Publicidade
What is the most efficient way to view large fw monitor captures and run filters on the file?
CLI
snoop
CLISH
wireshark
Publicidade
Check Point's self-service knowledge base of technical documents and tools covers everything from articles describing how to fix specific issues, understand error messages and to how to plan and perform product installation and upgrades. This knowledge base is called:
SupportDocs
SupportCenterBase
SecureKnowledge
SecureDocs
Which of the following System Monitoring Commands (Linux) shows process resource utilization, as well as core and memory utilization?
top
free
ps
df
Publicidade
Is it possible to analyze ICMP packets with tcpdump?
No, tcpdump works from layer 4. ICMP is located in the network layer (layer 3), therefore is not applicable to this scenario
No, use fw monitor instead
Yes, tcpdump is not limited to tcp specific issues
No, since ICMP does not have any source or destination ports, but specification of port numbers
is mandatory
Which of the following is NOT a way to insert fw monitor into the chain when troubleshooting packets throughout the chain?
Absolution position
Relative position using location
Relative position using id
Relative position using alias
Publicidade
The Check Point FW Monitor tool captures and analyzes incoming packets at multiple points in the traffic inspections. Which of the following is the correct inspection flow for traffic?
(i) — pre-inbound, (I)- post-inbound, (o) — pre-outbound. (O) — post-outbound
(I) — pre-inbound, (i)- post-inbound, (0) — pre-outbound, (o) — post-outbound
(o) — pre-outbound, (0)- post-inbound, (i) — pre-inbound, (I) — post-inbound
(I) — pre-inbound, (i)- post-inbound, (0) — pre-outbound, (o) — post-outbound
Which of the following CLI commands is best to use for getting a quick look at appliance performance information in Gaia?
fw stat
top
cphaprob stat
fw monitor
Publicidade
Which of the following is a valid way to capture general packets on Check Point gateways?
Network taps
Wireshark
Firewall logs
tcpdump
What are the four ways to insert an FW Monitor into the firewall kernel chain?
Relative position using location, relative position using alias, absolute position, all positions
Absolute position using location, absolute position using alias, relative position, all positions
Relative position using geolocation, relative position using inertial navigation, absolute position, all positions
Absolute position using location, relative position using alias, general position, all positions
Publicidade
Some users from your organization have been reporting some connection problems with CIFS since this morning. You suspect an IPS issue after an automatic IPS update last night. So you want to perform a packet capture on uppercase I only directly after the IPS chain module (position 4 in the chain) to check if the packets pass the IPS. What command do you need to run?
fw monitor -pi 5 -e <filterexpression>
tcpdump -eni any <fitterexpression>
fw monitor -mI -pI 5 -e <filterexperession>
fw monitor -pI asm <filterexpression>
When running a debug with fw monitor, which parameter will create a more verbose output?
-I
-d
-i
-D
Publicidade
Which is the correct 'fw monitor syntax for creating a capture file for loading it into Wireshark?Which is the correct 'fw monitor syntax for creating a capture file for loading it into Wireshark?
fw monitor -e 'accept <FILTER EXPRESSION>: -file Output.cap
fw monitor -e 'accept <FILTER EXPRESSION>; » Output.cap
fw monitor -e 'accept <FILTER EXPRESSION>; -o Output.cap
This cannot be accomplished as it is not supported with R80.10
Johnny works as a firewall administrator in ALPHA Corporation. He is also an Account Administrator in the Check Point UserCenter for his company. When searching through SecureKnowledge he found an article which can help him but he couldn't access the article, because has no permission to access it. What could cause this problem?
Only Check Point Support Engineers have access to articles with higher Technical Level
ALPHA Corporation's Support contract expired, or he is not Check Point certified professional
Johnny must be Check Point Certified Security Master to get access articles with higher Technical Level
ALPHA Corporation's Support contract expired
Publicidade
Which of the following is true about tcpdump?
A tcpdump session can be initiated from the SmartConsole
The tcpdump can only capture TCP packets and not UDP packets
The tcpdump has to be run from Cish mode in Gaia
Running tcpdump without the correct switches will negatively impact the performance of the
Firewall
If you run the command "fw monitor -e “accept src.10.1.1.101 or src=172.21.201.10 or src=192.0.2.11 from the Cli.sh. What will be captured?
