Q1. - (Topic 2) 

You are responsible for the configuration of MegaCorp's Check Point Firewall. You need to allow two NAT rules to match a connection. Is it possible? Give the BEST answer. 

A. Yes, it is possible to have two NAT rules which match a connection, but only when using Automatic NAT (bidirectional NAT). 

B. Yes, it is possible to have two NAT rules which match a connection, but only in using Manual NAT (bidirectional NAT). 

C. Yes, there are always as many active NAT rules as there are connections. 

D. No, it is not possible to have more than one NAT rule matching a connection. When the firewall receives a packet belonging to a connection, it compares it against the first rule in the Rule Base, then the second rule, and so on. When it finds a rule that matches, it stops checking and applies that rule. 

View Answer

Q2. - (Topic 2) 

Looking at the SYN packets in the Wireshark output, 

select the statement that is true about NAT. 

A. This is an example of Hide NAT. 

B. This is an example of Static NAT and Translate destination on client side unchecked in Global Properties. 

C. There is not enough information provided in the Wireshark capture to determine the NAT settings. 

D. This is an example of Static NAT and Translate destination on client side checked in Global Properties. 

View Answer

Q3. - (Topic 3) 

Which rule is responsible for the client authentication failure? Exhibit: 

A. Rule 4 

B. Rule 6 

C. Rule 3 

D. Rule 5 

View Answer

Q4. - (Topic 2) 

Installing a policy usually has no impact on currently existing connections. Which statement is TRUE? 

A. All connections are reset, so a policy install is recommended during announced downtime only. 

B. Users being authenticated by Client Authentication have to re-authenticate. 

C. Site-to-Site VPNs need to re-authenticate, so Phase 1 is passed again after installing the Security Policy. 

D. All FTP downloads are reset; users have to start their downloads again. 

View Answer

Q5. - (Topic 1) 

A digital signature: 

A. Provides a secure key exchange mechanism over the Internet. 

B. Automatically exchanges shared keys. 

C. Guarantees the authenticity and integrity of a message. 

D. Decrypts data to its original form. 

View Answer

Q6. - (Topic 2) 

Which SmartConsole tool would you use to see the last policy pushed in the audit log? 

A. SmartView Tracker 

B. SmartView Status 

C. None, SmartConsole applications only communicate with the Security Management Server. 

D. SmartView Server 

View Answer

Q7. - (Topic 3) 

What type of traffic can be re-directed to the Captive Portal? 

A. FTP B. All of the above 

C. SMTP 

D. HTTP 

View Answer

Q8. - (Topic 3) 

Which of the following statements BEST describes Check Point’s Hide Network Address Translation method? 

A. Translates many destination IP addresses into one destination IP address 

B. One-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation 

C. Translates many source IP addresses into one source IP address 

D. Many-to-one NAT which implements PAT (Port Address Translation) for accomplishing both Source and Destination IP address translation 

View Answer

Q9. - (Topic 2) 

You are MegaCorp's Security Administrator. There are various network objects which must be NATed. Some of them use the Automatic Hide NAT method, while others use the Automatic Static NAT method. What is the rule order if both methods are used together? Give the best answer. 

A. The Administrator decides the rule order by shifting the corresponding rules up and down. 

B. The Hide NAT rules have priority over the Static NAT rules and the NAT on a node has priority over the NAT on a network or an address range. 

C. The Static NAT rules have priority over the Hide NAT rules and the NAT on a node has priority over the NAT on a network or an address range. 

D. The rule position depends on the time of their creation. The rules created first are placed at the top; rules created later are placed successively below the others. 

View Answer

Q10. - (Topic 3) 

Sally has a Hot Fix Accumulator (HFA) she wants to install on her Security Gateway which operates with GAiA, but she cannot SCP the HFA to the system. She can SSH into the Security Gateway, but she has never been able to SCP files to it. What would be the most likely reason she cannot do so? 

A. She needs to edit /etc/scpusers and add the Standard Mode account. 

B. She needs to run sysconfig and restart the SSH process. 

C. She needs to run cpconfig to enable the ability to SCP files. 

D. She needs to edit /etc/SSHd/SSHd_config and add the Standard Mode account. 

View Answer