156-210 Check Point NG with Application Intelligence - Management I

Question 1

Implicit rules do NOT allow what types of VPN-1/FireWall-1 Control Connections by

  • A. Outgoing traffic, originating from the gateway
  • B. RIP for routing configuration
  • C. IKE and RDP-traffic, for communication and encryption
  • D. VPN-1/Firewall-1 specific traffic, such as logging, management, and key exchange

Answer : B

Question 2

NAT can NOT be configured on which of the objects?

  • A. Hosts
  • B. Gateways
  • C. Networks
  • D. Users
  • E. Routers

Answer : D

Explanation: You cannot configure NAT on a user because a user has nothing for NAT to translate. Users do not have network addresses of their own, and network addresses are exactly what NAT translates. Users are not identified by addresses; hosts are.

Incorrect Answers:
A: You can configure NAT on hosts. A host is any device with an IP address, and if the device has an IP address you can use NAT.
B: Gateways are a type of host, so they have an address inside the network; NAT is possible.
C: You can configure NAT on a network. You can summarize a group of hosts behind a network address to create the NAT rules in your security policy.
E: Routers are also a type of host, so they have an address inside the network; NAT is possible.

Question 3

What happens to the current log file when you create a new log file?

  • A. New Log file cannot be created when current file is opened.
  • B. The current file is appended to the new file.
  • C. The current Log file is opened in addition to the new Log file.
  • D. The current Log file is closed and written to disk with a name that contains the current date and time, as only one Log file can be opened in the Log Viewer at a time.
  • E. The current file is lost.

Answer : D

Question 4

What is not a feature of the SVN Foundation?
✑ Watch dog for critical services
✑ Cpstart/CPstop
✑ Check Point Registry

Answer : D

Explanation: CPMAD is a log analyzer for Check Point; it compares the logs with the rules defined for alerting. It is not part of the SVN Foundation package. See Page 1.19 of the official CCSA NG Courseware - Management I.

Incorrect Answers:
A: This is part of SVN Foundation. See Page 1.19 of the official CCSA NG Courseware - Management I.
B: This is part of SVN Foundation. See Page 1.19 of the official CCSA NG Courseware - Management I.
D: This is part of SVN Foundation. See Page 1.19 of the official CCSA NG Courseware - Management I.

Question 5

When configuring Anti-Spoofing for VPN-1/FireWall-1 NG on the firewall interfaces,
all of the following are valid address choices except:

  • A. Network defined by Interface IP and Net Mask.
  • B. Not Defined.
  • C. Security Policy Installed.
  • D. Specific
  • E. None of the above.

Answer : C

Explanation: When you configure anti-spoofing on a Check Point gateway, you have the following 3 options: "Not Defined", which disables anti-spoofing; "Network Defined by the Interface and Net Mask", which calculates the topology based on your current network; and "Specific", where you can specify a range of addresses or a group of networks. "Security Policy Installed" is not a valid option.

Incorrect Answers:
A: This is one of the 3 options provided in the properties of the firewall module.
B: Yes, you could have it disabled. This is also one of the 3 options provided in the properties of the firewall module.
D: This is one of the 3 options provided in the properties of the firewall module. It is defined by you.
E: Option C is incorrect, so this answer is wrong.

Question 6

If the security policy editor or system status GUI is open, you can open the log
viewer GUI from the window menu.

  • A. True
  • B. False

Answer : A

Explanation: When you are in the policy editor or the system status GUI, you can click on the Window menu and go to the log viewer or other GUIs. When you call the GUIs this way you do not have to re-authenticate; you use your current security credentials.

Incorrect Answers:
B: This answer is incorrect because you can call the log viewer through the Window menu in the policy editor or the system status GUI.

Question 7

For most installations, the Clean-Up rule should be the last rule in Rule Base.

