Question 1. In most cases, when you are building the Rule Base you should place the Stealth Rule above all other rules except:
A. Clean-up rules.
B. Implicit rules.
C. Client Authentication rules.
D. Pseudo rules.
E. Default rules.
Answer: C
Explanation: You cannot place the Stealth Rule above the Client Authentication rule, because the Stealth Rule denies any connection to the firewall itself. When users try to authenticate with Telnet or HTTP, as they must for Client Authentication, they cannot reach the firewall because the Stealth Rule is blocking all such connections.
Incorrect Answers:
A: The Stealth Rule should always be above the Clean-up Rule; the Clean-up Rule should be the last explicit rule in the Rule Base.
B: Implicit rules are not visible in the Rule Base; they are always at the very beginning or the very end of the Rule Base, and they are configured in the Global Properties.
D: Pseudo rules can be below the Stealth Rule.
E: There is no such thing as "default rules".

Question 2. What is the command for installing a Security Policy from a *.W file?
A. fw gen and then the name of the .W file.
B. fw load and then the name of the .W file.
C. fw regen and then the name of the .W file.
D. fw reload and then the directory location of the .W file.
E. fw import and then the name of the .W file.
Answer: B
Explanation: The .W file contains the information displayed graphically in the GUI regarding the Rule Base; it is written when the policy is saved or installed, and it is editable with a text editor. The command "fw load" converts the .W file into a *.pf file and compiles it into INSPECT code for policy installation on the enforcement module.
Incorrect Answers:
A: This command is not valid for working with .W files or for installing security policies from them.
C: This command is not valid for working with .W files or for installing security policies from them.
D: This command is not valid for working with .W files or for installing security policies from them.
E: This command is not valid for working with .W files or for installing security policies from them.

Question 3. In the Check Point Configuration Tool, you create a GUI administrator with Read Only privileges. This gives the FireWall-1 administrator on the authorized GUI client (GUI workstation) privileges to change network objects and to create and install rules.
A. True
B. False
Answer: B
Explanation: As the name implies, a "Read Only" administrator can do just that: read information. It cannot perform tasks that require write privileges, such as creating rules or changing the properties of network objects. You can find the definition in the official CCSA courseware (VPN-1/FW-1 Management I NG FP-1).
Incorrect Answers:
A: You cannot modify or create objects or policies with "Read Only" privileges.

Question 4. Hybrid Authentication allows VPN-1/FireWall-1 NG to authenticate SecuRemote/SecureClient using which of the following?
A. RADIUS
B. 3DES
C. TACACS
D. Any authentication method supported by VPN-1/FireWall-1.
E. Both A and C.
Answer: D
Explanation: "Hybrid Authentication for IKE" is just that: it allows you to use the existing authentication servers supported by VPN-1/FW-1 as the shared secret for IKE. This has been supported since FW-1 4.1 SP1 and SecuRemote 4153. See page 382 of "Essential Check Point FireWall-1" by Dameon Welch.
Incorrect Answers:
A: This is not the most complete answer; the most complete answer is D.
B: This is not a kind of authentication server; it is an encryption algorithm.
C: This is not the most complete answer; the most complete answer is D.
E: This is not the most complete answer; the most complete answer is D.

Question 5. In order to install a new Security Policy on a remote firewall, what command must be issued on the remote firewall?
A. fw unload all all.
B. fw load new.
C. cp clear policy.
D. None of the above; the command cp policy remove is issued from the manager.
E. None of the above; the new policy will automatically overwrite the existing policy.
Answer: E
Explanation: To install a new policy on an enforcement module you do not have to issue any command on it. You just select the Install option in the Policy Editor, and the management station pushes the new policy as INSPECT code, overwriting the policy currently being enforced at the remote firewall module.
Incorrect Answers:
A: You do not need to unload the current policy to make a new one effective.
B: The policy is pushed from the management station transparently on installation; you do not need to issue any additional command at the remote module.
C: You do not need to issue any command.
D: You do not need to use any "cp" command; the overwriting is automatic.

Question 6. As a firewall administrator, if you want to log packets dropped by the "implicit drop anything not covered" rule, you must explicitly define a Clean-up Rule. This must be the last rule in the Rule Base.
A. True
B. False
Answer: A
Explanation: The Clean-up Rule should always be the last rule in the Rule Base, because it drops (and logs, depending on the action you configure) all remaining traffic; it will always match any traffic that reaches it.
Incorrect Answers:
B: It should be the last rule; see the explanation for details.

