Checkpoint 156-315 Practise Questions, Provide Discount Checkpoint 156-315 Preparation Materials With Accurate Answers
Fully Updated Do not hesitate to choose Flydumps Checkpoint 156-315 VCE Exam Dumps, all are updated timely by SAP expert professionals.Visit the site Flydumps.com to get the free Checkpoint 156-315 pdf dumps and free vce player.
QUESTION 61
Jacob is using a mesh VPN Community to create a site-to-site VPN. The VPN properties in this mesh Community display in this graphic:Which of the following statements is TRUE?
A. If Jacob changes the setting, “Perform key exchange encryption with” from “3DES” to “DES”, he will enhance the VPN Community’s security and reduce encryption overhead.
B. Jacob must change the data-integrity settings for this VPN Community. MD5 is incompatible with AES.
C. If Jacob changes the setting “Perform IPSec data encryption with” from “AES-128” to “3DES”, he will increase the encryption overhead.
D. Jacob’s VPN Community will perform IKE Phase 1 key-exchange encryption, using the longest key VPN-1 NGX supports.
Correct Answer: C
QUESTION 62
Barak is a Security Administrator for an organization that has two sites using pre-shared secrets in its
VPN. The two sites are Oslo and London. Barak has just been informed that a new office is opening in
Madrid, and he must enable all three sites to connect via the VPN to each other. Three Security Gateways
are managed by the same SmartCenter Server, behind the Oslo Security Gateway. Barak decides to
switch from pre-shared secrets to Certificates issued by the Internal Certificate Authority (ICA). After
creating the Madrid gateway object with the proper VPN Domain, what are Barak’s remaining steps?
1.Disable “Pre-Shared Secret” on the London and Oslo gateway objects.
2.Add the Madrid gateway object into the Oslo and London’s mesh VPN Community.
3.Manually generate ICA Certificates for all three Security Gateways.
4.Configure “Traditional mode VPN configuration” in the Madrid gateway object’s VPN screen.
5.Reinstall the Security Policy on all three Security Gateways.
A. 1, 2, 5
B. 1,3,4,5
C. 1,2,3,5
D. 1,2,4,5
E. 1, 2,3,4
Correct Answer: A
QUESTION 63
State Synchronization is enabled on both members in a cluster, and the Security Policy is successfully installed. No protocols or services have been unselected for “selective sync”.
The following is the fw tab -t connections -s output from both members:Is State Synchronization working properly between the two members?
A. Members A and B are synchronized, because ID for both members is identical in the connections table.
B. The connections-table output is incomplete. You must run the cphaprob state command, to determine if members A and B are synchronized.
C. Members A and B are not synchronized, because #PEAK for both members is not close in the connections table.
D. Members A and B are synchronized, because #SLINKS are identical in the connections table.
E. Members A and B are not synchronized, because #VALS in the connections table are not close.
Correct Answer: E
QUESTION 64
You must set up SIP with a proxy for your network. IP phones are in the 172.16.100.0 network. The Registrar and proxy are installed on host 172.16.100.100. To allow handover enforcement for outbound calls from SIP-net to network Net_B on the Internet, you have defined the following objects:
Network object: SIP-net: 172.16.100.0/24 SIP-gateway: 172.16.100.100 VoIP Domain object: VoIP_domain_A 1.End-point domain: SIP-net 2.VoIP gateway installed at: SIP-gateway host object
How would you configure the rule?
A. SIP-Gateway/Net_B/sip_any/accept
B. VoIP_domain_A/Net_B/sip/accept
C. SIP-Gateway/Net_B/sip/accept
D. VoIP_domain_A/Net_B/sip_any, and sip/accept
E. VoIP_Gateway_A/Net_B/sip_any/accept
Correct Answer: B
QUESTION 65
Jennifer wants to protect internal users from malicious Java code, but she does not want to strip Java scripts. Which is the BEST configuration option?
A. Use the URI resource to block Java code
B. Use CVP in the URI resource to block Java code
C. Use the URI resource to strip ActiveX tags
D. Use the URI resource to strip applet tags
E. Use the URI resource to strip script tags
Correct Answer: A
QUESTION 66
Your network includes ClusterXL running Multicast mode on two members, as shown in this topology:Your
network is expanding, and you need to add new interfaces:
10.10.10.1/24 on Member A, and 10.10.10.2/24 on Member B. The virtual IP address for interface
10.10.10.0/24 is 10.10.10.3. What is the correct procedure to add these interfaces?
