Checkpoint 156-115.77 Exam
Topic 1, Chain Modules

QUESTION NO: 1

What command would you use for a packet capture on an absolute position for TCP streaming
(out) 1ffffe0?

A. fw ctl chain -po 1ffffe0 -o monitor.out


B. fw monitor -po -0x1ffffe0 -o monitor.out
C. fw monitor -e 0x1ffffe0 -o monitor.out
D. fw monitor -pr 1ffffe0 -o monitor.out

Answer: B
Explanation:

QUESTION NO: 2

The command fw monitor -p all displays what type of information?

A. It captures all points of the chain as the packet goes through the firewall kernel.
B. This is not a valid command.
C. The -p is used to resolve MAC address in the firewall capture.
D. It does a firewall monitor capture on all interfaces.

Answer: A
Explanation:

QUESTION NO: 3

What does the IP Options Strip represent under the fw chain output?

A. IP Options Strip is not a valid fw chain output.
B. The IP Options Strip removes the IP header of the packet prior to being passed to the other kernel
functions.
C. The IP Options Strip copies the header details to forward the details for further IPS inspections.
D. IP Options Strip is only used when VPN is involved.

Answer: B
Explanation:

QUESTION NO: 4

The command that lists the firewall kernel modules on a Security Gateway is:

A. fw list kernel modules
B. fw ctl kernel chain
C. fw ctl debug -m
D. fw list modules

Answer: C
Explanation:

QUESTION NO: 5

Which of the following BEST describes the command fw ctl chain function?

A. View how CoreXL is distributing traffic among the firewall kernel instances.
B. View established connections in the connections table.
C. View the inbound and outbound kernel modules and the order in which they are applied.
D. Determine if VPN Security Associations are being established.

Answer: C
Explanation:

QUESTION NO: 6

The command _____________ shows which firewall chain modules are active on a gateway.

A. fw stat
B. fw ctl debug
C. fw ctl chain
D. fw ctl multik stat

Answer: C
Explanation:

QUESTION NO: 7

The command fw ctl kdebug <params> is used to:

A. list enabled debug parameters.


B. read the kernel debug buffer to obtain debug messages.
C. enable kernel debugging.
D. select specific kernel modules for debugging.

Answer: B
Explanation:


QUESTION NO: 8

Compare these two images to establish which blade/feature was disabled on the firewall.

A. IPS
B. VPN
C. NAT
D. L2TP

Answer: B
Explanation:

QUESTION NO: 9

What command would give you a summary of all the tables available to the firewall kernel?

A. fw tab
B. fw tab -s
C. fw tab -h
D. fw tab -o

Answer: B
Explanation:

QUESTION NO: 10

What flag option(s) must be used to dump the complete table in friendly format, assuming there
are more than one hundred connections in the table?

A. fw tab -t connections -f
B. fw tab -t connect -f -u
C. fw tab -t connections -s
D. fw tab -t connections -f -u

Answer: B
Explanation:

QUESTION NO: 11

Which directory below contains the URL Filtering engine update info? Here you can also go to
see the status of the URL Filtering and Application Control updates.

A. $FWDIR/urlf/update
B. $FWDIR/appi/update
C. $FWDIR/appi/urlf
D. $FWDIR/update/appi

Answer: B
Explanation:

QUESTION NO: 12

For URL Filtering in the Cloud in R75 and above, what table is used to contain the URL Filtering
cache values?

A. urlf_blade_on_gw
B. urlf_cache_tbl
C. urlf_cache_table
D. url_scheme_tab

Answer: C
Explanation:

QUESTION NO: 13

You are troubleshooting a Security Gateway, attempting to determine which chain is causing a
problem. What command would you use to show all the chains through which traffic passed?

A. [Expert@HostName]# fw ctl chain
B. [Expert@HostName]# fw monitor -e "accept;" -p all
C. [Expert@HostName]# fw ctl debug -m
D. [Expert@HostName]# fw ctl zdebug all

Answer: B
Explanation:

QUESTION NO: 14

True or False: Software blades perform their inspection primarily through the kernel chain
modules.