Question 7. Fully Automatic Client Authentication provides authentication for all protocols, whether or not authentication is supported by those protocols.
A. True
B. False
Answer: A
Explanation: When Client Authentication is configured with the Fully Automatic sign-on setting, you can authenticate all protocols; it does not matter whether the protocol itself supports authentication. See the Client Authentication features in the Check Point SecureKnowledge base for more information.
Incorrect Answers:
B: You can authenticate all protocols whether or not they support authentication; remember, this is Client Authentication.

Question 8. VPN-1/FireWall-1 NG differs from packet filtering and application layer gateways because:
A. VPN-1/FireWall-1 NG provides only minimal logging and alerting mechanisms.
B. VPN-1/FireWall-1 NG uses Stateful Inspection, which allows packets to be examined at the top layers of the OSI model.
C. VPN-1/FireWall-1 NG has access to a limited part of the packet header only.
D. VPN-1/FireWall-1 NG requires a connection from the client to the firewall and from the firewall to the server.
E. VPN-1/FireWall-1 NG has access to packets passing through key locations in a network.
Answer: B
Explanation: This is the main difference between the listed firewall technologies: Stateful Inspection. With it, we can see the packet before it goes to Layer 3 of the OSI model (the Network Layer, i.e. the OS TCP/IP protocol stack); this technology has the most access to the TCP/IP packet, including the top layers.
Incorrect Answers:
A: This is configurable and is not a difference between the listed firewall technologies.
C: VPN-1/FireWall-1 has full access to the packet headers.
D: This is not a difference.
E: All firewall technologies have access to the network; you define what your key locations are inside it and then place the firewall so that the traffic at those "key locations" passes through it.

Question 9. To completely set up Static NAT, you ONLY have to select Add Automatic Address Translation rules on the NAT tab and specify a public NAT IP address.
A. True
B. False
Answer: B
Explanation: This is false because we also have to create a workstation object to represent the public IP that the internal machine is going to use in the translation process.
Incorrect Answers:
A: This is wrong because you have to define the public address for translation as an additional step. See the book "Check Point NG Administration" from Syngress, page 236.

Question 10. If you configure the Minutes interval for a firewall in the User Authentication session timeout box, as shown below on the Authentication tab of the Workstation Properties window, users of one-time passwords must re-authenticate for each request during this time period.
A. True
B. False
Answer: B
Explanation: It is the opposite: the time specified in the session timeout box tells the firewall how long users with one-time passwords can make requests without re-authenticating to the firewall.
Incorrect Answers:
A: The session timeout specifies how much time must pass before the firewall asks users of one-time passwords to re-authenticate during their requests.

Question 11. What does a status of Untrusted tell you?
A. A VPN-1/FireWall-1 NG firewall module has been compromised.
B. A gateway cannot be reached.
C. A module is installed and responding to status checks, but the status is problematic.
D. A gateway is connected, but the management module is not the master of the module installed on the gateway.
E. None of the above.
Answer: D
Explanation: When you see a status of "Untrusted" it means that the management module and the firewall module have been able to communicate, but the management server is not the master of the enforcement module; the module is outside its control.
Incorrect Answers:
A: Untrusted does not mean "compromised"; it just tells you that the management server is not the master of the firewall object.
B: This is wrong because in this status the gateway is reached; it is only that the management server is not the master of that gateway module.
C: The Untrusted status is not related to the system status; it is related to policy and management.
E: This is wrong because answer D is correct.

