Checkpoint 156-115.77
Version 4.0
Score: 800/1000
Time Limit: 120 Minutes
Exam A (180 questions)
Question 1
When you perform an install database, the status window is filled with large amounts of text. What
could be the cause?
Question 2
When finished running a debug on the Management Server using the command fw debug fwm on,
how do you turn this debug off?
Question 3
Which commands will properly set the debug level to maximum and then run a policy install in debug
mode for the policy Standard on gateway A-GW from an R77 GAiA Management Server?
setenv TDERROR_ALL_ALL=5
fwm -d load A-GW Standard
setenv TDERROR_ALL_ALL=5
fwm -d load Standard A-GW
export TDERROR_ALL_ALL=5
fwm -d load Standard A-GW
export TDERROR_ALL_ALL=5
fwm -d load A-GW Standard
Question 4
Which of the following items is NOT part of the columns of the chain modules?
Inbound/Outbound chain
Function Pointer
Chain position
Module location
Question 6
The user tried to connect in SmartDashboard and it did not work. You started an FWM debug and
received the logs below:
Question 7
When troubleshooting and trying to understand which chain is causing a problem on the Security
Gateway, you should use the command:
fwm
cpd
fwd
DAService
Question 9
An fwm debug provides the following output. What prevents the customer from logging into
SmartDashboard?
Question 10
When performing a fwm debug, to which directory are the logs written?
$FWDIR/log
$FWDIR/log/fwm.elg
$FWDIR/conf/fwm.elg
$CPDIR/log/fwm.elg
Question 12
The fw tab -t ___________ command displays the NAT table.
loglist
tablist
fwx_alloc
conns
Question 13
While troubleshooting a DHCP relay issue, you run a fw ctl zdebug drop and see the following output:
Where 10.216.14.108 is the IP address of the DHCP server and 172.31.2.1 is the VIP of the Cluster.
What is the most likely cause of this drop?
Question 15
Since switching your network to ISP redundancy you find that your outgoing static NAT connections
are failing. You use the command _________ to debug the issue.
Question 16
Remote VPN clients can initiate connections with internal hosts, but internal hosts are unable to
initiate connections with the remote VPN clients, even though the policy is configured to allow it. You
think that this is caused by NAT. What command can you run to see if NAT is occurring on a packet?
fw tab -t fwx_alloc -x
fw ctl pstat
fwaccel stats misp
fw ctl debug -m fw + conn drop packet xlate xltrc nat
Question 17
Where in a fw monitor output would you see source address translation occur in cases of automatic
Hide NAT?
Question 19
Which flag in the fw monitor command is used to print the position of the kernel chain?
-all
-k
-c
-p
Question 20
Server A is subject to automatic static NAT and also resides on a network which is subject to
automatic Hide NAT. With regards to address translation, what will happen when Server A initiates
outbound communication?
Question 21
In your SecurePlatform configuration you need to set up a manual static NAT entry. After creating
the proper NAT rule what step needs to be completed?
Since Hide NAT changes to random high ports it is by definition PAT (Port Address
Translation).
Create a manual NAT rule and specify the source and destination ports.
Edit the service in SmartDashboard, click on the NAT tab and specify the translated
port.
Port Address Translation is not supported in a Check Point environment
Question 23
You have set up a manual NAT rule, however fw monitor shows you that the device still uses the
automatic Hide NAT rule. How should you correct this?
Move your manual NAT rule above the automatic NAT rule.
In Global Properties > NAT ensure that server side NAT is enabled.
Set the following fwx_alloc_man kernel parameter to 1.
In Global Properties > NAT ensure that Merge Automatic to Manual NAT is selected.
Question 24
Since R76 GAiA, what is the method for configuring proxy ARP entries for manual NAT rules?
Question 25
Tom is troubleshooting NAT issues using fw monitor and Wireshark. He tries to initiate a connection
from the external network to a DMZ server using the public IP which the firewall translates to the
actual IP of the server. He analyzes the captured packets using Wireshark and observes that the
destination IP is being changed as required by the firewall but does not see the packet leave the
external interface.
What could be the reason?
The translation might be happening on the client side and the packet is being routed
by the OS back to the external interface.
The translation might be happening on the server side and the packet is being routed
by OS back to the external interface.