A. False. Software blades do not pass through the chain modules.


B. True. Many software blades have their own dedicated kernel chain module for inspection.
C. True. All software blades are inspected by the IP Options chain module.
D. True. Most software blades are inspected by the TCP streaming or Passive Streaming chain
module.

Answer: B
Explanation:

QUESTION NO: 15

When using the command fw monitor, what command ensures the capture is accurate?

A. export TDERROR_ALL_ALL=5
B. fwaccel off
C. fwaccel on
D. fw accel off

Answer: B
Explanation:
C1O2 - Chain Modules

QUESTION NO: 16

You are running a debugging session and you have set the debug environment to
TDERROR_ALL_ALL=5 using the command export TDERROR_ALL_ALL=5. How do you return
the debug value to defaults?

A. fw ctl debug 0x1ffffe0


B. fw debug 0x1ffffe0
C. export TDERROR_ALL_ALL
D. unset TDERROR_ALL_ALL

Answer: D
Explanation:

QUESTION NO: 17

What command would you use to view which debugs are set in your current working environment?

A. “env” and “fw ctl debug”


B. “cat /proc/etc”
C. “fw ctl debug all”
D. “export”

Answer: A
Explanation:

QUESTION NO: 18

What causes the SIP Early NAT chain module to appear in the chain?

A. The SIP traffic is trying to pass through the firewall.


B. SIP is configured in IPS.
C. A VOIP domain is configured.
D. The default SIP service is used in the Rule Base.

Answer: D
Explanation:

QUESTION NO: 19

When you perform an install database, the status window is filled with large amounts of text. What
could be the cause?

A. There is an active fw monitor running.


B. There is an environment variable of TDERROR_ALL_ALL set on the gateway.
C. There is an active debug on the SmartConsole.
D. There is an active debug on the FWM process.

Answer: D
Explanation:

QUESTION NO: 20

When finished running a debug on the Management Server using the command fw debug fwm on
how do you turn this debug off?

A. fwm debug off


B. fw ctl debug off
C. fw debug off
D. fw debug fwm off

Answer: D
Explanation:

QUESTION NO: 21

Which commands will properly set the debug level to maximum and then run a policy install in
debug mode for the policy Standard on gateway A-GW from an R77 GAiA Management Server?

A. setenv TDERROR_ALL_ALL=5
fwm -d load A-GW Standard
B. setenv TDERROR_ALL_ALL=5
fwm -d load Standard A-GW
C. export TDERROR_ALL_ALL=5
fwm -d load Standard A-GW
D. export TDERROR_ALL_ALL=5
fwm -d load A-GW Standard

Answer: C
Explanation:

QUESTION NO: 22

Which of the following items is NOT part of the columns of the chain modules?

A. Inbound/Outbound chain
B. Function Pointer
C. Chain position
D. Module location

Answer: A
Explanation:

QUESTION NO: 23

John is a Security Administrator of a Check Point platform. He has a mis-configuration issue that
points to the Rule Base. To obtain information about the issue, John runs the command:

A. fw debug fw on and checks the file fwm.elg.


B. fw kdebug fwm on and checks the file fwm.elg.
C. fw debug fwm on and checks the file fwm.elg.
D. fw kdebug fwm on and checks the file fw.elg.

Answer: C
Explanation:

QUESTION NO: 24

The user tried to connect in SmartDashboard and it did not work. You started an FWM debug and
received the logs below:

What is the error cause?

A. IP not defined in $FWDIR/conf/gui-clients


B. Wrong user and password
C. Wrong password
D. Wrong user

Answer: D
Explanation:

QUESTION NO: 25

When troubleshooting and trying to understand which chain is causing a problem on the Security
Gateway, you should use the command:

A. fw ctl zdebug drop


B. fw tab -t connections
C. fw monitor -e "accept;" -p all
D. fw ctl chain

Answer: C
Explanation:

QUESTION NO: 26

Which process should you debug when SmartDashboard authentication is rejected?

A. fwm
B. cpd
C. fwd
D. DAService

Answer: A
Explanation:

QUESTION NO: 27

A fwm debug provides the following output. What prevents the customer from logging into
SmartDashboard?

