the Secure Network Dispatcher (SND). One of the
responsibilities of SND is to:

Distribute non-accelerated packets among kernel instances
Dispatch the packet securely through the VPN link
Processing outgoing traffic from the network interfaces
Dispatch the packet securely through the physical link

Question 112
What is the method to change the number of cores that CoreXL will use?

cpconfig
SmartDashboard
sysconfig
CoreXL automatically recognizes the number of cores on a system at startup so there
is no method or reason to modify the setting.

Question 113
What command verifies which core each gateway interface and firewall instance is currently running
on?

fw ctl pstat
fwaccel stat
show corexl stat
fw ctl affinity -l

Question 114
A Security Administrator wants to increase the amount of processing cores on a Check Point Security
Gateway. He starts by increasing the number of cores; however, the number of kernel instances
remains the same. What is the correct process to increase the number of kernel instances?

Cpconfig- Enable Check Point CoreXL- Change the number of firewall instances-define
how many firewall instances to enable-cprestart
Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how
many firewall instances to enable-reboot
Cpconfig- Enable Check Point ClusterXL- Change the number of firewall instances-
define how many firewall instances to enable-reboot
Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how
many firewall instances to enable-cpstop,cpstart

Question 115
What command displays the Connections Table for a specified CoreXL firewall instance?

fw tab -t connections -s
fw -i FW_INSTANCE_ID tab -t connections [flags]
fw tab -t connection | grep fw<FW_INSTANCE_ID>
fw tab -t connections

Question 116
Why would you not see a CoreXL configuration option in cpconfig?

The gateway only has one processor core.
CoreXL is not enabled in the gateway object.
CoreXL is not licensed.
CoreXL is disabled via policy.

Question 117
Where would you go to adjust the number of Kernels in CoreXL?

Cpconfig
fw ctl conf
fw ctl affinity
fw ctl multik stat

Question 118
CoreXL on IPSO R77.20 does NOT support which of the following features?

Check Point QoS
IPv6
Overlapping NAT
Route-based VPN

Question 119
When troubleshooting a performance problem on multicore firewall that is using CoreXL, what
command checks the number of connections each core is processing?

sim affinity -l
cat fwkern.conf
fw ctl pstat
fw ctl multik stat

Question 120
A firewall has 8 CPU cores and the correct license. CoreXL is enabled. How could you set kernel
instance #3 to run on processing core #5?

This is not possible CoreXL is best left to manage the Kernel to CPU core mappings. It
is only when a daemon is bound to a dedicated core that CoreXL will ignore that CPU core
when mapping Kernel instances to CPU cores.
fw ctl affinity -s -k 3 5
Run fwaffinity_apply -t 3 -k 5 and then check that the settings have taken effect with
the command fw ctl multik stat.
Edit the file fwaffinity.conf and add the line "k3 cpuid 5"

Question 121
What command would you use to check if CoreXL is enabled?

fw ctl multik stat
cpconfig
fw ctl affinity -l
fw ctl pstat

Question 122
Which command will allow you to change firewall affinity and survive a reboot with no further
modification?

fw ctl affinity -s
sim affinity -l
fw affinity -l
sim affinity -s

Question 123
What does the output of the commands fw ctl multik stat and fw6 ctl multik stat show?

Only the total number of connections currently being handled by all kernel instances on a
CoreXL-enabled firewall.
Information for each kernel instance. The output displays state and processing core
number of each instance.
Which CPU cores are Kernel and SND bound cores.
The number of Firewall Kernels that are installed.
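
Questions 109, 110, 113 and 120 through 123 all turn on reading which cores carry interfaces (SNDs) and which run kernel instances. The following is an added example, not code from the page or from Check Point: it parses constructed text in the shape of `fw ctl affinity -l` output (interface, Kernel and Daemon lines) and applies the rule of thumb from Questions 109 and 110, that hot SNDs beside idle workers call for more SND cores. The sample layout, the 8-core assumption and the check that an interface should not share a core with a kernel instance are assumptions of the example, not something the tool itself reports.

```python
"""Classify cores from `fw ctl affinity -l` output and suggest CoreXL tuning.

Added example with constructed data; SAMPLE_AFFINITY was not captured from a
real appliance. The shared-core rule is the reviewer's check, not tool output.
"""
import re

# Constructed: 8-core R77 gateway, three interfaces, six kernel instances, daemons floating.
SAMPLE_AFFINITY = """\
eth0: CPU 0
eth1: CPU 1
eth2: CPU 2
Kernel fw_0: CPU 7
Kernel fw_1: CPU 6
Kernel fw_2: CPU 5
Kernel fw_3: CPU 4
Kernel fw_4: CPU 3
Kernel fw_5: CPU 2
Daemon fwd: CPU all
Daemon cpd: CPU all
"""

# "<name>: CPU <ids>" with an optional "Kernel"/"Daemon" prefix; bare names are interfaces.
LINE_RE = re.compile(r"^(?:(Kernel|Daemon)\s+)?(\S+):\s*CPU\s+(.+)$")


def parse_affinity(text):
    """Return {name: (kind, cores)}; kind is Interface/Kernel/Daemon, cores a set or 'all'."""
    result = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, name, cpus = m.groups()
        cores = "all" if cpus.strip() == "all" else {int(c) for c in cpus.split()}
        result[name] = (kind or "Interface", cores)
    return result


def core_layout(text, total_cores):
    """Split cores into SND (interface-bound), worker (fw instance), shared and unused."""
    aff = parse_affinity(text)
    snd, workers = set(), set()
    for kind, cores in aff.values():
        if cores == "all":
            continue  # floating daemons do not claim a core
        if kind == "Interface":
            snd |= cores
        elif kind == "Kernel":
            workers |= cores
    return {
        "snd": sorted(snd - workers),
        "workers": sorted(workers - snd),
        "shared": sorted(snd & workers),
        "unused": sorted(set(range(total_cores)) - snd - workers),
        "instances": sum(1 for k, _ in aff.values() if k == "Kernel"),
    }


def tuning_advice(layout, snd_busy, workers_busy):
    """Apply the page's rule of thumb; snd_busy/workers_busy come from reading top."""
    advice = []
    if layout["shared"]:
        advice.append(f"interface IRQs and fw instances share cores {layout['shared']}; "
                      "rebind the interfaces to dedicated SND cores")
    if snd_busy and not workers_busy:
        advice.append("SNDs saturated while workers idle: reduce the CoreXL instance count in "
                      "cpconfig to free a core for SND (reboot required)")
    if workers_busy and not snd_busy and layout["unused"]:
        advice.append(f"workers saturated: cores {layout['unused']} are unused; add CoreXL instances")
    return advice
```

With the sample layout, `core_layout(SAMPLE_AFFINITY, 8)` reports core 2 as shared between eth2 and fw_5, which is the first thing to fix before changing the instance count.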

Question 124
You are at a customer site, and when you run cphaprob stat you are not seeing a normal ClusterXL
health. What command could you run to verify whether the number of cores is mismatched between the
two cluster members?

cpconfig
cphaprob -a if
fw ctl multik stat
cphaprob stat

Question 125
What is required when changing the configuration of the number of workers in CoreXL?

A reboot
cpstop/cpstart
evstop/evstart
A policy installation

Question 126
In IPS which of the two initial profiles is the more resource intensive?

Prevention
Standard
Default
Recommended

Question 127
In IPS what does a high confidence rating mean?

This is a rating for how confident Check Point is with catching this attack
This is a rating for how likely this attack is to penetrate most systems
There is a high likelihood of false positives
There is a low likelihood of false positives

Question 128
Which of the following CANNOT be used as a source/destination for an IPS network exception?

Network Group
Identity Awareness Access Role
Any
IP Address

Question 129
When using Geo Protections, you find there are logs for a country that you believe is incorrect. What
file do you review to verify what country Geo Protections should identify the traffic as?

asm.C
objects.C
objects_5_0.C
IpToCountry.csv

Question 130
When performing a Clean IPS procedure to resolve a corrupt IPS files issue, what file is modified in
order for the SDUU process to automatically update the IPS files after completing the procedure?

asm.C
inspect.C
objects_5_0.C
profiles.C

Question 131
How would one enable 'INSPECT debugging' if one suspects IPS false positives?

Run command fw ctl set int enable_inspect_debug 1 from the command line.
Toggle the checkbox in Global Properties > Firewalls > Inspection section.
WebUI
Set the following parameter to true using GuiDBedit:
enable_inspect_debug_compilation.

Question 132
Jerry is a network administrator for ACME Co. Their network contains 5 gateways all managed by a
single Management Server. They are currently receiving an exorbitant number of false positives for
traffic traversing their network. Based on this information, what factor do you think is contributing
most to the high amount of false positives Jerry is receiving?

She is performing IPS inspection on all traffic
She has set protections to run in "Detect" mode
She has enabled protections based on the network devices and requirements
She has created a dedicated IPS profile for each Security Gateway

Question 133
You have created a number of profiles and activated the relevant protections. Afterwards, you
decide that the 'Enterprise gateway' should allow instant messaging. The current profile enabled for
Enterprise gateway blocks instant messaging. The profile for the Enterprise gateway is currently
being used on the Voyager gateway and the Bird of Prey gateway. What is the best process for
making this change on the Enterprise gateway only?

Create an exception for the Enterprise gateway
Create a rule allowing that traffic and install it on the Enterprise gateway
Create a new profile and apply to the Enterprise gateway
Edit the existing profile

Question 134
What steps can be taken if IPS is causing a High Performance Impact?

Consider activating the "Bypass under Load" IPS setting on the gateway
Check your IPS configuration assigned to this gateway and deactivate protections
with critical or high performance impact
Determine if different or custom IPS profiles are better suited for different gateways
in your organization
All options listed

Question 135
When the IPS 'Bypass under Load' mechanism detects that certain CPU and memory usage
thresholds have been reached, which of the following occurs?

The mechanism configures all IPS protections in 'Detect Mode'
IPS is disabled completely
The mechanism disables all IPS protections by placing them under 'exception'
Stateful Inspection is disabled

Question 136
Which of the following IPS Layers is responsible for ensuring that only valid retransmission packets
are allowed to proceed to destinations?

Protocol Parsers
Context Management Interface layer (CMI)
Protections
Passive Streaming Library (PSL)

Question 137
One of the IPS layers' main functions is to ensure compliance with well-defined protocol standards,
detect anomalies if any exist, and assemble the data for further inspection by other components of
the IPS engine. Which component is responsible for these functions?

Context Management Interface layer (CMI)
Protections
Protocol Parsers
Passive Streaming Library (PSL)

Question 138
Which of the following IPS Layers is the "brain" of the IPS? That is, what coordinates between
different components, decides which protections should run on a certain packet, decides the final
action to be performed on the packet and issues an event log?

Protections
Passive Streaming Library (PSL)
Protocol Parsers
Context Management Interface layer (CMI)

Question 139
Which of the following IPS Layers is a set of signatures and/or handlers, where:
- Signature is a malicious pattern that is searched for.
- Handler is the INSPECT code that performs more complex inspection.

Passive Streaming Library (PSL)
Protections
Context Management Interface layer (CMI)
Protocol Parsers

Question 140
You have strict IPS corporate guidelines. This is having a performance impact on the firewall. What
steps could you take to minimize this impact without compromising the corporate policy?

Select "Protect Internal hosts only"
Select "Bypass IPS inspection when gateway is under heavy load"
Select "Perform IPS inspection on all traffic"
Without minimizing signatures you cannot improve performance

Question 141
Which of the following is true when IPv6 is enabled on a Security Gateway?

An interface on the Gateway can have an IPv4 address, an IPv6 address, or both.
As of version R77, IPv6 is only supported on Security Management Server.
IPv4 will be completely disabled when IPv6 has been enabled.
An interface on the Gateway can have either an IPv4 or an IPv6 address, but not both.

Question 142
Which of the following is true about Node / Host objects?

A Node / Host object can have an IPv4 address, an IPv6 address, or both.
A Node / Host object can have either an IPv4 or an IPv6 address, but not both.
Separate objects need to be created for hosts that use dual stack.
A Node / Host object can only have an IPv4 address. For IPv6, a Node / Host6 object
must be used.
A Node / Host object does not support IPv6, hence a Network object must be created
for IPv6.

Question 143
Which of these commands can be used to display the IPv6 routes?

show route
show ipv6 route
show routes all
show route ipv6

Question 144
Which of these commands can be used to display the IPv6 status?

show ipv6-stat
show ipv6 all
show ipv6 status
show ipv6-status

Question 145
What VSX components do not support IPv6 in R77 VSX mode?

VSX mode does not support IPv6
All devices support IPv6
Virtual Systems
Virtual Routers

Question 146
A system administrator wants to convert an IPv6 gateway from a standard gateway into a gateway
running VSX mode. What does he need to consider?

It is not possible to convert a gateway with IPv6 enabled to VSX mode.
There needs to be proper IPv6 routing setup.
At least two interfaces need to be configured with IPv6.
Policy needs to be properly applied to the gateway before converting the system to
VSX mode.

Question 147
How do you enable IPv6 support on an R77 gateway running the GAiA OS?

IPv6 is enabled by default.
Under WebUI go to System Management > System Configuration, turn on IPv6
Support, click apply and reboot.
Enable the IPv6 Software Blade for the gateway in Smart Dashboard.
Run the IPv6 script $FWDIR/scripts/fwipv6_enable and reboot.

Question 148
How do you disable IPv6 on an IPSO gateway?

Run $FWDIR/scripts/fwipv6_enable off and reboot.
Remove the IPv6 license from the gateway.
You cannot disable IPv6.
In IPSO go to System Management > System Configuration, set IPv6 Support to off,
and click Apply.

Question 149
Does R77 SmartDashboard support IPv6?

Yes, provided the operating system on which SmartDashboard is installed is configured with IPv6.
SmartDashboard does not support IPv6.
IPv6 needs to be tunneled through IPv4 to support IPv6.
R77.20 and above provides the support for Smart Dashboard and IPv6 support.

Question 150
Which of the following statements about Full HA support with IPv6 is NOT true?

There is no Dynamic Routing with IPv6.
Mirrored Interfaces must have IPv4 addresses.
Sync traffic must be IPv4.
IPv6 does not support a Secondary Management Server.

Question 151
When troubleshooting a VPN site-to-site to a peer, it may be necessary to "down" the tunnel. What
is the best method to remove ONLY the tunnel to this peer?

Change the vpn tunnel sharing parameters to force the tunnel down.
Reboot your gateway.
Remove the peer from the community and install policy.
Delete the IKE and IPsec Security Associations using the command vpn tu.

Question 152
In Check Point, Domain-based VPN's take precedence over route-based VPN. If implementing a
route-based VPN, what is one configuration step you must make on the gateway object taking part
in the route-based VPN?

You should remove the gateway from all communities.
Check Point does not support route-based VPN's.
You need to create a new simple group with no objects in it and apply this as the VPN
domain under that gateway's topology tab.
You should check the "Use route-based VPN" checkbox in the community properties.

Question 153
What utility would you use to configure route-based VPNs?

vpn sw_topology
vpn shell
vpn set_slim_server
vpn tu

Question 154
Where do you configure the file user.def to change the encryption domain of the Security Gateway?

Management Server
Endpoint Client
Security Gateway
interoperable device

Question 155
Henry is attempting to verify VPN connectivity between two hosts, x and y. Of the following
commands, which could be BEST used to verify connectivity of this VPN?

[Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y, dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap

Question 156
Which technology is not supported with route-based VPNs?

Unnumbered VTI
Numbered VTI
IKEv2
OSPF

Question 157
Which feature is not supported with unnumbered VTI?

Proxy interfaces
High availability
Policy based routing
Anti-spoofing

Question 158
In the gateway object, under topology you select the "Get All Members Interfaces with Topology"
option and your newly configured unnumbered VTIs are not populated. Why is this information
missing?

VTI information on unnumbered interfaces should appear, so there is an issue with your configuration.
VTI information on unnumbered interfaces is not required information for the VPN to
work.
VTI information on unnumbered interfaces needs to be entered manually.
In order to fetch VTI information on unnumbered interfaces you must add an explicit
rule to the policy.

Question 159
What operating systems support unnumbered VTIs?

GAIA and Secure Platform
Solaris and IPSO
GAIA and IPSO
Secure Platform and IPSO

Question 160
You would like to configure unnumbered VTIs and your environment uses load sharing clustering.
Would this clustering technology be supported by your unnumbered VTI's?

No, unnumbered VTIs only support VRRP HA active-passive mode.
Yes, unnumbered VTIs only support clustering load sharing.
Yes, all HA modes are supported.
No, unnumbered VTIs do not support any HA modes.

Question 161
You are configuring dynamic routing on Secure Platform, as the administrator you run the command
pro enable and reboot. You are confident that your configuration has been done correctly. When you
check, you find the dynamic routing daemon has not started. What is the likely cause of this issue?

Secure Platform does not support dynamic routing.
You need to apply the license and push the policy.
Dynamic routing needs to be enabled in cpconfig.
You must push the policy after your reboot.

Question 162
What is the prefix name for the interface when creating an unnumbered VTI in GAIA?

VTii
tun
vpnt
VTI

Question 163
How can an administrator stay up-to-date on the status of their VPN Tunnels?

Tracking settings can be configured on the Tunnel Management screen of the Community Properties screen for all VPN tunnels.
Make a change in /proc/net/tun.
Run vpn tu and select the option Live Monitoring.
In Smartview Tracker.

Question 164
Where would an administrator set an email alert for a specific permanent VPN tunnel?

Edit the file vpnconf.
Run sysconfig.
In the Tunnel Properties select Mail Alert.
You can only enable logging or SNMP traps.
Explanation:

C11O2 - Advanced VPN

Question 165
Which of these dynamic routing protocols CANNOT be used along with a VTI (VPN Tunnel Interface)?

OSPF
IGRP
RIPv1
BGP4

Question 166
When configuring a Numbered VPN-Tunnel, what parameters are necessary?

VPN Tunnel ID, Local Address, Remote Address
Peer, Local Address, Remote Address
VPN Tunnel ID, Peer, Local Address, Remote Address
VPN Tunnel ID, Peer, Physical Device

Question 167
You have to establish a VPN communication between 2 spokes, routed through the Hub gateway.
Where do you configure VPN routing?

Security Gateway Object
WebUI
vpn_route.conf
VPN shell

Question 168
Where do you enable Route-based VPN?

WebUI
VPN shell
Security Gateway Object
vpn_route.conf

Question 169
In the current release of Check Point R77, what is a potential performance-related drawback to using
Virtual Tunnel Interfaces (VTI) rather than Domain-based VPNs?

Use of VTIs will disable CoreXL and therefore will negatively impact hardware
platforms running more than one CPU core.
Dynamic routing protocols will work across a domain-based VPN, but will not work
across a VTI.
Use of VTIs will disable the entire SecureXL mechanism and prevent any traffic
acceleration.
Domain-based VPNs are easier to configure than VTIs and therefore is the preferred
implementation.

Question 170
What type(s) of VTI interfaces do Edge gateways support?

Both numbered and unnumbered
Unnumbered interfaces
Numbered interfaces
Neither numbered and unnumbered

Question 171
What does the command vpn shell interface add numbered 192.168.0.1 192.168.0.2 Gateway_A
to_B accomplish?

Between Security Gateways A and B, 192.168.0.1 is assigned as the endpoint IP address
to Gateway A. 192.168.0.2 is assigned to Gateway B.
Between Security Gateways A and B, 192.168.0.2 is assigned as the endpoint IP address
to Gateway A. 192.168.0.1 is assigned to Gateway B.
shell is not a valid option for the command vpn.
This command can be used to create a VPN tunnel from the command line without
having any VPN configuration in Smart Dashboard (although "IPSec VPN" must still be
enabled on the gateway).

Question 172
You are configuring a VTI in a clustered environment. Which of the following must be TRUE?

Every interface on each member requires a unique IP address.
Each member must have the same source IP address.
You do not need to have cluster IP addresses.
You cannot set up a VTI in a clustered environment.

Question 173
You are configuring VTIs in a clustered environment. On Peer A the VTI name is VT_Cluster_GWA and
on Peer B the VTI name is VT_Cluster_GWB. You find that the route-based tunnel is not coming up.
What could be the cause?

The names for your peers have been reversed.
You have not issued the "vpn write config" command.
You have not licensed your gateways for VTIs.
All VTIs going to the same remote peer must have the same name.

Question 174
What are the common Best Practices for configuring QoS over a route-based VPN?

IKE traffic must have a minimum Guarantee of 50% of the external interface
throughput.
QoS is not supported.
Ensure the VTI is numbered.
Ensure the VTI is unnumbered.

Question 175
Where do you configure VTIs on your R77 gateway in VSX mode?

VTIs are configured in each VS context.
VTIs are configured in VS0 context.
VTIs are not supported in VSX mode.
VTIs are configured in SmartDashboard.
Explanation:

C11O3-5 - Advanced VPN

Question 176
Which Dynamic Routing Protocols are supported in GAiA in a Route-based VPN configuration?

OSPF,BGP
OSPF
OSPF,BGP,RIPv2
OSPF,BGP,RIPv1,RIPv2

Question 177
Jane wants to create a VPN using OSPF. Which VPN configuration would you recommend she use?

Site-to-site VPN
Domain-based VPN
Route-based VPN
Remote-access VPN

Question 178
You are configuring dynamic VPN routing using OSPF. You have defined the gateways, created a fully
meshed VPN Community that includes all participating Gateways; created a rule to accept OSPF and
configured dynamic routing. OSPF adjacencies are not establishing. Which of the following could
explain why?

You have overlapping encryption domains.
You have not configured VTIs.
You must create a VPN star community.
Check Point does not support dynamic VPN routing using OSPF.

Question 179
Which routing protocols are not supported with GAIA OS running VTIs?

RIPv1; RIPv2
BGP
Static routes
OSPF

Question 180
You want to enable OSPF on Secure Platform, but you notice that the required gated daemon is not
running. How can you enable this?

Enter cpconfig, type Y to enable OSPF, type Y to restart Check Point services.
Enter cpconfig, type Y to enable Advanced Routing, type Y to restart Check Point
services.
At the command prompt enter tellpm gated.
Add an OSPF rule to your Rule Base.
