100% Valid And Pass With latest Checkpoint 156-215 exam dumps, you will never fail your Checkpoint 156-215 exam.All the questions and answers are updated and added to the new version timely by our experts.Also now Flydumps is offering free Checkpoint 156-215 exam VCE player and PDF files for free on their website.
QUESTION 30
Cara wants to monitor the tap services on her Security Gateway (fw-chicago), but she is getting an error message. Other security gateways are reporting except a new security gateway just recently deployed. Analyze the error message from the out put below and determine what Care can do to correct the problem?
A. She should create a firewall rule to allow the CPMI traffic back to her Smart Console.
B. She should re-install the Security Policy on her Security Gateway since it was using the default rule Base.
C. She should edit the Security gateway object and enable the monitoring Software Blade.
D. She should let the monitoring run longer in order for it to collect sampled data.
Correct Answer: C
QUESTION 31
The Internal Certificate Authority (ICA) CANNOT be used for:
A. Virtual Private Network (VPN) Certificates for gateways
B. NAT rules
C. Remote-access users
D. SIC connections
Correct Answer: B
QUESTION 32
Which of the following commands can provide the most complete restore of an R71 configuration?
A. Cpconfig
B. Upgrade_import
C. fwm db_import -p <export file>
D. cpinfo -recover
Correct Answer: B QUESTION 33
When using the Anti-Virus Content Security, how are different file types analyzed?
A. They are analyzed by their un-encoded format.
B. They are analyzed by their magic number.
C. They are analyzed by the MIME header.
D. They are analyzed by their file extension (i.e. .bat, .exe. .doc)
Correct Answer: B QUESTION 34
Because of pre-existing design constraints, you set up manual NAT rules for HTTP server are both using automatic NAT rules. All traffic from your FTP and SMTP servers are passing through a Security Gateway Way without a problem, but traffic from the Web server is dropped on rule 0 because of anti-spoofing settings. What is causing this?
A. Allow bi-directional NAT is not checked in Global Properties.
B. Manual NAT rules are not configured correctly.
C. Translate destination on client side is not checked in Global Properties under manual NAT rules.
D. Routing is not configured correctly.
Correct Answer: C QUESTION 35
You are creating an output file with the following command:
Fw monitor -e “accept (arc=10 . 20 . 30 . 40 or dst=10 , 20 , 30 – 40) ; ” -o ~/output
Which tools do you use to analyze this file?
A. You can analyze it with Wireshark or Ethereal
B. You can analyze the output file with any ASCI editor.
C. The output file format is CSV. so you can use MS Excel to analyze it
D. You cannot analyze it with any tool as the syntax should be: fw monitor -e accept ( = 10.20.30.40 or =10.20.30.40); -0 ~/output
Correct Answer: A QUESTION 36
URL filtering policy can make exceptions for specific sites by being enforced:
A. Only for specific sources and destinations.
B. For all traffic, except on specific sources and destinations.
C. For alt traffic, except blocked sites.
D. For all traffic. There are no exceptions.
Correct Answer: B QUESTION 37
Which of the following is a hash algorithm?
A. DES
B. IDEA
C. MD5
D. 3DES Correct Answer: C QUESTION 38
The SIC certificate is stored in the________ directory.
A. $FUIDIR/conf
B. $CPDIR/conf
C. $FWDIR/database
D. $CPDIR/registry
Correct Answer: C QUESTION 39
When you hide a rule in a Rule Base, how can you then disable the rule?
A. Use the search utility in SmartDashboard to view all hidden rules Select the relevant rule and click Disable Rule(s).
B. Right-click on the hidden rule place-holder bar and select Disable Rule(s).
C. Right-click on the hidden rule place-holder bar and uncheck Hide, then right-click and select Disable Rule(s), re-hide the rule.
D. Hidden rules are already effectively disabled from Security Gateway enforcement.
Correct Answer: C QUESTION 40
Which of the following can be found in cpinfo from an enforcement point?
A. The complete file objects_5_0. c
B. Policy file information specific to this enforcement point
C. Everything NOT contained in the file r2info
D. VPN keys for all established connections to all enforcement points
Correct Answer: A QUESTION 41
Which antivirus scanning method does not work if the Gateway is connected as a node in proxy mode?
A. Scan by Direction
B. Scan by File Type
C. Scan by Server
D. Scan by IP Address
Correct Answer: A QUESTION 42
Which of the following is a CLI command for Security Gateway R71?
A. fwm policy_print <policyname>
B. fw shutdown
C. fw merge
D. fw tab 璾
Correct Answer: D QUESTION 43
You are working with multiple Security Gateways that enforce an extensive number of rules. To simplify Security administration, which one of the following would you choose to do?
