
Checkpoint 156-115.77 : Practice Exam

Exam Code: 156-115.77

Title: Check Point Certified Security Master


QUESTION 1
What command would you use for a packet capture on an absolute position for TCP streaming (out) 1ffffe0

A. fw ctl chain -po 1ffffe0 -o monitor.out
B. fw monitor -po -0x1ffffe0 -o monitor.out
C. fw monitor -e 0x1ffffe0 -o monitor.out
D. fw monitor -pr 1ffffe0 -o monitor.out

Correct Answer: B

QUESTION 2
The command fw monitor -p all displays what type of information?

A. It captures all points of the chain as the packet goes through the firewall kernel.
B. This is not a valid command.
C. The -p is used to resolve MAC address in the firewall capture.
D. It does a firewall monitor capture on all interfaces.

Correct Answer: A

QUESTION 3
What does the IP Options Strip represent under the fw chain output?

A. IP Options Strip is not a valid fw chain output.
B. The IP Options Strip removes the IP header of the packet prior to being passed to the other kernel functions.
C. The IP Options Strip copies the header details to forward the details for further IPS inspections.
D. IP Options Strip is only used when VPN is involved.

Correct Answer: B

QUESTION 4
The command that lists the firewall kernel modules on a Security Gateway is:

A. fw list kernel modules
B. fw ctl kernel chain
C. fw ctl debug -m
D. fw list modules

Correct Answer: C

QUESTION 5
Which of the following BEST describes the command fw ctl chain function?

A. View how CoreXL is distributing traffic among the firewall kernel instances.
B. View established connections in the connections table.
C. View the inbound and outbound kernel modules and the order in which they are applied.
D. Determine if VPN Security Associations are being established.

Correct Answer: C

QUESTION 6
The command _____________ shows which firewall chain modules are active on a gateway.

A. fw stat
B. fw ctl debug
C. fw ctl chain
D. fw ctl multik stat

Correct Answer: C

QUESTION 7
The command fw ctl kdebug <params> is used to:

A. list enabled debug parameters.
B. read the kernel debug buffer to obtain debug messages.
C. enable kernel debugging.
D. select specific kernel modules for debugging.

Correct Answer: B

QUESTION 8
Compare these two images to establish which blade/feature was disabled on the firewall.

A. IPS
B. VPN
C. NAT
D. L2TP

Correct Answer: B

QUESTION 9
What command would give you a summary of all the tables available to the firewall kernel?

A. fw tab
B. fw tab -s
C. fw tab -h
D. fw tab -o

Correct Answer: B

QUESTION 10
What flag option(s) must be used to dump the complete table in friendly format, assuming there are more than one hundred
connections in the table?

A. fw tab -t connections -f
B. fw tab -t connect -f -u
C. fw tab -t connections -s
D. fw tab -t connections -f u

Correct Answer: B

QUESTION 11
Which directory below contains the URL Filtering engine update info? Here you can also go to see the status of the URL Filtering and
Application Control updates.

A. $FWDIR/urlf/update
B. $FWDIR/appi/update
C. $FWDIR/appi/urlf
D. $FWDIR/update/appi

Correct Answer: B

QUESTION 12
For URL Filtering in the Cloud in R75 and above, what table is used to contain the URL Filtering cache values?

A. urlf_blade_on_gw
B. urlf_cache_tbl
C. urlf_cache_table
D. url_scheme_tab

Correct Answer: C

QUESTION 13
You are troubleshooting a Security Gateway, attempting to determine which chain is causing a problem. What command would you
use to show all the chains through which traffic passed?

A. [Expert@HostName]# fw ctl chain
B. [Expert@HostName]# fw monitor -e "accept;" -p all
C. [Expert@HostName]# fw ctl debug -m
D. [Expert@HostName]# fw ctl zdebug all

Correct Answer: B

QUESTION 14
True or False: Software blades perform their inspection primarily through the kernel chain modules.

A. False. Software blades do not pass through the chain modules.
B. True. Many software blades have their own dedicated kernel chain module for inspection.
C. True. All software blades are inspected by the IP Options chain module.
D. True. Most software blades are inspected by the TCP streaming or Passive Streaming chain module.

Correct Answer: B

QUESTION 15
When using the command fw monitor, what command ensures the capture is accurate?

A. export TDERROR_ALL_ALL=5
B. fwaccel off
C. fwaccel on
D. fw accel off

Correct Answer: B

QUESTION 16
You are running a debugging session and you have set the debug environment to TDERROR_ALL_ALL=5 using the command
export TDERROR_ALL_ALL=5. How do you return the debug value to defaults?

A. fw ctl debug 0x1ffffe0
B. fw debug 0x1ffffe0
C. export TDERROR_ALL_ALL
D. unset TDERROR_ALL_ALL

Correct Answer: D

QUESTION 17
What command would you use to view which debugs are set in your current working environment?

A. "env" and "fw ctl debug"
B. "cat /proc/etc"
C. "fw ctl debug all"
D. "export"

Correct Answer: A

QUESTION 18
What causes the SIP Early NAT chain module to appear in the chain?

A. The SIP traffic is trying to pass through the firewall.
B. SIP is configured in IPS.
C. A VOIP domain is configured.
D. The default SIP service is used in the Rule Base.

Correct Answer: D

QUESTION 19
When you perform an install database, the status window is filled with large amounts of text. What could be the cause?

A. There is an active fw monitor running.
B. There is an environment variable of TDERROR_ALL_ALL set on the gateway.
C. There is an active debug on the SmartConsole.
D. There is an active debug on the FWM process.

Correct Answer: D

QUESTION 20
When finished running a debug on the Management Server using the command fw debug fwm on, how do you turn this debug off?

A. fwm debug off
B. fw ctl debug off
C. fw debug off
D. fw debug fwm off

Correct Answer: D

QUESTION 21
Which commands will properly set the debug level to maximum and then run a policy install in debug mode for the policy Standard on
gateway A-GW from an R77 GAiA Management Server?

A. setenv TDERROR_ALL_ALL=5
fwm d load A-GW Standard
B. setenv TDERROR_ALL_ALL=5
fwm d load Standard A-GW
C. export TDERROR_ALL_ALL=5
fwm d load Standard A-GW
D. export TDERROR_ALL_ALL=5
fwm d load A-GW Standard

Correct Answer: C

QUESTION 22
Which of the following items is NOT part of the columns of the chain modules?

A. Inbound/Outbound chain
B. Function Pointer
C. Chain position
D. Module location

Correct Answer: A

QUESTION 23
John is a Security Administrator of a Check Point platform. He has a misconfiguration issue that points to the Rule Base. To obtain
information about the issue, John runs the command:

A. fw debug fw on and checks the file fwm.elg.
B. fw kdebug fwm on and checks the file fwm.elg.
C. fw debug fwm on and checks the file fwm.elg.
D. fw kdebug fwm on and checks the file fw.elg.

Correct Answer: C

QUESTION 24
A user tried to connect with SmartDashboard and it did not work. You started an FWM debug and received the logs below.
What is the cause of the error?

A. IP not defined in $FWDIR/conf/gui-clients
B. Wrong user and password
C. Wrong password
D. Wrong user

Correct Answer: D

QUESTION 25
When troubleshooting and trying to understand which chain is causing a problem on the Security Gateway, you should use the
command:

A. fw ctl zdebug drop
B. fw tab -t connections
C. fw monitor -e "accept;" -p all
D. fw ctl chain

Correct Answer: C

QUESTION 26
Which process should you debug when SmartDashboard authentication is rejected?

A. fwm
B. cpd
C. fwd
D. DAService

Correct Answer: A

QUESTION 27
A fwm debug provides the following output. What prevents the customer from logging into SmartDashboard?

A. There is no policy allowing login to SmartDashboard
B. The FWM process crashed and returned null on access
C. User and password are incorrect
D. IP not defined in $FWDIR/conf/gui-clients

Correct Answer: D

QUESTION 28
When performing a fwm debug, to which directory are the logs written?

A. $FWDIR/log
B. $FWDIR/log/fwm.elg
C. $FWDIR/conf/fwm.elg
D. $CPDIR/log/fwm.elg

Correct Answer: B

QUESTION 29
You are attempting to establish an FTP session between your computer and a remote server, but it is not being completed
successfully. You think the issue may be due to IPS. Viewing SmartView Tracker shows no drops. How would you confirm if the
traffic is actually being dropped by the gateway?

A. Search the connections table for that connection.
B. Run a fw monitor packet capture on the gateway.
C. Look in SmartView Monitor for that connection to see why it's being dropped.
D. Run fw ctl zdebug drop on the gateway.

Correct Answer: D

QUESTION 30
The fw tab -t ___________ command displays the NAT table.

A. loglist
B. tablist
C. fwx_alloc
D. conns

Correct Answer: C

QUESTION 31
While troubleshooting a DHCP relay issue, you run a fw ctl zdebug drop and see the following output:

;[cpu_1];[fw_0];fw_log_drop: Packet proto=17 10.216.14.108:67 > 172.31.2.1:67 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed;

Where 10.216.14.108 is the IP address of the DHCP server and 172.31.2.1 is the VIP of the Cluster. What is the most likely cause of
this drop?

A. An inbound collision due to a connections table check on pre-existing connections.
B. An outbound collision due to a Rule Base check, and dropped by incorrectly configuring DHCP in the firewall policy.
C. A link collision due to more than one NAT symbolic link being created for outgoing connections to the DHCP server.
D. A link collision due to more than one NAT symbolic link being created for connections returning from the DHCP server back to the
VIP of the Cluster.

Correct Answer: D

QUESTION 32
You are trying to troubleshoot a NAT issue on your network, and you use a kernel debug to verify a connection is correctly translated
to its NAT address. What flags should you use for the kernel debug?

A. fw ctl debug -m fw + conn drop nat vm xlate xltrc
B. fw ctl debug -m fw + conn drop ld
C. fw ctl debug -m nat + conn drop nat xlate xltrc
D. fw ctl debug -m nat + conn drop fw xlate xltrc

Correct Answer: A

QUESTION 33
Since switching your network to ISP redundancy you find that your outgoing static NAT connections are failing. You use the
command _________ to debug the issue.

A. fwaccel stats misp
B. fw ctl pstat
C. fw ctl debug -m fw + nat drop
D. fw tab -t fwx_alloc -x

Correct Answer: C

QUESTION 34
Remote VPN clients can initiate connections with internal hosts, but internal hosts are unable to initiate connections with the remote
VPN clients, even though the policy is configured to allow it. You think that this is caused by NAT. What command can you run to see
if NAT is occurring on a packet?

A. fw tab -t fwx_alloc -x
B. fw ctl pstat
C. fwaccel stats misp
D. fw ctl debug -m fw + conn drop packet xlate xltrc nat

Correct Answer: D

QUESTION 35
Where in a fw monitor output would you see source address translation occur in cases of automatic Hide NAT?

A. Between the "I" and "o"
B. Hide NAT does not adjust the source IP
C. Between the "o" and "O"
D. Between the "i" and "I"

Correct Answer: C

QUESTION 36
Where in a fw monitor output would you see destination address translation occur in cases of inbound automatic static NAT?

A. Static NAT does not adjust the destination IP
B. Between the "i" and "I"
C. Between the "I" and "o"
D. Between the "o" and "O"

Correct Answer: B

QUESTION 37
Which flag in the fw monitor command is used to print the position of the kernel chain?

A. -all
B. -k
C. -c
D. -p

Correct Answer: D

QUESTION 38
Server A is subject to automatic static NAT and also resides on a network which is subject to automatic Hide NAT. With regard
to address translation, what will happen when Server A initiates outbound communication?

A. This will cause a policy verification error.
B. This is called hairpin NAT, the traffic will return to the server.
C. The static NAT will take precedence.
D. The Hide NAT will take precedence.

Correct Answer: C

QUESTION 39
In your SecurePlatform configuration you need to set up a manual static NAT entry. After creating the proper NAT rule what step
needs to be completed?

A. Edit or create the file local.arp.
B. No further actions are required.
C. Edit or create the file discntd.if.
D. Edit the file netconf.conf.

Correct Answer: A

QUESTION 40
How do you set up Port Address Translation?

