Question 1 ( Topic 1 )
When troubleshooting and trying to understand which chain is causing a problem on the Security Gateway, you should use the command:
A. fw ctl zdebug drop
B. fw tab -t connections
C. fw monitor -e "accept;" -p all
D. fw ctl chain
Answer : C
Question 2 ( Topic 1 )
True or False: Software blades perform their inspection primarily through the kernel chain modules.
A. False. Software blades do not pass through the chain modules.
B. True. Many software blades have their own dedicated kernel chain module for inspection.
C. True. All software blades are inspected by the IP Options chain module.
D. True. Most software blades are inspected by the TCP streaming or Passive Streaming chain module.
Answer : B
Question 3 ( Topic 1 )
Which of the following BEST describes the command fw ctl chain function?
A. View how CoreXL is distributing traffic among the firewall kernel instances.
B. View established connections in the connections table.
C. View the inbound and outbound kernel modules and the order in which they are applied.
D. Determine if VPN Security Associations are being established.
Answer : C
Question 4 ( Topic 1 )
When using the command fw monitor, what command ensures the capture is accurate?
A. export TDERROR_ALL_ALL=5
B. fwaccel off
C. fwaccel on
D. fw accel off
Answer : B
Explanation:
C1O2 - Chain Modules
Question 5 ( Topic 1 )
What flag option(s) must be used to dump the complete table in friendly format, assuming there are more than one hundred connections in the table?
A. fw tab -t connections -f
B. fw tab -t connect -f -u
C. fw tab -t connections -s
D. fw tab -t connections -f -u
Answer : B
Question 6 ( Topic 1 )
Compare these two images to establish which blade/feature was disabled on the firewall.
A. IPS
B. VPN
C. NAT
D. L2TP
Answer : B
Question 7 ( Topic 1 )
John is a Security Administrator of a Check Point platform. He has a misconfiguration issue that points to the Rule Base. To obtain information about the issue, John runs the command:
A. fw debug fw on and checks the file fwm.elg.
B. fw kdebug fwm on and checks the file fwm.elg.
C. fw debug fwm on and checks the file fwm.elg.
D. fw kdebug fwm on and checks the file fw.elg.
Answer : C
Question 8 ( Topic 1 )
What command would you use for a packet capture on an absolute position for TCP streaming (out) 1ffffe0?
A. fw ctl chain -po 1ffffe0 -o monitor.out
B. fw monitor -po -0x1ffffe0 -o monitor.out
C. fw monitor -e 0x1ffffe0 -o monitor.out
D. fw monitor -pr 1ffffe0 -o monitor.out
Answer : B
Question 9 ( Topic 1 )
A fwm debug provides the following output. What prevents the customer from logging into SmartDashboard?
A. There are not any policy to login in SmartDashboard
B. FWM process is crashed and returned null to access
C. User and password are incorrect
D. IP not defined in $FWDIR/conf/gui-clients
Answer : D
Question 10 ( Topic 1 )
Which process should you debug when SmartDashboard authentication is rejected?
A. fwm
B. cpd
C. fwd
D. DAService
Answer : A
Question 11 ( Topic 1 )
When you perform an install database, the status window is filled with large amounts of text. What could be the cause?
A. There is an active fw monitor running.
B. There is an environment variable of TDERROR_ALL_ALL set on the gateway.
C. There is an active debug on the SmartConsole.
D. There is an active debug on the FWM process.
Answer : D
Question 12 ( Topic 1 )
Which commands will properly set the debug level to maximum and then run a policy install in debug mode for the policy Standard on gateway A-GW from an R77 GAiA Management Server?
A. setenv TDERROR_ALL_ALL=5; fwm -d load A-GW Standard
B. setenv TDERROR_ALL_ALL=5; fwm -d load Standard A-GW
C. export TDERROR_ALL_ALL=5; fwm -d load Standard A-GW
D. export TDERROR_ALL_ALL=5; fwm -d load A-GW Standard
Answer : C
Question 13 ( Topic 1 )
For URL Filtering in the Cloud in R75 and above, what table is used to contain the URL Filtering cache values?