Packets from 10 1.1.201 going to 192.0.2.10
Packets destined to 172.21.101.10 from 10.1.1.101
fw monitor only works in expert mode so no packets will be captured
Only packet going to 192.0.2.10
Publicidade
UserCenter/PartnerMAP access is based on what criteria?
The level of Support purchased by a company manager.
The certification level achieved by employees of an organization.
User permissions assigned to company contacts.
The certification level achieved by the partner.
What file extension should be used with fw monitor to allow the output file to be imported and read in Wireshark?
.pcap
.cap
.tgz
.exe
Publicidade
When opening a new Service Request, what feature is in place to help guide you through the
The TAC chat room
The SmartConsole Help feature
The SmartConsole Help feature
A SR wizard
When using "fw monitor" in R80.30, it is highly recommended that you:
Use the "-e parameter to specify an expression
Disable SecureXL
Clear the kernel debug buffers
Disable cluster membership
Publicidade
Which would be a good reason to let "fw monitor' display results to the console, rather the output to a file?
You want to review full traffic details at a later time
You would like to search results for specific reasons for dropping traffic
You only need quick. simplified results
You would like to save system resources
What does the FWD daemon instruct the gateway to do when communication issues between the gateway and SMS/Log Server occurs?
It instructs the gateway to store logs locally as it continues to try to restore communication.
It instructs the gateway to stop logging until it can restore communication.
It instructs the gateway to only log a specified number of logs as defined in the Security Policy.
It instructs the gateway to continue forwarding logs to SKIS/Log Server and the logs with be
stored in a holding queue for the server until communication is restored
Publicidade
Jerry is firewall administrator in BRAVO Company. He gets a call from the R&D department Manager who says that some employees from R&D could not access new development server (192.168.60.100), which is in server network behind the Data Center Firewall. Jerry looks at FW logs and found no log records for that server. What should he do next?
He must check if the packets are being dropped at the firewall by using command cppcap -f "arp and host 192.168.80.10" -DNT -o /var/log/capture.pcap
He must check if the packets are being dropped at the firewall by using command tcpdump -i interface host 192.168.60.100
He must check if the packets are being dropped at the firewall by using command fw ctl zdebug + drop grep 192.168.60.100
He must check if the packets are being dropped at the firewall by using command fw ctl zdebug +drop dst=192.168 60.100
Where would you look to find the error log file to investigate a logging issue on the Security Management Server?
$CPDIR/log/cpd.elg
$MDS_FWDIR/log/cpm.elg
$FWDIR/log/fwd.elg
$FWDIR/log/fwm.elg
Publicidade
What is a primary advantage of using the fw monitor tool?
It can capture packets in various positions as they move through the firewall
It has no negative impact on firewall performance
It always captures all packets hitting the physical layer
It is menu-driven, making it easy to configure
To verify that communication is working between the Security Management Server and the Security Gateway, which service port should be checked? To verify that communication is working between the Security Management Server and the Security Gateway, which service port should be checked?
259
19009
257
18209
Publicidade
How can a firewall admin check if the logs are coming from Security Gateway Cluster to Management Server?
fw monitor -e 'accept host(p_address of GW) and dport=2571"
fw monitor -e 'accept host(ip_address of GW) and spon=257"
tcpdump -ni interface_pointing_to_Gateway tcp port 257
tcpdump -ni interface_pointing_from_Gateway tcp port 257
The communication between the Security Management Server and Security Gateway to forward logs is done using the following process and port number.
fwm, TCP 18190
cpm, 19009
fwm, TCP 257
fwd, TCP 257
Publicidade
How would you check the connection status of a gateway to the Log server?
run netstat -anp I grep :257 in expert mode on Log server
run netstat -anp I grep :18187 in CLISH on Log server
run netstat -anp I grep :18187 in expert mode on Log server
run netstat -anp I grep :257 in CLISH on Log server
Which of these would be the best way to alter the chain insertion point of fw monitor"?
Setting the "monitor" parameter with "fw ctl chain"
Using the "-p" parameter in the command line
Altering the "monitor" value in kernel parameters
Changing its settings in dbedit or Guldbedit
Publicidade
One of most common reasons that firewall administrator couldn't login anymore into a newly installed R80.x Security Management via SmartConsole is, that the 15-day trial license was expired. How can the firewall administrator install a valid license on the security management, if he only has access to the management via SmartConsole or via Gaia Portal?