A. 1. Use the ifconfig command to configure and enable the new interface.
2.
Run cpstop and cpstart on both members at the same time.
3.
Update the topology in the cluster object for the cluster and both members.
4.
Install the Security Policy.
B. 1. Disable “Cluster membership” from one Gateway via cpconfig.
2.
Configure the new interface via sysconfig from the “non-member” Gateway.
3.
Re-enable “Cluster membership” on the Gateway.
4.
Perform the same step on the other Gateway.
5.
Update the topology in the cluster object for the cluster and members.
6.
Install the Security Policy.
C. 1. Run cpstop on one member, and configure the new interface via sysconfig.
2.
Run cpstart on the member. Repeat the same steps on another member.
3.
Update the new topology in the cluster object for the cluster and members.
4.
Install the Security Policy.
D. 1. Use sysconfig to configure the new interfaces on both members.
2.
Update the topology in the cluster object for the cluster and both members.
3.
Install the Security Policy.
Correct Answer: C QUESTION 67
You are configuring the VoIP Domain object for an H.323 environment, protected by VPN-1 NGX. Which VoIP Domain object type can you use?
A. Transmission Router
B. Gatekeeper
C. Call Manager
D. Proxy
E. Call Agent
Correct Answer: B
QUESTION 68
You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use three machines with the following configurations:Are these machines correctly configured for a ClusterXL deployment?
A. Yes, these machines are configured correctly for a ClusterXL deployment.
B. No, QuadCards are not supported with ClusterXL.
C. No, all machines in a cluster must be running on the same OS.
D. No, a cluster must have an even number of machines.
E. No, ClusterXL is not supported on Red Hat Linux.
Correct Answer: C
QUESTION 69
You receive an alert indicating a suspicious FTP connection is trying to connect to one of your internal hosts. How do you block the connection in real time and verify the connection is successfully blocked?
A. Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using the Tools > Block Intruder menu. Use the Active mode to confirm that the suspicious connection does not reappear.
B. Highlight the suspicious connection in SmartView Tracker > Log mode. Block the connection using Tools > Block Intruder menu. Use Log mode to confirm that the suspicious connection does not reappear.
C. Highlight the suspicious connection in SmartView Tracker > Active mode. Block the connection using Tools > Block Intruder menu. Use Active mode to confirm that the suspicious connection is dropped.
D. Highlight the suspicious connection in SmartView Tracker > Log mode. Block the connection using Tools > Block Intruder menu. Use the Log mode to confirm that the suspicious connection is dropped.
Correct Answer: A
QUESTION 70
You want to block corporate-internal-net and localnet from accessing Web sites containing inappropriate content. You are using WebTrends for URL filtering. You have disabled VPN-1 Control connections in the Global properties. Review the diagram and the Security Policies for GW_A and GW_B in the exhibit provided.
Corporate users and localnet users receive message “Web cannot be displayed”. In SmartView Tracker, you see the connections are dropped with message “content security is not reachable”. What is the problem, and how do you fix it?
A. The connection from GW_B to the internal WebTrends server is not allowed in the Policy. Fix: Add a rule in GW_A’s Policy to allow source WebTrends Server, destination GW_B, service TCP port 18182, and action accept.
B. The connection from GW_B to the WebTrend server is not allowed in the Policy. Fix: Add a rule in GW_B’s Policy with Source GW_B, destination WebTrends server, service TCP port 18182, and action accept.
C. The connection from GW_A to the WebTrends server is not allowed in the Policy. Fix: Add a rule in GW_B’s Policy with source WebTrends server, destination GW_A, service TCP port 18182, and action accept.
D. The connection from GW_A to the WebTrends server is not allowed in the Policy. Fix: Add a rule in GW_B’s Policy with source GW_A, destination: WebTrends server, service TCP port 18182, and action accept.
E. The connection from GW_A to the WebTrends server is not allowed in the Policy. Fix: Add a rule in GW_A’s Policy to allow source GW_A, destination WebTrends server, service TCP port 18182, and action accept.