A. Since Hide NAT changes to random high ports it is by definition PAT (Port Address Translation).
B. Create a manual NAT rule and specify the source and destination ports.
C. Edit the service in SmartDashboard, click on the NAT tab and specify the translated port.
D. Port Address Translation is not supported in a Check Point environment

Correct Answer: B

QUESTION 41
You have set up a manual NAT rule, however fw monitor shows you that the device still uses the automatic Hide NAT rule. How
should you fix this?

A. Move your manual NAT rule above the automatic NAT rule.
B. In Global Properties > NAT ensure that server side NAT is enabled.
C. Set the following fwx_alloc_man kernel parameter to 1.
D. In Global Properties > NAT ensure that Merge Automatic to Manual NAT is selected.

Correct Answer: A

QUESTION 42
Since R76 GAiA, what is the method for configuring proxy ARP entries for manual NAT rules?

A. WebUI or add proxy ARP ... commands via CLISH
B. SmartView Tracker
C. local.arp file
D. SmartDashboard

Correct Answer: A

QUESTION 43
Tom is troubleshooting NAT issues using fw monitor and Wireshark. He tries to initiate a connection from the external network to a
DMZ server using the public IP which the firewall translates to the actual IP of the server. He analyzes the captured packets using
Wireshark and observes that the destination IP is being changed as required by the firewall but does not see the packet leave the
external interface. What could be the reason?

A. The translation might be happening on the client side and the packet is being routed by the OS back to the external interface.
B. The translation might be happening on the server side and the packet is being routed by OS back to the external interface.
C. Packet is dropped by the firewall.
D. After the translation, the packet is dropped by the Anti-Spoofing Protection.

Correct Answer: B

QUESTION 44
Tom has a Web server for which he has created a manual NAT rule. The rule is not working. He tries to initiate a connection from the
external network to a DMZ server using the public IP which the firewall translates to the actual IP of the server. He analyzes the
captured packets using Wireshark and observes that the destination IP is being changed as required by the firewall but does not see
the packet leave the internal interface. Which box in Global Properties should be checked?

A. Automatic NAT rules > Allow bi-directional NAT
B. Automatic NAT rules > Automatic ARP Configuration
C. Automatic NAT rules > Translate destination on client side
D. Manual NAT rules > Translate destination on client side

Correct Answer: D

QUESTION 45
Which FW-1 kernel flags should be used to properly debug and troubleshoot NAT issues?

A. nat, route, conn, fwd, zeco, err
B. nat, xlate, fwd, vm, ld, chain
C. nat, xltrc, xlate, drop, conn, vm
D. nat, drop, conn, xlate, filter, ioctl

Correct Answer: C

QUESTION 46
Which file should be edited to modify ClusterXL VIP Hide NAT rules, and where?

A. $FWDIR/lib/base.def on the cluster members
B. $FWDIR/lib/table.def on the SMC
C. $FWDIR/lib/table.def on the cluster members
D. $FWDIR/lib/base.def on the SMC

Correct Answer: B

QUESTION 47
When viewing a NAT table, what does the second hexadecimal number of the 6-tuple represent?

A. Source port
B. Protocol
C. Source IP
D. Destination port

Correct Answer: C

QUESTION 48
By default, the size of the fwx_alloc table is:

A. 65535
B. 65536
C. 25000
D. 1024

Correct Answer: C

QUESTION 49
Given the screen configuration shown, the failure's probable cause is:

A. Packet 1 proposes SA Life Type, SA Life Duration, Authentication and Encapsulation Algorithm.
B. Packet 1 proposes a symmetrical key.
C. Packet 1 proposes a subnet and host ID, an encryption and hash algorithm.
D. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data.

Correct Answer: D

QUESTION 50
Ann wants to hide FTP traffic behind the virtual IP of her cluster. Where is the relevant file table.def located to make this
modification?

A. $FWDIR/log/table.def
B. $FWDIR/conf/table.def
C. $FWDIR/bin/table.def
D. $FWDIR/lib/table.def

Correct Answer: D

QUESTION 51
While troubleshooting a connectivity issue with an internal web server, you know that packets are getting to the upstream router, but
when you run a tcpdump on the external interface of the gateway, the only traffic you observe is ARP requests coming from the
upstream router. Does the problem lie on the Check Point Gateway?

A. Yes. This could be due to a misconfigured route on the firewall.
B. No. This is a layer 2 connectivity issue and has nothing to do with the firewall.
C. No. The firewall is not dropping the traffic, therefore the problem does not lie with the firewall.
D. Yes. This could be due to a misconfigured Static NAT in the firewall policy.

Correct Answer: D

QUESTION 52
In a production environment, your gateway is configured to apply a Hide NAT for all internal traffic destined to the Internet. However,
you are setting up a VPN tunnel with a remote gateway, and you are concerned about the encryption domain that you need to define
on the remote gateway. Does the remote gateway need to include your production gateway's external IP in its encryption domain?

A. No. All packets destined through a VPN will leave with original source and destination packets without translation.
B. No. All packets destined to go through the VPN tunnel will have the payload encapsulated in an ESP packet and after decryption
at the remote site, will have the same internal source and destination IP addresses.
C. Yes. All packets destined to go through the VPN tunnel will have the payload encapsulated in an ESP packet and after decryption
at the remote site, the packet will contain the source IP of the Gateway because of Hide NAT.
D. Yes. The gateway will apply the Hide NAT for this VPN traffic.

Correct Answer: B

QUESTION 53
The "Hide internal networks behind the Gateway's external IP" option is selected. What defines what traffic will be NATted?

A. The Firewall policy of the gateway
B. The network objects configured for the network
C. The VPN encryption domain of the gateway object
D. The topology configuration of the gateway object

Correct Answer: D

QUESTION 54
With the default ClusterXL settings what will be the state of an active gateway upon using the command ClusterXL_admin up?

A. Ready
B. Down
C. Standby
D. Active

Correct Answer: C

QUESTION 55
Which command should you use to stop kernel module debugging (excluding SecureXL)?

A. fw ctl debug 0
B. fw ctl zdebug - all
C. fw debug fwd off; vpn debug off
D. fw debug fwd off

Correct Answer: A

QUESTION 56
Which command should you run to debug the VPN-1 kernel module?

A. fw debug vpn on
B. vpn debug on TDERROR_ALL_ALL=5
C. fw ctl zdebug crypt kbuf
D. fw ctl debug -m VPN all

Correct Answer: D

QUESTION 57
Which command can be used to see all active modules on the Security Gateway:

A. fw ctl zdebug drop
B. fw ctl debug -h
C. fw ctl chain
D. fw ctl debug -m

Correct Answer: C

QUESTION 58
In some situations, switches may not play nicely with a Check Point Cluster and it is necessary to change from multicast to
broadcast. What command should you invoke to resolve the issue?

A. set ccp broadcast
B. cphaconf set_ccp broadcast
C. cpha_conf set ccp broadcast
D. This can only be changed via GuiDbEdit.

Correct Answer: B

QUESTION 59
Which of the following commands shows the high watermark threshold for triggering the cluster under load mechanism in R77?

A. fw ctl get int fwha_cul_mechanism_enable
B. fw ctl get int fwha_cul_cluster_short_timeout
C. fw ctl get int fwha_cul_member_cpu_load_limit
D. fw ctl get int fwha_cul_policy_freeze_event_timeout_millisec

Correct Answer: C

QUESTION 60
What mechanism solves asymmetric routing issues in a load sharing cluster?

A. Flush and ACK
B. Stateful Inspection
C. SYN Defender
D. State Synchronization

Correct Answer: A

QUESTION 61
When you have edited the local.arp configuration to support a manual NAT, what must be done to ensure proxy ARPs for both
manual and automatic NAT rules function?

A. In Global Properties > NAT tree select Merge manual proxy ARP configuration check box
B. Run the command fw ctl ARP a on the gateway
C. In Global Properties > NAT tree select Translate on client side check box
D. Create and run a script to forward changes to the local.arp tables of your gateway

Correct Answer: A

QUESTION 62
Which command clears all the connection table entries on a Security Gateway?

A. fw tab -t connetion -u
B. fw ctl tab -t connetions -u
C. fw tab -t connetion -s
D. fw tab -t connections -x

Correct Answer: D

QUESTION 63
How can you see a dropped connection and the cause from the kernel?

A. fw zdebug drop
B. fw ctl debug drop on
C. fw debug drop on
D. fw ctl zdebug drop

Correct Answer: D

QUESTION 64
After creating and pushing out a new policy, Joe finds that an old connection is still being allowed that should have been closed after
his changes. He wants to delete the connection on the gateway, and looks it up with fw tab -t connections -u. Joe finds the connection
he is looking for. What command should Joe use to remove this connection?

<0,a128c22,89,a158508,89,11;10001,2281,25,15b,a1,4ecdfeee,ac,691400ac,7b6,3e,ffffffff,3c,3c, 0,0,0,0,0,0,0,0,0,0,0,0,0,0>

A. fw tab -t connections -x -d "0,a128c22,89,0a158508,89,11"
B. fw tab -t connections -x -e "0,a128c22,00000089,0a158508,00000089,00000011"
C. fw tab -t connections -x -d "00000000,a128c22,00000089,0a158508,00000089,00000011"
D. fw tab -t connections -x -e "0,a128c22,89,0a158508,89,11"

Correct Answer: B

QUESTION 65
Using the default values in R77 how many kernel instances will there be on a 16-core gateway?

A. 16
B. 8
C. 12
D. 14

Correct Answer: D

QUESTION 66
When viewing connections using the command fw tab -t connections, all entries are displayed with a 6-tuple key, the elements of the
6-tuple include the following EXCEPT:

A. destination port number
B. source port number
C. direction (inbound / outbound)
D. interface id

Correct Answer: D

QUESTION 67
Each connection allowed by a Security Gateway will have a real entry and some symbolic link entries in the connections state table.
The symbolic link entries point back to the real entry using this:

A. serial number of the real entry.
B. 6-tuple.
C. memory pointer.
D. date and time of the connection establishment.

Correct Answer: B

QUESTION 68
Extended Cluster Anti-Spoofing checks what value to determine if a packet with the source IP of a gateway in the cluster is being
spoofed?

A. The source IP of the packet.
B. The packet has a TTL value of less than 255.
C. The source MAC address of the packet.
D. The destination IP of the packet.

Correct Answer: B

QUESTION 69
How do you clear the connections table?

A. Run the command fw tab -t connections -x
B. In Gateway Properties > Optimizations click Clear connections table
C. Run the command fw tab -t conns -c
D. Run the command fw tab -t connections -c

Correct Answer: A

QUESTION 70
In order to prevent outgoing NTP traffic from being hidden behind a Cluster IP, you should:

A. Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <17, 123> }; and then push
policy.
B. Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <17, 123> };.
C. Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <123, 17> }; and then push
policy.
D. Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <123, 17> }.

Correct Answer: C

QUESTION 71
Of the following answer choices, which best describes a possible effect of expanding the connections table?

A. Increased memory consumption
B. Decreased memory consumption
C. Increased connection duration
D. Decreased connection duration

Correct Answer: A

QUESTION 72
Adam wants to find idle connections on his gateway. Which command would be best suited for viewing the connections table?

A. fw tab -t connections
B. fw tab -t connections -u -f
C. fw tab -t connections -x
D. fw tab -t connections -s

Correct Answer: B

QUESTION 73
From the output of the following cphaprob -i list, what is the most likely cause of the clustering issue?

Cluster B> cphaprob -i list

Built-in Devices:

Device Name: Interface Active Check Current state: OK

Device Name: HA Initialization Current state: OK

Device Name: Recovery Delay Current state: OK

Registered Devices:

Device Name: Synchronization Registration number: 0 Timeout: none Current state: OK Time since last report: 3651.5 sec

Device Name: Filter Registration number: 1 Timeout: none Current state: problem Time since last report: 139 sec

Device Name: routed Registration number: 2 Timeout: none Current state: OK Time since last report: 3651.9 sec

Device Name: cphad Registration number: 3 Timeout: none Current state: OK Time since last report: 3696.5 sec

Device Name: fwd Registration number: 4 Timeout: none Current state: OK Time since last report: 3696.5 sec

A. There is an interface down on Cluster A
B. There is a sync network issue between Cluster A and Cluster B
C. The routing table on Cluster B is different from Cluster A
D. Cluster B and Cluster A have different versions of policy installed.