Packet is dropped by the firewall.
After the translation, the packet is dropped by the Anti-Spoofing Protection.
Question 28
With the default ClusterXL settings what will be the state of an active gateway upon using the
command ClusterXL_admin up?
Ready
Down
Standby
Active
Question 29
Which command should you use to stop kernel module debugging (excluding SecureXL)?
fw ctl debug 0
fw ctl zdebug - all
fw debug fwd off; vpn debug off
fw debug fwd off
Question 30
Which command should you run to debug the VPN-1 kernel module?
fw debug vpn on
vpn debug on TDERROR_ALL_ALL=5
fw ctl zdebug crypt kbuf
fw ctl debug -m VPN all
Question 31
Which command can be used to see all active modules on the Security Gateway:
Question 33
Which of the following commands shows the high watermark threshold for triggering the cluster
under load mechanism in R77?
Question 34
What mechanism solves asymmetric routing issues in a load sharing cluster?
Question 35
When you have edited the local.arp configuration to support a manual NAT, what must be done to
ensure proxy ARPs for both manual and automatic NAT rules function?
In Global Properties > NAT tree select Merge manual proxy ARP configuration check
box
Run the command fw ctl ARP -a on the gateway
In Global Properties > NAT tree select Translate on client side check box
Create and run a script to forward changes to the local.arp tables of your gateway
fw tab -t connetion -u
fw ctl tab -t connetions -u
fw tab -t connetion -s
fw tab -t connections -x
Question 37
How can you see a dropped connection and the cause from the kernel?
fw zdebug drop
fw ctl debug drop on
fw debug drop on
fw ctl zdebug drop
Question 38
After creating and pushing out a new policy, Joe finds that an old connection is still being allowed
that should have been closed after his changes. He wants to delete the connection on the gateway,
and looks it up with fw tab -t connections -u. Joe finds the connection he is looking for. What
command should Joe use to remove this connection?
<0,a128c22,89,a158508,89,11;10001,2281,25,15b,a1,4ecdfeee,ac,691400ac,7b6,3e,ffffffff,3c,3c,0,0,0,0,0,0,0,0,0,0,0,0,0,0>
Question 39
Using the default values in R77, how many kernel instances will there be on a 16-core gateway?
16
8
12
14
Question 41
Each connection allowed by a Security Gateway will have a real entry and some symbolic link entries
in the connections state table. The symbolic link entries point back to the real entry using this:
C3O3 - ClusterXL
Question 42
Extended Cluster Anti-Spoofing checks what value to determine if a packet with the source IP of a
gateway in the cluster is being spoofed?
Question 43
How do you clear the connections table?
Edit the relevant table.def on the Management Server and add the line
no_hide_services_ports = { <17, 123> }; and then push policy.
Edit the relevant table.def on the gateway and add the line no_hide_services_ports =
{ <17, 123> };.
Edit the relevant table.def on the Management Server and add the line
no_hide_services_ports = { <123, 17> }; and then push policy.
Edit the relevant table.def on the gateway and add the line no_hide_services_ports =
{ <123, 17> }.
Question 45
Of the following answer choices, which best describes a possible effect of expanding the connections
table?
Question 46
Adam wants to find idle connections on his gateway. Which command would be best suited for
viewing the connections table?
fw tab -t connections
fw tab -t connections -u -f
fw tab -t connections -x
fw tab -t connections -s
Question 47
Which command will you run to list established VPN tunnels?
fw tab -t vpn_active
vpn compstat
fw tab -t vpn_routing
vpn tu
Packet3
Packet4
Packet5
Packet1
Question 49
The file ike.elg is a log file used to log IKE negotiations during VPN tunnel establishment. Where is
this file located?
/opt/CPshrd-R77/log
/opt/CPsuite-R77/fw1/log
/var/log/opt/CPsuite-R77/fg1/log
/opt/CPsuite-R77/fg1/log
Question 50
Which command displays compression/decompression statistics?
vpn ver -k
vpn compstat
vpn compreset
vpn crlview
Question 51
What debug file would you check to see what IKE version is being used?
fwpnd.elg
vpn.txt
debug.txt
vpnd.elg
Question 52
What file contains IKEv2 debug messages?