Correct Answer: E
QUESTION 71
Wayne configures an HTTP Security Server to work with the content vectoring protocol to screen forbidden sites. He has created a URI resource object using CVP with the following settings:
Use CVP Allow CVP server to modify content Return data after content is approved
He adds two rules to his Rule Base: one to inspect HTTP traffic going to known forbidden sites, the other to allow all other HTTP traffic.
Wayne sees HTTP traffic going to those problematic sites is not prohibited.
What could cause this behavior?
A. The Security Server Rule is after the general HTTP Accept Rule.
B. The Security Server is not communicating with the CVP server.
C. The Security Server is not configured correctly.
D. The Security Server is communicating with the CVP server, but no restriction is defined in the CVP server.
Correct Answer: A
QUESTION 72
What is the consequence of clearing the “Log VoIP Connection” box in Global Properties?
A. Dropped VoIP traffic is logged, but accepted VoIP traffic is not logged.
B. VoIP protocol-specific log fields are not included in SmartView Tracker entries.
C. The log field setting in rules for VoIP protocols are ignored.
D. IP addresses are used, instead of object names, in log entries that reference VoIP Domain objects.
E. The SmartCenter Server stops importing logs from VoIP servers.
Correct Answer: B
QUESTION 73
Your organization has many VPN-1 Edge gateways at various branch offices, to allow VPN-1 SecureClient users to access company resources. For security reasons, your organization’s Security Policy requires all Internet traffic initiated behind the VPN-1 Edge gateways first be inspected by your headquarters’ VPN-1 Pro Security Gateway. How do you configure VPN routing in this star VPN Community?
A. To the Internet and other targets only
B. To the center and other satellites, through the center
C. To the center only
D. To the center; or through the center to other satellites, then to the Internet and other VPN targets
Correct Answer: D
QUESTION 74
You are configuring the VoIP Domain object for a Skinny Client Control Protocol (SCCP) environment protected by VPN-1 NGX. Which VoIP Domain object type can you use?
A. CallManager
B. Gatekeeper
C. Gateway
D. Proxy
E. Transmission Router
Correct Answer: A
QUESTION 75
Your VPN Community includes three Security Gateways. Each Gateway has its own internal network defined as a VPN Domain. You must test the VPN-1 NGX route-based VPN feature, without stopping the VPN. What is the correct order of steps?
A. 1. Add a new interface on each Gateway.
2.
Remove the newly added network from the current VPN Domain for each Gateway.
3.
Create VTIs on each Gateway, to point to the other two peers
4.
Enable advanced routing on all three Gateways.
B. 1. Add a new interface on each Gateway.
2.
Remove the newly added network from the current VPN Domain in each gateway object.
3.
Create VPN Tunnel Interfaces (VTI) on each gateway object, to point to the other two peers.
4.
Add static routes on three Gateways, to route the new network to each peer’s VTI interface.
C. 1. Add a new interface on each Gateway.
2.
Add the newly added network into the existing VPN Domain for each Gateway.
3.
Create VTIs on each gateway object, to point to the other two peers.
4.
Enable advanced routing on all three Gateways.
D. 1. Add a new interface on each Gateway.
2.
Add the newly added network into the existing VPN Domain for each gateway object.
3.
Create VTIs on each gateway object, to point to the other two peers.
4.
Add static routes on three Gateways, to route the new networks to each peer’s VTI interface.
Correct Answer: B
QUESTION 76
You must set up SIP with a proxy for your network. IP phones are in the 172.16.100.0 network. The Registrar and proxy are installed on host 172.16.100.100. To allow handover enforcement for outbound calls from SIP-net to network Net_B on the Internet, you have defined the following objects:
Network object: SIP-net: 172.16.100.0/24 SIP-gateway: 172.16.100.100 VoIP Domain object: VoIP_domain_A 1.End-point domain: SIP-net 2.VoIP gateway installed at: SIP-gateway host object
How would you configure the rule?
A. SIP-Gateway/Net_B/sip/accept
B. VoIP_Gateway_A/Net_B/sip/accept
C. SIP-Gateway/Net_B/sip_any/accept
D. VoIP_domain_A/Net_B/sip_any, and sip/accept
E. VoIP_domain_A/Net_B/sip_any/accept
Correct Answer: E QUESTION 77
You want to upgrade a cluster with two members to VPN-1 NGX. The SmartCenter Server and both members are version VPN-1/FireWall-1 NG FP3, with the latest Hotfix.