A. urlf_blade_on_gw
B. urlf_cache_tbl
C. urlf_cache_table
D. url_scheme_tab
Answer : C
Question 14 ( Topic 1 )
What causes the SIP Early NAT chain module to appear in the chain?
A. The SIP traffic is trying to pass through the firewall.
B. SIP is configured in IPS.
C. A VOIP domain is configured.
D. The default SIP service is used in the Rule Base.
Answer : D
Question 15 ( Topic 1 )
When finished running a debug on the Management Server using the command fw debug fwm on, how do you turn this debug off?
A. fwm debug off
B. fw ctl debug off
C. fw debug off
D. fw debug fwm off
Answer : D
Question 16 ( Topic 1 )
The user tried to connect in SmartDashboard and it did not work. You started an FWM debug and received the logs below:
What is the cause of the error?
A. IP not defined in $FWDIR/conf/gui-clients
B. Wrong user and password
C. Wrong password
D. Wrong user
Answer : D
Question 17 ( Topic 1 )
Which directory below contains the URL Filtering engine update info? Here you can also go to see the status of the URL Filtering and Application Control updates.
A. $FWDIR/urlf/update
B. $FWDIR/appi/update
C. $FWDIR/appi/urlf
D. $FWDIR/update/appi
Answer : B
Question 18 ( Topic 1 )
You are running a debugging session and you have set the debug environment to TDERROR_ALL_ALL=5 using the command export TDERROR_ALL_ALL=5. How do you return the debug value to defaults?
A. fw ctl debug 0x1ffffe0
B. fw debug 0x1ffffe0
C. export TDERROR_ALL_ALL
D. unset TDERROR_ALL_ALL
Answer : D
Question 19 ( Topic 1 )
The command fw ctl kdebug <params> is used to:
A. list enabled debug parameters.
B. read the kernel debug buffer to obtain debug messages.
C. enable kernel debugging.
D. select specific kernel modules for debugging.
Answer : B
Question 20 ( Topic 1 )
The command fw monitor -p all displays what type of information?
A. It captures all points of the chain as the packet goes through the firewall kernel.
B. This is not a valid command.
C. The -p is used to resolve MAC address in the firewall capture.
D. It does a firewall monitor capture on all interfaces.
Answer : A
Question 21 ( Topic 1 )
What command would give you a summary of all the tables available to the firewall kernel?
A. fw tab
B. fw tab -s
C. fw tab -h
D. fw tab -o
Answer : B
Question 22 ( Topic 1 )
You are troubleshooting a Security Gateway, attempting to determine which chain is causing a problem. What command would you use to show all the chains through which traffic passed?
A. [Expert@HostName]# fw ctl chain
B. [Expert@HostName]# fw monitor -e "accept;" -p all
C. [Expert@HostName]# fw ctl debug -m
D. [Expert@HostName]# fw ctl zdebug all
Answer : B
Question 23 ( Topic 1 )
What does the IP Options Strip represent under the fw chain output?
A. IP Options Strip is not a valid fw chain output.
B. The IP Options Strip removes the IP header of the packet prior to it being passed to the other kernel functions.
C. The IP Options Strip copies the header details to forward the details for further IPS inspections.
D. IP Options Strip is only used when VPN is involved.
Answer : B
Question 24 ( Topic 1 )
The command _____________ shows which firewall chain modules are active on a gateway.
A. fw stat
B. fw ctl debug
C. fw ctl chain
D. fw ctl multik stat
Answer : C
Question 25 ( Topic 1 )
The command that lists the firewall kernel modules on a Security Gateway is:
A. fw list kernel modules
B. fw ctl kernel chain
C. fw ctl debug -m
D. fw list modules
Answer : C
Question 26 ( Topic 1 )
Which of the following items is NOT part of the columns of the chain modules?
A. Inbound/Outbound chain
B. Function Pointer
C. Chain position
D. Module location
Answer : A
Question 27 ( Topic 1 )
When performing a fwm debug, to which directory are the logs written?
