Old 2006-08-31
ganapathytvl ganapathytvl is offline
Junior Member
 
Join Date: 2006-05-12
Posts: 12
Rep Power: 0
ganapathytvl has an average reputation (10+)
Default Re: Free simulation of 156-215.1 for all of you

Hi,

Sending you the updated Testking Q&A. If you update your vce, please let me have a copy of the same along with the password to edit.

Rgds,
Ganapathy K.


QUESTION NO: 66
You are concerned that a message may have been intercepted and retransmitted,
thus compromising the security of the communications. You attach a code to the
electronically transmitted message that uniquely identifies the sender. This code is
known as a:
A. Digital signature
B. Tag
C. Private key
D. AES flag
E. Diffie-Hellman verification
Answer: A
QUESTION NO: 67
A user attempts authentication using SecureClient. The user's password is rejected,
even though it is correctly defined in the LDAP directory.
Leading the way in IT testing and certification tools, www.testking.com
Which of the following is a valid cause?
A. The LDAP server has insufficient memory
B. The LDAP and Security Gateway databases are not synchronized.
C. The SmartCenter Server cannot communicate with the LDAP server.
D. The user has defined the wrong encryption scheme.
E. The user is defined in both the NGX user database and the LDAP directory
Answer: B
Explanation: The LDAP and Security gateway data base are not synchronized.
QUESTION NO: 68
Select the correct statement about Secure Internal Communications (SIC)
Certificates?
SIC Certificates:
A. for NGX Security Gateways are created during the SmartCenter Server installation.
B. For the SmartCenter Server are created during the SmartCenter Server installation.
C. Are used for securing internal network communications between the SmartView
Tracker and an OPSEC device
D. Decrease network security by securing administrative communication among the
SmartCenter Servers and the Security Gateway
E. Authentication Certificates
Answer: E
Explanation: Uniquely identify checkpoint enabled machines: they have the same
function as authentication certificates
QUESTION NO: 69
Exhibit: *** MISSING ***
Review the following rules and note the Client Authentication Action properties
screen as displayed in the exhibit,
After being authenticated by the Security Gateway, when a user starts an HTTP
connection to a Web site, the user tries to FTP another site using the command line.
What happens to the user?
The...
A. FTP session is dropped by the implicit Cleanup Rule.
B. User is prompted from that FTP site only, and does not need to enter username and
password for Client Authentication.
C. FTP connection is dropped by rule 2.
D. FTP data connection is dropped, after the user is authenticated successfully.
E. User is prompted for authentication by the Security Gateway again.
Answer:
Explanation: Pending. Send your suggestion to feedback@testking.com
QUESTION NO: 70
Diffie-Hellman uses which type of key exchange?
A. Adaptive
B. Asymmetric
C. Symmetric
D. Static
E. Dynamic
Answer: B
QUESTION NO: 71
Tess King's main internal network 10.10.10.0/24 allows all traffic to the Internet
using Hide NAT. Tess King also has a small network 10.10.20.0/24 behind the
internal router. Tess wants to configure the kernel to translate the source address
only when network 10.10.20.0 tries to access the Internet for HTTP, SMTP, and
FTP services.
Which of the following configurations will allow this network to access Internet?
A. Automatic Static NAT on network 10.10.20.0/24
B. Manual Hide NAT rules for HTTP, FTP, and SMTP services for network
10.10.20.0/24.
C. Manual Static NAT rules for network 10.10.20.0/24,
D. Automatic Hide NAT for network 10.10.20.0/24.
E. No change is necessary.
Answer: D
Explanation: Automatic Hide NAT for network 10.10.20.0/24
QUESTION NO: 72
With SmartDashboard's Smart Directory, you can create NGX user definitions on
a(n) _____________ Server.
A. NT Domain
B. LDAP
C. Provider-1
D. SecureID
E. Radius
Answer: B
QUESTION NO: 73
Jens notices a large amount of traffic from a specific internal IP address. He needs
to verify if it is a network attack, or a user's system infected with a worm. He has
enabled Sweep Scan Protection and Host port scan in SmartDefense. Will Jens get
all the information he needs from these actions?
A. No. SmartDefense will only block the traffic, but it will not provide a detailed analysis
of the traffic.