A. There is no policy to log in to SmartDashboard
B. FWM process has crashed and returned null to access
C. User and password are incorrect
D. IP not defined in $FWDIR/conf/gui-clients

Answer: D
Explanation:


QUESTION NO: 28

When performing a fwm debug, to which directory are the logs written?

A. $FWDIR/log
B. $FWDIR/log/fwm.elg
C. $FWDIR/conf/fwm.elg
D. $CPDIR/log/fwm.elg

Answer: B
Explanation:

Topic 2, NAT

QUESTION NO: 29

You are attempting to establish an FTP session between your computer and a remote server, but
it is not being completed successfully. You think the issue may be due to IPS. Viewing SmartView
Tracker shows no drops. How would you confirm if the traffic is actually being dropped by the
gateway?

A. Search the connections table for that connection.


B. Run a fw monitor packet capture on the gateway.
C. Look in SmartView Monitor for that connection to see why it’s being dropped.
D. Run fw ctl zdebug drop on the gateway.

Answer: D
Explanation:

QUESTION NO: 30

The fw tab -t ___________ command displays the NAT table.

A. loglist
B. tablist
C. fwx_alloc
D. conns

Answer: C
Explanation:

QUESTION NO: 31

While troubleshooting a DHCP relay issue, you run a fw ctl zdebug drop and see the following
output:

;[cpu_1];[fw_0];fw_log_drop: Packet proto=17 10.216.14.108:67 > 172.31.2.1:67 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed;

Where 10.216.14.108 is the IP address of the DHCP server and 172.31.2.1 is the VIP of the
Cluster. What is the most likely cause of this drop?

A. An inbound collision due to a connections table check on pre-existing connections.


B. An outbound collision due to a Rule Base check, and dropped by incorrectly configuring DHCP
in the firewall policy.
C. A link collision due to more than one NAT symbolic link being created for outgoing connections
to the DHCP server.
D. A link collision due to more than one NAT symbolic link being created for connections returning
from the DHCP server back to the VIP of the Cluster.

Answer: D
Explanation:

QUESTION NO: 32

You are trying to troubleshoot a NAT issue on your network, and you use a kernel debug to verify
a connection is correctly translated to its NAT address. What flags should you use for the kernel
debug?

A. fw ctl debug -m fw + conn drop nat vm xlate xltrc


B. fw ctl debug -m fw + conn drop ld
C. fw ctl debug -m nat + conn drop nat xlate xltrc
D. fw ctl debug -m nat + conn drop fw xlate xltrc

Answer: A
Explanation:

QUESTION NO: 33

Since switching your network to ISP redundancy you find that your outgoing static NAT
connections are failing. You use the command _________ to debug the issue.

A. fwaccel stats misp


B. fw ctl pstat
C. fw ctl debug -m fw + nat drop
D. fw tab -t fwx_alloc -x

Answer: C
Explanation:

QUESTION NO: 34

Remote VPN clients can initiate connections with internal hosts, but internal hosts are unable to
initiate connections with the remote VPN clients, even though the policy is configured to allow it.
You think that this is caused by NAT. What command can you run to see if NAT is occurring on a
packet?

A. fw tab -t fwx_alloc -x
B. fw ctl pstat
C. fwaccel stats misp
D. fw ctl debug -m fw + conn drop packet xlate xltrc nat

Answer: D
Explanation:

QUESTION NO: 35

Where in a fw monitor output would you see source address translation occur in cases of
automatic Hide NAT?

A. Between the “I” and “o”


B. Hide NAT does not adjust the source IP
C. Between the “o” and “O”
D. Between the “i” and “I”

Answer: C
Explanation:

QUESTION NO: 36

Where in a fw monitor output would you see destination address translation occur in cases of
inbound automatic static NAT?

A. Static NAT does not adjust the destination IP


B. Between the “i” and “I”
C. Between the “I” and “o”
D. Between the “o” and “O”

Answer: B
Explanation:

QUESTION NO: 37

Which flag in the fw monitor command is used to print the position of the kernel chain?