$FWDIR/log/ikev2
$FWDIR/log/ike.xml
$FWDIR/log/vpnd.elg
$FWDIR/log/ike.elg
$FWDIR/log/ikev2.xmll
$FWDIR/log/ike.xmll
$FWDIR/log/ike.elg
$FWDIR/log/vpnd.elg
Question 54
What is the log file that shows the processes that participate in the tunnel initiation stage?
$FWDIR/log/ikev2.xmll
$FWDIR/log/ike.xmll
$FWDIR/log/vpnd.elg
$FWDIR/log/ike.elg
Question 55
Which program could you use to analyze Phase I and Phase II packet exchanges?
vpnView
Check PointView
IKEView
vpndebugView
Question 56
Check Point Best Practices suggest that when you finish a kernel debug, you should run the command
_____________________ .
fw debug 0
fw debug off
fw ctl debug default
fw ctl debug 0
Question 58
You are attempting to establish a VPN tunnel between a Check Point gateway and a 3rd party
vendor. When attempting to send traffic to the peer gateway it is failing. You look in SmartView
Tracker and see that the failure is due to "Encryption failure: no response from peer". After running a
VPN debug on the problematic gateway, what is one of the files you would want to analyze?
$FWDIR/log/fw.log
$FWDIR/log/fwd.elg
$FWDIR/log/ike.elg
/var/log/fw_debug.txt
Question 60
In IKEView while troubleshooting a VPN issue between your gateway and a partner site you see an
entry that states "Invalid ID". Which of the following is the most likely cause?
Question 61
While troubleshooting a VPN issue between your gateway and a partner site you see an entry in
SmartView Tracker that states "Info: encryption failure: Different community ID: possible NAT
problem".
Which of the following is the most likely cause?
Question 62
You are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log
on your gateway that states "Clear text packet should be encrypted". Which of the following would
be the best troubleshooting step?
Use the excluded services in the VPN community to exclude this traffic from the VPN
or determine why the traffic is leaving the initiating (partner) gateway as clear text.
Use the excluded services in the VPN community to exclude this traffic from the VPN
or determine why the traffic is leaving local (your) gateway as clear text.
Your phase one algorithms are mismatched between gateways.
This is management traffic and we need to enable implied rule to address this issue.
Question 64
You are experiencing an issue where the Endpoint Connect client connects successfully; however, it
disconnects every 20 seconds. What is the most likely cause of this issue?
The Accept Remote Access control connections is not enabled in Global Properties >
FireWall Implied Rules.
You have selected IKEv2 only in Global Properties > Remote Access > VPN -
Authentication and Encryption.
You are not licensed for Endpoint Connect client.
Your remote access community is not configured.
Virtual Tunnel Interface (VTI) Mode can bypass firewall for all encrypted traffic
Hub Mode can be used to bypass stateful inspection
There is no such mode that can bypass firewall enforcement
Wire mode can be used to bypass stateful inspection
Question 66
When VPN user-based authentication fails, which of the following debug logs is essential to
understanding the issue?
Question 67
In Tracker you are troubleshooting a VPN issue between your gateway and a partner site and you get
a drop log that states "No proposal chosen". What is the most likely cause?
Question 68
When are rules that include identity awareness access roles accelerated through SecureXL?
Question 69
What command shows the same information as fwaccel stats -l?
cat /proc/ppk/cpls
cat /proc/ppk/statistics
cphaprob -a hconf
fwaccell stats -s -u -k
Question 71
What is the corresponding connection template entered into the SecureXL connection table from the
connection: "10.0.0.100:1024 > 216.239.59.59:80"
Question 72
When are rules that include Identity Awareness Access (IDA) roles accelerated through SecureXL?
5
1
4
3
Question 74
When optimizing a customer firewall Rule Base, what is the BEST way to start the analysis?
With the command fwaccel stat followed by the command fwaccel stats.
At the top of the Rule Base.
Using the hit count column.
Using the Compliance Software Blade.
Question 75
What do the 'F' flags mean in the output of fwaccel conns?
Forward to firewall
Flag set for debug
Fast path packets
Flow established
Question 77
A firewall administrator knows the details of the packet header for an already established connection
going through a firewall. What command will show if SecureXL will accelerate that packet?