A. $FWDIR/log
B. $FWDIR/log/fwm.elg
C. $FWDIR/conf/fwm.elg
D. $CPDIR/log/fwm.elg
Answer : B
Question 28 ( Topic 1 )
What command would you use to view which debugs are set in your current working environment?
A. env and fw ctl debug
B. cat /proc/etc
C. fw ctl debug all
D. export
Answer : A
Topic 2, NAT
Question 29 ( Topic 2 )
How do you set up Port Address Translation?
A. Since Hide NAT changes to random high ports it is by definition PAT (Port Address Translation).
B. Create a manual NAT rule and specify the source and destination ports.
C. Edit the service in SmartDashboard, click on the NAT tab and specify the translated port.
D. Port Address Translation is not supported in a Check Point environment.
Answer : B
Question 30 ( Topic 2 )
While troubleshooting a connectivity issue with an internal web server, you know that packets are getting to the upstream router, but when you run a tcpdump on the external interface of the gateway, the only traffic you observe is ARP requests coming from the upstream router. Does the problem lie on the Check Point Gateway?
A. Yes – This could be due to a misconfigured route on the firewall.
B. No – This is a layer 2 connectivity issue and has nothing to do with the firewall.
C. No – The firewall is not dropping the traffic, therefore the problem does not lie with the firewall.
D. Yes – This could be due to a misconfigured Static NAT in the firewall policy.
Answer : D
Question 31 ( Topic 2 )
Where in a fw monitor output would you see destination address translation occur in cases of inbound automatic static NAT?
A. Static NAT does not adjust the destination IP
B. Between the “i” and “I”
C. Between the “I” and “o”
D. Between the “o” and “O”
Answer : B
Question 32 ( Topic 2 )
You are attempting to establish an FTP session between your computer and a remote server, but it is not being completed successfully. You think the issue may be due to IPS. Viewing SmartView Tracker shows no drops. How would you confirm if the traffic is actually being dropped by the gateway?
A. Search the connections table for that connection.
B. Run a fw monitor packet capture on the gateway.
C. Look in SmartView Monitor for that connection to see why it’s being dropped.
D. Run fw ctl zdebug drop on the gateway.
Answer : D
Question 33 ( Topic 2 )
By default, the size of the fwx_alloc table is:
A. 65535
B. 65536
C. 25000
D. 1024
Answer : C
Question 34 ( Topic 2 )
In your SecurePlatform configuration you need to set up a manual static NAT entry. After creating the proper NAT rule what step needs to be completed?
A. Edit or create the file local.arp.
B. No further actions are required.
C. Edit or create the file discntd.if.
D. Edit the file netconf.conf.
Answer : A
Question 35 ( Topic 2 )
The "Hide internal networks behind the Gateway's external IP" option is selected. What defines what traffic will be NATted?
A. The Firewall policy of the gateway
B. The network objects configured for the network
C. The VPN encryption domain of the gateway object
D. The topology configuration of the gateway object
Answer : D
Question 36 ( Topic 2 )
When viewing a NAT table, what does the second hexadecimal number of the 6-tuple represent?
A. Source port
B. Protocol
C. Source IP
D. Destination port
Answer : C
Question 37 ( Topic 2 )
Since switching your network to ISP redundancy you find that your outgoing static NAT connections are failing. You use the command _________ to debug the issue.
A. fwaccel stats misp
B. fw ctl pstat
C. fw ctl debug -m fw + nat drop
D. fw tab -t fwx_alloc -x
Answer : C
Question 38 ( Topic 2 )
Tom is troubleshooting NAT issues using fw monitor and Wireshark. He tries to initiate a connection from the external network to a DMZ server using the public IP which the firewall translates to the actual IP of the server. He analyzes the captured packets using Wireshark and observes that the destination IP is being changed as required by the firewall but does not see the packet leave the external interface. What could be the reason?
A. The translation might be happening on the client side and the packet is being routed by the OS back to the external interface.
B. The translation might be happening on the server side and the packet is being routed by OS back to the external interface.