A. -all
B. -k
C. -c
D. -p

Answer: D
Explanation:

QUESTION NO: 38

Server A is subject to automatic static NAT and also resides on a network which is subject to
automatic Hide NAT. With regard to address translation, what will happen when Server A initiates
outbound communication?

A. This will cause a policy verification error.


B. This is called hairpin NAT, the traffic will return to the server.
C. The static NAT will take precedence.
D. The Hide NAT will take precedence.

Answer: C
Explanation:

QUESTION NO: 39

In your SecurePlatform configuration you need to set up a manual static NAT entry. After creating
the proper NAT rule what step needs to be completed?

A. Edit or create the file local.arp.


B. No further actions are required.
C. Edit or create the file discntd.if.
D. Edit the file netconf.conf.

Answer: A
Explanation:

QUESTION NO: 40

How do you set up Port Address Translation?

A. Since Hide NAT changes to random high ports it is by definition PAT (Port Address
Translation).
B. Create a manual NAT rule and specify the source and destination ports.
C. Edit the service in SmartDashboard, click on the NAT tab and specify the translated port.
D. Port Address Translation is not supported in a Check Point environment.

Answer: B
Explanation:

QUESTION NO: 41

You have set up a manual NAT rule, however fw monitor shows you that the device still uses the
automatic Hide NAT rule. How should you correct this?

A. Move your manual NAT rule above the automatic NAT rule.
B. In Global Properties > NAT ensure that server side NAT is enabled.
C. Set the following fwx_alloc_man kernel parameter to 1.
D. In Global Properties > NAT ensure that Merge Automatic to Manual NAT is selected.

Answer: A
Explanation:

QUESTION NO: 42

Since R76 GAiA, what is the method for configuring proxy ARP entries for manual NAT rules?

A. WebUI or add proxy ARP ... commands via CLISH


B. SmartView Tracker
C. local.arp file
D. SmartDashboard

Answer: A
Explanation:

QUESTION NO: 43

Tom is troubleshooting NAT issues using fw monitor and Wireshark. He tries to initiate a
connection from the external network to a DMZ server using the public IP which the firewall
translates to the actual IP of the server. He analyzes the captured packets using Wireshark and
observes that the destination IP is being changed as required by the firewall but does not see the
packet leave the external interface. What could be the reason?

A. The translation might be happening on the client side and the packet is being routed by the OS
back to the external interface.
B. The translation might be happening on the server side and the packet is being routed by OS
back to the external interface.
C. Packet is dropped by the firewall.
D. After the translation, the packet is dropped by the Anti-Spoofing Protection.

Answer: B
Explanation:

QUESTION NO: 44

Tom has a Web server for which he has created a manual NAT rule. The rule is not working. He
tries to initiate a connection from the external network to a DMZ server using the public IP which
the firewall translates to the actual IP of the server. He analyzes the captured packets using
Wireshark and observes that the destination IP is being changed as required by the firewall but
does not see the packet leave the internal interface. Which box in Global Properties should be
checked?

A. Automatic NAT rules > Allow bi-directional NAT
B. Automatic NAT rules > Automatic ARP Configuration
C. Automatic NAT rules > Translate destination on client side
D. Manual NAT rules > Translate destination on client side

Answer: D
Explanation:

QUESTION NO: 45

Which FW-1 kernel flags should be used to properly debug and troubleshoot NAT issues?

A. nat, route, conn, fwd, zeco, err


B. nat, xlate, fwd, vm, ld, chain
C. nat, xltrc, xlate, drop, conn, vm
D. nat, drop, conn, xlate, filter, ioctl

Answer: C
Explanation:

QUESTION NO: 46

Which file should be edited to modify ClusterXL VIP Hide NAT rules, and where?

A. $FWDIR/lib/base.def on the cluster members


B. $FWDIR/lib/table.def on the SMC
C. $FWDIR/lib/table.def on the cluster members
D. $FWDIR/lib/base.def on the SMC

Answer: B
Explanation:

QUESTION NO: 47

When viewing a NAT table, what represents the second hexadecimal number of the 6-tuple?