Question 78
What is the command to check how many connections the firewall has detected for the SecureXL
device?
fw tab -t connections -s
fw tab -t cphwd_db -s
fw tab -t connection -s | grep template
fwaccel conns
Connections are being partially accelerated by SecureXL, but too many packets are
still being processed by the firewall kernel.
The Secure Network Dispatcher (SND) is having to process too much inbound traffic
from the NICs.
Connections are not being accelerated by SecureXL, and all packets are being
forwarded to firewall kernel instances for inspection.
The Secure Network Dispatcher (SND) is working too hard to distribute the traffic to
the acceleration layer.
Question 80
Which of the following statements are TRUE about SecureXL?
Question 82
In an HA cluster, you modify the number of cores given to CoreXL on only one member using
cpconfig and then issue a reboot. What is the expected ClusterXL status of this member when it
comes up?
Standby
Ready
Active
Down
Question 83
Which information CANNOT be displayed by issuing the command cat /proc/cpuinfo?
CPU family
NFS_Unstable
fpu
vendor_id
top
sysconfig
cat /proc/cpuinfo
fw tab
Question 85
Where would you find CPU information like model, number of cores, vendor and architecture?
Question 86
From which version can you add Proxy ARP entries through the GAiA portal?
R77.10
R77
R75.40
R76
Question 87
What happens to manual changes in the file $FWDIR/conf/local.arp when adding Proxy ARP entries
through the GAiA portal or Clish?
Nothing.
If the file $FWDIR/conf/local.arp has been edited manually, you are not able to add
Proxy ARP entries through the GAiA portal or Clish.
They are merged with the new entries added from the GAiA Portal / Clish.
They are overwritten.
Question 89
The 'Maximum Entries' value in the GAiA Portal corresponds to the 'gc_thresh3' parameter in the
Linux kernel and has a value of 1024. Knowing this, you know that gc_thresh2 and gc_thresh1 are
automatically set to the values:
Question 90
Your ARP cache is overflowing, negatively impacting users' experience on your network. Which
command can you issue to increase the ARP cache on the fly? You do not need this to survive reboot.
Question 91
Your gateway object is currently defined with a max connection count of 25k connections in
SmartDashboard. Which of the following commands would show you the current and peak connection
counts?
free
fw ctl pstat
cat /proc/meminfo
memoryinfo.conf
Question 93
What does the command fwaccel templates do?
Starts firewall acceleration after fwaccel off was run or SecureXL was enabled by
using the command cpconfig.
That SecureXL has been enabled in the cpconfig command menu.
Shows templates existing in the SecureXL device. This is so that an administrator can
look for the template that matches the specific traffic.
The Rule Base mapping between actual rules and the template built up in Layer 2.
Question 94
Running the command fw ctl pstat -l would return what information?
Question 95
You have a user-defined SMTP trap configured to send an alert to your mail server, and you also have
SmartView Monitor configured to trigger the alert whenever policy is pushed to your gateway.
However, you are not getting any mails even when you test for pushing policy. What process should
you troubleshoot on the Management Server?
fwd
fwm
cpwd_admin
cpstat_monitor
Question 97
You have just configured HA and find that connections are not being synced. When you have a
failover, users complain that they are losing their connections. What command could you run to see
the state synchronization statistics?
fw ctl pstat
fw sync stats
cphaprob stat
fw ctl get int fw_state_sync_stats
Question 98
Which of the following is a valid synchronization status as an output to fw ctl pstat?
Question 99
You are running some diagnostics on your GAIA gateway. You are reviewing the number of
fragmented packets; you notice that there are a lot of large and duplicate packets. Which command
did you issue to get this information?
sysconfig
fw ctl pstat
fw ctl get int fw_frag_stats
cat /proc/cpuinfo
ps -aux
top
cat /proc/net/capacity
fw ctl pstat
Question 101
Under which scenario would you most likely consider the use of Multi-Queue?
Question 102
If you need to use a Domain object in the Rule Base, where should this rule be located?
Question 103
You have a requirement to implement a strict security policy. With this in mind, you must create a
stealth rule. How will this impact your packet acceleration?
Question 105
In a ClusterXL cluster with delayed synchronization, which of the following is not true?