C. Packet is dropped by the firewall.
D. After the translation, the packet is dropped by the Anti-Spoofing Protection.
Answer : B
Question 39 ( Topic 2 )
Remote VPN clients can initiate connections with internal hosts, but internal hosts are unable to initiate connections with the remote VPN clients, even though the policy is configured to allow it. You think that this is caused by NAT. What command can you run to see if NAT is occurring on a packet?
A. fw tab -t fwx_alloc -x
B. fw ctl pstat
C. fwaccel stats misp
D. fw ctl debug -m fw + conn drop packet xlate xltrc nat
Answer : D
Question 40 ( Topic 2 )
Ann wants to hide FTP traffic behind the virtual IP of her cluster. Where is the relevant file table.def located to make this modification?
A. $FWDIR/log/table.def
B. $FWDIR/conf/table.def
C. $FWDIR/bin/table.def
D. $FWDIR/lib/table.def
Answer : D
Question 41 ( Topic 2 )
Which file should be edited to modify ClusterXL VIP Hide NAT rules, and where?
A. $FWDIR/lib/base.def on the cluster members
B. $FWDIR/lib/table.def on the SMC
C. $FWDIR/lib/table.def on the cluster members
D. $FWDIR/lib/base.def on the SMC
Answer : B
Question 42 ( Topic 2 )
While troubleshooting a DHCP relay issue, you run a fw ctl zdebug drop and see the following output:
;[cpu_1];[fw_0];fw_log_drop: Packet proto=17 10.216.14.108:67 > 172.31.2.1:67 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed;
Where 10.216.14.108 is the IP address of the DHCP server and 172.31.2.1 is the VIP of the Cluster. What is the most likely cause of this drop?
A. An inbound collision due to a connections table check on pre-existing connections.
B. An outbound collision due to a Rule Base check, and dropped by incorrectly configuring DHCP in the firewall policy.
C. A link collision due to more than one NAT symbolic link being created for outgoing connections to the DHCP server.
D. A link collision due to more than one NAT symbolic link being created for connections returning from the DHCP server back to the VIP of the Cluster.
Answer : D
Question 43 ( Topic 2 )
Server A is subject to automatic static NAT and also resides on a network which is subject to automatic Hide NAT. With regard to address translation, what will happen when Server A initiates outbound communication?
A. This will cause a policy verification error.
B. This is called hairpin NAT, the traffic will return to the server.
C. The static NAT will take precedence.
D. The Hide NAT will take precedence.
Answer : C
Question 44 ( Topic 2 )
Where in a fw monitor output would you see source address translation occur in cases of automatic Hide NAT?
A. Between the “I” and “o”
B. Hide NAT does not adjust the source IP
C. Between the “o” and “O”
D. Between the “i” and “I”
Answer : C
Question 45 ( Topic 2 )
You are trying to troubleshoot a NAT issue on your network, and you use a kernel debug to verify a connection is correctly translated to its NAT address. What flags should you use for the kernel debug?
A. fw ctl debug -m fw + conn drop nat vm xlate xltrc
B. fw ctl debug -m fw + conn drop ld
C. fw ctl debug -m nat + conn drop nat xlate xltrc
D. fw ctl debug -m nat + conn drop fw xlate xltrc
Answer : A
Question 46 ( Topic 2 )
Which FW-1 kernel flags should be used to properly debug and troubleshoot NAT issues?
A. nat, route, conn, fwd, zeco, err
B. nat, xlate, fwd, vm, ld, chain
C. nat, xltrc, xlate, drop, conn, vm
D. nat, drop, conn, xlate, filter, ioctl
Answer : C
Question 47 ( Topic 2 )
Since R76 GAiA, what is the method for configuring proxy ARP entries for manual NAT rules?
A. WebUI or add proxy ARP ... commands via CLISH
B. SmartView Tracker
C. local.arp file
D. SmartDashboard
Answer : A
Question 48 ( Topic 2 )
Given the screen configuration shown, the failure’s probable cause is:
A. Packet 1 proposes SA life type, SA life duration, authentication and encapsulation algorithm.
B. Packet 1 proposes a symmetrical key.
C. Packet 1 proposes a subnet and host ID, an encryption and hash algorithm.
D. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data.