Question 12. Omanan Enterprises has the premier reclamation system for scrap aluminum in the western hemisphere. Their phenomenal growth over the last 10 years has led to the decision to establish a presence on the Internet for their customers. To that end, Omanan Enterprises' network administrator, Jason, has acquired a web server, an email server and 14 IP addresses from their ISP. Jason also purchased a Check Point VPN-1/FireWall-1 stand-alone gateway module with three interfaces to protect Omanan Enterprises' corporate data; their ISP will be providing DNS services. The web server and email server must have static routable IP addresses. The eight-member executive council of Omanan Enterprises would like to have routable IP addresses also, so that they can video-conference with the company's suppliers. Omanan Enterprises' remaining 200 employees would like to have access to the Internet, and the executive council believes that granting them access might improve company morale.
Jason installs and configures the Check Point VPN-1/FireWall-1 stand-alone gateway module at the perimeter of Omanan Enterprises' corporate LAN. He uses the third NIC in the stand-alone firewall gateway module to create a DMZ. Jason installs the web server and the email server on the DMZ. He creates rules and objects on the Check Point VPN-1/FireWall-1 stand-alone gateway module to allow HTTP, POP3 and SMTP from the Internet to the DMZ. He creates objects to represent the web and email servers and configures them for Static NAT. Jason reconfigures his DHCP server so that each member of the executive council has a reserved IP address. He then uses those reservations to create statically NATed objects on the Check Point VPN-1/FireWall-1 stand-alone gateway module. Jason creates another object that represents the internal network and configures this object for Dynamic NAT. He adds a rule allowing HTTP traffic from the internal network to any destination. Jason creates an additional rule to allow POP3 and SMTP traffic between the internal network and the DMZ.
Choose the one phrase below that best describes Jason's proposal.
A. The proposed solution meets the required objectives and none of the desired objectives.
B. The proposed solution meets the required objectives and only one of the desired objectives.
C. The proposed solution meets the required objectives and all desired objectives.
D. The proposed solution does not meet the required objective.
Answer: C
Explanation: All the objectives are met: the mail and web servers have routable addresses through Static NAT, giving them full connectivity from the inside and the outside; the 8 executives get video conferencing through static DHCP mappings combined with Static NAT (they can make requests to the Internet and receive incoming connections); and the rest of the employees get Internet access over HTTP and access to email through Dynamic NAT, because they do not need to receive initial connections from the Internet.
Incorrect Answers:
A: All the objectives are met; see the explanation above.
B: All the objectives are met; see the explanation above.
D: All the objectives are met; see the explanation above.

Question 13. Anna is a security administrator setting up User Authentication for the first time. She has correctly configured her authentication rule, but authentication still does not work. What is the Check Point recommended way to troubleshoot this issue?
A. Verify the properties of the user attempting authentication and the authentication method selected in the Authentication properties of your firewall object.
B. Verify the firewall settings of your firewall object, and the properties for the user attempting encryption and authentication.
C. Verify the properties for the user attempting authentication and make sure that the file Stealth Authentication method is selected in the Authentication properties of both the peer gateway object and your firewall object.
D. Verify both Client and User Authentication, and the authentication method selected in the Authentication properties of your firewall object.
E. Re-import the schema from the VPN-1/FireWall-1 NG installation CD.
Answer: A
Explanation: This is the best practice: you have to check both the properties of the user, to see that the correct authentication scheme has been selected and the settings are correct, and the Authentication properties of the firewall object, to see whether that authentication method is enabled.
Incorrect Answers:
B: We are not talking about encryption, only authentication; the question does not mention a user encrypting traffic through any rule.
C: This is wrong because this option is not mandatory for a successful authentication process.
D: You do not have to check Client Authentication; the question clearly talks only about User Authentication.
E: This is not an available option for this issue.

Question 14. When you select the Alert radio button on the Topology tab of the Interface Properties window:
A. The action specified in the Action element of the Rule Base is taken.
B. The action specified in the Anti-Spoofing Alert field in the Global Properties window is taken.
C. The action specified in the Pop-up Alert Command in the Global Properties window is taken.
D. Both A and B.
E. Both B and C.
Answer: E
Explanation: When you select the Alert button in the interface properties on the Topology tab, two main things happen: the action specified in the Anti-Spoofing Alert field in the Global Properties is executed, and the action of the Pop-up Alert Command in the Global Properties is executed too. These actions are configured from the Policy Editor in the Global Properties of the Check Point infrastructure.
Incorrect Answers:
A: This is wrong; the action taken is the one in the Anti-Spoofing Alert field in the Global Properties window, not the one in the Action field of the Rule Base.
B: This is only part of the answer.
C: This is only part of the answer.
D: This is wrong because it includes answer A, which is incorrect.

