CheckPoint Checkpoint Certifications 156-915.77 Questions & Answers

• Question 181:

  How do you recover communications between your Security Management Server and Security Gateway if you lock yourself out through a rule or policy mis-configuration?

  A. fw unload policy

  B. fw unloadlocal

  C. fw delete all.all@localhost

  D. fwm unloadlocal

  Correct Answer: B

• Question 182:

  Which of the following tools is used to generate a Security Gateway R77 configuration report?

  A. fw cpinfo

  B. infoCP

  C. cpinfo

  D. infoview

  Correct Answer: C

• Question 183:

  You are the Security Administrator for MegaCorp. A Check Point firewall is installed and in use on a platform using GAiA. You have trouble configuring the speed and duplex settings of your Ethernet interfaces. Which of the following commands can be used in CLISH to configure the speed and duplex settings of an Ethernet interface and will survive a reboot? Give the BEST answer.

  A. ethtool

  B. set interface

  C. mii_tool

  D. ifconfig -a

  Correct Answer: B

• Question 184:

  How can you check whether IP forwarding is enabled on an IP Security Appliance?

  A. clish -c show routing active enable

  B. cat /proc/sys/net/ipv4/ip_forward

  C. echo 1 > /proc/sys/net/ipv4/ip_forward

  D. ipsofwd list

  Correct Answer: D

• Question 185:

  Which command allows you to view the contents of an R77 table?

  A. fw tab -a

  B. fw tab -t

  C. fw tab -s

  D. fw tab -x

  Correct Answer: B

• Question 186:

  You enable Automatic Static NAT on an internal host node object with a private IP address of 10.10.10.5, which is NATed into 216.216.216.5. (You use the default settings in Global Properties / NAT.)

  When you run fw monitor on the R77 Security Gateway and then start a new HTTP connection from host

  10.10.10.5 to browse the Internet, at what point in the monitor output will you observe the HTTP SYN-ACK packet translated from 216.216.216.5 back into 10.10.10.5?

  A. o=outbound kernel, before the virtual machine

  B. I=inbound kernel, after the virtual machine

  C. O=outbound kernel, after the virtual machine

  D. i=inbound kernel, before the virtual machine

  Correct Answer: B

• Question 187:

  You are MegaCorp's Security Administrator. There are various network objects which must be NATed. Some of them use the Automatic Hide NAT method, while others use the Automatic Static NAT method. What is the rule order if both methods are used together? Give the BEST answer.

  A. The Administrator decides the rule order by shifting the corresponding rules up and down.

  B. The Static NAT rules have priority over the Hide NAT rules and the NAT on a node has priority over the NAT on a network or an address range.

  C. The Hide NAT rules have priority over the Static NAT rules and the NAT on a node has priority over the NAT on a network or an address range.

  D. The rule position depends on the time of their creation. The rules created first are placed at the top; rules created later are placed successively below the others.

  Correct Answer: B

• Question 188:

  Which Check Point address translation method allows an administrator to use fewer ISP- assigned IP addresses than the number of internal hosts requiring Internet connectivity?

  A. Hide

  B. Static Destination

  C. Static Source

  D. Dynamic Destination

  Correct Answer: A

• Question 189:

  You have three servers located in a DMZ, using private IP addresses. You want internal users from

  10.10.10.x to access the DMZ servers by public IP addresses. Internal_net 10.10.10.x is configured for Hide NAT behind the Security Gateway's external interface.

  

  What is the best configuration for 10.10.10.x users to access the DMZ servers, using the DMZ servers' public IP addresses?

  A. When connecting to internal network 10.10.10.x, configure Hide NAT for the DMZ network behind the Security Gateway DMZ interface.

  B. When the source is the internal network 10.10.10.x, configure manual static NAT rules to translate the DMZ servers.

  C. When connecting to the Internet, configure manual Static NAT rules to translate the DMZ servers.

  D. When trying to access DMZ servers, configure Hide NAT for 10.10.10.x behind the DMZ's interface.

  Correct Answer: B

• Question 190:

  You want to implement Static Destination NAT in order to provide external, Internet users access to an internal Web Server that has a reserved (RFC 1918) IP address. You have an unused valid IP address on the network between your Security Gateway and ISP router. You control the router that sits between the firewall external interface and the Internet.

  What is an alternative configuration if proxy ARP cannot be used on your Security Gateway?

  A. Publish a proxy ARP entry on the ISP router instead of the firewall for the valid IP address.

  B. Place a static ARP entry on the ISP router for the valid IP address to the firewall's external address.

  C. Publish a proxy ARP entry on the internal Web server instead of the firewall for the valid IP address.

  D. Place a static host route on the firewall for the valid IP address to the internal Web server.

  Correct Answer: B