Correct Answer: D

QUESTION 74
Which command would a troubleshooter use to verify table connection info (peak, concurrent) and verify information about cluster
synchronization state?

A. fw tab -t connections -s
B. fw ctl pstat
C. fw ctl multik stat
D. Show info all

Correct Answer: D

QUESTION 75
Which definition best describes the file table.def function? It is a placeholder for:

A. definitions of various kernel tables for Security Gateways.
B. definitions of various kernel tables for Management Servers.
C. user defined implied rules for Security Gateways.
D. user defined implied rules for Management Servers.

Correct Answer: A

QUESTION 76
Your customer receives an alert from their network operations center: they are seeing ARP and Ping scans of their network originating
from the firewall. What could be the reason for this behaviour?

A. Check Point firewalls probe adjacent networking devices during normal operation.
B. IPS is disabled on the firewalls and there is a known OpenSSL vulnerability that allows a hacker to cause a network scan to
originate from the firewall.
C. One or both of the firewalls in a cluster have stopped receiving CCP packets on an interface.
D. Check Point's Antibot blade performs anti-bot scans of the surrounding network.

Correct Answer: C

QUESTION 77
Your cluster member is showing a state of "Ready". Which of the following is NOT a reason one would expect for this behaviour?

A. One cluster member is configured for 32 bit and the other is configured for 64 bit
B. CoreXL is configured differently on the two machines
C. The firewall that is showing "Ready" has been upgraded but the other firewall has not yet been upgraded
D. Firewall policy has not yet been installed to the firewall

Correct Answer: D

QUESTION 78
Which of the following is NOT a cphaprob status?

A. "Standby"
B. "Active"
C. "Backup"
D. "Down Attention" (or "Down!" in VSX mode)

Correct Answer: D

QUESTION 79
What would be a reason for changing the "Magic MAC"?

A. To allow for automatic upgrades.
B. To allow two or more cluster members to exist on the same network.
C. To allow two or more clusters to exist on the same network.
D. To allow the two cluster members to use the same virtual IP address.

Correct Answer: C

QUESTION 80
What are the kernel parameters that control "Magic MACs"?

A. fwha_magic_mac and fw_forward_magic_mac
B. fwha_mac_magic and fw_mac_forward_magic
C. cpha_mac_magic and cp_mac_forward_magic
D. cpha_magic_mac and cpha_mac_forward_magic

Correct Answer: B

QUESTION 81
How many sync interfaces are supported on Check Point R77 GAiA?

A. 3
B. 4
C. 2
D. 1

Correct Answer: D

QUESTION 82
Which is NOT a valid upgrade method in an R77 GAiA ClusterXL deployment?

A. Optimal Service Upgrade
B. Full Connectivity Upgrade
C. Minimal Effort Upgrade
D. Automatic Incremental Upgrade

Correct Answer: D

QUESTION 83
What would be a reason to use the command cphaosu stat?

A. To determine the number of connections from OPSEC software using Open Source Licenses.
B. To decide when to fail over traffic to a new cluster member.
C. This is not a valid command.
D. To see the policy install dates on each of the members in the cluster.

Correct Answer: B

QUESTION 84
You run the commands:

fw ctl debug 0

fw ctl debug -buf 32000

Which of the following commands would be best to troubleshoot a clustering issue?

A. fw ctl zdebug -m cluster + all
B. fw ctl debug -m CLUSTER + conf stat
C. fw ctl debug -m cluster + pnote stat if
D. fw ctl kdebug -m CLUSTER all

Correct Answer: C

QUESTION 85
You run the command fw tab -t connections -s on both members in the cluster. Both members report differing values for "vals" and
"peaks". Which may NOT be a reason for this difference?

A. Synchronization is not working between the two members
B. SGMs in a 61k environment only sync selective parts of the connections table.
C. Heavily used short-lived services have had synchronization disabled for performance improvement.
D. Standby member does not synchronize until a failover is needed.

Correct Answer: D

QUESTION 86
Your customer reports that the time on the standby cluster member is not correct. After failing over and making it active, the time is
now correct. NTP has been configured on both machines, so it is expected that both machines be in sync with the NTP server. Upon
investigating, it was found that the standby member was never able to communicate with the NTP server while it was in standby
configuration. What could be the problem?

A. You should be syncing your backup to the primary for time settings.
B. NTP is not supported in active-passive mode.
C. Traffic from the standby member was hidden behind the cluster IP address and was therefore returning to the active member.
D. Routing prevents the standby member from performing functions such as peering with dynamic routing and obtaining NTP
updates.

Correct Answer: C

QUESTION 87
Your customer has an R77 Multi-domain Management Server managing a mix of firewalls of R70 and R77 versions. A change was
made to the file $FWDIR/lib/tables.def on one of the domains. However, it was found that the change was not applied to the R70
firewalls. What could be the problem?

A. Changes to the table.def can only be applied to firewalls matching the Management Server version. The customer needs to
upgrade the firewalls to the same version as the firewall.
B. R70 is end of life and is not supported. Most functions will work, but modifying the table.def will not.
C. In order to make changes on R70 machines you need to work within GuiDBedit
D. To support R70, the file in the compatibility directory should have been modified.

Correct Answer: D

QUESTION 88
What is the function of the setting "no_hide_services_ports" in the tables.def files?

A. Preventing the secondary member from hiding its presence by not forwarding any packets.
B. Allowing management traffic to be accepted in an applied rule ahead of the stealth rule.
C. Hiding the particular tables from being synchronized to the other cluster member.
D. Preventing outbound traffic from being hidden behind the cluster IP address.

Correct Answer: D

QUESTION 89
Which command will you run to list established VPN tunnels?

A. fw tab -t vpn_active
B. vpn compstat
C. fw tab -t vpn_routing
D. vpn tu

Correct Answer: D

QUESTION 90
You are troubleshooting a VPN with a partner and you suspect a configuration mismatch in the Diffie-Hellman (DH) group for Phase 1.
After starting a vpn debug, in which packet would you look to analyze this option in your debug file?

A. Packet3
B. Packet4
C. Packet5
D. Packet1

Correct Answer: D

QUESTION 91
The file ike.elg is a log file used to log IKE negotiations during VPN tunnel establishment. Where is this file located?

A. /opt/CPshrd-R77/log
B. /opt/CPsuite-R77/fw1/log
C. /var/log/opt/CPsuite-R77/fg1/log
D. /opt/CPsuite-R77/fg1/log

Correct Answer: B

QUESTION 92
Which command displays compression/decompression statistics?

A. vpn ver k
B. vpn compstat
C. vpn compreset
D. vpn crlview

Correct Answer: B

QUESTION 93
What debug file would you check to see what IKE version is being used?

A. fwpnd.elg
B. vpn.txt
C. debug.txt
D. vpnd.elg

Correct Answer: D

QUESTION 94
What file contains IKEv2 debug messages?

A. $FWDIR/log/ikev2
B. $FWDIR/log/ike.xml
C. $FWDIR/log/vpnd.elg
D. $FWDIR/log/ike.elg

Correct Answer: A

QUESTION 95
What is the log file that shows the keep alive packets during the debug process?

A. $FWDIR/log/ikev2.xmll
B. $FWDIR/log/ike.xmll
C. $FWDIR/log/ike.elg
D. $FWDIR/log/vpnd.elg

Correct Answer: C

QUESTION 96
What is the log file that shows the processes that participate in the tunnel initiation stage?

A. $FWDIR/log/ikev2.xmll
B. $FWDIR/log/ike.xmll
C. $FWDIR/log/vpnd.elg
D. $FWDIR/log/ike.elg

Correct Answer: C

QUESTION 97
Which program could you use to analyze Phase I and Phase II packet exchanges?

A. vpnView
B. Check PointView
C. IKEView
D. vpndebugView

Correct Answer: C

QUESTION 98
Check Point Best Practices suggest that when you finish a kernel debug, you should run the command _____________________ .

A. fw debug 0
B. fw debug off
C. fw ctl debug default
D. fw ctl debug 0

Correct Answer: D

QUESTION 99
Given the following IKEView output, what do we know about QuickMode Packet 1?

A. Packet 1 proposes a symmetrical key
B. Packet 1 proposes a subnet and host ID, an encryption and hash algorithm
C. Packet 1 proposes SA Life Type, SA Life Duration, Authentication and Encapsulation Algorithm
D. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data

Correct Answer: D

QUESTION 100
You are attempting to establish a VPN tunnel between a Check Point gateway and a 3rd party vendor. When attempting to send
traffic to the peer gateway it is failing. You look in SmartView Tracker and see that the failure is due to "Encryption failure: no
response from peer". After running a VPN debug on the problematic gateway, what is one of the files you would want to analyze?

A. $FWDIR/log/fw.log
B. $FWDIR/log/fwd.elg
C. $FWDIR/log/ike.elg
D. /var/log/fw_debug.txt

Correct Answer: C

QUESTION 101
You want to run VPN debug that will generate both ike.elg and vpn.elg files. What is the best command that can be used to achieve
this goal?

A. vpn debug ikeon
B. vpn debug on TDERR_ALL_ALL=5
C. vpn debug trunc
D. vpn debug trunc

Correct Answer: D

QUESTION 102
In IKEView while troubleshooting a VPN issue between your gateway and a partner site you see an entry that states "Invalid ID".
Which of the following is the most likely cause?

A. IKEv1 is not supported by the peer.
B. Time is not matching between two members.
C. The encryption parameters (hash, encryption type, etc.) do not match.
D. Wrong subnets are being negotiated.

Correct Answer: D

QUESTION 103
While troubleshooting a VPN issue between your gateway and a partner site you see an entry in SmartView Tracker that states "Info:
encryption failure: Different community ID: possible NAT problem". Which of the following is the most likely cause?

A. You have an encryption method mismatch.
B. Implied rules in global properties such as ICMP and DNS are set to first instead of before last.
C. You have not created a specific rule allowing VPN traffic.
D. You have the wrong encryption domains configured.

Correct Answer: B

QUESTION 104
You are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log on your gateway that states
"Clear text packet should be encrypted". Which of the following would be the best troubleshooting step?

A. Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving the
initiating (partner) gateway as clear text.
B. Use the excluded services in the VPN community to exclude this traffic from the VPN or determine why the traffic is leaving local
(your) gateway as clear text.
C. Your phase one algorithms are mismatched between gateways.
D. This is management traffic and we need to enable implied rule to address this issue.

Correct Answer: A

QUESTION 105
Your company has recently decided to allow remote access for clients. You find that no one is able to connect, although you are
confident that your rule set and remote access community has been defined correctly. What is the most likely cause, based on the
options below? You have the following debug file:

A. RDP is being blocked upstream.
B. You have selected IKEv2 only in Global Properties > Remote Access > VPN Authentication and Encryption.
C. Remote access clients are all behind NAT devices.
D. Implied rule is not set to accept control connections.

Correct Answer: B

QUESTION 106
You are experiencing an issue where the Endpoint Connect client connects successfully; however, it disconnects every 20 seconds.
What is the most likely cause of this issue?

A. The Accept Remote Access control connections is not enabled in Global Properties > FireWall Implied Rules.
B. You have selected IKEv2 only in Global Properties > Remote Access > VPN Authentication and Encryption.
C. You are not licensed for Endpoint Connect client.
D. Your remote access community is not configured.

Correct Answer: A

QUESTION 107
In a VPN configuration, the following mode can be used to increase throughput by bypassing firewall enforcement.

A. Virtual Tunnel Interface (VTI) Mode can bypass firewall for all encrypted traffic
B. Hub Mode can be used to bypass stateful inspection
C. There is no such mode that can bypass firewall enforcement
D. Wire mode can be used to bypass stateful inspection

Correct Answer: D

QUESTION 108
When VPN user-based authentication fails, which of the following debug logs is essential to understanding the issue?

A. VPN-1 kernel debug logs
B. IKE.elg
C. Vpnd.elg
D. fw monitor trace

Correct Answer: B

QUESTION 109
In Tracker you are troubleshooting a VPN issue between your gateway and a partner site and you get a drop log that states "No
proposal chosen" what is the most likely cause?