B. No. SmartDefense will not block the traffic. The logs and alert can provide a further
level of information, but determining whether the attack is intentional or a worm requires
further research by Jens.
C. No. Jens also should set SmartDefense to quarantine the traffic from the suspicious IP
address.
D. Yes. SmartDefense will limit the traffic impact from the scans, and identify if the
pattern of the traffic matches any known worms.
E. No. To verify if this is a worm or an active attack, Jens should also enable TCP attack
defenses.
Answer: B
QUESTION NO: 74
Which NGX feature or command provides the easiest path for Security
Administrators to revert to earlier versions of the same Security Policy and objects
configuration?
A. cpconfig
B. upgrade_export/upgrade_import
C. Database Revision Control
D. Dbexport/dbimport
E. Policy Package management
Answer: C
QUESTION NO: 75
How do you configure an NGX Security Gateway's kernel memory settings, without
manually modifying the configuration files in $FWDIR\lib? By configuring:
A. the settings on the Gateway object's Capacity Optimization screen
B. the settings on the Global Properties Capacity Optimization screen
C. the Settings on the Gateway object's Advanced screen
D. the settings on the SmartCenter Server object's Advanced screen
E. SmartDefense Kernel Defender options
Answer: A
QUESTION NO: 76
Which of the following is NOT a feature or quality of a hash function?
A. Encrypted with the sender's RSA private key, the hash function forms the digital
signature.
B. It is mathematically infeasible to derive the original message from the message digest.
C. The hash function forms a two-way, secure communication.
D. The hash function is irreversible.
E. It is mathematically infeasible for two different messages to produce the same
message digest.
Answer: C
Explanation: The hash function does not provide a two way secure communication,
it's simply a function which when used in conjunction with a digital certificate
ensures the integrity and unique identity of a sender.
QUESTION NO: 77
You are a Security Administrator configuring Static NAT on an internal host-node
object. You clear the box "Translate destination on client side", accessed from
Global Properties > NAT settings > Automatic NAT. Assuming all other Global
Properties NAT settings are selected, what else must be configured for automatic
Static NAT to work?
A. The NAT IP address must be added to the anti-spoofing group of the external
Gateway interface
B. Two address-translation rules in the Rule Base
C. No extra configuring needed
D. A proxy ARP entry, to ensure packets destined for the public IP address will reach the
Security Gateway's external interface
E. A static route, to ensure packets destined for the public NAT IP address will reach the
Gateway's internal interface
Answer: C
QUESTION NO: 78
Which encryption scheme provides "In-place" encryption?
A. IKE
B. Manual IPSec
C. DES
D. SKIP
E. AES
Answer: C
Explanation: DES (and FWZ1 and RC4) is an encryption algorithm that is used to
encrypt the data portion of a packet.
The relationship between the components of the encryption schemes, as implemented in
FireWall-1, is described in the following table.
Not B, D: Manual IPSec and SKIP are examples of encapsulated encryption, where
the entire packet is encrypted.
QUESTION NO: 79
After importing the NGX schema into an LDAP server, what should you enable?
A. Schema checking
B. Encryption
C. UserAuthority
D. ConnectControl
E. Secure Internal Communications
Answer: A
QUESTION NO: 80
Which ldif file must you modify to extend the schema of a Windows 2000 domain?
A. In NGX you do not need to modify any .ldif file
B. The appropriate .ldif file is located in the Security Gateway:
$FWDIR/conf/ldif/Microsoft_ad_schema.ldif
C. The appropriate .ldif file is located in the SmartCenter Server:
$FWDIR/lib/ldap/schema_microsoft_ad.ldif
D. The appropriate .ldif file is located in the Security Gateway:
$FWDIR/lib/ldif/Microsoft_ad_schema.ldif
E. The appropriate .ldif file is located in the SmartCenter Server:
$FWDIR/conf/ldif/Microsoft_ad_schema.ldif
Answer: C
Explanation: Page 226 of the SmartCenter_UserGuide.pdf from Check Point says
"The definitions of all VPN-1 Pro attributes in LDIF format are contained in the file
'scheme_microsoft_ad.ldif' located in $FWDIR/lib/ldap directory."
http://www.checkpoint.com/support/te.../docs_r61.html
Also screenshot from SecurePlatform confirms this
Not B, D, E: All of the filenames/locations in answers B, D, E are invalid - it can't be those
QUESTION NO: 81
What is the reason for the Critical Problem notification in this SmartView Monitor
example?