A. Create a separate Security Policy package for each remote Security Gateway.
B. Run separate SmartConsole instances to login and configure each Security Gateway directly.
C. Eliminate all possible contradictory rules such as the Stealth or Cleanup rules.
D. Create network objects that restrict all applicable rules to only certain networks.
Correct Answer: A
QUESTION 44
The customer has a small Check Point installation which includes one Windows 2003 server as the Smart Console and a second server running secure Platform as both Security Management Server and the Security Gateway. This is an example of a (n):
A. Unsupported configuration.
B. Hybrid Installation.
C. Distributed Installation.
D. Stand-Alone Installation.
Correct Answer: C
QUESTION 45
Which set of objects have an Authentication tab?
A. Networks. Hosts
B. Users, Networks
C. Users, User Groups
D. Templates, Users
Correct Answer: C
QUESTION 46
Which operating system is NOT supported by Endpoint Connect R71?
A. MacOS X
B. Windows XP SP2 O C.
C. Windows Vista 64-bit SP1
D. Windows 2000 SP1
Correct Answer: D
QUESTION 47
Security Servers can perform authentication tasks, but CANNOT perform content security tasks?
A. RHV HTTPS
B. FTP
C. RLOGIN
D. HTTP
Correct Answer: C
QUESTION 48
When launching SmartDashboard, what information is required to log into R7?
A. User Name, Management Server IP, certificate fingerprint file
B. User Name, Password. Management Server IP
C. Password. Management Server IP
D. Password, Management Server IP, LDAP Server IP
Correct Answer: B QUESTION 49
SmartView Tracker R71 consists of three different modes. They are
A. Log, Active, and Audit
B. Log, Active, and Management
C. Log, Track, and Management
D. Network & Endpoint, Active, and Management
Correct Answer: D QUESTION 50
Can you upgrade a clustered deployment with zero downtime?
A. No, this is not possible.
B. Yes, if you select the option zero downtime, it will keep one member active
C. No, you must bring all gateways down.
D. Yes, this is the default setting.
Correct Answer: B QUESTION 51
What action CANNOT be run from SmartUpdate R71?
A. Get all Gateway Data
B. Fetch sync status
C. Reboot Gateway
D. Preinstall verifier
Correct Answer: D QUESTION 52
When john first installed the system, he forgot to configure DNS server security Gateway. How could john configure DNS servers now that his security gateway is in production?
A. Login to the firewall using SSH and run cpconfig, then select Domain Name Servers.
B. Login to the firewall using SSH and run fwm, then select System Configuration and Domain Name Servers.
C. Login to the SmartDashboard, edit the firewall Gateway object, and select the tab Interface, than domain name servers.
D. Login to the firewall using SSH and run aysconfig, then select Domain Name Servers.
Correct Answer: D QUESTION 53
Using the out put below, what type of VPN is configured for fw-stlouis?
A. Traditional
B. Meshed
C. Domain-Based
D. Star
Correct Answer: B
QUESTION 54
A clean up rule is used to:
A. Drop without logging connections that would otherwise be dropped and logged fry default
B. Log connections that would otherwise be accepted without logging by default.
C. Log connections that would otherwise be dropped without logging by default.
D. Drop without logging connections that would otherwise be accepted and logged by default
Correct Answer: C
QUESTION 55
When check point translation method allows an administrator to use fewer ISP-assigned IP addresses then the number of internal hosts requiring internet connectivity?
A. Static Destination
B. Hide
C. Dynamic Destination
D. Static Source
Correct Answer: B
QUESTION 56
If you were NOT using IKE aggressive mode for your IPsec tunnel, how many packets would you see for normal Phase 1 exchange?
B. 2
C. 3
D. 9
Correct Answer: A
QUESTION 57
Identify the correct step performed by SmartUpdate a remote Security Gateway. After selecting packages Select / Add from CD, the:
A. entire contents of the CD-ROM arc copied to the packages directory on the selected remote Security Gateway
B. selected package is copied to the Package Repository on the Security Management: Server
C. entire contents of the CD-ROM are copied to the Package Repository on the Security Management Server
D. selected package is copied to the packages directory on the selected remote Security Gateway
Correct Answer: B
QUESTION 58
You would use the Hide Rule feature to:
A. Make rules invisible to incoming packets.
B. View only a few rules without the distraction of others
C. Hide rules from read-only administrators.
D. Hide rules from a SYN/ACK attack.
Correct Answer: A
QUESTION 59
Which of the following methods will provide the most complete backup of an R71 configuration?
A. Policy Package Management
B. Copying the $PWDIR\conf and $CPDIR\conf directories to another server
C. upgrade_export command
D. Database Revision Control
Correct Answer: B
QUESTION 60
To monitor all traffic between a network and the internet on a Security Platform Gateway, what is the best utility to use?
A. Snoop
B. Cpinfo
C. Infoview
D. Tcpdump
Correct Answer: D
QUESTION 61
Where are automatic NAT rules added to the Rule Base?
