1
What is the most efficient way to view large fw monitor captures and run filters on the file?
wireshark
snoop
CLI
CLISH
2
Check Point's self-service knowledge base of technical documents and tools covers everything from articles describing how to fix specific issues, understand error messages and to how to plan and perform product installation and upgrades. This knowledge base is called:
SecureKnowledge
SupportDocs
SupportCenterBase
SecureDocs
3
Which of the following System Monitoring Commands (Linux) shows process resource utilization, as well as core and memory utilization?
df
top
free
ps
4
Is it possible to analyze ICMP packets with tcpdump?
No, use fw monitor instead
No, tcpdump works from layer 4. ICMP is located in the network layer (layer 3), therefore is not applicable to this scenario
No, since ICMP does not have any source or destination ports, but specification of port numbers
is mandatory
Yes, tcpdump is not limited to tcp specific issues
5
Which of the following is NOT a way to insert fw monitor into the chain when troubleshooting packets throughout the chain?
Absolution position
Relative position using alias
Relative position using id
Relative position using location
6
The Check Point FW Monitor tool captures and analyzes incoming packets at multiple points in the traffic inspections. Which of the following is the correct inspection flow for traffic?
(I) — pre-inbound, (i)- post-inbound, (0) — pre-outbound, (o) — post-outbound
(o) — pre-outbound, (0)- post-inbound, (i) — pre-inbound, (I) — post-inbound
(i) — pre-inbound, (I)- post-inbound, (o) — pre-outbound. (O) — post-outbound
(I) — pre-inbound, (i)- post-inbound, (0) — pre-outbound, (o) — post-outbound
7
Which of the following CLI commands is best to use for getting a quick look at appliance performance information in Gaia?
cphaprob stat
top
fw stat
fw monitor
8
Which of the following is a valid way to capture general packets on Check Point gateways?
Network taps
Wireshark
tcpdump
Firewall logs
9
What are the four ways to insert an FW Monitor into the firewall kernel chain?
Relative position using geolocation, relative position using inertial navigation, absolute position, all positions
Absolute position using location, relative position using alias, general position, all positions
Relative position using location, relative position using alias, absolute position, all positions
Absolute position using location, absolute position using alias, relative position, all positions
10
Some users from your organization have been reporting some connection problems with CIFS since this morning. You suspect an IPS issue after an automatic IPS update last night. So you want to perform a packet capture on uppercase I only directly after the IPS chain module (position 4 in the chain) to check if the packets pass the IPS. What command do you need to run?
tcpdump -eni any <fitterexpression>
fw monitor -mI -pI 5 -e <filterexperession>
fw monitor -pi 5 -e <filterexpression>
fw monitor -pI asm <filterexpression>
11
When running a debug with fw monitor, which parameter will create a more verbose output?
-i
-I
-d
-D
12
Which is the correct 'fw monitor syntax for creating a capture file for loading it into Wireshark?Which is the correct 'fw monitor syntax for creating a capture file for loading it into Wireshark?
fw monitor -e 'accept <FILTER EXPRESSION>; -o Output.cap
fw monitor -e 'accept <FILTER EXPRESSION>: -file Output.cap
fw monitor -e 'accept <FILTER EXPRESSION>; » Output.cap
This cannot be accomplished as it is not supported with R80.10
13
Johnny works as a firewall administrator in ALPHA Corporation. He is also an Account Administrator in the Check Point UserCenter for his company. When searching through SecureKnowledge he found an article which can help him but he couldn't access the article, because has no permission to access it. What could cause this problem?
Only Check Point Support Engineers have access to articles with higher Technical Level
Johnny must be Check Point Certified Security Master to get access articles with higher Technical Level
ALPHA Corporation's Support contract expired
ALPHA Corporation's Support contract expired, or he is not Check Point certified professional
14
Which of the following is true about tcpdump?
The tcpdump has to be run from Cish mode in Gaia
A tcpdump session can be initiated from the SmartConsole
Running tcpdump without the correct switches will negatively impact the performance of the
Firewall
The tcpdump can only capture TCP packets and not UDP packets
15
If you run the command "fw monitor -e “accept src.10.1.1.101 or src=172.21.201.10 or src=192.0.2.11 from the Cli.sh. What will be captured?
