John is a Security Administrator of a Check Point platform. He has a mis-configuration issue that points to the Rule Base. To obtain information about the issue, John runs the command:
A. fw debug fw on and checks the file fwm.elg.
B. fw kdebug fwm on and checks the file fwm.elg.
C. fw debug fwm on and checks the file fwm.elg.
D. fw kdebug fwm on and checks the file fw.elg.
Your customer reports that the time on the standby cluster member is not correct. After failing over and making it active, the time is now correct. NTP has been configured on both machines, so it is expected that both machines be in sync with the NTP server. Upon investigating, it was found that the standby member was never able to communicate with the NTP server while it was in standby configuration. What could be the problem?
A. You should be syncing your backup to the primary for time settings.
B. NTP is not supported in active-passive mode.
C. Traffic from the standby member was hidden behind the cluster IP address and was therefore returning to the active member.
D. Routing prevents the standby member from performing functions such as peering with dynamic routing and obtaining NTP updates.
In the process of troubleshooting traffic issues across a VPN tunnel, you notice on the output of fw monitor -e host(172.21.1.10), accept; that packets are going through the inbound chain (i > I) and then disappearing after the outbound chain (o > __), while you were expecting to see the packet leave on O. What could be causing this issue?
A. When a packet is destined to leave through a VPN tunnel, it is encrypted and encapsulated in an ESP packet, and thus will not show up on a fw monitor.
B. It's not showing up on the fw monitor because it is exiting the wrong interface.
C. The packet is getting silently dropped because there is no route for the packet.
D. The gateway never completed the IKE and IPSec key exchange, and the tunnel does not exist yet.
In a ClusterXL cluster with delayed synchronization, which of the following is not true?
A. The length of time for the delay can be edited.
B. It applies only to TCP services whose Protocol Type is set to HTTP or None.
C. Delayed Synchronization is disabled if the Track option in the rule is set to Log or Account.
D. Delayed Synchronization is performed only for connections matching a SecureXL Connection Template.
The CoreXL software architecture includes the Secure Network Dispatcher (SND). One of the responsibilities of SND is to:
A. Distribute non-accelerated packets among kernel instances
B. Dispatch the packet securely through the VPN link
C. Process outgoing traffic from the network interfaces
D. Dispatch the packet securely through the physical link
You are at a customer site, and when you run cphaprob stat you are not seeing a normal ClusterXL health status. What command could you run to verify that the number of cores is not matched on both cluster members?
A. cpconfig
B. cphaprob -a if
C. fw ctl multik stat
D. cphaprob stat
In R77, under what circumstances would IPS bypass be enforced?
A. Single CoreXL fw instance usage over 'High' threshold, Average Memory over 'High' threshold
B. Single CoreXL fw instance usage over 'Low' threshold, Average Memory over 'High' threshold
C. Average CPU over 'High' threshold, Average Memory over 'Low' threshold
D. Average CPU over 'High' threshold, Average Memory over 'High' threshold
True or False: It is possible to operate a Security Gateway entirely with IPv6 addressing.
A. True: All IPv4 features are supported in IPv6.
B. True: Management can occur over IPv4 or IPv6, thus all gateways can have interfaces configured with valid IP addresses of either type.
C. False: There are many common IPv4 features that are not supported in IPv6.
D. False: Management only occurs over IPv4, thus all gateways are required to have interfaces configured with valid IPv4 addresses.
How do you enable IPv6 support on an R77 gateway running the GAiA OS?
A. IPv6 is enabled by default.
B. Under WebUI go to System Management > System Configuration, turn on IPv6 Support, click apply and reboot.
C. Enable the IPv6 Software Blade for the gateway in Smart Dashboard.
D. Run the IPv6 script $FWDIR/scripts/fwipv6_enable and reboot.
Why would you choose to combine dynamic routing protocols and VPNs?
A. All options listed.
B. In the case of one tunnel failure, other tunnels may be used to route the traffic.
C. Dynamic-routing information can propagate over the VPN, utilizing the VPN as just another point-to-point link in the network.
D. The VPN device can be automatically updated with network changes on any VPN peer Gateway without the need to update the VPN Domain's configuration.