Question 106
What is the best way to see how a firewall is performing while processing packets in the firewall
path, including resource usage?
fw getperf
SecureXL stat
fwaccel stats
fw ctl pstat
Question 107
What is the best way to see how much traffic went through the firewall that was TCP, UDP and
ICMP?
fwaccel conns
fw tab -t connections -p
fwaccel stats
fw ctl pstat
$FWDIR/conf/fwkern.conf
$FWDIR/boot/modules/fwkern.conf
$FWDIR/boot/confwkern.conf
$FWDIR/boot/fwkern.conf
Question 109
ACME Corp has a cluster consisting of two 13500 appliances. As the Firewall Administrator, you
notice that on an output of top, you are seeing high CPU usage of the cores assigned as SNDs, but
low CPU usage on cores assigned to individual fw_worker_X processes. What command should you
run next to performance tune your cluster?
fw ctl debug -m cluster + all - this will show you all the connections being processed
by ClusterXL and explain the high CPU usage on your appliance.
fwaccel off - this will turn off SecureXL, which is causing your SNDs to be running high
in the first place.
fwaccel stats -s - this will show you the acceleration profile of your connections and
potentially why your SNDs are running high while other cores are running low.
fw tab -t connections -s - this will show you a summary of your connections table,
and allow you to determine whether there is too much traffic traversing your firewall.
Question 111
The CoreXL software architecture includes the Secure Network Dispatcher (SND). One of the
responsibilities of SND is to:
cpconfig
SmartDashboard
sysconfig
CoreXL automatically recognizes the number of cores on a system at startup so there
is no method or reason to modify the setting.
Question 113
What command verifies which core each gateway interface and firewall instance is currently running
on?
fw ctl pstat
fw accel stat
show corexl stat
fw ctl affinity -l
Question 114
A Security Administrator wants to increase the amount of processing cores on a Check Point Security
Gateway. He starts by increasing the number of cores; however, the number of kernel instances
remains the same. What is the correct process to increase the number of kernel instances?
Cpconfig- Enable Check Point CoreXL- Change the number of firewall instances-define
how many firewall instances to enable-cprestart
Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how
many firewall instances to enable-reboot
Cpconfig- Enable Check Point ClusterXL- Change the number of firewall instances-
define how many firewall instances to enable-reboot
Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how
many firewall instances to enable-cpstop,cpstart
Question 115
What command displays the Connections Table for a specified CoreXL firewall instance?
fw tab -t connections -s
fw -i FW_INSTANCE_ID tab -t connections [flags]
fw tab -t connection | grep fw<FW_INSTANCE_ID>
fw tab -t connections
Question 117
Where would you go to adjust the number of Kernels in CoreXL?
Cpconfig
fw ctl conf
fw ctl affinity
fw ctl multik stat
Question 118
CoreXL on IPSO R77.20 does NOT support which of the following features?
Question 119
When troubleshooting a performance problem on a multicore firewall that is using CoreXL, what
command checks the number of connections each core is processing?
sim affinity -l
cat fwkern.conf
fw CTL pstat
fw ctl multik stat
This is not possible CoreXL is best left to manage the Kernel to CPU core mappings. It
is only when a daemon is bound to a dedicated core that CoreXL will ignore that CPU core
when mapping Kernel instances to CPU cores.
fw ctl affinity -s -k 3 5
Run fwaffinity_apply -t 3 -k 5 and then check that the settings have taken effect with
the command fw ctl multik stat.
Edit the file fwaffinity.conf and add the line "k3 cpuid 5"
Question 121
What command would you use to check if CoreXL is enabled?
Question 122
Which command will allow you to change firewall affinity and survive a reboot with no further
modification?
fw ctl affinity -s
sim affinity -l
fw affinity -l
sim affinity -s
Question 123
What does the output of the commands fw ctl multik stat and fw6ctl multik stat show?
Only the number of total connections currently being handled by all Kernels on a
CoreXL-enabled firewall.
Information for each kernel instance. The output displays state and processing core
number of each instance.
Which CPU cores are Kernel and SND bound cores.
The number of Firewall Kernels that are installed.
cpconfig
cphaprob -a if
fw ctl multik stat
cphaprob stat
Question 125
What is required when changing the configuration of the number of workers in CoreXL?