Packets from 10 1.1.201 going to 192.0.2.10
Packets destined to 172.21.101.10 from 10.1.1.101
fw monitor only works in expert mode so no packets will be captured
Only packet going to 192.0.2.10
16
UserCenter/PartnerMAP access is based on what criteria?
The certification level achieved by employees of an organization.
User permissions assigned to company contacts.
The certification level achieved by the partner.
The level of Support purchased by a company manager.
17
What file extension should be used with fw monitor to allow the output file to be imported and read in Wireshark?
.exe
.cap
.tgz
.pcap
18
When opening a new Service Request, what feature is in place to help guide you through the
A SR wizard
The SmartConsole Help feature
The TAC chat room
The SmartConsole Help feature
19
When using "fw monitor" in R80.30, it is highly recommended that you:
Disable SecureXL
Disable cluster membership
Use the "-e parameter to specify an expression
Clear the kernel debug buffers
20
Which would be a good reason to let "fw monitor' display results to the console, rather the output to a file?
You only need quick. simplified results
You want to review full traffic details at a later time
You would like to search results for specific reasons for dropping traffic
You would like to save system resources
21
What does the FWD daemon instruct the gateway to do when communication issues between the gateway and SMS/Log Server occurs?
It instructs the gateway to stop logging until it can restore communication.
It instructs the gateway to continue forwarding logs to SKIS/Log Server and the logs with be
stored in a holding queue for the server until communication is restored
It instructs the gateway to store logs locally as it continues to try to restore communication.
It instructs the gateway to only log a specified number of logs as defined in the Security Policy.
22
Jerry is firewall administrator in BRAVO Company. He gets a call from the R&D department Manager who says that some employees from R&D could not access new development server (192.168.60.100), which is in server network behind the Data Center Firewall. Jerry looks at FW logs and found no log records for that server. What should he do next?
He must check if the packets are being dropped at the firewall by using command tcpdump -i interface host 192.168.60.100
He must check if the packets are being dropped at the firewall by using command cppcap -f "arp and host 192.168.80.10" -DNT -o /var/log/capture.pcap
He must check if the packets are being dropped at the firewall by using command fw ctl zdebug +drop dst=192.168 60.100
He must check if the packets are being dropped at the firewall by using command fw ctl zdebug + drop grep 192.168.60.100
23
Where would you look to find the error log file to investigate a logging issue on the Security Management Server?
$CPDIR/log/cpd.elg
$MDS_FWDIR/log/cpm.elg
$FWDIR/log/fwd.elg
$FWDIR/log/fwm.elg
24
What is a primary advantage of using the fw monitor tool?
It can capture packets in various positions as they move through the firewall
It always captures all packets hitting the physical layer
It is menu-driven, making it easy to configure
It has no negative impact on firewall performance
25
To verify that communication is working between the Security Management Server and the Security Gateway, which service port should be checked? To verify that communication is working between the Security Management Server and the Security Gateway, which service port should be checked?
18209
259
257
19009
26
How can a firewall admin check if the logs are coming from Security Gateway Cluster to Management Server?
tcpdump -ni interface_pointing_from_Gateway tcp port 257
fw monitor -e 'accept host(ip_address of GW) and spon=257"
fw monitor -e 'accept host(p_address of GW) and dport=2571"
tcpdump -ni interface_pointing_to_Gateway tcp port 257
27
The communication between the Security Management Server and Security Gateway to forward logs is done using the following process and port number.
fwd, TCP 257
fwm, TCP 257
fwm, TCP 18190
cpm, 19009
28
How would you check the connection status of a gateway to the Log server?
run netstat -anp I grep :257 in CLISH on Log server
run netstat -anp I grep :18187 in CLISH on Log server
run netstat -anp I grep :257 in expert mode on Log server
run netstat -anp I grep :18187 in expert mode on Log server
29
Which of these would be the best way to alter the chain insertion point of fw monitor"?
Altering the "monitor" value in kernel parameters
Setting the "monitor" parameter with "fw ctl chain"
Changing its settings in dbedit or Guldbedit
Using the "-p" parameter in the command line
30
One of most common reasons that firewall administrator couldn't login anymore into a newly installed R80.x Security Management via SmartConsole is, that the 15-day trial license was expired. How can the firewall administrator install a valid license on the security management, if he only has access to the management via SmartConsole or via Gaia Portal?