  • A. True
  • B. False

Answer : A

Explanation: This is an absolute truth for Check Point firewall implementations. Since the cleanup rule drops all the traffic without any logging, it should always be the last entry in the rule base, because any packet that gets through or to the firewall is dropped at the inspection engine before getting to the Network layer of the OSI model.

Incorrect Answers:
B: This is one of the basics: the cleanup rule should always be the last rule in the rule base of the installed policy.

Question 8

Your organization's internal programming team developed a proprietary application
for accessing the time-management system. The application uses a custom-
designed protocol. As the Security Administrator, you must control user access to
the time-management system.
Which is the BEST authentication method for this scenario?
✑ NG with Application Intelligence authentication methods can only be applied to protocols included in the standard, pre-defined suite.
✑ Implicit User Authentication
✑ User Authentication
✑ Session Authentication

Answer : Pending

Question 9

Which of the following is TRUE, if you change the inspection order of implied rules?
✑ You must stop and start the Enforcement Module, before the changes can take
✑ After the Security Policy is installed, the order in which rules are enforced
✑ You cannot change the inspection order of implied rules.
✑ You must stop and start the SmartCenter Server, before the changes can take
✑ Security Policy installation will fail.

Answer : Pending

Question 10

Which of the following denial-of-service attacks does SmartDefense defeat? (Choose
✑ Ping of Death
✑ Rogue Applets
✑ Teardrop
✑ Host System Hogging

Answer : Pending

Question 11

In the figure below, Localnet is an internal network with private addresses. A
corresponding set of public addresses is available as follows:
Public IP addresses / Private IP addresses
The private addresses are translated to public addresses by specifying address
translation in the NAT tab of Localnet's network properties window. Source
addresses for the outbound packets from hosts in Localnet will be translated to as shown in the figure below.

  • A. True
  • B. False

Answer : B

Explanation: As the exhibit shows, this statement is wrong: when the packet comes back with a reply from the Internet to the gateway, the source address should be the address of the Internet server, not the translated public address from the Check Point firewall making the translation.

Incorrect Answers:
A: The exhibit cannot be true, because a reply cannot carry in its source field the same IP address that you used to make the request when you left your gateway in your local network.

Question 12

You are importing product data from modules, during a VPN-1/FireWall-1 Enforcement
Module upgrade. Which of the following statements are true? Choose two.

  • A. Upgrading a single Enforcement Module is recommended by Check Point, since there is no chance of mismatch between installed product versions.
  • B. SmartUpdate queries license information, from the SmartConsole running locally on the Enforcement Module.
  • C. SmartUpdate queries the SmartCenter Server and Enforcement Module for product information.
  • D. SmartDashboard and all SmartConsoles must be open during input, otherwise the product-data retrieval process will fail.

Answer : A,C

Question 13

You are a Security Administrator preparing to deploy a new hot-fix to ten Enforcement
Modules at five geographically separated locations. What is the BEST method to
implement this hot-fix?

  • A. Use SmartView installer to deploy the hot-fix to each Enforcement Module.
  • B. Send a CDROM with the hot-fix to each location, and have local personnel install it.
  • C. Send a Certified Security Engineer to each site to perform the update.
  • D. Use SmartInstaller to install the packages to each of the Enforcement Modules remotely.
  • E. Use SmartUpdate to install the packages to each of the Enforcement Modules remotely.

Answer : E

Question 14

Which authentication method could be used for SIP services? (Choose two)
✑ Client Authentication
✑ No authentication can be used for SIP
✑ VoIP Authentication
✑ Session Authentication
✑ User Authentication

Answer : Pending

Question 15

When defining objects, why should you NOT change the name or IP address of the
system-created SmartCenter Server objects? Choose two.

  • A. Changes the certificate of the system-created object
  • B. Causes a fault-tolerance error on the VPN-1/Firewall-1 Enforcement Module
  • C. Interferes with Security Policy Installation
  • D. Does not change the object name in the Rule Base.
  • E. Negatively affects the Internal Certificate Authority.

Answer : A,E