A. Active real memory shortage on the Gateway
B. No Security Policy installed on the Security Gateway
C. Version mismatch between the SmartCenter Server and Security Gateway
D. Time not synchronized between the SmartCenter Server and Security Gateway
E. No Secure Internal Communications established between the SmartCenter Server and
Security Gateway
Answer: B
QUESTION NO: 82
Your standby SmartCenter Server's status is collision. What does that mean, and
how do you synchronize the Server and its peer?
A. The standby and active Servers have two Internal Certificate Authority (ICA)
Certificates. Uninstall and reinstall the standby Server.
B. The active Server detected a keep-alive packet from the standby Server.
C. The peer Server has not been properly synchronized. Manually synchronize both
Servers again.
D. The peer Server is more up-to-date. Manually synchronize both Servers again.
E. The active SmartCenter Server and its peer have different Security Policies and
databases. Manually synchronize the Servers, and decide which Server's configuration to
overwrite.
Answer: E
This description is taken from the help menu in SmartDashboard in an article titled "The
Management High Availability Solution".
The possible synchronization statuses are:
(several other status codes) ... then
Collision - the Active SmartCenter Server and its peer have different installed policies and
databases. The administrator must perform manual synchronization and decide which of the SCSs
to overwrite.
In this case, both SmartCenter Server A and B have some information which is not synchronized
with its peer. In order to remedy the collision state, one of the SmartCenter Servers will need to
be overwritten. The SmartCenter Server which is found to have the dominant or significant
changes should be the SmartCenter Server on which manual synchronization is initiated.
At this point the system administrator needs to decide which of the SmartCenter Servers should
become the Standby SCS, and change its status, if necessary.
QUESTION NO: 83
Sarah is the Security Administrator for TestKing. Sarah has configured
SmartDefense to block the CWD and FIND commands. Sarah installs the Security
Policy, but the Security Gateway continues to pass the commands. Which of the
following could be the cause of the problem?
A. The Rule Base includes a rule accepting FTP to any source, from any destination.
B. The SmartDefense > Application Intelligence > FTP Security Server screen does not
have the radio button set to "Configurations apply to all connections".
C. The FTP Service Object > Advanced > Blocked FTP Commands list does not include
CWD and FIND.
D. The Web Intelligence > Application Layer > FTP Settings list is configured to allow,
rather than exclude, CW and FIND commands.
E. The Global Properties > Security Server > "Control FTP Commands" box is not
checked.
Answer: B
QUESTION NO: 84
Your NGX enterprise SmartCenter Server is working normally. However, you must
reinstall the SmartCenter Server, but keep the SmartCenter Server configuration
(for example, all Security Policies, databases, etc.) How would you reinstall the
Server and keep its configuration?
A. 1. Run the latest upgrade_export utility to export the configuration.
2. Keep the exported file in the same location.
3. Use SmartUpdate to reinstall the SmartCenter Server.
4. Run upgrade_import to import the configuration.
B. 1. Run the latest upgrade_export utility to export the configuration.
2. Leave the exported .tgz file in $FWDIR.
3. Install the primary SmartCenter Server on top of the current installation.
4. Run upgrade_import to import the configuration.
C. 1. Insert the NGX CD-ROM, and select the option to export the configuration into a
.tgz file.
2. Transfer the .tgz file to another networked machine.
3. Uninstall all NGX packages, and reboot.
4. Use the NGX CD-ROM to select the upgrade_import option to import the
configuration.
D. 1. Download the latest upgrade_export utility, and run it from $FWDIR\bin to export
the configuration into a .tgz file.
2. Transfer the .tgz file to another networked machine.
3. Uninstall all NGX packages, and reboot.
4. Install a new primary SmartCenter Server.
5. Run upgrade_import to import the configuration.
Answer: D
QUESTION NO: 85
How can you reset Secure Internal Communications (SIC) between a SmartCenter
and Security Gateway?