Question 15. You are the firewall administrator with one management server managing one firewall. The System Status displays a computer icon with a "!" symbol in the status column. Which of the following is the most likely cause?
A. The destination object has been defined as external.
B. The Rule Base is unable to resolve the IP address.
C. The firewall has been halted.
D. The firewall is unprotected; no security policy is loaded.
E. Nothing is wrong.
Answer: D
Explanation: You can check this in the Syngress book "Check Point NG: Next Generation Security Administration": the "!" means that the firewall module does not have a security policy installed, so it is insecure. This could happen if your firewall module becomes corrupted and cannot fetch a valid security policy either from the management module or from the local host.
Incorrect Answers:
A: When we have an object defined as external, we cannot see its status because we are not managing it from that management console, and we do not get a "!" next to it either.
B: The Rule Base does not resolve IP addresses; this does not make sense.
C: The "!" does not represent a halted firewall; it represents an unsecured one.
E: A "!" status next to one of our modules is a bad thing; it means that our gateway is unsecured, without enforcing any security policy.

Question 16. System administrators use Session Authentication when they want users to:
A. Authenticate each time they use a supported service.
B. Authenticate all services.
C. Use only TELNET, FTP, RLOGIN and HTTP services.
D. Authenticate once, and then be able to use any service until logging off.
E. Both B and D.
Answer: B
Explanation: With Session Authentication we can authenticate all services in a transparent way, because all the authentication requests are made between the Session Authentication Agent and the firewall object. The user does not have to worry about authenticating for each type of service.
Incorrect Answers:
A: This is not the case; remember that we have the Session Authentication Agent installed on the PC.
C: This is the case for User Authentication, not Session Authentication.
D: This is not true, because by default we have an expiration time for our sessions.
E: This answer is wrong because it takes answer D as correct.

Question 17. Your customer has created a rule so that every time a user wants to go to the Internet, that user must be authenticated. The customer requires an authentication scheme that provides transparency for the user and granular control for the administrator. Users must also be able to log in from any location. Based on this information, which authentication scheme meets the customer's needs?
A. Session
B. User
C. Client
D. Dual
E. Reverse
Answer: B
Explanation: As the question says, the administrator wants granular control, and that requires authentication on a per-user basis; he also wants logging in from any place, so the best option is User Authentication, because we can have a centralized user database that will successfully provide the mobility requirement stated in the question.
Incorrect Answers:
A: Session Authentication does not provide the mobility requirement, because the user would have to install the Session Authentication Agent on every PC, and that is not a transparent experience for him.
C: Client Authentication does not provide a transparent experience to the user, because he or she has to log on manually to the firewall with Telnet or HTTP.
D: This is not one of the three authentication methods supported by the NG suite.
E: This is not one of the three authentication methods supported by the NG suite.

Question 18. Implementing Dynamic NAT would enable an internal machine behind the firewall to act as an FTP server for external clients.
A. True
B. False
Answer: B
Explanation: To achieve this functionality we need Static NAT. Remember that Dynamic NAT does not provide access from an external client to an internal machine: the firewall does not know where to redirect incoming service requests when the mappings are one-to-many, which is the case with Dynamic NAT.
Incorrect Answers:
A: You cannot provide this functionality with Dynamic NAT; you have to use Static NAT in this case.

Question 19. The Enforcement Module (part of the VPN-1/FireWall-1 Module):
A. Examines all communications according to an Enterprise Security Policy.
B. Is installed on a host enforcement point.
C. Can provide authentication and Content Security features at the application level.
D. Is usually installed on a multi-homed machine.
E. All of the above.
Answer: E
Explanation: An Enforcement Module is all of the above: it analyzes traffic according to the Security Policy it gets from a management server as INSPECT code, doing so by passing all traffic through the INSPECT engine between the top of Layer 2 and Layer 3 of the OSI model. It usually has two or three interfaces: one internal, one external, and a third for advertising public services (DMZ). It can also provide authentication through various methods, such as the proprietary FireWall-1 scheme.
Incorrect Answers:
A: This is only part of the answer.
B: This is only part of the answer.
C: This is only part of the answer.
D: This is only part of the answer.

