Check Point Security Administration NGX II (156-315.1) (156-315) Free Practice Test

Question 1

The following rule contains an FTP resource object in the Service field:
Source: local_net
Destination: Any
Service: FTP-resource object
Action: Accept
How do you define the FTP Resource Properties > Match tab to prevent internal users from sending corporate files to external FTP servers, while allowing users to retrieve files?

A. Enable the "Get" method on the match tab.

B. Disable "Get" and "Put" methods on the Match tab.

C. Disable the "Put" method globally.

D. Enable the "Put" method only on the match tab.

E. Enable the "Put" and "Get" methods.

Correct Answer: A

Question 2

Robert has configured a Common Internet File System (CIFS) resource to allow access to the public partition of his company's file server, on \\erisco\goldenapple\files\public. Robert receives reports that users are unable to access the shared partition, unless they use the file server's IP address. Which of the following is a possible cause?

A. Access violations are not logged.

B. Null CIFS sessions are blocked.

C. The CIFS resource is not configured to use Windows name resolution.

D. Remote registry access is blocked.

E. Mapped shares do not allow administrative locks.

Correct Answer: C

Question 3

Which OPSEC server is used to prevent users from accessing certain Web sites?

A. UFP

B. URI

C. CVP

D. AMON

E. LEA

Correct Answer: A

Question 4

Cody is notified by blacklist.org that his site has been reported as a spam relay, due to his SMTP Server being unprotected. Cody decides to implement an SMTP Security Server, to prevent the server from being a spam relay. Which of the following is the most efficient configuration method?

A. Configure the SMTP Security Server to apply a generic "from" address to all outgoing mail.

B. Configure the SMTP Security Server to perform MX resolving.

C. Configure the SMTP Security Server to allow only mail to or from names, within Cody's corporate domain.

D. Configure the SMTP Security Server to work with an OPSEC based product, for content checking.

E. Configure the SMTP Security Server to perform filtering, based on IP address and SMTP protocols.

Correct Answer: C

Question 5

Which of the following actions is most likely to improve the performance of Check Point QoS?

A. Install Check Point QoS only on the external interfaces of the QoS Module.

B. Put the most frequently used rules at the bottom of the QoS Rule Base.

C. Define weights in the Default Rule in multiples of 10.

D. Turn "per rule guarantees" into "per connection guarantees".

E. Turn "per rule limits" into "per connection limits".

Correct Answer: A

Question 6

Jacob is using a mesh VPN Community to create a site-to-site VPN. The VPN properties in this mesh Community display in this graphic:Which of the following statements is TRUE?

A. Jacob must change the data-integrity settings for this VPN Community. MD5 is incompatible with AES.

B. If Jacob changes the setting "Perform IPSec data encryption with" from "AES-128" to
"3DES", he will increase the encryption overhead.

C. If Jacob changes the setting, "Perform key exchange encryption with" from "3DES" to
"DES", he will enhance the VPN Community's security and reduce encryption overhead.

D. Jacob's VPN Community will perform IKE Phase 1 key-exchange encryption, using the longest key VPN-1 NGX supports.

Correct Answer: B

Question 7

You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use three machines with the following configurations:Are these machines correctly configured for a ClusterXL deployment?

A. No, QuadCards are not supported with ClusterXL.

B. No, ClusterXL is not supported on Red Hat Linux.

C. Yes, these machines are configured correctly for a ClusterXL deployment.

D. No, a cluster must have an even number of machines.

E. No, all machines in a cluster must be running on the same OS.

Correct Answer: E

Question 8

You configure a Check Point QoS Rule Base with two rules: an H.323 rule with a weight of
10, and the Default Rule with a weight of 10. The H.323 rule includes a per-connection guarantee of 384 Kbps, and a per-connection limit of 512 Kbps. The per-connection guarantee is for four connections, and no additional connections are allowed in the Action properties. If traffic passing through the QoS Module matches both rules, which of the following statements is true?

A. 50% of available bandwidth will be allocated to the H.323 rule.

B. Neither rule will be allocated more than 10% of available bandwidth.

C. Each H.323 connection will receive at least 512 Kbps of bandwidth.

D. 50% of available bandwidth will be allocated to the Default Rule.

E. The H.323 rule will consume no more than 2048 Kbps of available bandwidth.

Correct Answer: E

Question 9

In a distributed VPN-1 Pro NGX environment, where is the Internal Certificate Authority (ICA) installed?