Answer : D
Question 49 ( Topic 2 )
The fw tab -t ___________ command displays the NAT table.
A. loglist
B. tablist
C. fwx_alloc
D. conns
Answer : C
Question 50 ( Topic 2 )
In a production environment, your gateway is configured to apply a Hide NAT for all internal traffic destined to the Internet. However, you are setting up a VPN tunnel with a remote gateway, and you are concerned about the encryption domain that you need to define on the remote gateway. Does the remote gateway need to include your production gateways external IP in its encryption domain?
A. No – All packets destined through a VPN will leave with their original source and destination addresses without translation.
B. No – All packets destined to go through the VPN tunnel will have the payload encapsulated in an ESP packet and, after decryption at the remote site, will have the same internal source and destination IP addresses.
C. Yes – All packets destined to go through the VPN tunnel will have the payload encapsulated in an ESP packet and, after decryption at the remote site, the packet will contain the source IP of the Gateway because of Hide NAT.
D. Yes – The gateway will apply the Hide NAT for this VPN traffic.
Answer : B
Question 51 ( Topic 2 )
You have set up a manual NAT rule, however fw monitor shows you that the device still uses the automatic Hide NAT rule. How should you correct this?
A. Move your manual NAT rule above the automatic NAT rule.
B. In Global Properties > NAT ensure that server side NAT is enabled.
C. Set the following fwx_alloc_man kernel parameter to 1.
D. In Global Properties > NAT ensure that Merge Automatic to Manual NAT is selected.
Answer : A
Question 52 ( Topic 2 )
Tom has a Web server for which he has created a manual NAT rule. The rule is not working. He tries to initiate a connection from the external network to a DMZ server using the public IP which the firewall translates to the actual IP of the server. He analyzes the captured packets using Wireshark and observes that the destination IP is being changed as required by the firewall but does not see the packet leave the internal interface. Which box in Global Properties should be checked?
A. Automatic NAT rules > Allow bi-directional NAT
B. Automatic NAT rules > Automatic ARP Configuration
C. Automatic NAT rules > Translate destination on client side
D. Manual NAT rules > Translate destination on client side
Answer : D
Question 53 ( Topic 2 )
Which flag in the fw monitor command is used to print the position of the kernel chain?
A. -all
B. -k
C. -c
D. -p
Answer : D
Topic 3, ClusterXL
Question 54 ( Topic 3 )
Which of the following commands shows the high watermark threshold for triggering the cluster under load mechanism in R77?
A. fw ctl get int fwha_cul_mechanism_enable
B. fw ctl get int fwha_cul_cluster_short_timeout
C. fw ctl get int fwha_cul_member_cpu_load_limit
D. fw ctl get int fwha_cul_policy_freeze_event_timeout_millisec
Answer : C
Question 55 ( Topic 3 )
From the output of the following cphaprob -i list, what is the most likely cause of the clustering issue?
Cluster B> cphaprob -i list
Built-in Devices:
Device Name: Interface Active Check Current state: OK
Device Name: HA Initialization Current state: OK
Device Name: Recovery Delay Current state: OK
Registered Devices:
Device Name: Synchronization Registration number: 0 Timeout: none Current state: OK Time since last report: 3651.5 sec
Device Name: Filter Registration number: 1 Timeout: none Current state: problem Time since last report: 139 sec
Device Name: routed Registration number: 2 Timeout: none Current state: OK Time since last report: 3651.9 sec
Device Name: cphad Registration number: 3 Timeout: none Current state: OK Time since last report: 3696.5 sec
Device Name: fwd Registration number: 4 Timeout: none Current state: OK Time since last report: 3696.5 sec
A. There is an interface down on Cluster A
B. There is a sync network issue between Cluster A and Cluster B
C. The routing table on Cluster B is different from Cluster A
D. Cluster B and Cluster A have different versions of policy installed.
Answer : D
Question 56 ( Topic 3 )
You run the commands:
fw ctl debug 0
fw ctl debug -buf 32000
Which of the following commands would be best to troubleshoot a clustering issue?