Question 20. AlphaBravo Corp has 72 privately addressed internal networks. Each network is a piece of the 10-net subnetted to a class C address. AlphaBravo uses Dynamic NAT and hides all of the internal networks behind the external IP addresses of the firewall. The firewall administrator for AlphaBravo has noticed that policy installation takes significantly longer since adding all 72 internal networks to the address translation rule. What should the firewall administrator do to reduce the time it takes to install a policy?
A. Create an object for the entire 10-net and use that object in the translation rule instead of the individual network objects.
B. Use automatic NAT rule creation on each network object. Hide the networks behind the firewall's external IP addresses.
C. Match packets to the state table so packets are not dropped. Increase the size of the NAT tables.
D. Reinstall the firewall and the Security Policy Editor. The policy is corrupting the firewall's binaries.
E. Increase the size of the state table. Use automatic NAT rule creation to hide the networks behind an IP address other than the firewall's external IP.
Answer: A
Explanation: To reduce the installation time, you can group the different network objects into one object so you do not have to use individual network objects in your translation rules; this improves policy installation performance and eases administration.
Incorrect Answers:
B: We are not reducing installation time with this answer, because we are still creating the rules with every single network object.
C: This is not a matching problem; clearly we have too many network objects inside the same rule.
D: This is not possible; you cannot corrupt the binaries with a policy definition, as they do not talk directly to each other.
E: For security reasons, we should hide the internal addresses behind the external IP address of the firewall. This is one of the purposes of NAT.
Question 1. A new Xserve is booted from the Mac OS X Server v10.4 installation disc. Which password will let you connect to the Xserve remotely?
A. the sequence of characters "PASSWORD"
B. the first eight characters of the Xserve serial number
C. the first eight characters of the Xserve Ethernet MAC address
D. the first eight characters of the Mac OS X Server software serial number
Answer: B

Question 2. Which command-line tool can help you identify the configuration file that is written to when you change an option from the graphical interface?
A. ps
B. otool
C. tcpdump
D. fs_usage
E. netstat -a
Answer: D

Question 3. Certain tools must be used to configure a Mac OS X Server computer from the command line. Other tools are optional. Which tool below is optional when configuring Mac OS X Server from the command line?
A. ifconfig
B. serversetup
C. networksetup
Answer: A

Question 4. You want to enable secure connections to your AFP service. Which command can you use to do so?
A. sudo serveradmin settings afp:SSHTunnel = yes
B. sudo serveradmin command afp:setSSHTunnel:yes
C. sudo networksetup -CreateBond afp:SSHTunnel
D. sudo networksetup settings -setappletalk "Built-in Ethernet" = SSH
Answer: A

Question 5. Where are records for share points stored?
A. in /etc/afpd.conf
B. in /etc/aftovertcp.cfg
C. in the local NetInfo database
D. in the LDAP database of the Open Directory Master
Answer: C

Question 6. Server Admin typically sends commands to servermgrd using ________.
A. SSH
B. SNMP
C. XML over HTTPS
D. an Apple-proprietary data stream over HTTP
Answer: C

Question 7. Which statement is true of Server Admin's default SSL configuration?
A. Each server has a unique, self-signed certificate.
B. SSL is disabled because no valid certificates are pre-installed.
C. Each server has a unique certificate signed by Apple's Certificate Authority.
D. All servers use the identical, pre-installed certificate signed by Apple's Certificate Authority.
Answer: A

Question 8. You are using the command-line installer to install PretendCoTools.pkg. You want to install it on a non-boot volume mounted on a server. Which command will help you determine whether the package supports installation on that volume?
A. hdiutil verify PretendCoTools.pkg
B. installer -volinfo -pkg PretendCoTools.pkg
C. lsbom PretendCoTools.pkg/Contents/Archive.bom
D. cat PretendCoTools.pkg/contents/Resources/preflight
Answer: B

Question 9. You want to use the built-in software RAID in Mac OS X Server to create a RAID 1 set across two disks in an Xserve. Which command will accomplish this goal?
A. megaraid create R1 -drive 0 1 -stripesize 64
B. diskutil createRAID mirror RAID_Volume HFS+ disk0 disk1
C. diskutil createRAID stripe RAID_Volume HFS+ disk0 disk1
D. diskutil createRAID stripe-distributed-parity RAID_Volume HFS+ disk0 disk1
Answer: B

Question 10. You want to update the software on a headless Xserve over an SSH connection to the server, but one of the component installers has a graphical element that displays a splash screen. How can you prevent the installer from launching this graphical element?
A. Run softwareupdate with the -headless option.
B. Set the environment variable COMMAND_LINE_INSTALL to 1.
C. Use SystemStarter to start the HeadlessStartup startup item.
D. Download the updates with softwareupdate -d, then install them with installer -noGUI.
Answer: B
Copyright © 2004 CertsBraindumps.com Inc. All rights reserved.