What is the correct upgrade procedure?
1.
Change the version, in the General Properties of the gateway-cluster object.
2.
Upgrade the SmartCenter Server, and reboot after upgrade.
3.
Run cpstop on one member, while leaving the other member running. Upgrade one member at a time, and reboot after upgrade.
4.
Reinstall the Security Policy.
A. 3, 2, 1, 4
B. 2, 4, 3, 1
C. 1, 3, 2, 4
D. 2, 3, 1, 4
E. 1, 2, 3, 4
Correct Answer: D QUESTION 78
You are reviewing SmartView Tracker entries, and see a Connection Rejection on a Check Point QoS rule. What causes the Connection Rejection?
A. No QOS rule exists to match the rejected traffic.
B. The number of guaranteed connections is exceeded. The rule’s action properties are not set to accept additional connections.
C. The Constant Bit Rate for a Low Latency Class has been exceeded by greater than 10%, and the Maximal Delay is set below requirements.
D. Burst traffic matching the Default Rule is exhausting the Check Point QoS global packet buffers.
E. The guarantee of one of the rule’s sub-rules exceeds the guarantee in the rule itself.
Correct Answer: B QUESTION 79
In a distributed VPN-1 Pro NGX environment, where is the Internal Certificate Authority (ICA) installed?
A. On the Security Gateway
B. Certificate Manager Server
C. On the Policy Server
D. On the Smart View Monitor
E. On the primary SmartCenter Server
Correct Answer: E QUESTION 80
You want VPN traffic to match packets from internal interfaces. You also want the traffic to exit the Security Gateway, bound for all site-to-site VPN Communities, including Remote Access Communities. How should you configure the VPN match rule?
A. internal_clear > All_GwToGw
B. Communities > Communities
C. Internal_clear > External_Clear
D. Internal_clear > Communities
E. internal_clear > All_communities
Correct Answer: E
QUESTION 81
You want to create an IKE VPN between two VPN-1 NGX Security Gateways, to protect two networks. The network behind one Gateway is 10.15.0.0/16, and network 192.168.9.0/24 is behind the peer’s Gateway. Which type of address translation should you use, to ensure the two networks access each other through the VPN tunnel?
A. Manual NAT
B. Static NAT
C. Hide NAT
D. None
E. Hide NAT
Correct Answer: D
QUESTION 82
Robert has configured a Common Internet File System (CIFS) resource to allow access to the public partition of his company’s file server, on \\erisco\goldenapple\files\public.
Robert receives reports that users are unable to access the shared partition, unless they use the file server’s IP address. Which of the following is a possible cause?
A. Mapped shares do not allow administrative locks.
B. The CIFS resource is not configured to use Windows name resolution.
C. Access violations are not logged.
D. Remote registry access is blocked.
E. Null CIFS sessions are blocked.
Correct Answer: B
QUESTION 83
You are preparing computers for a new ClusterXL deployment. For your cluster, you plan to use three machines with the following configurations:Are these machines correctly configured for a ClusterXL deployment?
A. Yes, these machines are configured correctly for a ClusterXL deployment.
B. No, QuadCards are not supported with ClusterXL.
C. No, all machines in a cluster must be running on the same OS.
D. No, a cluster must have an even number of machines.
E. No, ClusterXL is not supported on Red Hat Linux.
Correct Answer: C
QUESTION 84
Which of the following commands shows full synchronization status?
A. cphaprob -i list
B. cphastop
C. fw ctl pstat
D. cphaprob -a if
E. fw hastat
Correct Answer: A
QUESTION 85
Which of the following actions is most likely to improve the performance of Check Point QoS?
A. Turn “per rule guarantees” into “per connection guarantees”.
B. Install Check Point QoS only on the external interfaces of the QoS Module.
C. Put the most frequently used rules at the bottom of the QoS Rule Base.
D. Turn “per rule limits” into “per connection limits”.
E. Define weights in the Default Rule in multiples of 10.
Correct Answer: B
Free practice questions for Checkpoint 156-315 exam.These questions are aimed at giving you an idea of the type of questions you can expect on the actual exam.You will get an idea of the level of knowledge each topic goes into but because these are simple web pages you will not see the interactive and performance based questions – those are available in the Checkpoint 156-315.