A. Source port
B. Protocol
C. Source IP
D. Destination port

Answer: C
Explanation:

QUESTION NO: 48

By default, the size of the fwx_alloc table is:

A. 65535
B. 65536
C. 25000
D. 1024

Answer: C
Explanation:

QUESTION NO: 49

Given the screen configuration shown, the failure’s probable cause is:

A. Packet 1 proposes SA Life Type, SA Life Duration, Authentication and Encapsulation Algorithm.
B. Packet 1 proposes a symmetrical key.
C. Packet 1 proposes a subnet and host ID, an encryption and hash algorithm.
D. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data.

Answer: D
Explanation:

QUESTION NO: 50

Ann wants to hide FTP traffic behind the virtual IP of her cluster. Where is the relevant file
table.def located to make this modification?

A. $FWDIR/log/table.def
B. $FWDIR/conf/table.def
C. $FWDIR/bin/table.def
D. $FWDIR/lib/table.def

Answer: D
Explanation:

QUESTION NO: 51

While troubleshooting a connectivity issue with an internal web server, you know that packets are
getting to the upstream router, but when you run a tcpdump on the external interface of the
gateway, the only traffic you observe is ARP requests coming from the upstream router. Does the
problem lie on the Check Point Gateway?

A. Yes – This could be due to a misconfigured route on the firewall.


B. No – This is a layer 2 connectivity issue and has nothing to do with the firewall.
C. No – The firewall is not dropping the traffic, therefore the problem does not lie with the firewall.
D. Yes – This could be due to a misconfigured Static NAT in the firewall policy.

Answer: D
Explanation:

QUESTION NO: 52

In a production environment, your gateway is configured to apply a Hide NAT for all internal traffic
destined to the Internet. However, you are setting up a VPN tunnel with a remote gateway, and
you are concerned about the encryption domain that you need to define on the remote gateway.
Does the remote gateway need to include your production gateway’s external IP in its encryption
domain?

A. No – all packets destined through a VPN will leave with original source and destination packets
without translation.
B. No – all packets destined to go through the VPN tunnel will have the payload encapsulated in
an ESP packet and after decryption at the remote site, will have the same internal source and
destination IP addresses.
C. Yes – all packets destined to go through the VPN tunnel will have the payload encapsulated in
an ESP packet and after decryption at the remote site, the packet will contain the source IP of the
Gateway because of Hide NAT.
D. Yes – The gateway will apply the Hide NAT for this VPN traffic.

Answer: B
Explanation:

QUESTION NO: 53

The "Hide internal networks behind the Gateway's external IP" option is selected. What defines
what traffic will be NATted?

A. The Firewall policy of the gateway


B. The network objects configured for the network
C. The VPN encryption domain of the gateway object
D. The topology configuration of the gateway object

Answer: D
Explanation:

Topic 3, ClusterXL

QUESTION NO: 54

With the default ClusterXL settings what will be the state of an active gateway upon using the
command ClusterXL_admin up?

A. Ready
B. Down
C. Standby
D. Active

Answer: C
Explanation:

QUESTION NO: 55

Which command should you use to stop kernel module debugging (excluding SecureXL)?

A. fw ctl debug 0
B. fw ctl zdebug - all
C. fw debug fwd off; vpn debug off
D. fw debug fwd off

Answer: A
Explanation:

QUESTION NO: 56

Which command should you run to debug the VPN-1 kernel module?

A. fw debug vpn on
B. vpn debug on TDERROR_ALL_ALL=5
C. fw ctl zdebug crypt kbuf
D. fw ctl debug -m VPN all

Answer: D
Explanation:

QUESTION NO: 57

Which command can be used to see all active modules on the Security Gateway:

A. fw ctl zdebug drop


B. fw ctl debug -h
C. fw ctl chain
D. fw ctl debug -m

Answer: C
Explanation:

QUESTION NO: 58

In some situations, switches may not play nicely with a Check Point Cluster and it is necessary to
change from multicast to broadcast. What command should you invoke to correct the issue?

