CCSA Practice Questions
Terms in this set (71)
You manage a global network extending from your base in Chicago to Tokyo, Calcutta and Dallas. Management wants a report detailing the current software level of each Enterprise class Security Gateway. You plan to take the opportunity to create a proposal outline, listing the most cost-effective way to upgrade your Gateways. Which two SmartConsole applications will you use to create this report and outline?
SmartView Monitor and SmartUpdate
Your bank's distributed R77 installation has Security Gateways up for renewal. Which SmartConsole application will tell you which Security Gateways have licenses that will expire within the next 30 days?
When launching SmartDashboard, what information is required to log into R77?
User Name, Password, Management Server IP
Message digests use
SHA-1 and MD5
A hash algorithm?
Uses the same key to decrypt as it does to encrypt?
You believe Phase 2 negotiations are failing while you are attempting to configure a site-to-site VPN with one of your firm's business partners. Which SmartConsole application should you use to confirm your suspicions?
A digital signature
Guarantees the authenticity and integrity of a message.
Which component functions as the Internal Certificate Authority for R77?
The customer has a small Check Point installation, which includes one GAiA server working as the SmartConsole, and a second server running Windows 2008 as both Security Management Server and Security Gateway. This is an example of a(n)
The customer has a small Check Point installation which includes one Windows 2008 server as the SmartConsole and a second server running GAiA as both Security Management Server and the Security Gateway. This is an example of a(n):
The customer has a small Check Point installation which includes one Windows 7 workstation as the SmartConsole, one GAiA device working as Security Management Server, and a third server running SecurePlatform as Security Gateway. This is an example of a(n):
The customer has a small Check Point installation which includes one Windows 2008 server as SmartConsole and Security Management Server with a second server running GAiA as Security Gateway. This is an example of a(n):
When doing a Stand-Alone Installation, you would install the Security Management Server with which other Check Point architecture component?
Tom has been tasked to install Check Point R77 in a distributed deployment. Before Tom installs the systems this way, how many machines will he need if he does NOT include a SmartConsole machine in his calculations?
Which command allows Security Policy name and install date verification on a Security Gateway?
fw stat -l
You have two rules, ten users, and two user groups in a Security Policy. You create database version 1 for this configuration. You then delete two existing users and add a new user group. You modify one rule and add two new rules to the Rule Base. You save the Security Policy and create database version 2. After a while, you decide to roll back to version 1 to use the Rule Base, but you want to keep your user database. How can you do this?
Restore the entire database, except the user database.
Which feature or command provides the easiest path for Security Administrators to revert to earlier versions of the same Security Policy and objects configuration?
Database Revision Control
Your Security Management Server fails and does not reboot. One of your remote Security Gateways managed by the Security Management Server reboots. What occurs with the remote Gateway after reboot?
The remote Gateway fetches the last installed Security Policy locally and passes traffic normally. The Gateway will log locally, since the Security Management Server is not available.
How can you configure an application to automatically launch on the Security Management Server when traffic is dropped or accepted by a rule in the Security Policy?
User-defined alert script
What is NOT useful to verify whether or not a Security Policy is active on a Gateway?
fw ctl get string active_secpol
Parameters that will NOT be preserved when using Database Revision Control
SecurePlatform WebUI Users, SIC Certificates, SmartView Tracker audit logs, SmartView Tracker traffic logs, Blocked connections, Gateway route table, Gateway licenses
You are about to test some rule and object changes suggested in an R77 news group. Which backup solution should you use to ensure the easiest restoration of your Security Policy to its previous configuration after testing the changes?
Database Revision Control
To create a backup of the rules, objects, policies, and global properties from an R77 SMS you would use the following backup and restore solutions
upgrade_export and upgrade_import utilities, Database Revision Control, SecurePlatform backup utilities.
Which R77 feature or command allows Security Administrators to revert to earlier Security Policy versions without changing object configurations?
Database Revision Control
What must a Security Administrator do to comply with a management requirement to log all traffic accepted through the perimeter Security Gateway?
In Global Properties > Reporting Tools check the box Enable tracking all rules (including rules marked as None in the Track column). Send these logs to a secondary log server for a complete logging history. Use your normal log server for standard logging for troubleshooting.
Which utility allows you to configure the DHCP service on GAiA from the command line?
The third-shift Administrator was updating Security Management Server access settings in Global Properties and testing. He managed to lock himself out of his account. How can you unlock this account?
Type fwm lock_admin -u <account name> from the Security Management Server command line.
The third-shift Administrator was updating Security Management Server access settings in Global Properties. He managed to lock all administrators out of their accounts. How should you unlock these accounts?
Type fwm lock_admin -ua from the Security Management Server command line.
