| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Shouldn't the answer to this be "restore":

QUESTION NO: 3
Which of the following commands is used to restore VPN-1 NGX configuration information?
A. gunzip
B. cpconfig
C. fw ctl pstat
D. cpinfo
E. upgrade_import

because on this question the answer is:

QUESTION NO: 22
Your primary SmartCenter Server is on SecurePlatform. What is the easiest way to back up your VPN-1 NGX configuration?
A. By copying the whole $FWDIR to another location.
B. By using upgrade_export command in $FWDIR\bin directory.
C. By executing a conf_merge with an objects_5_0.C from a new NGX installation.
D. By copying the $FWDIR\conf and $FWDIR\lib directory to another location.
E. By using native SecurePlatform backup utility from command line or in Web based interface.
Answer: E |
| |||
| QUESTION NO: 34
TestKing.com has two headquarters, one in London, one in New York. Each headquarter includes several branch offices. The branch offices only need to communicate with the headquarters in their country, not with each other, and only the headquarters need to communicate directly. What is the BEST configuration for VPN Communities among the branch offices and their headquarters, and between the two headquarters?
A. VPN Communities comprised of three star Communities: The first one between New York headquarters and its branches. The second star Community is between London headquarters and its branches. The third star Community is between New York and London headquarters.
B. VPN Communities comprised of two mesh Communities, one for each headquarters and their branch offices; one star community where New York is the center of the Community and London is the satellite.
C. VPN Community is comprised of two star and one meshed; each star Community is set up for each site, with headquarters as the center of the Community and branches as satellites. The mesh Communities are between the New York and London headquarters.
D. VPN Communities comprised of two mesh Communities for each headquarters and their branch offices; and one star Community, in which London is the center of the Community and New York is the satellite.
E. VPN Communities comprised of three mesh Communities: one for London headquarters and its branches, one for New York headquarters and its branches, and one for London and New York headquarters.
Answer: C

Shouldn't the answer be A because setting up a meshed community will allow the branches to communicate with each other, not just the headquarters. No? |
| |||
| QUESTION NO: 39
Brianna has three servers located in a DMZ, using public IP addresses that need to be accessed by her internal networks. Brianna's internal network uses class B IP addresses, per RFC 1918. Internal networks access the Internet, using Dynamic NAT behind the external IP address of her Security Gateway. What is the best way to configure access for the DMZ servers?
A. Configure Manual NAT rules to translate the internal networks, when connecting to the DMZ servers.
B. Configure Dynamic NAT for the DMZ interface of the Security Gateway.
C. Configure Static NAT rules for the DMZ servers.
D. Configure Manual NAT rules to translate the DMZ servers, when connecting to the internet.
Answer: B

Shouldn't this be C since the DMZ servers use "public IP addresses"? Couldn't you just configure the host node to have a static "public IP" address? If you set the DMZ interface to hide NAT using the DMZ network scope then internal users WILL be able to access that network, internally, but aren't the keywords here "using public IP addresses that need to be accessed by her internal networks", or is that there to throw you off?

You know what?! I think I'm just starting to figure this out. I think B IS correct because that is all you need to have the internal network access the DMZ servers. The "using public IP addresses that need to be accessed by her internal networks" is just an extra tidbit of info to throw you off. It doesn't necessarily mean that the internal network must access the DMZ servers from the external interface of the firewall. |
| |||
| I failed the CCSA test with a 57%. I remember this question:

What command will allow you to view a specific table on a Security Gateway?
A. fw tab -t <table_name>
B. fw tab -a <table_name>
C. fw tab -s <table_name>
D. fw tab -n <table_name>
E. fw tab -r <table_name>
Answer: A

Usage: fw tab [-t <table>] [-s | -c] [-f] [-o <filename>] [-r] [-u | -m <maxvals>] [[-x | -a] -e entry] [-y]

It falls in line with this question on testking:

QUESTION NO: 106
You have blocked an IP address via the Block Intruder feature of SmartView Tracker. How can you see the addresses you have blocked?
A. In SmartView Status click the Blocked Intruder tab.
B. Run fwm blocked_view.
C. Run fw sam -va.
D. Run fw tab -t sam_blocked_ips.
E. In SmartView Tracker, click the Active tab, and the actively blocked connections display.
Answer: D |
| |||
| I don't think this is correct:

QUESTION NO: 81
What is the reason for the Critical Problem notification in this SmartView Monitor example?
A. Active real memory shortage on the Gateway
B. No Security Policy installed on the Security Gateway
C. Version mismatch between the SmartCenter Server and Security Gateway
D. Time not synchronized between the SmartCenter Server and Security Gateway
E. No Secure Internal Communications established between the SmartCenter Server and Security Gateway
Answer: B

Shouldn't this be E? The image does not show the security policy BECAUSE OF SIC not being established. It was previously established since you can see the connection was for 16 days and after SIC was lost you get this error? I have not confirmed this on my lab but will be soon. Has anyone else confirmed this? Can someone remove SIC and see what error they get on SmartView Monitor? Or maybe the answer B is correct if someone can try an "fw unloadlocal" from that security gateway?

Well, I just tested this by resetting SIC on the firewall; I get "unknown" as the error on Monitor. When fw unloadlocal is run on the firewall, I get "Problem" but not "Critical Problem", maybe because I have a cluster setup.

Last edited by onnig; 2006-09-05 at 15:36. |
| |||
| This one is definitely wrong:

QUESTION NO: 111
When you find a suspicious connection from a problematic host, you want to block everything from that whole network, not just the host. You want to block this for an hour, but you do not want to add any rules to the Rule Base. How do you achieve this?
A. Create a Suspicious Activity rule in SmartView Tracker.
B. Create a Suspicious Activity Rule in SmartView.
C. Create an "FW SAM" rule in SmartView Monitor.
D. Select "block intruder" from the Tools menu in the SmartView Tracker.
Answer: B

Never mind the answer IS B! v16 tk has the word "Monitor" at the end of answer B so that makes it correct.

This is done through SmartView Monitor SAM (Suspicious Activity Monitor). The answer is C.

Last edited by onnig; 2006-09-06 at 13:16. |
| |||
| Is this right?

QUESTION NO: 113
Which of these changes to a Security Policy optimizes Security Gateway performance?
A. Using domain objects in rules when possible
B. Using groups within groups in the manual NAT Rule Base
C. Putting the least-used rule at the top of the Rule Base
D. Logging rules as much as possible
E. Removing old or unused Security Policies from Policy Packages
Answer: E

How would removing old or unused policies increase performance? The only way I can see this is that it decreases the objects_5_0 file size, which may increase performance when pushing policy. |
| |||
| Isn't this wrong?

QUESTION NO: 118
Mary is recently hired as the Security Administrator for TestKing.com. Mary's manager has asked her to investigate ways to improve the performance of the firm's perimeter Security Gateway. Mary must propose a plan based on the following required and desired results:
Required Result #1: Do not purchase new hardware.
Required Result #2: Use configuration changes that do not reduce security.
Desired Result #1: Reduce the number of explicit rules in the Rule Base.
Desired Result #2: Reduce the volume of logs.
Desired Result #3: Improve the Gateway's performance.
Proposed solution:
* Replace all domain objects with network and group objects.
* Check "Log implied rules" and "Accept ICMP requests" in Global Properties.
* Use Global Properties, instead of explicit rules, to control ICMP, VRRP, and RIP.
Does Mary's proposed solution meet the required and desired results?
A. The solution meets all required and desired results.
B. The solution meets all required, and one of the desired results.
C. The solution meets all required, and two of the desired results.
D. The solution meets all required, and none of the desired results.
E. The solution does not meet the required results.
Answer: E

She never purchases new hardware so Required #1 is already met. None of the changes reduce security, it's just represented differently. She has more logs but less explicit rules. Increased logs means decreased performance, so Desired #1 is met, or does Desired #1 fail because of the increase of network and group objects which will require more explicit rules to represent the security policy? I don't see how. |
| |||
| Allowing ICMP requests will lower the overall security of the network, so it doesn't meet the requirements. |
| |||
| OK I see, thanks. What about Required #1? How was that not met? |
| |||
| Required #1 was met. However, there is no choice for met one of the required results. So, the only acceptable answer is E. |
| |||
| I wasn't sure about the performance gain associated with option E either. On the other hand, I believe all of the other options would decrease performance. So, it is reasonable to assume that the only acceptable answer is E. |
| |||
| version 16.1

Question NO: 95
Amy is configuring a User Auth rule for the technical support dept to access an intranet server. What is the correct statement?
A. The security Server first checks if there is any rule that does not require auth for this type of connection.
B. The User Auth rule must be placed above the Stealth Rule.
C. Once a user is first authenticated, the user will not be prompted for auth again until logging out.
D. Amy can only use the rule for Telnet, FTP, and rlogin service.
E. Amy can limit the authentication attempts in the Authentication tab of the User Properties screen.

They say D. That is wrong because user Authentication also does HTTP and HTTPS. I suspect A is correct because if you have another rule down below the user Auth rule that allows the connection, you will get in without being asked to log in. I had a hard time getting a User Auth rule to prompt for login because of this.

Also: Page 350 of the Official Student guide (NGX version 1.1)
“The fact that a user successfully connects does not necessarily mean that the user was first authenticated. The authenticating Security Server first checks if the connection can be allowed by a rule that does not require authentication. If one exists, the user will be connected through the less-restrictive rule, bypassing the User Authentication rule.”

Last edited by cbrandst@gmail.com; 2006-09-07 at 14:28. |
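An added illustration, not part of the thread and not Check Point code: a simplified Python model of the behaviour quoted from the student guide above, plus a rule-base check that flags User Auth rules a less-restrictive accept rule can bypass. The rule fields, the object names and the choice to search only the rules below the User Auth rule are assumptions of this model.

```python
from dataclasses import dataclass

ANY = "Any"

@dataclass(frozen=True)
class Rule:
    num: int
    src: str
    dst: str
    service: str
    action: str  # "accept", "drop" or "user_auth"

    def fields(self):
        return (self.src, self.dst, self.service)

def matches(rule, conn):
    """True if every rule field is Any or equals the connection's value."""
    return all(f in (ANY, c) for f, c in zip(rule.fields(), conn))

def decide(rules, conn):
    """Return (verdict, rule number) for conn = (src, dst, service)."""
    for i, rule in enumerate(rules):
        if not matches(rule, conn):
            continue
        if rule.action == "user_auth":
            # Assumed model of the quoted behaviour: look further down for
            # an accept rule that needs no authentication and use it.
            for later in rules[i + 1:]:
                if later.action == "accept" and matches(later, conn):
                    return ("accept_without_auth", later.num)
        return (rule.action, rule.num)
    return ("drop", None)  # nothing matched

def bypassed_auth_rules(rules):
    """List (auth rule, accept rule) pairs whose match criteria can overlap."""
    def overlap(a, b):
        return all(x == ANY or y == ANY or x == y
                   for x, y in zip(a.fields(), b.fields()))
    return [(r.num, later.num)
            for i, r in enumerate(rules) if r.action == "user_auth"
            for later in rules[i + 1:]
            if later.action == "accept" and overlap(r, later)]

# Constructed rule bases; every object name here is made up for the example.
WEAK = [Rule(1, ANY, "fw_gateway", ANY, "drop"),                      # stealth
        Rule(2, "support_net", "intranet_srv", "http", "user_auth"),
        Rule(3, ANY, "intranet_srv", "http", "accept"),               # too broad
        Rule(4, ANY, ANY, ANY, "drop")]                               # cleanup
FIXED = WEAK[:2] + [Rule(3, "hr_net", "intranet_srv", "http", "accept"), WEAK[3]]
```

Narrowing rule 3 so it no longer overlaps the User Auth rule is what restores the login prompt in this model.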
| |||
| Hi,

Regarding question 39, the answer is A. Internal networks need a way to access DMZ servers. The Address Translation should look like this:

Original Packet: Source = internal_net, Destination = dmz_net, Service = Any
Translated Packet: Source = Original, Destination = Original, Service = Original

If it isn't specified that internal networks need to be translated behind the dmz interface, I think routing is the best way, so the internal networks don't need to be translated. |
| |||
| Regarding the new exam, the trickiest questions are those regarding NAT and Backup and Restore. I hope testking will also include those questions in their future updates. This way we could discuss them. |
| |||
| The correct answer to Question 95 is definitely A. This question was on my CCSA exam. I scored 100% in the Auth Section of the exam and that is what I put. |
| |||
| Hi Silverblade, I am going to appear for CCSA NGX soon... can you please guide me through, because I have done all my preparation on my own. So a little nervous... I would appreciate it if you can tell me a few important hints or guidelines. Thanks. |