156-115.77 Practice Exam Questions with Answers Check Point Certified Security Master Certification

Active/Standby

Active/Ready

Active Attention/Down

Active/Down

fwaccel conns

fw tab –t connections –p

fwaccel stats

fw ctl pstat

fw getifs

cpstat os –f memory

fw ctl pstat

cpstat os –f cpu

Disables NAT templates when SecureXL is turned on.

Enables NAT templates when SecureXL is turned on.

Enables NAT templates at all times.

Disables NAT templates at all times.

There are not any policy to login in SmartDashboard

FWM process is crashed and returned null to access

User and password are incorrect

IP not defined in $FWDIR/conf/gui-clients

fw ctl zdebug drop

fw tab –t connections

fw monitor -e "accept;" -p all

fw ctl chain

fw debug fw on and checks the file fwm.elg.

fw kdebug fwm on and checks the file fwm.elg.

fw debug fwm on and checks the file fwm.elg.

fw kdebug fwm on and checks the file fw.elg.

fw ctl debug 0x1ffffe0

fw debug 0x1ffffe0

export TDERROR_ALL_ALL

unset TDERROR_ALL_ALL

To allow for automatic upgrades.

To allow two or more cluster members to exist on the same network.

To allow two or more clusters to exist on the same network.

To allow the two cluster members to use the same virtual IP address.

In Global Properties > NAT tree select Merge manual proxy ARP configuration check box

Run the command fw ctl ARP –a on the gateway

In Global Properties > NAT tree select Translate on client side check box

Create and run a script to forward changes to the local.arp tables of your gateway

fw ctl zdebug drop

fw ctl debug -h

fw ctl chain

fw ctl debug -m

set ccp broadcast

cphaconf set_ccp broadcast

cpha_conf set ccp broadcast

This can only be changed via GuiDbEdit.

“10.0.0.100:1024 > 216.239.59.59:80”

“10.0.0.100:1024 > 216.239.59.59:*”

“10.0.0.100:* > 216.239.59.59:*”

“10.0.0.100:* > 216.239.59.59:80”

Accelerator status, accept templates, drop templates

Accelerated packets, accept templates, dropped packets

Accelerator status, accelerated rules, drop templates

Accelerator status, CoreXL state, drop templates

With the command fwaccel stat followed by the command fwaccel stats.

At the top of the Rule Base.

Using the hit count column.

Using the Compliance Software Blade.

Connections are being partially accelerated by SecureXL, but too many packets are still being processed by the firewall kernel.

The Secure Network Dispatcher (SND) is having to process too much inbound traffic from the NICs.

Connections are not being accelerated by SecureXL, and all packets are being forwarded to firewall kernel instances for inspection.

The Secure Network Dispatcher (SND) is working too hard to distribute the traffic to the acceleration layer.

IPv6 is enabled by default.

Under WebUI go to System Management > System Configuration, turn on IPv6 Support, click apply and reboot.

Enable the IPv6 Software Blade for the gateway in Smart Dashboard.

Run the IPv6 script $FWDIR/scripts/fwipv6_enable and reboot.

ip -6 neigh show

ip -6 addr show

tcpdump -nni eth ip6

fw6 monitor

True: All IPv4 features are supported in IPv6’

True: Management can occur over IPv4 or IPv6 thus all gateways can have interfaces configured with valid IP addresses of either type’

False: There are many common IPv4 features that are not supported in IPv6’

False: Management only occurs over IPv4 thus all gateways are required to have interfaces configured with valid IPv4 addresses’

Yes provided the operating system on which Smart Dashboard is installed is configured with IPv6.

SmartDashboard does not support IPv6.

IPv6 needs to be tunneled through IPv4 to support IPv6.

R77.20 and above provides the support for Smart Dashboard and IPv6 support.

Context Management Interface layer (CMI)

Protections

Protocol Parsers

Passive Streaming Library (PSL)

From the command line, run: ips_import -f [-p ].

IPS profiles must be manually configured on each gateway.

From the command line, run: ips_export_import import -f [-p ].

From the Smart Dashboard IPS tab select import IPS profiles and select the gateway to get the profile from.

Run command fw ctl set int enable_inspect_debug  1 from the command line.

Toggle the checkbox in Global Properties > Firewalls > Inspection section.

WebUI

Set the following parameter to true using GuiDBedit: enable_inspect_debug_compilation.

fwaccel stats misp

fw ctl pstat

fw ctl debug -m fw + nat drop

fw tab -t fwx_alloc -x

WebUI or add proxy ARP ... commands via CLISH

SmartView Tracker

local.arp file

SmartDashboard

loglist

tablist

fwx_alloc

conns

-all

-k

-c

-p

This is not possible CoreXL is best left to manage the Kernel to CPU core mappings. It is only when a daemon is bound to a dedicated core that CoreXL will ignore that CPU core when mapping Kernel instances to CPU cores.

fw ctl affinity -s -k 3 5

Run fwaffinity_apply –t 3 -k 5 and then check that the settings have taken affect with the command fw ctl multik stat.

Edit the file fwaffinity.conf and add the line “k3 cpuid 5”

Check Point QoS

IPv6

Overlapping NAT

Route-based VPN

Increase the number of cores dedicated to logging.

Increase the number of Secure Network Dispatchers as the accelerated traffic is not passed to a worker core.

Add more CPU resources to the hardware.

Upgrade to SAM hardware.

cpconfig

SmartDashboard

sysconfig

CoreXL automatically recognizes the number of cores on a system at startup so there is no method or reason to modify the setting.

65%

90%

100%

75%

When IPS is heavily used.

When most of the traffic is accelerated.

When most of the processing is done in CoreXL.

When trying to increase session rate.

gc_thresh2=256 and gc_thresh1=128

gc_thresh2=512 and gc_thresh1=256

gc_thresh2=1024 and gc_thresh1=1024

gc_thresh1=256 and gc_thresh2=128

free

fw ctl pstat

cat /proc/meminfo

memoryinfo.conf

VPN PSK authentication

VPN certificate authentication

SIC

Identity Awareness Kerberos authentication

When packets are destined to leave through a VPN tunnel, it is encrypted and encapsulated in an ESP packet, and thus will not show up on a fw monitor.

It’s not showing up on the fw monitor because it is exiting the wrong interface

The packet is getting silently dropped because there is no route for the packet.

The gateway never completed the IKE and IPSec key exchange, and the tunnel does not exist yet.

You have an encryption method mismatch.

Implied rules in global properties such as ICMP and DNS are set to first instead of before last.

You have not created a specific rule allowing VPN traffic.

You have the wrong encryption domains configured.

Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving the initiating (partner) gateway as clear text.

Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving local (your) gateway as clear text.

Your phase one algorithms are mismatched between gateways.

This is management traffic and we need to enable implied rule to address this issue.