A. There is a time mismatch
B. The peer machine is not accepting multicast packets
C. A mismatch in the settings between the two peers
D. Using IKEv1 when peer uses IKEv2

Correct Answer: C

QUESTION 110
Which of the following is NEVER affected by the OS time and date configuration?

A. VPN PSK authentication
B. VPN certificate authentication
C. SIC
D. Identity Awareness Kerberos authentication

Correct Answer: A

QUESTION 111
In the process of troubleshooting traffic issues across a VPN tunnel, you notice on the output of fw monitor -e host(172.21.1.10),
accept; that packets are going through the inbound chain (i > I) and then disappearing after the outbound chain (o > __), while you
were expecting to see the packet leave on O. What could be causing this issue?

A. When packets are destined to leave through a VPN tunnel, it is encrypted and encapsulated in an ESP packet, and thus will not
show up on a fw monitor.
B. It's not showing up on the fw monitor because it is exiting the wrong interface
C. The packet is getting silently dropped because there is no route for the packet.
D. The gateway never completed the IKE and IPSec key exchange, and the tunnel does not exist yet.

Correct Answer: A

QUESTION 112
You are troubleshooting your VPN and are reviewing the output of your command fw monitor, shown below. What can you determine
from the following output?

A. The fw monitor command cannot display the relevant information since it is encrypted traffic
B. NAT is not being applied to the IP address 10.10.10.86
C. There is no issue, since the traffic is being seen at all points in the inspection kernel
D. Traffic is not being encrypted

Correct Answer: D

QUESTION 113
What would the following command fw monitor tell you?
A. Only OSPF and FTP traffic between 10.10.10.86 and 192.168.10.4
B. Only traffic between 10.10.10.86 and 192.168.10.4 on port 21 or port 89
C. Only accepted traffic between 10.10.10.86 and 192.168.10.4, or any accepted FTP traffic, or any accepted OSPF traffic
D. Any communication between 10.10.10.86 and 192.168.10.4, or any FTP traffic, or any OSPF traffic

Correct Answer: D

QUESTION 114
After disabling SecureXL you ran command fw monitor to help troubleshoot a VPN issue. In your review you note that you only see
pre-inbound traffic ("i") and no other traffic after this. Which of the following reasons could explain this output?

A. You don't have an "encrypt" rule
B. Traffic is not destined to the MAC address because you failed to set up proxy ARP
C. You have overlapping encryption domains with the remote site
D. Routes are set up incorrectly

Correct Answer: C

QUESTION 115
You are setting up VPN between two gateways Local-GW and New-GW and want to use shared secret. For some reason New-GW
is not showing up in the shared secret properties under mesh community properties. What is the most likely reason why the New-GW
is not displayed?

A. Gateway is locally managed by the same management station as Local-GW and shared secret is not supported for this
configuration
B. New-GW has to have Advanced properties > shared secret enabled.
C. You need to install database by selecting Policy > Install database before gateway can be added.
D. Gateway is 600 appliance and does not support "shared secret" option.

Correct Answer: A

QUESTION 116
SecureXL uses templating to accelerate traffic passing through the gateway. What command should you run to determine if Accept,
Drop and NAT templating is enabled?

A. fwaccel stat
B. fw ctl pstat
C. cphaprob -a if
D. cpconfig

Correct Answer: A

QUESTION 117
Certain rules will disable connection rate acceleration (templates) in the Rule Base. What command should be used to determine on
what rule templates are disabled?

A. cpconfig
B. cphaprob -a if
C. fw ctl pstat
D. fwaccel stat

Correct Answer: D

QUESTION 118
Look at the following Rule Base display. Rule 5 contains a TIME object. What is the effect on the following rules?

A. Rule 6 will be eligible but Rule 7 will not.
B. All subsequent rules below Rule 5 will not be templated, regardless of the rule
C. No effect. Rules 6 and 7 will be eligible for templating.
D. The restriction on one rule does not affect later rules with regards to templates.

Correct Answer: B

QUESTION 119
The command fwaccel stat displays what information?

A. Accelerator status, accept templates, drop templates
B. Accelerated packets, accept templates, dropped packets
C. Accelerator status, accelerated rules, drop templates
D. Accelerator status, CoreXL state, drop templates

Correct Answer: A

QUESTION 120
When running a SecureXL debug how do you initialize the debug buffer to 32000?

A. fwaccel debug buf 32000
B. fw ctl debug buf 32000
C. sim debug buf 32000
D. fwaccel dbg buf 32000

Correct Answer: B

QUESTION 121
What command can be used to get the following output?

A. fw ctl kdebug
B. fw monitor -e "accept;"
C. fwaccel conns
D. netstat -ni

Correct Answer: C

QUESTION 122
What command would you use to determine if a particular connection is being accelerated by SecureXL?

A. fw tab -t connections -u
B. fw ctl kdebug
C. fwaccel stat
D. fwaccel conns

Correct Answer: D

QUESTION 123
A new packet has arrived to a firewall's interface. The packet was compared with the connection table and there is no match. What
process does the firewall start with that connection?

A. The packet will be then forwarded to the outbound interface for handling.
B. The new packet represents a new flow and requires a new connection table entry.
C. The packet will be rejected by the kernel firewall.
D. The packet will be forwarded to the firewall to apply the Security Policy.

Correct Answer: D

QUESTION 124
According to this Rule Base, templates will be created until which rule?

A. Rule 4
B. Rule 2
C. Rule 3
D. Rule 5

Correct Answer: B

QUESTION 125
How to check the overall SecureXL statistics:

A. fwaccel on
B. fwaccel stat
C. cat /proc/ppk/statistics
D. fwaccel conns

Correct Answer: C

QUESTION 126
When are rules that include identity awareness access roles accelerated through SecureXL?

A. Rules using Identity Awareness are always accelerated.
B. Only when 'Unauthenticated Guests' is included in the access role.
C. They have no bearing on whether the connection for the rule is accelerated.
D. Rules using Identity Awareness are never accelerated.

Correct Answer: C

QUESTION 127
What command shows the same information as fwaccel stats -l?

A. cat /proc/ppk/cpls
B. cat /proc/ppk/statistics
C. cphaprob a hconf
D. fwaccell stats s u -k

Correct Answer: B

QUESTION 128
In order to perform some connection troubleshooting, you run the command fw monitor -e "accept dport=443;". You do NOT see the
TCP ACK packet. Why is this?

A. The connection is encrypted.
B. The connection is NATted.
C. The connection is dropped.
D. The connection is accelerated.

Correct Answer: D

QUESTION 129
What is the corresponding connection template entered into the SecureXL connection table from the connection: "10.0.0.100:1024 >
216.239.59.59:80"

A. "10.0.0.100:1024 > 216.239.59.59:80"
B. "10.0.0.100:1024 > 216.239.59.59:*"
C. "10.0.0.100:* > 216.239.59.59:*"
D. "10.0.0.100:* > 216.239.59.59:80"

Correct Answer: D

QUESTION 130
When are rules that include Identity Awareness Access (IDA) roles accelerated through SecureXL?

A. Only when 'Unauthenticated Guests' is included in the access role.
B. Never, the inclusion of an IDA role disables SecureXL.
C. The inclusion of an IDA role has no bearing on whether the connection for the rule is accelerated.
D. Always, the inclusion of an IDA role guarantees the connection for the rule is accelerated.

Correct Answer: C

QUESTION 131
In the policy below, which rule disables SecureXL?

A. 5
B. 1
C. 4
D. 3

Correct Answer: B

QUESTION 132
When optimizing a customer firewall Rule Base, what is the BEST way to start the analysis?

A. With the command fwaccel stat followed by the command fwaccel stats.
B. At the top of the Rule Base.
C. Using the hit count column.
D. Using the Compliance Software Blade.

Correct Answer: A

QUESTION 133
What do the 'F' flags mean in the output of fwaccel conns?

A. Forward to firewall
B. Flag set for debug
C. Fast path packets
D. Flow established

Correct Answer: A

QUESTION 134
What command should a firewall administrator use to begin debugging SecureXL?

A. fwaccel dbg api + verbose add
B. fwaccel debug -m <module name> <flag>
C. fwaccel dbg -m <module name> <flag>
D. SecureXL cannot be debugged and the kernel debug will give enough output to help the firewall administrator to understand the
firewall's behaviour. The right command to use is fw ctl debug -m fw.

Correct Answer: C

QUESTION 135
A firewall administrator knows the details of the packet header for an already established connection going through a firewall. What
command will show if SecureXL will accelerate that packet?

A. fw ctl zdebug + sxl error warning asm
B. fwaccel conns
C. fwaccel templates
D. fw tab -t connections -f | grep 'dest. port #' | grep 'source port #' | grep 'dest. IP address'

Correct Answer: C

QUESTION 136
What is the command to check how many connections the firewall has detected for the SecureXL device?

A. fw tab -t connections -s
B. fw tab -t cphwd_db -s
C. fw tab -t connection -s | grep template
D. fwaccel conns

Correct Answer: B

QUESTION 137
While troubleshooting high CPU usage on cores 3 and 4 on a cluster, you notice the following output of fwaccel stats -s:

What could be a possible cause of the high CPU usage?

A. Connections are being partially accelerated by SecureXL, but too many packets are still being processed by the firewall kernel.
B. The Secure Network Dispatcher (SND) is having to process too much inbound traffic from the NICs.
C. Connections are not being accelerated by SecureXL, and all packets are being forwarded to firewall kernel instances for
inspection.
D. The Secure Network Dispatcher (SND) is working too hard to distribute the traffic to the acceleration layer.

Correct Answer: C

QUESTION 138
Which of the following statements are TRUE about SecureXL?

I. SecureXL is able to accelerate all connections through the firewall.
II. Medium path acceleration will still cause some CPU utilization of CoreXL cores.
III. F2F connections represent "forwarded to firewall" connections that are not accelerated and fully processed through the firewall
kernel.
IV. Packets going through SecureXL must be inspected by the firewall kernel before being accelerated.

A. II and III
B. I, II, and III
C. III and IV
D. I and IV

Correct Answer: A

QUESTION 139
Consider the following Rule Base;
What can be concluded in regards to SecureXL Accept Templates?

A. Accept Templates will be disabled on Rule #4
B. Accept Templates will be fully functional
C. Accept Templates will be disabled on Rule #6
D. Accept Templates do not function with VPN communities in the Rule Base

Correct Answer: A

QUESTION 140
In an HA cluster, you modify the number of cores given to CoreXL on only one member using cpconfig and then issue a reboot. What
is the expected ClusterXL status of this member when it comes up?

A. Standby
B. Ready
C. Active
D. Down

Correct Answer: A

QUESTION 141
Which information CANNOT be displayed by issuing the command cat /proc/cpuinfo?

A. CPU family
B. NFS_Unstable
C. fpu
D. vendor_id

Correct Answer: B

QUESTION 142
You find that your open server SecurePlatform system is lagging although you know you have plenty of memory and the complexity
of the Rule Base has not changed significantly. You think that upgrading the CPU frequency speed could help your performance.
Which command could help you see what speed and model of CPU you are using?

A. top
B. sysconfig
C. cat /proc/cpuinfo
D. fw tab

Correct Answer: C

QUESTION 143
Where would you find CPU information like model, number of cores, vendor and architecture?

A. In the file cpuinfo in the directory /proc.
B. Right click the gateway object in SmartDashboard and view properties
C. WebUI
D. sysconfig

Correct Answer: A

QUESTION 144
From which version can you add Proxy ARP entries through the GAiA portal?

A. R77.10
B. R77
C. R75.40
D. R76

Correct Answer: C

QUESTION 145
What happens to manual changes in the file $FWDIR/conf/local.arp when adding Proxy ARP entries through the GAiA portal or
Clish?

A. Nothing.
B. If the file $FWDIR/conf/local.arp has been edited manually, you are not able to add Proxy ARP entries through the GAiA portal or
Clish.
C. They are merged with the new entries added from the GAiA Portal / Clish.
D. They are overwritten.

Correct Answer: D

QUESTION 146
You are analyzing your firewall logs, /var/log/messages, and repeatedly see the following kernel message:

'kernel: neighbor table overflow'

What is the cause?