A. set ccp broadcast


B. cphaconf set_ccp broadcast
C. cpha_conf set ccp broadcast
D. This can only be changed via GuiDbEdit.

Answer: B
Explanation:

QUESTION NO: 59

Which of the following commands shows the high watermark threshold for triggering the cluster
under load mechanism in R77?

A. fw ctl get int fwha_cul_mechanism_enable


B. fw ctl get int fwha_cul_cluster_short_timeout
C. fw ctl get int fwha_cul_member_cpu_load_limit
D. fw ctl get int fwha_cul_policy_freeze_event_timeout_millisec

Answer: C
Explanation:

QUESTION NO: 60

What mechanism solves asymmetric routing issues in a load sharing cluster?

A. Flush and ACK


B. Stateful Inspection
C. SYN Defender
D. State Synchronization

Answer: A
Explanation:

QUESTION NO: 61

When you have edited the local.arp configuration, to support a manual NAT, what must be done to
ensure proxy arps for both manual and automatic NAT rules function?

A. In Global Properties > NAT tree select Merge manual proxy ARP configuration check box
B. Run the command fw ctl ARP -a on the gateway
C. In Global Properties > NAT tree select Translate on client side check box
D. Create and run a script to forward changes to the local.arp tables of your gateway

Answer: A
Explanation:

QUESTION NO: 62

Which command clears all the connection table entries on a Security Gateway?

A. fw tab -t connetion -u
B. fw ctl tab -t connetions -u
C. fw tab -t connetion -s
D. fw tab -t connections -x

Answer: D
Explanation:

QUESTION NO: 63

How can you see a dropped connection and the cause from the kernel?

A. fw zdebug drop
B. fw ctl debug drop on
C. fw debug drop on
D. fw ctl zdebug drop

Answer: D
Explanation:

QUESTION NO: 64

After creating and pushing out a new policy, Joe finds that an old connection is still being allowed
that should have been closed after his changes. He wants to delete the connection on the
gateway, and looks it up with fw tab -t connections -u. Joe finds the connection he is looking for.
What command should Joe use to remove this connection?

<0,a128c22,89,a158508,89,11;10001,2281,25,15b,a1,4ecdfeee,ac,691400ac,7b6,3e,ffffffff,3c,3c,
0,0,0,0,0,0,0,0,0,0,0,0,0,0>

A. fw tab -t connections -x -d "0,a128c22,89,0a158508,89,11"
B. fw tab -t connections -x -e "0,a128c22,00000089,0a158508,00000089,00000011"
C. fw tab -t connections -x -d "00000000,a128c22,00000089,0a158508,00000089,00000011"
D. fw tab -t connections -x -e "0,a128c22,89,0a158508,89,11"

Answer: B
Explanation:

QUESTION NO: 65

Using the default values in R77 how many kernel instances will there be on a 16-core gateway?

A. 16
B. 8
C. 12
D. 14

Answer: D
Explanation:

QUESTION NO: 66

When viewing connections using the command fw tab -t connections, all entries are displayed with
a 6-tuple key, the elements of the 6-tuple include the following EXCEPT:

A. destination port number


B. source port number
C. direction (inbound / outbound)
D. interface id

Answer: D
Explanation:

QUESTION NO: 67

Each connection allowed by a Security Gateway, will have a real entry and some symbolic link
entries in the connections state table. The symbolic link entries point back to the real entry using
this:

A. serial number of the real entry.


B. 6-tuple.
C. memory pointer.
D. date and time of the connection establishment.

Answer: B
Explanation:
C3O3 - ClusterXL

QUESTION NO: 68

Extended Cluster Anti-Spoofing checks what value to determine if a packet with the source IP of a
gateway in the cluster is being spoofed?

A. The source IP of the packet.


B. The packet has a TTL value of less than 255.
C. The source MAC address of the packet.
D. The destination IP of the packet.

Answer: B
Explanation:


QUESTION NO: 69

How do you clear the connections table?

A. Run the command fw tab -t connections -x
B. In Gateway Properties > Optimizations click Clear connections table
C. Run the command fw tab -t conns -c
D. Run the command fw tab -t connections -c

Answer: A
Explanation:

QUESTION NO: 70

In order to prevent outgoing NTP traffic from being hidden behind a Cluster IP you should?