You are the Security Administrator for ABC-Corp. A Check Point Firewall is installed and in use on GAiA. You are concerned that the system might not be retaining your entries for the interfaces and routing configuration. You would like to verify your entries in the corresponding file(s) on GAiA. Where can you view them? Give the BEST answer.
When using GAiA, it might be necessary to temporarily change the MAC address of the interface eth0 to 00:0C:29:12:34:56. After restarting the network the old MAC address should be active. How do you configure this change?
# ip link set eth0 addr 00:0C:29:12:34:56 OR Open the WebUI, select Network > Connections > eth0. Place the new MAC address in the field Physical Address, and press Apply to save the settings.
Several Security Policies can be used for different installation targets. The Firewall protecting Human Resources' servers should have its own Policy Package. These rules must be installed on this machine and not on the Internet Firewall. How can this be accomplished?
In the menu of SmartDashboard, go to Policy > Policy Installation Targets and select the correct firewall via Specific Targets.
You have a diskless appliance platform. How do you keep swap file wear to a minimum?
A RAM drive reduces the swap file thrashing which causes fast wear on the device.
Your R77 primary Security Management Server is installed on GAiA. You plan to schedule the Security Management Server to run fw logswitch automatically every 48 hours. How do you create this schedule?
Create a time object, and add 48 hours as the interval. Open the primary Security Management Server object's Logs and Masters window, enable Schedule log switch, and select the Time object.
Which of the following methods will provide the most complete backup of an R77 configuration?
Execute command upgrade_export
Which of the following commands can provide the most complete restoration of an R77 configuration?
When restoring R77 using the command upgrade_import, which of the following items are NOT restored?
The Security Policy repository must be backed up no less frequently than every 24 hours. The R77 components that enforce the Security Policies should be backed up at least once a week. Back up R77 logs at least once a week.
Use the cron utility to run the command upgrade_export each night on the Security Management Servers. Configure the organization's routine backup software to back up the files created by the command upgrade_export. Configure the GAiA backup utility to back up the Security Gateways every Saturday night. Use the cron utility to run the command upgrade_export each Saturday night on the log servers. Configure an automatic, nightly logswitch. Configure the organization's routine backup software to back up the switched logs every night.
Your company is running Security Management Server R77 on GAiA, which has been migrated through each version starting from Check Point 4.1. How do you add a new administrator account?
Using SmartDashboard, under Users, select Add New Administrator
Peter is your new Security Administrator. On his first working day, he is very nervous and enters the wrong password three times. His account is locked. What can be done to unlock Peter's account? Give the BEST answer.
You can unlock Peter's account by using the command fwm lock_admin -u Peter on the Security Management Server.
Where can you find Check Point's SNMP MIB file?
You want to generate a cpinfo file via CLI on a system running GAiA. This will take about 40 minutes since the log files are also needed. What action do you need to take regarding timeout?
Log in as Administrator, set the timeout to one hour with the command idle 60 and start cpinfo.
Many companies have defined more than one administrator. To increase security, only one administrator should be able to install a Rule Base on a specific Firewall. How do you configure this?
Put the one administrator in an Administrator group and configure this group in the specific Firewall object in Advanced > Permission to Install.
What is the officially accepted diagnostic tool for IP Appliance Support?
Which of these Security Policy changes optimize Security Gateway performance?
Use Automatic NAT rules instead of Manual NAT rules whenever possible.
Your perimeter Security Gateway's external IP is 220.127.116.11. Allow only network 192.168.10.0 and 192.168.20.0 to go out to the Internet, using 18.104.22.168. The local network 192.168.1.0/24 needs to use 22.214.171.124 to go out to the Internet.
Create an Address Range object, starting from 192.168.10.1 to 192.168.20.254. Enable Hide NAT on the NAT page of the address range object. Enter Hiding IP address 126.96.36.199. Add an ARP entry for 188.8.131.52 for the MAC address of 184.108.40.206
Because of pre-existing design constraints, you set up manual NAT rules for your HTTP server. However, your FTP server and SMTP server are both using automatic NAT rules. All traffic from your FTP and SMTP servers are passing through the Security Gateway without a problem, but traffic from the Web server is dropped on rule 0 because of anti-spoofing settings. What is causing this?
Translate destination on client side is not checked in Global Properties under Manual NAT Rules.
You enable Hide NAT on the network object, 10.1.1.0 behind the Security Gateway's external interface. You browse to the Google Website from host, 10.1.1.10 successfully. You enable a log on the rule that allows 10.1.1.0 to exit the network. How many log entries do you see for that connection in SmartView Tracker?
Only one, outbound
Which of the following statements BEST describes Check Point's Hide Network Address Translation method?
Translates many source IP addresses into one source IP address
Which Check Point address translation method allows an administrator to use fewer ISP-assigned IP addresses than the number of internal hosts requiring Internet connectivity?