A. Run the command fwm sic_reset to reinitialize the Internal Certificate Authority
(ICA) of the SmartCenter Server. Then retype the activation key on the Security Gateway
from SmartDashboard.
B. From cpconfig on the SmartCenter Server, choose the Secure Internal Communication
option and retype the activation key. Next, retype the same key in the gateway object in
SmartDashboard and reinitialize Secure Internal Communications (SIC).
C. From the SmartCenter Server's command line type fw putkey -p <shared key> <IP
Address of SmartCenter Server>.
D. From the SmartCenter Server's command line type fw putkey -p <shared key> <IP
Address of Security Gateway>.
E. Reinstall the Security Gateway.
Answer: B
Explanation: A deletes the certificates, although this would work it's not needed just to
reset SIC
C,D,E are irrelevant to SIC
QUESTION NO: 86
You have locked yourself out of SmartDashboard with the rules you just installed on
your stand alone Security Gateway. Now you cannot access the SmartCenter Server
or any SmartConsole tools via SmartDashboard. How can you reconnect to
SmartDashboard?
A. Run cpstop on the SmartCenter Server.
B. Run fw unlocklocal on the SmartCenter Server.
C. Run fw unloadlocal on the Security Gateway.
D. Delete the $fwdir/database/manage.lock file and run cprestart.
E. Run fw uninstall localhost on the Security Gateway.
Answer: C
QUESTION NO: 87
Ellen is performing penetration tests against SmartDefense for her Web server
farm. She needs to verify that the Web servers are secure against traffic hijacks. She
has activated the Cross-Site Scripting property. What other settings would be
appropriate? Ellen:
A. should also enable the Web intelligence > SQL injection setting.
B. must select the "Products > Web Server" box on each of the node objects.
C. should enable all settings in Web Intelligence.
D. needs to configure TCP defenses such as "Small PMTU" size.
E. needs to create resource objects for the web farm servers and configure rules for the
web farm.
Answer: B
QUESTION NO: 88
William is a Security Administrator who has added address translation for his
internal Web server to be accessible by external clients. Due to poor network design
by his predecessor, William sets up manual NAT rules for this server, while his FTP
server and SMTP server are both using automatic NAT rules. All traffic from his
FTP and SMTP servers are passing through the Security Gateway without a
problem, but traffic from the Web server is dropped because of anti-spoofing
settings. What is causing this?
A. "Allow bi-directional NAT" is not checked in Global Properties.
B. "Translate destination on client side" is not checked in Global Properties under
"Manual NAT Rules".
C. "Translate destination on client side" is not checked in Global Properties > Automatic
NAT Rules.
D. Routing is not configured correctly.
E. Manual NAT rules are not configured correctly.
Answer: E
Explanation: A,B,C will be ticked by default anyway, D is irrelevant as his FTP and
SMTP NAT is working fine - these also wouldn't work if there was a routing
problem.
QUESTION NO: 89
You are a security consultant for a hospital. You are asked to create some type of
authentication rule on the NGX Security Gateway, to allow doctors to update
patients' records via HTTP from various workstations. Which authentication
method should you use?
A. Client Authentication
B. LDAP Authentication
C. SecureID Authentication
D. TACACS Authentication
E. User Authentication
Answer: E
QUESTION NO: 90
Tess King is the Security Administrator for an online bookstore. Customers connect
to a variety of Web servers to place orders, change orders, and check status of their
orders. Mrs. King checked every box in the Web Intelligence tab, and installed the
Security Policy. She ran a penetration test through the Security Gateway, to
determine if the Web servers were protected from cross-site scripting attacks. The
penetration test indicated the Web servers were still vulnerable. Which of the
following might correct the problem?
A. The penetration software Tess King is using is malfunctioning and is reporting a
false-positive.
B. Tess King must create resource objects, and use them in the rule allowing HTTP
traffic to the Web servers.
C. Tess King needs to check the "Products > Web Server" box on the host node objects
representing his Web servers.
D. Tess King needs to check the "Web Intelligence" box in the SmartDefense > HTTP
Properties.
E. Tess King needs to configure the Security Gateway protecting the Web servers as a
Web server.
Answer: C
Explanation: Tess checked everything on Web Intelligence, and what she must do next is
to check Products > Web Server to activate the rules.