A reboot
cpstop/cpstart
evstop/evstart
A policy installation
Question 126
In IPS which of the two initial profiles is the more resource intensive?
Prevention
Standard
Default
Recommended
Question 127
In IPS what does a high confidence rating mean?
This is a rating for how confident Check Point is with catching this attack
This is a rating for how likely this attack is to penetrate most systems
There is a high likelihood of false positives
There is a low likelihood of false positives
Question 128
Which of the following CANNOT be used as a source/destination for an IPS network exception?
Network Group
Identity Awareness Access Role
Any
IP Address
asm.C
objects.C
objects_5_0.C
IpToCountry.csv
Question 130
When performing a Clean IPS procedure to resolve a corrupt IPS files issue, what file is modified in
order for the SDUU process to automatically update the IPS files after completing the procedure?
asm.C
inspect.C
objects_5_0.C
profiles.C
Question 131
How would one enable 'INSPECT debugging' if one suspects IPS false positives?
Run command fw ctl set int enable_inspect_debug 1 from the command line.
Toggle the checkbox in Global Properties > Firewalls > Inspection section.
WebUI
Set the following parameter to true using GuiDBedit:
enable_inspect_debug_compilation.
Question 132
Jerry is a network administrator for ACME Co. Their network contains 5 gateways, all managed by a
single Management Server. They are currently receiving an exorbitant amount of false positives for
traffic traversing their network. Based on this information, what factor do you think is contributing
most to the high amount of false positives Jerry is receiving?
Question 134
What steps can be taken if IPS is causing a High Performance Impact?
Consider activating the "Bypass under Load" IPS setting on the gateway
Check your IPS configuration assigned to this gateway and deactivate protections
with critical or high performance impact
Determine if different or custom IPS profiles are better suited for different gateways
in your organization
All options listed
Question 135
When the IPS 'Bypass under Load' mechanism detects that certain CPU and memory usage
thresholds have been reached, which of the following occurs?
Question 136
Which of the following IPS Layers is responsible for ensuring that only valid retransmission packets
are allowed to proceed to destinations?
Protocol Parsers
Context Management Interface layer (CMI)
Protections
Passive Streaming Library (PSL)
Question 138
Which of the following IPS Layers is the "brain" of the IPS? That is, what coordinates between
different components, decides which protections should run on a certain packet, decides the final
action to be performed on the packet and issues an event log?
Protections
Passive Streaming Library (PSL)
Protocol Parsers
Context Management Interface layer (CMI)
Question 139
Which of the following IPS Layers is a set of signatures and/or handlers, where:
Question 140
You have strict IPS corporate guidelines. This is having a performance impact on the firewall. What
steps could you take to minimize this impact without compromising the corporate policy?
An interface on the Gateway can either have IPv4 or IPv6 IP address or have both.
As of version R77, IPv6 is only supported on Security Management Server.
IPv4 will be completely disabled when IPv6 has been enabled.
An interface on the Gateway can either have IPv4 or IPv6 IP address but cannot have
both.
Question 142
Which of the following is true about Node / Host objects?
A Node / Host object can either have IPv4 or IPv6 IP address or have both.
A Node / Host object can either have IPv4 or IPv6 IP address but not have both.
Separate objects need to be created for hosts that use dual stack.
A Node / Host object can only have IPv4 IP address. For IPv6, a Node / Host6 object
must be used.
Node / Host object does not support IPv6, hence a Network object must be created
for IPv6.
Question 143
Which of these commands can be used to display the IPv6 routes?
show route
show ipv6 route
show routes all
show route ipv6
Question 144
Which of these commands can be used to display the IPv6 status?
show ipv6-stat
show ipv6 all
show ipv6 status
show ipv6-status
Question 146
A system administrator wants to convert an IPv6 gateway from a standard gateway into a gateway
running VSX mode. What does he need to consider?
Question 147
How do you enable IPv6 support on an R77 gateway running the GAiA OS?
Question 148
How do you disable IPv6 on an IPSO gateway?
Question 150
Which of the following statements about Full HA support with IPv6 is NOT true?
Question 151
When troubleshooting a VPN site-to-site to a peer, it may be necessary to "down" the tunnel. What
is the best method to remove ONLY the tunnel to this peer?
