156-315-65 Check Point Security Administration NGX II R65

Page 1   
Question 1


You study the Advanced Properties exhibit carefully. What settings can you change
to reduce the encryption overhead and improve performance for your mesh VPN

  • A. Change the “Renegotiate IPsec security associations every 3600 seconds” to 7200
  • B. Check the box “Use aggressive mode”
  • C. Change the box “Use Perfect Forward Secrecy”
  • D. Change the setting “Use Diffie-Hellman group:” to “Group 5 (1536 bit)”

Answer : A

Question 2

Which operating system is NOT supported by VPN-1 SecureClient?

  • A. IPSO 3.9
  • B. Windows XP SP2
  • C. Windows 2000 Professional
  • D. RedHat Linux 8.0
  • E. MacOSX

Answer : A

Question 3

Regarding QoS guarantees and limits, which of the following statements is FALSE?

  • A. The guarantee of a sub-rule cannot be greater than the guarantee defined for the rule above it.
  • B. If a guarantee is defined in a sub-rule, a guarantee must be defined for the rule above it.
  • C. A rule guarantee must not be less than the sum defined in the guarantees' sub-rules.
  • D. If both a rule and per-connection limit are defined for a rule, the per-connection limit must not be greater than the rule limit.
  • E. If both a limit and guarantee per rule are defined in a QoS rule, the limit must be smaller than the guarantee.

Answer : E

Question 4

You configure a Check Point QoS Rule Base with two rules: an HTTP rule with a weight of
40, and the Default Rule with a weight of 10. If the only traffic passing through your QoS
Module is HTTP traffic, what percent of bandwidth will be allocated to the HTTP traffic?

  • A. 10%
  • B. 100%
  • C. 40%
  • D. 80%
  • E. 50%

Answer : B

Question 5

ABC.com has two sites using certificate-based VPN issued by the ICA. The two
sites, Tokyo and Paris, are configured using a simplified VPN policy. You are trying
to integrate a new office opening in New Delhi. You must enable all three sites to
connect via the VPN to each other. Three Security Gateways are managed by the
same SmartCenter Server behind the Paris Security Gateway.
After creating the Dubai Gateway object with the proper VPN domain, what must you

Answer :

Question 6

You have two Nokia Appliances: one IP530 and one IP380. Both Appliances have IPSO
3.9 and VPN-1 Pro NGX installed in a distributed deployment. Can they be members of a
gateway cluster?

  • A. No, because the Gateway versions must not be the same on both security gateways
  • B. Yes, as long as they have the same IPSO version and the same VPN-1 Pro version
  • C. No, because members of a security gateway cluster must be installed as stand-alone deployments
  • D. Yes, because both gateways are from Nokia, whether they have the same VPN-1 PRO version or not
  • E. No, because the appliances must be of the same model (Both should be IP530 or IP380.)

Answer : B

Question 7

Which of the following are supported with the office mode? Select all that apply.

  • A. SecureClient
  • B. L2TP
  • C. Transparent Mode
  • D. Gopher
  • E. SSL Network Extender

Answer : A,B,E

Question 8

What type of packet does a VPN-1 SecureClient send to its Policy Server, to report its
Secure Configuration Verification status?

  • A. ICMP Port Unreachable
  • B. TCP keep alive
  • C. IKE Key Exchange
  • D. ICMP Destination Unreachable
  • E. UDP keep alive

Answer : E

Question 9

What tools CANNOT be launched from SmartUpdate NGX R65?

  • A. cpinfo
  • B. SecurePlatform Web UI
  • C. Nokia Voyager
  • D. snapshot

Answer : D

Question 10

What is the command to upgrade a SecurePlatform NG with Application Intelligence (AI)
R55 SmartCenter Server to VPN-1 NGX using a CD?

  • A. cd patch add
  • B. fwm upgrade_tool
  • C. cppkg add
  • D. patch add
  • E. patch add cd

Answer : E

Question 11

You want to create an IKE VPN between two VPN-1 NGX Security Gateways, to protect
two networks. The network behind one Gateway is, and network is behind the peer's Gateway. Which type of address translation should you
use, to ensure the two networks access each other through the VPN tunnel?

  • A. Manual NAT
  • B. Static NAT
  • C. Hide NAT
  • D. None
  • E. Hide NAT

Answer : D

Question 12

The following is cphaprob state command output from a ClusterXL New mode High
Availability member. When member fails over and restarts, which member will
become active?

  • A.
  • B. 192.168.1 1
  • C. Both members' state will be standby
  • D. Both members' state will be active

Answer : B

Question 13

Which of the following can be said about numbered VPN Tunnel Interfaces (VTIs)?

  • A. VTIs are assigned only local addresses, not remote addresses
  • B. VTIs cannot share IP addresses
  • C. VTIs cannot use an already existing physical-interface IP address
  • D. VTIs are only supported on Nokia IPSO

Answer : A

Question 14

In a Load Sharing Unicast mode scenario, the internal-cluster IP address is The
internal interfaces on two members are and Internal host
Pings, and receives replies. The following is the ARP table from the internal
Windows host c:> arp According to the output, which member is the Pivot?

  • A.
  • B.
  • C.
  • D.

Answer : C

Question 15

If a SmartUpdate upgrade or distribution operation fails on SecurePlatform, how is the

  • A. SecurePlatform will reboot and automatically revert to the last snapshot version prior to upgrade.
  • B. The Administrator must remove the rpm packages manually, and reattempt the upgrade.
  • C. The Administrator can only revert to a previously created snapshot (if there is one) with the command cprinstall snapshot <object name> <filename>.
  • D. The Administrator must reinstall the last version via the command cprinstall revert <object name> <file name>.

Answer : A