The Firewall administrator should run SmartProvider.exe, located in, login and install the valid license on management server.
The Firewall administrator should run GuidBedit.exe, located in \, login and install the valid license
on management server
The Firewall administrator should run SmartDistributor.exe, located in, login and install the valid license on management server.
The Firewall administrator should run SmartUpdate.exe, located in \bin\, login and install the valid license on management server.
31
What is the difference between the "Super User" and "Read Write All SmartConsole permission profiles?
"Super User" has the extra ability to administer other administrative accounts
"Read Write All" has the extra ability to make changes within the Gaia operating system
"Super User" has the extra ability to make changes within the Gaia operating system
"Super User' had the extra ability of being able to use the Management API
32
During the policy installation process, compiled policies are located in three different directories, which directory contains the last policy which was compiled successfully on the management side?
$FWDIR/state/<gateway_name>/FW1
$FWDIR/log/fwd.elg
$FWDIR/state_tmp/FW1
$FWDIR/state/local/FW1
33
After manipulating the rulebase and objects with SmartConsole the application crashes and closes immediately. To troubleshoot you will need to review the crash report. In which directory on the host PC will you find this
<SmartFirewall Directory>\data\crash_report\
<FW1 Directory>\data\crash_report
<SmartConsole Directory>\data\Crash_report\
<SmartConsole Directory>\Crash_report\data\
34
What can be a good troubleshooting tip for the error message "load on module failed?"
Verify that SIC is established between management server and the gateway
Restart services on the gateway using cpstop and cpstart
Reboot the management server
Run fwm debug to determine why the process is slow
35
Which version of SmartConsole is recommended?
The latest release available
The latest release based on the version running on the most up-to-date gateway
The latest stable release available
The latest release based on the version running on the management server
36
After reviewing the Install Policy report and error codes listed in it, you need to check if the policy installation port is open on the Security Gateway. What is the correct port to check?
18191
19009
18210
18190
37
The default time out for policy installation is
600 seconds
90 seconds
150 seconds
300 seconds
38
Chuck is a firewall administrator. He runs into some issues with policy installation, so he wants to check if all policy ports are open. How should he do it? Select the best answer.
He should run following command on gateway server: netstat - anp | grep :18191
He should run following command on management server: netstat – anp | grep :18192
He should run following command on both management and gateway server: netstat – anp | grep :18191
He should run following command on both management and gateway server: netstat - anp |
grep :18192
39
What would be the most likely response when attempting to use SmartConsole to connect to a management server with the wrong credentials?
"invalid username or password"
"Server down on unresponsive"
"Incorrect name or IP address"
"Authentication to server failed"
40
After successful policy installation, the gateway stores a copy of the most recently installed policy package in which location?
$FWDIR/state/local/FW1
$FWDIR/state/current/FW1
$FWDIR/state/<gateway_name>/FW1
$FWDIR/state/_tmp/FW1
41
The Identity Awareness process that enforces network access restrictions on traffic based on the identity and negotiates with PDP about shared identities is called?
pdp
Iacontrol
Iaenforce
Pep
42
The Identity Awareness process that receives identity data from the identity sources and organizes it in tables before forwarding the data to the enforcement module is called
iasend
pep
pdp
iaforward
43
On which port do Identity Agents communicate with the gateway?
4434
443
15365
18191
44
Johnny has connectivity issues on datacenter firewall. His access to Finance department server suddenly stopped working. He is constantly redirected to Captive Portal and asked to login. After some research he gets information that the Windows administrator had to reinstall one of the DCs because of hardware failure. How can Johnny check what is causing connectivity problems between gateway and this DC?
He should run CLI command 'adlog a query on datacenter firewall to verify connections to all DCs
He should run CLI command 'adlog a statistic on perimeter firewall to verify connections to all DCs
He should run CLI command 'adlog a dc' on perimeter firewall to verify connections to all DCs
He should run CLI command 'adlog a dc' on datacenter firewall to verify connections to all DCs
45
The module responsible for communicating with Active Directory services to gather identity information is called
PdP
ADagent
pep
adlog
46
Application Control and URL Filtering update files are located in which directory?