A. ARP cache overflow
B. OSPF neighbor down
C. Nothing, you can disregard it.
D. Cluster member table overflow

Correct Answer: A

QUESTION 147
The 'Maximum Entries' value in the GAiA Portal corresponds to the 'gc_thresh3' parameter in the Linux kernel and has value of 1024.
Knowing this, you know that gc_thresh2 and gc_thresh1 are automatically set to the values:

A. gc_thresh2=256 and gc_thresh1=128
B. gc_thresh2=512 and gc_thresh1=256
C. gc_thresh2=1024 and gc_thresh1=1024
D. gc_thresh1=256 and gc_thresh2=128

Correct Answer: B

QUESTION 148
Your ARP cache is overflowing, negatively impacting users' experience on your network. Which command can you issue to increase
the ARP cache on the fly? You do not need this to survive reboot.

A. Modify the /etc/sysctl.conf: net.ipv4.neigh.default.gc_thresh3 = 1024.
B. echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
C. arp cache table > 1024
D. You cannot increase the size of the ARP cache on the fly.

Correct Answer: B

QUESTION 149
Your gateway object is currently defined with a max connection count of 25k connections in Smart Dashboard. Which of the following
commands would show you the current and peak connection counts?

A. show connections all
B. fw ctl conn
C. fw ctl chain
D. fw ctl pstat

Correct Answer: D

QUESTION 150
Which command will NOT display information related to memory usage?

A. free
B. fw ctl pstat
C. cat /proc/meminfo
D. memoryinfo.conf

Correct Answer: D

QUESTION 151
What does the command fwaccel templates do?

A. Starts firewall acceleration after fwaccel off was run or SecureXL was enabled by using the command cpconfig.
B. That SecureXL has been enabled in the cpconfig command menu.
C. Shows templates existing in the SecureXL device. This is so that an administrator can look for the template that matches the
specific traffic.
D. The Rule Base mapping between actual rules and the template built up in Layer 2.

Correct Answer: C

QUESTION 152
Running the command fw ctl pstat -l would return what information?

A. Additional hmem details
B. General Security Gateway statistics
C. Additional kmem details
D. Additional smem details

Correct Answer: B

QUESTION 153
You have a user-defined SMTP trap configured to send an alert to your mail server, and you also have SmartView Monitor
configured to trigger the alert whenever policy is pushed to your gateway. However, you are not getting any mails even when you test
for pushing policy. What process should you troubleshoot on the Management Server?

A. fwd
B. fwm
C. cpwd_admin
D. cpstat_monitor

Correct Answer: D

QUESTION 154
What command, other than fw ctl pstat, will display your peak concurrent connections?

A. fw ctl get int fw_peak_connections
B. netstat -ni
C. fw tab -t connections -s
D. top

Correct Answer: C

QUESTION 155
You have just configured HA and find that connections are not being synced. When you have a failover, users complain that they are
losing their connections. What command could you run to see the state synchronization statistics?

A. fw ctl pstat
B. fw sync stats
C. cphaprob stat
D. fw ctl get int fw_state_sync_stats

Correct Answer: A

QUESTION 156
Which of the following is a valid synchronization status as an output to fw ctl pstat?

A. Unable to receive sync packets
B. Sync member down
C. Synchronized
D. Communicating

Correct Answer: A

QUESTION 157
You are running some diagnostics on your GAIA gateway. You are reviewing the number of fragmented packets; you notice that
there are a lot of large and duplicate packets. Which command did you issue to get this information?

A. sysconfig
B. fw ctl pstat
C. fw ctl get int fw_frag_stats
D. cat /proc/cpuinfo

Correct Answer: B

QUESTION 158
Your company has grown significantly over the past few months. You are seeing that new connections are being dropped but note
that the connections table is not full. You suspect that the kernel memory allocated to the firewall has reached its full capacity. To
check the "Machine Capacity Summary" statistics, you use command:

A. ps -aux
B. top
C. cat /proc/net/capacity
D. fw ctl pstat

Correct Answer: D

QUESTION 159
Under which scenario would you most likely consider the use of Multi-Queue?

A. When IPS is heavily used.
B. When most of the traffic is accelerated.
C. When most of the processing is done in CoreXL.
D. When trying to increase session rate.

Correct Answer: B

QUESTION 160
If you need to use a Domain object in the Rule Base, where should this rule be located?

A. No higher than the 2nd rule.
B. The first rule in the Rule Base.
C. The last rule before the clean up rule.
D. The last rule after the clean up rule.

Correct Answer: C

QUESTION 161
You have a requirement to implement a strict security policy. With this in mind, you must create a stealth rule. How will this impact
your packet acceleration?

A. Using a stealth rule disables SecureXL.
B. There will be no impact as long as the rule is not logged.
C. NAT templates will not work.
D. There will be no impact, since stealth rules do not affect SecureXL.

Correct Answer: D

QUESTION 162
What will be the outcome if you set the kernel parameters cphwd_nat_templates_enabled and cphwd_nat_templates_support?

A. This would enable Hide NAT support.
B. These parameters are mutually exclusive and cannot be used at the same time.
C. This would enable SecureXL NAT templates.
D. These are not valid parameters.

Correct Answer: C

QUESTION 163
You are finding that some users are complaining about slow connection speed. You would like to review a summary of your
connections, including which connections are accelerated and those that are not. What command could you use?

A. fw ctl pstat
B. fwaccel perf
C. fw tab -t connections -s
D. fwaccel stats -s

Correct Answer: D

QUESTION 164
You want to verify that the majority of your connections are being optimized by SecureXL. What command would you run to establish
this information?

A. fw ctl pstat
B. fw tab -t connections -s
C. fwaccel conns -s
D. sim_dbg -s

Correct Answer: C

QUESTION 165
What is the difference between "connection establishment acceleration" (templating) and "traffic acceleration"?

A. These are the same technologies with different names.
B. "Connection establishment acceleration" only accelerates a single connection, while "traffic acceleration" accelerates similar
traffic.
C. "Traffic acceleration" is accelerated through hardware, and "connection establishment acceleration" is accelerated in software.
D. "Traffic acceleration" only accelerates a single connection, while "connection establishment acceleration" accelerates similar
traffic.

Correct Answer: D

QUESTION 166
What type of connections cannot be templated?

A. Any connections that contain Hide NAT
B. Complex connections such as FTP, H323, SQL, etc.
C. UDP because it is not connection oriented
D. TCP

Correct Answer: B

QUESTION 167
You issue the command fwaccel stat and see the following:
What is a possible reason that the "accept templates" is disabled?

A. Rule one is a drop rule.
B. Rule one uses static NAT.
C. Rule one contains a time object.
D. Your administrator has not enabled templating.

Correct Answer: C

QUESTION 168
PXL is considered to be what type of acceleration?

A. Fast Path
B. Slow Path
C. Medium Path
D. PXL is not related to acceleration

Correct Answer: C

QUESTION 169
You are running an inventory process within your corporate environment (R77) and need to find out CPU, memory, disk space, and
information regarding the software blades enabled. What command could you use to easily gather this information?

A. cpconfig
B. fw ctl pstat
C. SmartView Tracker
D. cpview

Correct Answer: D

QUESTION 170
A Rule Base has been improperly configured with a rule which disables templating at the top of the Rule Base. How will this impact
traffic acceleration?

A. SecureXL is disabled.
B. Templates are disabled, and throughput acceleration only functions for rules above this one.
C. Templates are disabled for this rule but it does not impact the rest of the Rule Base.
D. Templates are disabled but throughput acceleration is still taking place.

Correct Answer: D

QUESTION 171
You run the command fwaccel conns and notice in the output that all the connections have "F" in the "flags" column, see below:

What does this mean?

A. Connections are being "forward to firewall" ("f2f").
B. Connections are being "forwarded" to the accelerating engine.
C. Connections are accelerated ("fastpath").
D. Connections have the fragment flag set.

Correct Answer: A

QUESTION 172
From a Best Practices perspective, what percentage of your packets should be accelerated?

A. 65%
B. 90%
C. 100%
D. 75%

Correct Answer: B

QUESTION 173
How does the Check Point Security Administrator enable NAT Templates?

A. Run commands with syntax fw ctl set int cphwd_nat_templates_support 1 and fw ctl set int cphwd_nat_templates_enabled 1.
B. Edit file $FWDIR/boot/modules/fwkern.conf with the lines "cphwd_nat_templates_support=1" and
"cphwd_nat_templates_enabled=1".
C. Set Firewall object > NAT > Advanced
D. Set Global properties > NAT-Network address translation

Correct Answer: B

QUESTION 174
What should you do after editing fwkern.conf to enable NAT templates?

A. Install database
B. Reboot
C. Install policy
D. Make sure the change shows up in Smartview Monitor

Correct Answer: B

QUESTION 175
How would you determine the value of 'Maximum concurrent connections' of the NAT Table?

A. fwx_alloc
B. fwx_max_conns
C. fwx_auth
D. objects_5_0.C

Correct Answer: A

QUESTION 176
What does "cphwd_nat_templates_enabled=1" do when entered into fwkern.conf?

A. Disables NAT templates when SecureXL is turned on.
B. Enables NAT templates when SecureXL is turned on.
C. Enables NAT templates at all times.
D. Disables NAT templates at all times.

Correct Answer: B

QUESTION 177
You are a system administrator and you are working with Support. Support asked you to enable kernel core dumps on the files. You
are unsure if this has already been set. You run the command chkconfig --list kdump. Does the screen capture tell you if kernel
dumps are enabled on this gateway?

A. There is not enough information to determine if kernel core files will be generated.
B. Yes kernel dump has been enabled and kernel files should be captured.
C. Kdump has nothing to do with kernel core file generation.
D. All values should be set to "on". A kernel core dump will not be created.

Correct Answer: B

QUESTION 178
When a cluster member is completely powered down, how will the other member identify if there is network connectivity?

A. The working member will ARP for the default gateway.
B. The working member will look for replies to traffic sent from internal hosts.
C. The working member will automatically assume connectivity.
D. The working member will Ping IPs in the subnet until it gets a response.

Correct Answer: D

QUESTION 179
If the number of Firewall Workers for CoreXL is set higher on one member of a cluster than the other, the cluster will be in what
state?

A. Active/Standby
B. Active/Ready
C. Active Attention/Down
D. Active/Down

Correct Answer: B

QUESTION 180
What is one way to check cluster status on two gateways running in HA mode?

A. show cluster
B. cphaprob stat
C. cp ha prob stat
D. show cluster ha status

Correct Answer: B

QUESTION 181
Which command displays FireWall internal statistics about memory and traffic?

A. fw getifs
B. cpstat os -f memory
C. fw ctl pstat
D. cpstat os -f cpu

Correct Answer: C

QUESTION 182
To check what is currently set in the Firewall kernel debug input the command:

A. fw ctl multistate
B. fw ctl debug x
C. fw ctl pstat
D. fw ctl debug

Correct Answer: D

QUESTION 183
Misha is working on a standby firewall and deletes the connections table in error. He finds that now the table is out of sync with the
Active member. To get them completely synced again, Misha should run the command pair ____________ and __________ .

A. fw ctl sync stop, fw ctl sync start
B. fw ctl setsync off, fw ctl setsync start
C. fw ctl setsync stop, fw ctl setsync on
D. fw ctl setsync off, fw ctl setsync on

Correct Answer: B

QUESTION 184
In a ClusterXL cluster with delayed synchronization, which of the following is not true?

A. The length of time for the delay can be edited.
B. It applies only to TCP services whose Protocol Type is set to HTTP or None.
C. Delayed Synchronization is disabled if the Track option in the rule is set to Log or Account.
D. Delayed Synchronization is performed only for connections matching a SecureXL Connection Template.

Correct Answer: A

QUESTION 185
What is the best way to see how a firewall is performing while processing packets in the firewall path, including resource usage?

A. fw getperf
B. SecureXL stat
C. fwaccel stats
D. fw ctl pstat

Correct Answer: D

QUESTION 186
What is the best way to see how much traffic went through the firewall that was TCP, UDP and ICMP?

A. fwaccel conns
B. fw tab t connections p
C. fwaccel stats
D. fw ctl pstat

Correct Answer: D

QUESTION 187
Which file holds global Kernel values to survive reboot in a Check Point R77 gateway?