A. fw ctl zdebug -m cluster + all
B. fw ctl debug -m CLUSTER + conf stat
C. fw ctl debug -m cluster + pnote stat if
D. fw ctl kdebug -m CLUSTER all
Answer : C
Question 57 ( Topic 3 )
What would be a reason for changing the “Magic MAC”?
A. To allow for automatic upgrades.
B. To allow two or more cluster members to exist on the same network.
C. To allow two or more clusters to exist on the same network.
D. To allow the two cluster members to use the same virtual IP address.
Answer : C
Question 58 ( Topic 3 )
Your customer receives an alert from their network operations center: they are seeing ARP and ping scans of their network originating from the firewall. What could be the reason for this behaviour?
A. Check Point firewalls probe adjacent networking devices during normal operation.
B. IPS is disabled on the firewalls and there is a known OpenSSL vulnerability that allows a hacker to cause a network scan to originate from the firewall.
C. One or both of the firewalls in a cluster have stopped receiving CCP packets on an interface.
D. Check Point's Antibot blade performs anti-bot scans of the surrounding network.
Answer : C
Question 59 ( Topic 3 )
What is the function of the setting "no_hide_services_ports" in the tables.def files?
A. Preventing the secondary member from hiding its presence by not forwarding any packets.
B. Allowing management traffic to be accepted in an applied rule ahead of the stealth rule.
C. Hiding the particular tables from being synchronized to the other cluster member.
D. Preventing outbound traffic from being hidden behind the cluster IP address.
Answer : D
Question 60 ( Topic 3 )
When you have edited the local.arp configuration to support a manual NAT, what must be done to ensure proxy ARPs for both manual and automatic NAT rules function?
A. In Global Properties > NAT tree select Merge manual proxy ARP configuration check box
B. Run the command fw ctl ARP -a on the gateway
C. In Global Properties > NAT tree select Translate on client side check box
D. Create and run a script to forward changes to the local.arp tables of your gateway
Answer : A
Question 61 ( Topic 3 )
Which definition best describes the file table.def function? It is a placeholder for:
A. definitions of various kernel tables for Security Gateways.
B. definitions of various kernel tables for Management Servers.
C. user defined implied rules for Security Gateways.
D. user defined implied rules for Management Servers.
Answer : A
Question 62 ( Topic 3 )
Extended Cluster Anti-Spoofing checks what value to determine if a packet with the source IP of a gateway in the cluster is being spoofed?
A. The source IP of the packet.
B. The packet has a TTL value of less than 255.
C. The source MAC address of the packet.
D. The destination IP of the packet.
Answer : B
Question 63 ( Topic 3 )
Each connection allowed by a Security Gateway will have a real entry and some symbolic link entries in the connections state table. The symbolic link entries point back to the real entry using this:
A. serial number of the real entry.
B. 6-tuple.
C. memory pointer.
D. date and time of the connection establishment.
Answer : B
Explanation:
C3O3 - ClusterXL
Question 64 ( Topic 3 )
After creating and pushing out a new policy, Joe finds that an old connection is still being allowed that should have been closed after his changes. He wants to delete the connection on the gateway, and looks it up with fw tab -t connections -u. Joe finds the connection he is looking for. What command should Joe use to remove this connection?
<0,a128c22,89,a158508,89,11;10001,2281,25,15b,a1,4ecdfeee,ac,691400ac,7b6,3e,ffffffff,3c,3c,0,0,0,0,0,0,0,0,0,0,0,0,0,0>
A. fw tab -t connections -x -d "0,a128c22,89,0a158508,89,11"
B. fw tab -t connections -x -e "0,a128c22,00000089,0a158508,00000089,00000011"
C. fw tab -t connections -x -d "00000000,a128c22,00000089,0a158508,00000089,00000011"
D. fw tab -t connections -x -e "0,a128c22,89,0a158508,89,11"
Answer : B
Question 65 ( Topic 3 )
How can you see a dropped connection and the cause from the kernel?
A. fw zdebug drop
B. fw ctl debug drop on
C. fw debug drop on
D. fw ctl zdebug drop
Answer : D
Check Point Security Master Questions + Answers