A. Edit the relevant table.def on the Management Server and add the line no_hide_services_ports
= { <17, 123> }; and then push policy.
B. Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <17,
123> };.
C. Edit the relevant table.def on the Management Server and add the line no_hide_services_ports
= { <123, 17> }; and then push policy.
D. Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <123,
17> }.

Answer: C
Explanation:

QUESTION NO: 71

Of the following answer choices, which best describes a possible effect of expanding the
connections table?

A. Increased memory consumption


B. Decreased memory consumption
C. Increased connection duration
D. Decreased connection duration

Answer: A
Explanation:

QUESTION NO: 72

Adam wants to find idle connections on his gateway. Which command would be best suited for
viewing the connections table?

A. fw tab -t connections
B. fw tab -t connections -u -f
C. fw tab -t connections -x
D. fw tab -t connections -s

Answer: B
Explanation:

QUESTION NO: 73

From the output of the following cphaprob -i list, what is the most likely cause of the clustering
issue?

Cluster B> cphaprob -i list

Built-in Devices:

Device Name: Interface Active Check Current state: OK

Device Name: HA Initialization Current state: OK

Device Name: Recovery Delay Current state: OK

Registered Devices:

Device Name: Synchronization Registration number: 0 Timeout: none Current state: OK Time
since last report: 3651.5 sec

Device Name: Filter Registration number: 1 Timeout: none Current state: problem Time since last
report: 139 sec

Device Name: routed Registration number: 2 Timeout: none Current state: OK Time since last
report: 3651.9 sec

Device Name: cphad Registration number: 3 Timeout: none Current state: OK Time since last
report: 3696.5 sec

Device Name: fwd Registration number: 4 Timeout: none Current state: OK Time since last report:
3696.5 sec

A. There is an interface down on Cluster A


B. There is a sync network issue between Cluster A and Cluster B
C. The routing table on Cluster B is different from Cluster A
D. Cluster B and Cluster A have different versions of policy installed.

Answer: D
Explanation:

QUESTION NO: 74

Which command would a troubleshooter use to verify table connection info (peak, concurrent) and
verify information about cluster synchronization state?

A. fw tab -t connections -s
B. fw ctl pstat
C. fw ctl multik stat
D. Show info all

Answer: D
Explanation:

QUESTION NO: 75

Which definition best describes the file table.def function? It is a placeholder for:

A. definitions of various kernel tables for Security Gateways.


B. definitions of various kernel tables for Management Servers.
C. user defined implied rules for Security Gateways.
D. user defined implied rules for Management Servers.

Answer: A
Explanation:

QUESTION NO: 76

Your customer receives an alert from their network operation center: they are seeing ARP and
Ping scans of their network originating from the firewall. What could be the reason for the
behaviour?

A. Check Point firewalls probe adjacent networking devices during normal operation.
B. IPS is disabled on the firewalls and there is a known OpenSSL vulnerability that allows a
hacker to cause a network scan to originate from the firewall.
C. One or both of the firewalls in a cluster have stopped receiving CCP packets on an interface.
D. Check Point's Antibot blade performs anti-bot scans of the surrounding network.

Answer: C
Explanation:


QUESTION NO: 77

Your cluster member is showing a state of "Ready". Which of the following is NOT a reason one
would expect for this behaviour?

A. One cluster member is configured for 32 bit and the other is configured for 64 bit
B. CoreXL is configured differently on the two machines
C. The firewall that is showing "Ready" has been upgraded but the other firewall has not yet been
upgraded
D. Firewall policy has not yet been installed to the firewall

Answer: D
Explanation:

QUESTION NO: 78

Which of the following is NOT a cphaprob status?

A. “Standby”
B. “Active”
C. “Backup”
D. “Down Attention” (or “Down!” in VSX mode)

Answer: D
Explanation:

QUESTION NO: 79

What would be a reason for changing the “Magic MAC”?