A. $FWDIR/conf/fwkern.conf
B. $FWDIR/boot/modules/fwkern.conf
C. $FWDIR/boot/confwkern.conf
D. $FWDIR/boot/fwkern.conf

Correct Answer: B

QUESTION 188
ACME Corp has a cluster consisting of two 13500 appliances. As the Firewall Administrator, you notice that on an output of top, you
are seeing high CPU usage of the cores assigned as SNDs, but low CPU usage on cores assigned to individual fw_worker_X
processes. What command should you run next to performance tune your cluster?

A. fw ctl debug -m cluster + all: this will show you all the connections being processed by ClusterXL and explain the high CPU usage
on your appliance.
B. fwaccel off: this will turn off SecureXL, which is causing your SNDs to be running high in the first place.
C. fwaccel stats -s: this will show you the acceleration profile of your connections and potentially why your SNDs are running high
while other cores are running low.
D. fw tab -t connections -s: this will show you a summary of your connections table, and allow you to determine whether there is too
much traffic traversing your firewall.

Correct Answer: C

QUESTION 189
Your customer has a well optimized Rule Base with most traffic accelerated by SecureXL. They are still seeing slow performance.
They are using an 8 core machine. They see the following output from fw ctl affinity -l. What could be done to improve performance
with this deployment?

A. Increase the number of cores dedicated to logging.
B. Increase the number of Secure Network Dispatchers as the accelerated traffic is not passed to a worker core.
C. Add more CPU resources to the hardware.
D. Upgrade to SAM hardware.

Correct Answer: B

QUESTION 190
The CoreXL software architecture includes the Secure Network Dispatcher (SND). One of the responsibilities of SND is to:

A. Distribute non-accelerated packets among kernel instances
B. Dispatch the packet securely through the VPN link
C. Processing outgoing traffic from the network interfaces
D. Dispatch the packet securely through the physical link

Correct Answer: A

QUESTION 191
What is the method to change the number of cores that CoreXL will use?

A. cpconfig
B. SmartDashboard
C. sysconfig
D. CoreXL automatically recognizes the number of cores on a system at startup so there is no method or reason to modify the
setting.

Correct Answer: A

QUESTION 192
What command verifies which core each gateway interface and firewall instance is currently running on?

A. fw ctl pstat
B. fw accel stat
C. show corexl stat
D. fw ctl affinity -l

Correct Answer: D

QUESTION 193
A Security Administrator wants to increase the number of processing cores on a Check Point Security Gateway. He starts by
increasing the number of cores; however, the number of kernel instances remains the same. What is the process to increase the
number of kernel instances?

A. Cpconfig- Enable Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-
cprestart
B. Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-reboot
C. Cpconfig- Enable Check Point ClusterXL- Change the number of firewall instances-define how many firewall instances to enable-
reboot
D. Cpconfig- Check Point CoreXL- Change the number of firewall instances-define how many firewall instances to enable-
cpstop,cpstart

Correct Answer: B

QUESTION 194
What command displays the Connections Table for a specified CoreXL firewall instance?

A. fw tab -t connections -s
B. fw -i FW_INSTANCE_ID tab -t connections [flags]
C. fw tab -t connection | grep fw<FW_INSTANCE_ID>
D. fw tab -t connections

Correct Answer: B

QUESTION 195
Why would you not see a CoreXL configuration option in cpconfig?

A. The gateway only has one processor core.
B. CoreXL is not enabled in the gateway object.
C. CoreXL is not licensed.
D. CoreXL is disabled via policy.

Correct Answer: A

QUESTION 196
Where would you go to adjust the number of Kernels in CoreXL?

A. Cpconfig
B. fw ctl conf
C. fw ctl affinity
D. fw ctl multik stat

Correct Answer: A

QUESTION 197
CoreXL on IPSO R77.20 does NOT support which of the following features?

A. Check Point QoS
B. IPv6
C. Overlapping NAT
D. Route-based VPN

Correct Answer: A

QUESTION 198
When troubleshooting a performance problem on a multicore firewall that is using CoreXL, what command checks the number of
connections each core is processing?

A. sim affinity -l
B. cat fwkern.conf
C. fw CTL pstat
D. fw ctl multik stat

Correct Answer: D

QUESTION 199
A firewall has 8 CPU cores and the license. CoreXL is enabled. How could you set kernel instance #3 to run on processing core #5?

A. This is not possible; CoreXL is best left to manage the Kernel to CPU core mappings. It is only when a daemon is bound to a
dedicated core that CoreXL will ignore that CPU core when mapping Kernel instances to CPU cores.
B. fw ctl affinity -s -k 3 5
C. Run fwaffinity_apply t 3 -k 5 and then check that the settings have taken effect with the command fw ctl multik stat.
D. Edit the file fwaffinity.conf and add the line "k3 cpuid 5"

Correct Answer: B

QUESTION 200
What command would you use to check if CoreXL is enabled?

A. fw ctl multik stat
B. cpconfig
C. fw ctl affinity -1
D. fw ctl pstat

Correct Answer: A

QUESTION 201
Which command will allow you to change firewall affinity and survive a reboot with no further modification?

A. fw ctl affinity -s
B. sim affinity -l
C. fw affinity -l
D. sim affinity -s

Correct Answer: D

QUESTION 202
What does the output of the commands fw ctl multik stat and fw6 ctl multik stat show?

A. Only the number of total connections currently being handled by all Kernels on a CoreXL-enabled firewall.
B. Information for each kernel instance. The output displays state and processing core number of each instance.
C. Which CPU cores are Kernel and SND bound cores.
D. The number of Firewall Kernels that are installed.

Correct Answer: B

QUESTION 203
You are at a customer site, and when you run cphaprob stat you are not seeing a normal ClusterXL Health. What command could
you run to verify that the number of cores is not matched on both cluster members?

A. cpconfig
B. cphaprob -a if
C. fw ctl multik stat
D. cphaprob stat

Correct Answer: C

QUESTION 204
What is required when changing the configuration of the number of workers in CoreXL?

A. A reboot
B. cpstop/cpstart
C. evstop/evstart
D. A policy installation

Correct Answer: A

QUESTION 205
In IPS which of the two initial profiles is the more resource intensive?

A. Prevention
B. Standard
C. Default
D. Recommended

Correct Answer: C

QUESTION 206
In IPS what does a high confidence rating mean?

A. This is a rating for how confident Check Point is with catching this attack
B. This is a rating for how likely this attack is to penetrate most systems
C. There is a high likelihood of false positives
D. There is a low likelihood of false positives

Correct Answer: D

QUESTION 207
Which of the following CANNOT be used as a source/destination for an IPS network exception?

A. Network Group
B. Identity Awareness Access Role
C. Any
D. IP Address

Correct Answer: B

QUESTION 208
When using Geo Protections, you find there are logs for a country that you believe is incorrect. What file do you review to verify what
country Geo Protections should identify the traffic as?

A. asm.C
B. objects.C
C. objects_5_0.C
D. IpToCountry.csv

Correct Answer: D

QUESTION 209
When performing a Clean IPS procedure to resolve a corrupt IPS files issue, what file is modified in order for the SDUU process to
automatically update the IPS files after completing the procedure?

A. asm.C
B. inspect.C
C. objects_5_0.C
D. profiles.C

Correct Answer: A

QUESTION 210
How would one enable "INSPECT debugging" if one suspects IPS false positives?

A. Run command fw ctl set int enable_inspect_debug 1 from the command line.
B. Toggle the checkbox in Global Properties > Firewalls > Inspection section.
C. WebUI
D. Set the following parameter to true using GuiDBedit: enable_inspect_debug_compilation.

Correct Answer: D

QUESTION 211
You have configured IPS on your network; you find you are being overwhelmed with what you believe are false positives. You
investigated this traffic and confirmed they are false positives.
What can you do to stop these IPS alerts?

A. Right click the alert and "ignore"
B. Disable the IPS protection for this network
C. Use a SAM rule to categorize this traffic
D. Add an exception for this traffic under the IPS protection

Correct Answer: D

QUESTION 212
You have spent time configuring the IPS profile on your primary gateway firewall. You want to ensure that this profile can be applied
to all gateway firewalls in your environment. How can you share this information between firewalls?

A. From the command line, run: ips_export <profile-name> [-o <export-file-name>] [-p <ip>].
B. IPS profiles must be manually configured on each gateway.
C. From the Smart Dashboard IPS tab select export IPS profiles and select the gateway to send this export to.
D. From the command line, run: ips_export_import export <profile-name> [-o <export-file-name>] [-p <ip>].

Correct Answer: D

QUESTION 213
You are adding a new gateway into your network. You must make sure that it is running the latest Corporate approved IPS profile.
How can you get this information to your new gateway?

A. From the command line, run: ips_import <new-profile-name> -f <file-name> [-p <ip>].
B. IPS profiles must be manually configured on each gateway.
C. From the command line, run: ips_export_import import <new-profile-name> -f <file-name> [-p <ip>].
D. From the Smart Dashboard IPS tab select import IPS profiles and select the gateway to get the profile from.

Correct Answer: C

QUESTION 214
SNORT is a popular open source IDS; you would like to import SNORT rules from plain text into Check Point Smart Center. How can
you accomplish this?

A. Under the IPS tree Protections > By Protocol > IPS Software Blade > Application Intelligence > SNORT import and select the
SNORT import option.
B. IPS profiles must be manually configured on each gateway.
C. Check Point does not support third party signatures.
D. From the command line, run: ips_export_import import <SNORTprofilename> -f <file-name> [-p <ip>].

Correct Answer: A

QUESTION 215
You would like to import SNORT rules but to comply with corporate policy you need to test the conversion prior to import. How can
you do this?

A. You must manually review each signature.
B. SnortConvertor update -f <inputfile> --dry-run
C. Check Point does not support third party signatures.
D. Under the IPS tree Protections > By Protocol > IPS Software Blade > Application Intelligence > SNORT import and select the
SNORT import option.

Correct Answer: B

QUESTION 216
You are a system administrator and would like to configure Geo Protection on your gateway to comply with a new corporate policy.
What must you have to do this?

A. Valid IPS contract and software blade licensing
B. DNS resolution on the gateway
C. Geo Protection is enabled by default
D. The latest IPS update

Correct Answer: A

QUESTION 217
You have just taken over as a firewall administrator. Your company is using Geo Protections on your gateway, but you want to verify
that the protections are up-to-date. How can you see when these were updated?

A. In the IPS tree Protections > Select Check for Update.
B. Check asm_update_version_geo in GuiDBedit.
C. In the IPS tree Protections > Geo Protections and check the profile name which is mm/dd/yy.
D. Check the time stamp of $FWDIR/tmp/geo_location_tmp/updates/IpToCountry.csv.

Correct Answer: D

QUESTION 218
What would be considered Best Practice to determine which IPS protections you can safely disable for your environment?

A. You should use vulnerability tools to perform an assessment of your environment.
B. Work through turning on each protection to see which signatures get alerts.
C. You should set all protections to "Detect".
D. You should not disable any IPS protections.

Correct Answer: A

QUESTION 219
You are troubleshooting an issue for your HR team. One of the users is using IP 10.10.10.24. They have been trying to access the
vacation servers, but all connections are failing. You have checked the logs and do not see any dropped traffic. You have a suspicion
that the drop is not being logged. What command could you use to confirm this?

A. fw -t connections -s
B. fw ctl zdebug + log dynlog
C. You cannot run a command for this; you must enable logging on all rules
D. fw ctl pstat host 10.10.10.24

Correct Answer: B

QUESTION 220
In R77, under what circumstances would IPS bypass be enforced?

A. Single CoreXL fw instance usage over "High" threshold, Average Memory over "High" threshold
B. Single CoreXL fw instance usage over "Low" threshold, Average Memory over "High" threshold
C. Average CPU over "High" threshold, Average Memory over "Low" threshold
D. Average CPU over "High" threshold, Average Memory over "High" threshold

Correct Answer: A

QUESTION 221
Your Customer would like to enable IPS in his Corporate Cluster, but he is concerned about high CPU usage because of the IPS
inspection. What feature would you configure to disable inspection if a high CPU usage develops?

A. It is not possible; in this case, do not enable IPS.
B. Bypass Under Load. (In IPS Option on Gateway Properties)
C. Bypass Inspection. (In IPS Option on Gateway Properties)
D. Disable Inspection. (In IPS Option on Gateway Properties)

Correct Answer: B

QUESTION 222
Where do you run the command get_ips_statistics.sh from?