The Firewall administrator should run SmartDistributor.exe, located in, login and install the valid license on management server.
The Firewall administrator should run GuidBedit.exe, located in \, login and install the valid license
on management server
The Firewall administrator should run SmartUpdate.exe, located in \bin\, login and install the valid license on management server.
The Firewall administrator should run SmartProvider.exe, located in, login and install the valid license on management server.
What is the difference between the "Super User" and "Read Write All SmartConsole permission profiles?
"Super User" has the extra ability to make changes within the Gaia operating system
"Super User" has the extra ability to administer other administrative accounts
"Read Write All" has the extra ability to make changes within the Gaia operating system
"Super User' had the extra ability of being able to use the Management API
Publicidade
During the policy installation process, compiled policies are located in three different directories, which directory contains the last policy which was compiled successfully on the management side?
$FWDIR/state_tmp/FW1
$FWDIR/state/local/FW1
$FWDIR/state/<gateway_name>/FW1
$FWDIR/log/fwd.elg
After manipulating the rulebase and objects with SmartConsole the application crashes and closes immediately. To troubleshoot you will need to review the crash report. In which directory on the host PC will you find this
<SmartConsole Directory>\Crash_report\data\
<FW1 Directory>\data\crash_report
<SmartFirewall Directory>\data\crash_report\
<SmartConsole Directory>\data\Crash_report\
Publicidade
What can be a good troubleshooting tip for the error message "load on module failed?"
Verify that SIC is established between management server and the gateway
Run fwm debug to determine why the process is slow
Restart services on the gateway using cpstop and cpstart
Reboot the management server
Which version of SmartConsole is recommended?
The latest release based on the version running on the management server
The latest release based on the version running on the most up-to-date gateway
The latest stable release available
The latest release available
Publicidade
After reviewing the Install Policy report and error codes listed in it, you need to check if the policy installation port is open on the Security Gateway. What is the correct port to check?
19009
18210
18190
18191
The default time out for policy installation is
300 seconds
90 seconds
600 seconds
150 seconds
Publicidade
Chuck is a firewall administrator. He runs into some issues with policy installation, so he wants to check if all policy ports are open. How should he do it? Select the best answer.
He should run following command on both management and gateway server: netstat – anp | grep :18191
He should run following command on management server: netstat – anp | grep :18192
He should run following command on both management and gateway server: netstat - anp |
grep :18192
He should run following command on gateway server: netstat - anp | grep :18191
What would be the most likely response when attempting to use SmartConsole to connect to a management server with the wrong credentials?
"Authentication to server failed"
"invalid username or password"
"Server down on unresponsive"
"Incorrect name or IP address"
Publicidade
After successful policy installation, the gateway stores a copy of the most recently installed policy package in which location?
$FWDIR/state/<gateway_name>/FW1
$FWDIR/state/current/FW1
$FWDIR/state/_tmp/FW1
$FWDIR/state/local/FW1
The Identity Awareness process that enforces network access restrictions on traffic based on the identity and negotiates with PDP about shared identities is called?
Iacontrol
pdp
Pep
Iaenforce
Publicidade
The Identity Awareness process that receives identity data from the identity sources and organizes it in tables before forwarding the data to the enforcement module is called
iasend
pep
iaforward
pdp
On which port do Identity Agents communicate with the gateway?
4434
18191
15365
443
Publicidade
Johnny has connectivity issues on datacenter firewall. His access to Finance department server suddenly stopped working. He is constantly redirected to Captive Portal and asked to login. After some research he gets information that the Windows administrator had to reinstall one of the DCs because of hardware failure. How can Johnny check what is causing connectivity problems between gateway and this DC?
He should run CLI command 'adlog a dc' on perimeter firewall to verify connections to all DCs
He should run CLI command 'adlog a dc' on datacenter firewall to verify connections to all DCs
He should run CLI command 'adlog a query on datacenter firewall to verify connections to all DCs
He should run CLI command 'adlog a statistic on perimeter firewall to verify connections to all DCs
The module responsible for communicating with Active Directory services to gather identity information is called
PdP
adlog
pep
ADagent
Publicidade
Application Control and URL Filtering update files are located in which directory?