A. To allow for automatic upgrades.


B. To allow two or more cluster members to exist on the same network.
C. To allow two or more clusters to exist on the same network.
D. To allow the two cluster members to use the same virtual IP address.

Answer: C
Explanation:

QUESTION NO: 80

What are the kernel parameters that control “Magic MACs”?

A. fwha_magic_mac and fw_forward_magic_mac
B. fwha_mac_magic and fw_mac_forward_magic
C. cpha_mac_magic and cp_mac_forward_magic
D. cpha_magic_mac and cpha_mac_forward_magic

Answer: B
Explanation:

QUESTION NO: 81

How many sync interfaces are supported on Check Point R77 GAiA?

A. 3
B. 4
C. 2
D. 1

Answer: D
Explanation:

QUESTION NO: 82

Which is NOT a valid upgrade method in an R77 GAiA ClusterXL deployment?

A. Optimal Service Upgrade


B. Full Connectivity Upgrade
C. Minimal Effort Upgrade
D. Automatic Incremental Upgrade

Answer: D
Explanation:

QUESTION NO: 83

What would be a reason to use the command cphaosu stat?

A. To determine the number of connections from OPSEC software using Open Source Licenses.
B. To decide when to fail over traffic to a new cluster member.
C. This is not a valid command.
D. To see the policy install dates on each of the members in the cluster.

Answer: B
Explanation:


QUESTION NO: 84

You run the commands:

fw ctl debug 0

fw ctl debug -buf 32000

Which of the following commands would be best to troubleshoot a clustering issue?

A. fw ctl zdebug -m cluster + all


B. fw ctl debug -m CLUSTER + conf stat
C. fw ctl debug -m cluster + pnote stat if
D. fw ctl kdebug -m CLUSTER all

Answer: C
Explanation:

QUESTION NO: 85

You run the command fw tab -t connections -s on both members in the cluster. Both members
report differing values for "vals" and "peaks". Which may NOT be a reason for this difference?

A. Synchronization is not working between the two members


B. SGMs in a 61k environment only sync selective parts of the connections table.
C. Heavily used short-lived services have had synchronization disabled for performance
improvement.
D. Standby member does not synchronize until a failover is needed.

Answer: D
Explanation:

QUESTION NO: 86

Your customer reports that the time on the standby cluster member is not correct. After failing
over and making it active, the time is now correct. NTP has been configured on both machines, so
it is expected that both machines be in sync with the NTP server. Upon investigating, it was found
that the standby member was never able to communicate with the NTP server while it was in
standby configuration. What could be the problem?

A. You should be syncing your backup to the primary for time settings.
B. NTP is not supported in active-passive mode.
C. Traffic from the standby member was hidden behind the cluster IP address and was therefore
returning to the active member.
D. Routing prevents the standby member from performing functions such as peering with dynamic
routing and obtaining NTP updates.

Answer: C
Explanation:

QUESTION NO: 87

Your customer has an R77 Multi-domain Management Server managing a mix of firewalls of R70
and R77 versions. A change was made to the file $FWDIR/lib/tables.def on one of the domains.
However, it was found that the change was not applied to the R70 firewalls. What could be the
problem?

A. Changes to the table.def can only be applied to firewalls matching the Management Server
version. The customer needs to upgrade the firewalls to the same version as the firewall.
B. R70 is end of life and is not supported. Most functions will work, but modifying the table.def will
not.
C. In order to make changes on R70 machines you need to work within GuiDBedit.
D. To support R70, the file in the compatibility directory should have been modified.

Answer: D
Explanation:

QUESTION NO: 88

What is the function of the setting "no_hide_services_ports" in the tables.def files?

A. Preventing the secondary member from hiding its presence by not forwarding any packets.
B. Allowing management traffic to be accepted in an applied rule ahead of the stealth rule.
C. Hiding the particular tables from being synchronized to the other cluster member.
D. Preventing outbound traffic from being hidden behind the cluster IP address.

Answer: D
Explanation:

Topic 4, VPN Troubleshooting

QUESTION NO: 89

Which command will you run to list established VPN tunnels?

A. fw tab -t vpn_active