A. $FWDIR/conf on the Management Server
B. $FWDIR/scripts on the Management Server
C. $FWDIR/conf on the gateway
D. $FWDIR/scripts on the gateway

Correct Answer: B

QUESTION 223
"Tuning" IPS protections to suit the specific needs of an environment can be accomplished by all of the following EXCEPT:

A. Focusing on high confidence level protections.
B. Focusing on low capacity protections.
C. Focusing on low performance impact protections.
D. Focusing on high severity protections.

Correct Answer: B

QUESTION 224
Of the following, which is NOT a kernel parameter relating to the IPS "Bypass Under Load" settings?

A. ids_timeout
B. ids_tolerance_no_stress
C. ids_assume_stress
D. ids_limit_stress

Correct Answer: D

QUESTION 225
"If the machine is under stress, we do not want to leave the stress condition due to a single measurement (which could be an
anomaly), but rather wait for a given length of time, before changing the condition." ...describes which of the following "Bypass under
Load" setting kernel parameters?

A. ids_assume_stress
B. ide_tolerance_no_stress
C. ids_tolerance_stress
D. ids_timeout

Correct Answer: A

QUESTION 226
Jerry is a network administrator for ACME Co. Their network contains 5 gateways all managed by a single Management Server.
They are currently receiving an exorbitant number of false positives for traffic traversing their network. Based on this information, what
factor do you think is contributing most to the high number of false positives Jerry is receiving?

A. She is performing IPS inspection on all traffic
B. She has set protections to run in "Detect" mode
C. She has enabled protections based on the network devices and requirements
D. She has created a dedicated IPS profile for each Security Gateway

Correct Answer: A

QUESTION 227
You have created a number of profiles and activated the relevant protections. Afterwards, you decide that the "Enterprise gateway"
should allow instant messaging. The current profile enabled for Enterprise gateway blocks instant messaging. The profile for the
Enterprise gateway is currently being used on the Voyager gateway and the Bird of Prey gateway. What is the best process for
making this change on the Enterprise gateway only?

A. Create an exception for the Enterprise gateway
B. Create a rule allowing that traffic and install it on the Enterprise gateway
C. Create a new profile and apply to the Enterprise gateway
D. Edit the existing profile

Correct Answer: A

QUESTION 228
What steps can be taken if IPS is causing a High Performance Impact?

A. Consider activating the "Bypass under Load" IPS setting on the gateway
B. Check your IPS configuration assigned to this gateway and deactivate protections with critical or high performance impact
C. Determine if different or custom IPS profiles are better suited for different gateways in your organization
D. All options listed

Correct Answer: D

QUESTION 229
When the IPS "Bypass under Load" mechanism detects that certain CPU and memory usage thresholds have been reached,
which of the following occurs?

A. The mechanism configures all IPS protections in "Detect Mode"
B. IPS is disabled completely
C. The mechanism disables all IPS protections by placing them under "exception"
D. Stateful Inspection is disabled

Correct Answer: C

QUESTION 230
Which of the following IPS Layers is responsible for ensuring that only valid retransmission packets are allowed to proceed to
destinations?

A. Protocol Parsers
B. Context Management Interface layer (CMI)
C. Protections
D. Passive Streaming Library (PSL)

Correct Answer: D

QUESTION 231
One of the IPS Layers' main functions is to ensure compliance with well-defined protocol standards, detect anomalies if any exist, and
assemble the data for further inspection by other components of the IPS engine. Which component is responsible for these
functions?

A. Context Management Interface layer (CMI)
B. Protections
C. Protocol Parsers
D. Passive Streaming Library (PSL)

Correct Answer: C

QUESTION 232
Which of the following IPS Layers is the "brain" of the IPS? That is, what coordinates between different components, decides which
protections should run on a certain packet, decides the final action to be performed on the packet and issues an event log?

A. Protections
B. Passive Streaming Library (PSL)
C. Protocol Parsers
D. Context Management Interface layer (CMI)

Correct Answer: D

QUESTION 233
Which of the following IPS Layers is a set of signatures and/or handlers, where:

- Signature is a malicious pattern that is searched for.
- Handler is the INSPECT code that performs more complex inspection.

A. Passive Streaming Library (PSL)
B. Protections
C. Context Management Interface layer (CMI)
D. Protocol Parsers

Correct Answer: B

QUESTION 234
You have strict IPS corporate guidelines. This is having a performance impact on the firewall. What steps could you take to minimize
this impact without compromising the corporate policy?

A. Select "Protect Internal hosts only"
B. Select "Bypass IPS inspection when gateway is under heavy load"
C. Select "Perform IPS inspection on all traffic"
D. Without minimizing signatures you cannot improve performance

Correct Answer: A

QUESTION 235
Which of the following is true when IPv6 is enabled on a Security Gateway?

A. An interface on the Gateway can have either an IPv4 or an IPv6 address, or both.
B. As of version R77, IPv6 is only supported on Security Management Server.
C. IPv4 will be completely disabled when IPv6 has been enabled.
D. An interface on the Gateway can have either an IPv4 or an IPv6 address, but cannot have both.

Correct Answer: A

QUESTION 236
Which of the following is true about Node / Host objects?

A. A Node / Host object can have either an IPv4 or an IPv6 address, or both.
B. A Node / Host object can have either an IPv4 or an IPv6 address, but not both. Separate objects need to be created for hosts
that use dual stack.
C. A Node / Host object can only have an IPv4 address. For IPv6, a Node / Host6 object must be used.
D. A Node / Host object does not support IPv6, hence a Network object must be created for IPv6.

Correct Answer: A

QUESTION 237
Which of these commands can be used to display the IPv6 routes?

A. show route
B. show ipv6 route
C. show routes all
D. show route ipv6

Correct Answer: B

QUESTION 238
Which of these commands can be used to display the IPv6 status?

A. show ipv6-stat
B. show ipv6 all
C. show ipv6 status
D. show ipv6-status

Correct Answer: D

QUESTION 239
You enabled IPv6 in your environment and would like to erase all IPv6 connection tables. How can you do it?

A. fw tab -t connections -x
B. fw tab -t connections6 -x
C. clear connections table ipv6
D. fw6 tab -t connections -x

Correct Answer: D

QUESTION 240
What is the length of an IPv6 address?

A. 128 Bytes
B. 54 bits
C. 128 bits
D. 6 Bytes

Correct Answer: C

QUESTION 241
In a ClusterXL that uses IPV6 Address, how do you configure the sync interface?

A. You must configure synchronization interfaces with an IPv4 address only.
B. If an interface does not require IPv6, only the IPv4 definition address is necessary.
C. All interfaces configured with an IPv6 address must also have a corresponding IPv4 address.
D. You must configure synchronization interfaces with an IPv6 address only.

Correct Answer: A

QUESTION 242
What command allows you to monitor IPV6 packets in the kernel module?

A. ip -6 neigh show
B. ip -6 addr show
C. tcpdump -nni eth<n> ip6
D. fw6 monitor

Correct Answer: D

QUESTION 243
True or False: It is possible to operate a Security Gateway entirely with IPv6 addressing.

A. True: All IPv4 features are supported in IPv6
B. True: Management can occur over IPv4 or IPv6 thus all gateways can have interfaces configured with valid IP addresses of either
type
C. False: There are many common IPv4 features that are not supported in IPv6
D. False: Management only occurs over IPv4 thus all gateways are required to have interfaces configured with valid IPv4 addresses

Correct Answer: D

QUESTION 244
What VSX components do not support IPv6 in R77 VSX mode?

A. VSX mode does not support IPv6
B. All devices support IPv6
C. Virtual Systems
D. Virtual Routers

Correct Answer: D

QUESTION 245
A system administrator wants to convert an IPv6 gateway from a standard gateway into a gateway running VSX mode. What does he
need to consider?

A. It is not possible to convert a gateway with IPv6 enabled to VSX mode.
B. There needs to be proper IPv6 routing setup.
C. At least two interfaces need to be configured with IPv6.
D. Policy needs to be properly applied to the gateway before converting the system to VSX mode.

Correct Answer: A

QUESTION 246
How do you enable IPv6 support on a R77 gateway running the GAiA OS?

A. IPv6 is enabled by default.
B. Under WebUI go to System Management > System Configuration, turn on IPv6 Support, click apply and reboot.
C. Enable the IPv6 Software Blade for the gateway in Smart Dashboard.
D. Run the IPv6 script $FWDIR/scripts/fwipv6_enable and reboot.

Correct Answer: B

QUESTION 247
How do you disable IPv6 on an IPSO gateway?

A. Run $FWDIR/scripts/fwipv6_enable off and reboot.
B. Remove the IPv6 license from the gateway.
C. You cannot disable IPv6.
D. In IPSO go to System Management > System Configuration, set IPv6 Support to off, and click Apply.

Correct Answer: A

QUESTION 248
Does R77 SmartDashboard support IPv6?

A. Yes provided the operating system on which Smart Dashboard is installed is configured with IPv6.
B. SmartDashboard does not support IPv6.
C. IPv6 needs to be tunneled through IPv4 to support IPv6.
D. R77.20 and above provides the support for Smart Dashboard and IPv6 support.

Correct Answer: A

QUESTION 249
Which of the following statements about Full HA support with IPv6 is NOT true?

A. There is no Dynamic Routing with IPv6.
B. Mirrored Interfaces must have IPv4 addresses.
C. Sync traffic must be IPv4.
D. IPv6 does not support a Secondary Management Server.

Correct Answer: D

QUESTION 250
When troubleshooting a VPN site-to-site to a peer, it may be necessary to "down" the tunnel. What is the best method to remove
ONLY the tunnel to this peer?

A. Change the vpn tunnel sharing parameters to force the tunnel down.
B. Reboot your gateway.
C. Remove the peer from the community and install policy.
D. Delete the IKE and IPsec Security Associations using the command vpn tu.

Correct Answer: D

QUESTION 251
In Check Point, Domain-based VPNs take precedence over route-based VPNs. If implementing a route-based VPN, what is one
configuration step you must make on the gateway object taking part in the route-based VPN?

A. You should remove the gateway from all communities.
B. Check Point does not support route-based VPNs.
C. You need to create a new simple group with no objects in it and apply this as the VPN domain under that gateway's topology tab.
D. You should check the "Use route-based VPN" checkbox in the community properties.

Correct Answer: C

QUESTION 252
What utility would you use to configure route-based VPNs?

A. vpn sw_topology
B. vpn shell
C. vpn set_slim_server
D. vpn tu

Correct Answer: B

QUESTION 253
Where do you configure the file user.def to change the encryption domain of the Security Gateway?

A. Management Server
B. Endpoint Client
C. Security Gateway
D. interoperable device

Correct Answer: A

QUESTION 254
Henry is attempting to verify VPN connectivity between two hosts, x and y. Of the following commands, which could be BEST used to
verify connectivity of this VPN?

A. [Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y, dst=x.x.x.x)), accept;" x-o /var/log/fw_mon.cap
B. [Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.capw monitor -e "accept;" -o /var/
log/fw_mon.cap
C. [Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap
D. [Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap

Correct Answer: A

QUESTION 255
Which technology is not supported with route-based VPNs?

A. Unnumbered VTI
B. Numbered VTI
C. IKEv2
D. OSPF

Correct Answer: C

QUESTION 256
Which feature is not supported with unnumbered VTI?

A. Proxy interfaces
B. High availability
C. Policy based routing
D. Anti-spoofing

Correct Answer: D

QUESTION 257
In the gateway object, under topology you select the "Get All Members Interfaces with Topology" option and your newly configured
unnumbered VTIs are not populated. Why is this information missing?

A. VTI information on unnumbered interfaces should appear, so there is an issue with your configuration.
B. VTI information on unnumbered interfaces is not required information for the VPN to work.
C. VTI information on unnumbered interfaces needs to be entered manually.
D. In order to fetch VTI information on unnumbered interfaces you must add an explicit rule to the policy.

Correct Answer: C

QUESTION 258
What operating systems support unnumbered VTIs?

A. GAIA and Secure Platform
B. Solaris and IPSO
C. GAIA and IPSO
D. Secure Platform and IPSO

Correct Answer: C

QUESTION 259
You would like to configure unnumbered VTIs and your environment uses load sharing clustering. Would this clustering technology
be supported by your unnumbered VTIs?