NAT can NOT be configured on which of the following objects?
HTTP Logical Server
Which Check Point address translation method is necessary if you want to connect from a host on the Internet via HTTP to a server with a reserved (RFC 1918) IP address on your DMZ?
Static Destination Address Translation
You want to implement Static Destination NAT in order to provide external, Internet users access to an internal Web Server that has a reserved (RFC 1918) IP address. You have an unused valid IP address on the network between your Security Gateway and ISP router. You control the router that sits between the firewall external interface and the Internet. What is an alternative configuration if proxy ARP cannot be used on your Security Gateway?
Place a static ARP entry on the ISP router for the valid IP address to the firewall's external address.
After implementing Static Address Translation to allow Internet traffic to an internal Web Server on your DMZ, you notice that any NATed connections to that machine are being dropped by anti-spoofing protections. Which of the following is the MOST LIKELY cause?
The Global Properties setting Translate destination on client side is unchecked. But the topology on the DMZ interface is set to Internal - Network defined by IP and Mask. Check the Global Properties setting Translate destination on client side.
Which NAT option applicable for Automatic NAT applies to Manual NAT as well?
Translate destination on client-side
Your main internal network 10.10.10.0/24 allows all traffic to the Internet using Hide NAT. You also have a small network 10.10.20.0/24 behind the internal router. You want to configure the kernel to translate the source address only when network 10.10.20.0 tries to access the Internet for HTTP, SMTP, and FTP services. Which of the following configurations will allow this network to access the Internet?
Configure one Manual Hide NAT rule for HTTP, FTP, and SMTP services for network 10.10.20.0/24.
You have three servers located in a DMZ, using private IP addresses. You want internal users from 10.10.10.x to access the DMZ servers by public IP addresses. Internal_net 10.10.10.x is configured for Hide NAT behind the Security Gateway's external interface. What is the best configuration for 10.10.10.x users to access the DMZ servers, using the DMZ servers' public IP addresses?
When the source is the internal network 10.10.10.x, configure manual static NAT rules to translate the DMZ servers.
An internal host initiates a session to the Google.com website and is set for Hide NAT behind the Security Gateway. The initiating traffic is an example of
A host on the Internet initiates traffic to the Static NAT IP of your Web server behind the Security Gateway. With the default settings in place for NAT, the initiating packet will translate the
destination on client side
A Web server behind the Security Gateway is set to Automatic Static NAT. Client side NAT is not checked in the Global Properties. A client on the Internet initiates a session to the Web Server. Assuming there is a rule allowing this traffic, what other configuration must be done to allow the traffic to reach the Web server?
A static route must be added on the Security Gateway to the internal host.
When translation occurs using automatic Hide NAT, what also happens?
The source port is modified.
The fw monitor utility is used to troubleshoot which of the following problems?
In SmartDashboard, Translate destination on client side is checked in Global Properties. When Network Address Translation is used:
It is not necessary to add a static route to the Gateway's routing table
Secure Internal Communications (SIC) is completely NAT-tolerant because it is based on
Static NAT connections, by default, translate on which firewall kernel inspection point?
You are MegaCorp's Security Administrator. There are various network objects which must be NATed. Some of them use the Automatic Hide NAT method, while others use the Automatic Static NAT method. What is the rule order if both methods are used together?
The Static NAT rules have priority over the Hide NAT rules and the NAT on a node has priority over the NAT on a network or an address range.
Automatic Static NAT CANNOT be used when:
NAT decision is based on the destination port. Both Source and Destination IPs have to be translated.
After filtering a fw monitor trace by port and IP, a packet is displayed three times; in the i, I, and o inspection points, but not in the O inspection point. Which is the likely source of the issue?
It is due to NAT.
Your internal network is configured to be 10.1.1.0/24. This network is behind your perimeter R77 Gateway, which connects to your ISP provider. How do you configure the Gateway to allow this network to go out to the Internet?
Use Hide NAT for network 10.1.1.0/24 behind the external IP address of your perimeter Gateway.
You enable Automatic Static NAT on an internal host node object with a private IP address of 10.10.10.5, which is NATed into 220.127.116.11. (You use the default settings in Global Properties / NAT.)
When you run fw monitor on the R77 Security Gateway and then start a new HTTP connection from host 10.10.10.5 to browse the Internet, at what point in the monitor output will you observe the HTTP SYN-ACK packet translated from 18.104.22.168 back into 10.10.10.5?
I=inbound kernel, after the virtual machine
You have configured Automatic Static NAT on an internal host-node object. You clear the box Translate destination on client side from Global Properties > NAT. Assuming all other NAT settings in Global Properties are selected, what else must be configured so that a host on the Internet can initiate an inbound connection to this host?
A static route, to ensure packets destined for the public NAT IP address will reach the Gateway's internal interface.