A. Before last
B. Middle
C. First
D. Last
Correct Answer: D
QUESTION 62
You are responsible for configuration of Meg a Corn’s Check Point Firewall. You need to allow two NAT rules to match a connection. Is it possible? Give the best answer
A. Yes. it is possible to have two NAT rules which match a connection, but only when using Automatic NAT(bidirectional NAT)
B. No, it is not possible to have more one NAT rule matching a connection. When the firewall receives a packet belonging to a concentration, it compares it against the first rule in the Rule Base, then the second rule, and so on When it finds a rule that matches, it stops checking and applies that rule.
C. Yes, it is possible to have two NAT rules which match a connection, but only in using Manual NAT (bidirectional NAT)
D. Yes, there are always as many active NAT rules as there are connections.
Correct Answer: A
QUESTION 63
On of your licenses is set for an IP address no longer in use. What happens to this license during the licenser-upgrade process?
A. It is upgraded with new available features but the IP remains the same
B. It remains untouched.
C. It is upgraded with the previous features using the new IP address
D. It is dropped
Correct Answer: A
QUESTION 64
External commands can be included in SmartView Tracker via the menu Tools / Custom commands. The security management server is running under SecurePlatform, and the GUI is on a system running Microsoft Windows. How do you run the command trecert.exe to the list?
A. Use the program GUI dbedit to add the command trace route to the properties of the security management Server.
B. Go to the menu Tools I Custom Commands and configure the Windows command trecert.exe to the list.
C. There is no possibility to expand the three pre-defined options ping, whois, and nslookup.
D. Go to the menu. Tools / Custom Commands and configure the Linux command trace route to the list.
Correct Answer: B
QUESTION 65
What is used to validate a digital certificate?
A. IPsec
B. CRL
C. S/MIME
D. PKCS
Correct Answer: C
QUESTION 66
An internal router is sending UDP keep-alive packets that are being encapsulated with GRE and sent through your R71 Security Gateway to a partner site. Rules for GRE traffic is configured for ACCEPT/LOG. Although the keep-alive packets are being sent every one minute, a search through the SmartView Tracker logs for GRE traffic only shows one entry for the whole day (early in the morning after a policy install).If your partner site indicates they are successfully receiving the GRE encapsulated keep-alive packets every minute interval.If GRE encapsulation is turned off on the router. SmartView Tracker shows a log entry for the UDP keep-alive packet every minute. Which of the following is the BEST explanation for this behavior?
A. The Log Server log unification process unifies all log entries from the Security Gateway on specific connection into only one log entry in the SmartView Tracker. GRE traffic has a 10 minute session timeout, thus each keep-alive packet is considered part of the original logged. connection at the beginning of the day
B. The Log Server is failing to log GRE traffic property because it is VPN traffic. Disable all VPN configurations to the partner site to enable proper logging.
C. The log unification process is using a LUUID (Log Unification Unique Identification) that has become corrupt. Because it is encrypted, the R71 Security Gateway cannot distinguish between GRE sessions. This is a known issue with the GRE. Use IPSEC instead of the non GRE protocol for encapsulation.
D. The setting Log does not capture this level of details for GRE Set the rule tracking a action to audit since certain types of traffic can only tracked this way.
Correct Answer: A
QUESTION 67
Which do you configure to give remote access VPN users a local IP address?
A. Office mode IP pool
B. NAT pool
C. Encryption domain pool
D. Authentication pool
Correct Answer: A
QUESTION 68
You need to plan the company’s new security system. The company needs a very high level of security and also high performance and high through put for their applications. You need to turn on most of the integrated IPS checks while maintain high throughput. What would be the best solution for this scenario?
A. The IPS does not run when Core XL is enabled
B. You need to buy a strong multi-core machine and run R71 or later on Secure Platform with CoreXL technology enabled.
C. The IPS system does not affect the firewall performance and CoreXL is not needed in this scenario.
D. Bad luck, both together can not be achieved.
Correct Answer: B
QUESTION 69
You intend to upgrade a Check Point Gateway from R65 to R71. Prior to upgrading, you want to backup the gateway should there be any problems with the upgrade of the following allows for the gateway configuration to be completely backup into a manageable size in the least amount of time?
A. Backup
B. Snapshot
C. Upgrade_export
D. Database_revision
Correct Answer: B
QUESTION 70
Which of the following describes the default behavior of an R71 Security Gateway?
A. Traffic is filtered using controlled port scanning.
B. All traffic is expressly permitted via explicit rules.
C. Traffic not explicitly permitted is dropped.
D. IP protocol types listed as secure are allowed by default, i.e ICMP, TCP, UDP sessions are inspected.
Correct Answer: C
Ensure that you are provided with only the best and most updated Checkpoint 156-215 Certification training materials, we also want you to be able to access Checkpoint 156-215 easily, whenever you want.We provide all our Checkpoint 156-215 Certification exam training material in PDF format, which is a very common format found in all computers and gadgets. Now we add the latest Checkpoint 156-215 content and to print and share content.