A. No, unnumbered VTIs only support VRRP HA active-passive mode.
B. Yes, unnumbered VTIs only support clustering load sharing.
C. Yes, all HA modes are supported.
D. No, unnumbered VTIs do not support any HA modes.

Correct Answer: A

QUESTION 260
You are configuring dynamic routing on Secure Platform; as the administrator, you run the command pro enable and reboot. You are
confident that your configuration has been done correctly. When you check, you find the dynamic routing daemon has not started.
What is the likely cause of this issue?

A. Secure Platform does not support dynamic routing.
B. You need to apply the license and push the policy.
C. Dynamic routing needs to be enabled in cpconfig.
D. You must push the policy after your reboot.

Correct Answer: B

QUESTION 261
What is the prefix name for the interface when creating an unnumbered VTI in GAIA?

A. VTii
B. tun
C. vpnt
D. VTI

Correct Answer: C

QUESTION 262
How can an administrator stay up-to-date on the status of their VPN Tunnels?

A. Tracking settings can be configured on the Tunnel Management screen of the Community Properties screen for all VPN tunnels.
B. Make a change in /proc/net/tun.
C. Run vpn tu and select the option Live Monitoring.
D. In Smartview Tracker.

Correct Answer: A

QUESTION 263
Where would an administrator set an email alert for a specific permanent VPN tunnel?

A. Edit the file vpnconf.


B. Run sysconfig.
C. In the Tunnel Properties select Mail Alert.
D. You can only enable logging or SNMP traps.

Correct Answer: C

QUESTION 264
Which of these dynamic routing protocols CANNOT be used along with VTI (VPN Tunnel Interface)?

A. OSPFR
B. IGRP
C. IPv1
D. BGP4

Correct Answer: B

QUESTION 265
When configuring a Numbered VPN-Tunnel, what parameters are necessary?

A. VPN Tunnel ID, Local Address, Remote Address
B. Peer, Local Address, Remote Address
C. VPN Tunnel ID, Peer, Local Address, Remote Address
D. VPN Tunnel ID, Peer, Physical Device

Correct Answer: C

QUESTION 266
You have to establish a VPN communication between 2 spokes, routed through the Hub gateway.
Where do you configure VPN routing?

A. Security Gateway Object
B. WebUI
C. vpn_route.conf
D. VPN shell

Correct Answer: C

QUESTION 267
Where do you enable Route-based VPN?

A. WebUI
B. VPN shell
C. Security Gateway Object
D. vpn_route.conf

Correct Answer: C

QUESTION 268
In the current release of Check Point R77, what is a potential performance-related drawback to using Virtual Tunnel Interfaces (VTI)
rather than Domain-based VPNs?

A. Use of VTIs will disable CoreXL and therefore will negatively impact hardware platforms running more than one CPU core.
B. Dynamic routing protocols will work across a domain-based VPN, but will not work across a VTI.
C. Use of VTIs will disable the entire SecureXL mechanism and prevent any traffic acceleration.
D. Domain-based VPNs are easier to configure than VTIs and are therefore the preferred implementation.

Correct Answer: A

QUESTION 269
What type(s) of VTI interfaces do Edge gateways support?

A. Both numbered and unnumbered
B. Unnumbered interfaces
C. Numbered interfaces
D. Neither numbered nor unnumbered

Correct Answer: C

QUESTION 270
What does the command vpn shell interface add numbered 192.168.0.1 192.168.0.2 Gateway_A to_B accomplish?

A. Between Security Gateways A and B, 192.168.0.1 is assigned as the endpoint IP address to Gateway A. 192.168.0.2 is assigned
to Gateway B.
B. Between Security Gateways A and B 192.168.0.2 is assigned as the endpoint IP address to Gateway A. 192.168.0.1 is assigned
to Gateway B.
C. shell is not a valid option for the command vpn.
D. This command can be used to create a VPN tunnel from the command line without having any VPN configuration in Smart
Dashboard (although "IPSec VPN" must still be enabled on the gateway).

Correct Answer: A

QUESTION 271
You are configuring a VTI in a clustered environment. Which of the following must be TRUE?

A. Every interface on each member requires a unique IP address.
B. Each member must have the same source IP address.
C. You do not need to have cluster IP addresses.
D. You cannot set up a VTI in a clustered environment.

Correct Answer: A

QUESTION 272
You are configuring VTIs in a clustered environment. On Peer A the VTI name is VT_Cluster_GWA and on Peer B the VTI name is
VT_Cluster_GWB. You find that the route-based tunnel is not coming up. What could be the cause?

A. The names for your peers have been reversed.
B. You have not issued the "vpn write config" command.
C. You have not licensed your gateways for VTIs.
D. All VTIs going to the same remote peer must have the same name.

Correct Answer: D

QUESTION 273
What are the common Best Practices for configuring QoS over a route-based VPN?

A. IKE traffic must have a minimum Guarantee of 50% of the external interface throughput.
B. QoS is not supported.
C. Ensure the VTI is numbered.
D. Ensure the VTI is unnumbered.

Correct Answer: B

QUESTION 274
Where do you configure VTIs on your R77 gateway in VSX mode?

A. VTIs are configured in each VS context.
B. VTIs are configured in VS0 context.
C. VTIs are not supported in VSX mode.
D. VTIs are configured in SmartDashboard.

Correct Answer: C

QUESTION 275
Which Dynamic Routing Protocols are supported in GAiA in a Route-based VPN configuration?

A. OSPF,BGP
B. OSPF
C. OSPF,BGP,RIPv2
D. OSPF,BGP,RIPv1,RIPv2

Correct Answer: A

QUESTION 276
Jane wants to create a VPN using OSPF. Which VPN configuration would you recommend she use?

A. Site-to-site VPN
B. Domain-based VPN
C. Route-based VPN
D. Remote-access VPN

Correct Answer: C

QUESTION 277
You are configuring dynamic VPN routing using OSPF. You have defined the gateways, created a fully meshed VPN Community that
includes all participating Gateways; created a rule to accept OSPF and configured dynamic routing. OSPF adjacencies are not
establishing. Which of the following could explain why?

A. You have overlapping encryption domains.
B. You have not configured VTIs.
C. You must create a VPN star community.
D. Check Point does not support dynamic VPN routing using OSPF.

Correct Answer: B

QUESTION 278
Which routing protocols are not supported with GAIA OS running VTIs?

A. RIPv1; RIPv2
B. BGP
C. Static routes
D. OSPF

Correct Answer: A

QUESTION 279
You want to enable OSPF on Secure Platform, but you notice that the required gated daemon is not running. How can you enable
this?

A. Enter cpconfig, type Y to enable OSPF, type Y to restart Check Point services.
B. Enter cpconfig, type Y to enable Advanced Routing, type Y to restart Check Point services.
C. At the command prompt enter tellpm gated.
D. Add an OSPF rule to your Rule Base.

Correct Answer: B

QUESTION 280
You are configuring OSPF on your Secure Platform firewall. You are in expert mode and run the commands:

interface vt-Gateway_C

IP ospf 1 area 0.0.0.0

exit

When you run show running-config you do not see your OSPF configuration listed. Why?

A. You did not run command save running config before you exited.
B. You should not have moved to expert mode to make these configurations.
C. You did not run command save configuration before you exited.
D. You did not run command enable before you exited.

Correct Answer: D

QUESTION 281
Where can you configure OSPF on a GAiA firewall?

A. cpconfig
B. WebUI
C. SmartDashboard
D. sysconfig

Correct Answer: B

QUESTION 282
Why would you choose to combine dynamic routing protocols and VPNs?

A. All options listed.
B. In the case of one tunnel failure, other tunnels may be used to route the traffic.
C. Dynamic-routing information can propagate over the VPN, utilizing the VPN as just another point-to-point link in the network.
D. The VPN device can be automatically updated with network changes on any VPN peer Gateway without the need to update the
VPN Domain's configuration.

Correct Answer: A

QUESTION 283
In Wire mode, if a packet reaches the gateway from a trusted source and is destined to a trusted destination, will the firewall do
stateful inspection?

A. No, but IPS inspection will still be enforced.
B. Yes, the Firewall always performs stateful inspection.
C. Yes, but only if SecureXL is disabled.
D. No

Correct Answer: D

QUESTION 284
What considerations are required when configuring IPv6 with Wire mode?

A. IPv6 in Wire mode is only supported in R77.
B. IPv6 must be configured on both end points.
C. IPv6 is not supported in Wire mode.
D. You must use internal IPv6 addressing space to use Wire mode.

Correct Answer: C

QUESTION 285
Which operating systems support Wire mode?

A. SecurePlatform and GAIA
B. Solaris and SecurePlatform
C. IPSO and SecurePlatform
D. IPSO and GAIA

Correct Answer: A

QUESTION 286
You are having issues with dynamic routing after a failover. The traffic is now coming from the backup and is being dropped as out of
state. What is the BEST configuration to avoid stateful inspection dropping your dynamic routing traffic?

A. Implement Wire mode.
B. In Global Properties select Accept other IP protocols stateful replies for unknown services.
C. Enable Visitor mode.
D. Create additional explicit rules.

Correct Answer: A

QUESTION 287
Where can you configure Wire mode?

A. In the gateway object in "Stateful Inspection"
B. In the VPN community in "Advanced Settings"
C. In cpconfig
D. In Global Properties

Correct Answer: B

QUESTION 288
Where can you configure Wire mode?

A. In Global properties
B. In the gateway object on the "IPSec VPN" > "VPN Advanced" page
C. In sysconfig
D. In CLISH

Correct Answer: B

QUESTION 289
When you have your directional VPN enforcement rule set to "Internal_Clear", what does this represent?

A. All interfaces are designated "External"
B. VOIP traffic
C. Do not perform directional VPN enforcements on this traffic
D. All interfaces are designated as "Internal"

Correct Answer: D

QUESTION 290
You are using an IPv6 environment and find that you need additional access control and want to set up some directional VPN rules.
How can you restrict access based on destination?

A. This can only be done in Traditional Mode VPN.
B. Directional VPN enforcement feature is not supported for IPv6.
C. Enable Global Properties > Advanced > IPv6 for directional VPN enforcement.
D. Set your rule match to "All_gwtogw" and create a new rule.

Correct Answer: B

QUESTION 291
You are trying to set "VPN Directional Match" on the VPN column but the "Directional Match Condition" option is not there. Why is
this missing?

A. The peer does not support this feature.
B. This can only be done in Traditional Mode.
C. You must turn this feature on through Global Properties > VPN > Advanced, then select Enable VPN Directional Match in VPN
column.
D. This must be enabled on the Gateway in "Advanced Settings".

Correct Answer: C

QUESTION 292
How do you designate the "enforcement point gateway" for the peers involved in "VPN Directional Enforcement"?

A. From the WebUIs of the peers add a static route to the "designated enforcement point".
B. In the file $FWDIR/conf/user.def on each peer with a route entry to the enforcement point gateway.
C. Designate this gateway in the VPN community properties.
D. Edit file $FWDIR/conf/vpn_route.conf on each peer with a route entry to the enforcement point gateway.

Correct Answer: D

QUESTION 293
What is the limit to the number of VPN directions that can be configured in a single rule?

A. There is no limit.
B. It is limited to the number of communities that exist in your dashboard.
C. You may only configure one direction per rule.
D. After configuring ten you must use a standard bi-directional condition.

Correct Answer: A

QUESTION 294
How does the "Directional Enforcement" rule manage subsequent packet inspection?

A. "Directional Enforcement" is only applied to the first packet of the connection, including packets in the opposite direction.
B. "Directional Enforcement" is applied to all packets in the connection.
C. "Directional Enforcement" applies only to the first packet of the connection, but does not include the packets in the opposite
direction.
D. "Directional Enforcement" is considered trusted traffic and therefore is not inspected.

Correct Answer: A

QUESTION 295
How do you add the route entry for the "Enforcement Point Gateway" on the Management Server?

A. Designate this gateway in the VPN community properties.
B. Update file $FWDIR/conf/user.def on each peer with a route entry to the enforcement point gateway.
C. Edit file $FWDIR/conf/vpn_route.conf with a new route entry.
D. Edit peers' WebUI to add a static route to the "designated enforcement point".

Correct Answer: C