$CPDIR/appi/update
$FWDIR/conf/update
$CPDIR/apci/update
$FWDIR/appi/update/
47
In the SmartConsole logs, you are seeing messages reporting NAT port exhaustion. What command would you use to check the status of the NAT table?
fw tab -t fwx_alloc
fw tab -t nat_alloc
fw tab -t xftrc_allo
fw tab -t xlate_alloc
48
Which of the following kernel tables can provide useful information in troubleshooting Hide NAT port exhaustion?
connections
fwx_alloc
fw_nat
nat_entries
49
After deploying a new Static NAT configuration, traffic is not getting through. What command would you use to troubleshoot internal problems with the NAT traffic?
cp ctl kdebug + xlate xltrc nat
fw ctl kdebug + xlate xltrc nat
fw ctl zdebug + xlate xltrc nat
cp ctt zdebug + xlate xltrc nat
50
Performing NAT on the Client Side means that translation of all packets will occur?
After the packets have already been routed
In the firewall kernel closest to the initiator of the connection
Prior to any routing taking place
In the inbound firewall kernel instance
51
After deploying a new Static NAT configuration traffic is not getting through. What command would you use to verify that the proxy arp configuration has been loaded?
fw arp ctl
fw ctl coon
cp ctl arp
fw ctl arp
52
After deploying a Hide NAT for a new network, users are unable to access the Internet. What command would you use to check the internal NAT behavior?
fw ctl kdebug + xlate xltrc nat
fw ctl zdebug + xlate xltrc nat
cp ctl zdebug + xlate xltrc nat
cp ctl kdebug + xlate xltrc nat
53
Which of the following would be the most appropriate command in debugging a HideNAT issue?
fw ctl zdebug + fwxalloc hidenat
fw ctl zdebug + fwn allnat
fw ctl zdebug + dynamic natips natports
fw ctl zdebug + xlate xltrc nat
54
Select the technology that does the following actions provides reassembly via streaming for TCP handles packet reordering and congestion handles payload overlap provides consistent stream of data to protocol parsers
Pre-Protocol Parser
Context Management
A Passive Streaming Library
fwtcpstream
55
Which Threat Prevention daemon is the core Threat Emulation engine and responsible for emulation files and communications with Threat Cloud?
ctasd
in.msd
ted
scrub
56
For Threat Prevention, which process is enabled when the Policy Conversion process has debug turned on using the INTERNAL_POLICY_LOADING=.1 command?
solr
cpm
dlpd
fwm
57
Where do Protocol parsers register themselves for IPS?
Passive Streaming Library
Protections database
Context Management Infrastructure
Other handlers register to Protocol parser
58
The customer is using Check Point appliances that were configured long ago by third-party administrators. Current policy includes different enabled IPS protections and Bypass Under Load function. Bypass Under Load is configured to disable IPS inspections if CPU and Memory usage is higher than 80%. The Customer reports that IPS protections are not working at all regardless of CPU and Memory usage. What is a possible reason of such behavior?
The kernel parameter ids_assume_stress is set to 0
The kernel parameter ids_assume_stress is set to 1
The kernel parameter ids_tolerance_no_stress is set to 10
The kernel parameter ids_tolerance_stress is set to 10
59
Rules within the Threat Prevention policy use the Malware database and network objects. Which directory is used for the Malware database?
$FWDIR/log/install_manager_tmp/ANTIMALWARE/log/
$CPDIR/conf/install_manager_tmp/ANTIMALWARE/conf/
$FWDIR/conf/install_firewall_tmp/ANTIMALWARE/conf/
$FWDIR/conf/install_manager_tmp/ANTIMALWARE/conf/
60
What are some measures you can take to prevent IPS false positives?
Use IPS only in Detect mode
Capture packets, Update the IPS database, and Back up custom IPS files
Exclude problematic services from being protected by IPS (sip, H.323, etc.)
Use Recommended IPS profile
61
The IPS detection incorporates four layers. Which one of these four layers performs various security checks to ensure compliance to protocol standards checking for any existing anomalies? The checks usually involve RFC compliance. It also logically segments the data into contexts that may be taken from the request header and body
Protocol Parser
Passive Streaming Library
Protections
Context Management