Change the vpn tunnel sharing parameters to force the tunnel down.
Reboot your gateway.
Remove the peer from the community and install policy.
Delete the IKE and IPsec Security Associations using the command vpn tu.
Question 152
In Check Point, Domain-based VPNs take precedence over route-based VPNs. If implementing a
route-based VPN, what is one configuration step you must make on the gateway object taking part
in the route-based VPN?
vpn sw_topology
vpn shell
vpn set_slim_server
vpn tu
Question 154
Where do you configure the file user.def to change the encryption domain of the Security Gateway?
Management Server
Endpoint Client
Security Gateway
interoperable device
Question 155
Henry is attempting to verify VPN connectivity between two hosts, x and y. Of the following
commands, which could be BEST used to verify connectivity of this VPN?
Question 156
Which technology is not supported with route-based VPNs?
Unnumbered VTI
Numbered VTI
IKEv2
OSPF
Proxy interfaces
High availability
Policy based routing
Anti-spoofing
Question 158
In the gateway object, under topology you select the "Get All Members Interfaces with Topology"
option and your newly configured unnumbered VTIs are not populated. Why is this information
missing?
Question 159
What operating systems support unnumbered VTIs?
Question 160
You would like to configure unnumbered VTIs and your environment uses load sharing clustering.
Would this clustering technology be supported by your unnumbered VTIs?
Question 162
What is the prefix name for the interface when creating an unnumbered VTI in GAIA?
VTii
tun
vpnt
VTI
Question 163
How can an administrator stay up-to-date on the status of their VPN Tunnels?
Question 164
Where would an administrator set an email alert for a specific permanent VPN tunnel?
OSPFR
IGRP
IPv1
BGP4
Question 166
When configuring a Numbered VPN-Tunnel, what parameters are necessary?
Question 167
You have to establish a VPN communication between 2 spokes, routed through the Hub gateway.
Where do you configure VPN routing?
Question 168
Where do you enable Route-based VPN?
WebUI
VPN shell
Security Gateway Object
vpn_route.conf
Use of VTIs will disable CoreXL and therefore will negatively impact hardware
platforms running more than one CPU core.
Dynamic routing protocols will work across a domain-based VPN, but will not work
across a VTI.
Use of VTIs will disable the entire SecureXL mechanism and prevent any traffic
acceleration.
Domain-based VPNs are easier to configure than VTIs and are therefore the preferred
implementation.
Question 170
What type(s) of VTI interfaces do Edge gateways support?
Question 171
What does the command vpn shell interface add numbered 192.168.0.1 192.168.0.2 Gateway_A to_B accomplish?
Question 172
You are configuring a VTI in a clustered environment. Which of the following must be TRUE?
Question 174
What are the common Best Practices for configuring QoS over a route-based VPN?
IKE traffic must have a minimum Guarantee of 50% of the external interface
throughput.
QoS is not supported.
Ensure the VTI is numbered.
Ensure the VTI is unnumbered.
Question 175
Where do you configure VTIs on your R77 gateway in VSX mode?
Question 176
Which Dynamic Routing Protocols are supported in GAiA in a Route-based VPN configuration?
OSPF,BGP
OSPF
OSPF,BGP,RIPv2
OSPF,BGP,RIPv1,RIPv2
Site-to-site VPN
Domain-based VPN
Route-based VPN
Remote-access VPN
Question 178
You are configuring dynamic VPN routing using OSPF. You have defined the gateways, created a fully
meshed VPN Community that includes all participating Gateways; created a rule to accept OSPF and
configured dynamic routing. OSPF adjacencies are not establishing. Which of the following could
explain why?
Question 179
Which routing protocols are not supported with GAIA OS running VTIs?
RIPv1; RIPv2
BGP
Static routes
OSPF
Question 180
You want to enable OSPF on SecurePlatform, but you notice that the required gated daemon is not
running. How can you enable this?
Enter cpconfig, type Y to enable OSPF, type Y to restart Check Point services.
Enter cpconfig, type Y to enable Advanced Routing, type Y to restart Check Point
services.
At the command prompt enter tellpm gated.
Add an OSPF rule to your Rule Base.