A. Certificate Manager Server

B. On the primary SmartCenter Server

C. On the Policy Server

D. On the Security Gateway

E. On the Smart View Monitor

Correct Answer: B

Question 10

How can you prevent delay-sensitive applications, such as video and voice traffic, from being dropped due to long queues when using a Check Point QoS solution?

A. guaranteed per VoIP rule

B. DiffServ rule

C. guaranteed per connection

D. Weighted Fair Queuing

E. Low latency class

Correct Answer: E

Question 11

If you check the box "Use Aggressive Mode", in the IKE Properties dialog box:

A. The standard three-packet IKE Phase 2 exchange is replaced by a six-packet exchange.

B. The standard six-packet IKE Phase 1 exchange is replaced by a twelve-packet exchange.

C. The standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange.

D. The standard three-packet IKE Phase 1 exchange is replaced by a six-packet exchange.

E. The standard six-packet IKE Phase 2 exchange is replaced by a three-packet exchange.

Correct Answer: C

Question 12

How can you completely tear down a specific VPN tunnel in an intranet IKE VPN deployment?

A. Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec SAs for ALL peers and users".

B. Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec SAs for a given user (Client)".

C. Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec+IKE SAs for ALL peers and users".

D. Run the command vpn tu on the SmartCenter Server, and choose the option "Delete all IPSec+IKE SAs for ALL peers and users".

E. Run the command vpn tu on the Security Gateway, and choose the option "Delete all IPSec+IKE SAs for a given peer (GW)".

Correct Answer: E

Question 13

You want only RAS signals to pass through H.323 Gatekeeper and other H.323 protocols, passing directly between end points. Which routing mode in the VoIP Domain Gatekeeper do you select?

A. Call Setup

B. Call Setup and Call Control

C. Direct and Call Setup

D. Direct

Correct Answer: D

Question 14

Your company has two headquarters, one in London, one in New York. Each headquarters includes several branch offices. The branch offices only need to communicate with the headquarters in their country, not with each other, and only the headquarters need to communicate directly. What is the BEST configuration for VPN Communities among the branch offices and their headquarters, and between the two headquarters? VPN Communities comprised of:

A. two mesh Communities, one for each headquarters and their branch offices; and one star Community, where New York is the center of the Community and London is the satellite.

B. three mesh Communities: one for London headquarters and its branches, one for New York headquarters and its branches, and one for London and New York headquarters.

C. two star and one mesh Community; each star Community is set up for each site, with headquarters as the center of the Community, and branches as satellites. The mesh Communities are between the New York and London headquarters.

D. two mesh Communities, one for each headquarters and their branch offices; and one star Community, in which London is the center of the Community and New York is the satellite.

Correct Answer: C

Question 15

You want to block corporate-internal-net and localnet from accessing Web sites containing inappropriate content. You are using WebTrends for URL filtering. You have disabled VPN-
1 Control connections in the Global properties. Review the diagram and the Security Policies for GW_A and GW_B in the exhibit provided.
Corporate users and localnet users receive message "Web cannot be displayed". In SmartView Tracker, you see the connections are dropped with message "content security is not reachable". What is the problem, and how do you fix it?

A. The connection from GW_A to the WebTrends server is not allowed in the Policy.
Fix: Add a rule in GW_A's Policy to allow source GW_A, destination WebTrends server, service TCP port 18182, and action accept.

B. The connection from GW_A to the WebTrends server is not allowed in the Policy.
Fix: Add a rule in GW_B's Policy with source WebTrends server, destination GW_A, service TCP port 18182, and action accept.

C. The connection from GW_B to the WebTrend server is not allowed in the Policy.
Fix: Add a rule in GW_B's Policy with Source GW_B, destination WebTrends server, service TCP port 18182, and action accept.

D. The connection from GW_A to the WebTrends server is not allowed in the Policy.
Fix: Add a rule in GW_B's Policy with source GW_A, destination: WebTrends server, service TCP port 18182, and action accept.

E. The connection from GW_B to the internal WebTrends server is not allowed in the Policy.
Fix: Add a rule in GW_A's Policy to allow source WebTrends Server, destination GW_B, service TCP port 18182, and action accept.

Correct Answer: A

Welcome to TestSimulate

CheckPoint Check Point Security Administration NGX II (156-315.1) (156-315) Free Practice Test