$FWDIR/appi/update/
$CPDIR/appi/update
$FWDIR/conf/update
$CPDIR/apci/update
In the SmartConsole logs, you are seeing messages reporting NAT port exhaustion. What command would you use to check the status of the NAT table?
fw tab -t nat_alloc
fw tab -t xftrc_allo
fw tab -t fwx_alloc
fw tab -t xlate_alloc
Publicidade
Which of the following kernel tables can provide useful information in troubleshooting Hide NAT port exhaustion?
connections
nat_entries
fw_nat
fwx_alloc
After deploying a new Static NAT configuration, traffic is not getting through. What command would you use to troubleshoot internal problems with the NAT traffic?
cp ctl kdebug + xlate xltrc nat
fw ctl zdebug + xlate xltrc nat
cp ctt zdebug + xlate xltrc nat
fw ctl kdebug + xlate xltrc nat
Publicidade
Performing NAT on the Client Side means that translation of all packets will occur?
In the firewall kernel closest to the initiator of the connection
In the inbound firewall kernel instance
After the packets have already been routed
Prior to any routing taking place
After deploying a new Static NAT configuration traffic is not getting through. What command would you use to verify that the proxy arp configuration has been loaded?
fw ctl arp
cp ctl arp
fw ctl coon
fw arp ctl
Publicidade
After deploying a Hide NAT for a new network, users are unable to access the Internet. What command would you use to check the internal NAT behavior?
cp ctl zdebug + xlate xltrc nat
cp ctl kdebug + xlate xltrc nat
fw ctl zdebug + xlate xltrc nat
fw ctl kdebug + xlate xltrc nat
Which of the following would be the most appropriate command in debugging a HideNAT issue?
fw ctl zdebug + fwn allnat
fw ctl zdebug + dynamic natips natports
fw ctl zdebug + fwxalloc hidenat
fw ctl zdebug + xlate xltrc nat
Publicidade
Select the technology that does the following actions provides reassembly via streaming for TCP handles packet reordering and congestion handles payload overlap provides consistent stream of data to protocol parsers
fwtcpstream
Context Management
Pre-Protocol Parser
A Passive Streaming Library
Which Threat Prevention daemon is the core Threat Emulation engine and responsible for emulation files and communications with Threat Cloud?
ted
scrub
ctasd
in.msd
Publicidade
For Threat Prevention, which process is enabled when the Policy Conversion process has debug turned on using the INTERNAL_POLICY_LOADING=.1 command?
cpm
dlpd
solr
fwm
Where do Protocol parsers register themselves for IPS?
Other handlers register to Protocol parser
Protections database
Context Management Infrastructure
Passive Streaming Library
Publicidade
The customer is using Check Point appliances that were configured long ago by third-party administrators. Current policy includes different enabled IPS protections and Bypass Under Load function. Bypass Under Load is configured to disable IPS inspections if CPU and Memory usage is higher than 80%. The Customer reports that IPS protections are not working at all regardless of CPU and Memory usage. What is a possible reason of such behavior?
The kernel parameter ids_tolerance_stress is set to 10
The kernel parameter ids_tolerance_no_stress is set to 10
The kernel parameter ids_assume_stress is set to 1
The kernel parameter ids_assume_stress is set to 0
Rules within the Threat Prevention policy use the Malware database and network objects. Which directory is used for the Malware database?
$FWDIR/log/install_manager_tmp/ANTIMALWARE/log/
$FWDIR/conf/install_firewall_tmp/ANTIMALWARE/conf/
$CPDIR/conf/install_manager_tmp/ANTIMALWARE/conf/
$FWDIR/conf/install_manager_tmp/ANTIMALWARE/conf/
Publicidade
What are some measures you can take to prevent IPS false positives?
Use IPS only in Detect mode
Use Recommended IPS profile
Capture packets, Update the IPS database, and Back up custom IPS files
Exclude problematic services from being protected by IPS (sip, H.323, etc.)
The IPS detection incorporates four layers. Which one of these four layers performs various security checks to ensure compliance to protocol standards checking for any existing anomalies? The checks usually involve RFC compliance. It also logically segments the data into contexts that may be taken from the request header and body
Passive Streaming Library
Protocol Parser
Context Management
Protections
Publicidade
Publicidade
ComentáriosÚltima atualização: -
Clique aqui e seja o primeiro a comentar!
Você vai gostar também
Publicidade
Publicidade
Publicidade
Publicidade
Publicidade
Publicidade
Publicidade
Publicidade
Publicidade
