Checkpoint 156-310 Dumps
Exam: Check Point NG with Application Intelligence - Management II (156-310.4)
Checkpoint 156-310 Exam Tutorial
Question No : 1 - Topic 1
Which of the following actions does Secure Configuration Verification perform?
Secure Configuration Verification confirms that the:
A. Desktop Policy is installed on all client interfaces.
B. TCP/IP is enabled on the desktop.
C. User name and password cached on the desktop are correct.
E. IP address of the client is correct for entrance into the VPN Domain.
Question No : 2 - Topic 1
Dr Billis setting up a new VPN-1/FireWall-1 Enforcement Module. The Rule Base is
configured to allow all traffic, and the Enforcement Module is set up as shown in the
screen capture below. Dr Billcannot get the new system to pass any traffic. What is
the MOST likely cause of the problem?
? Processor: 2.2 GHz
? RAM: 256 MB
? Hard Disk: 10 GB
? OS: Windows 2000 Server
Results of ipconfig/all
View the following exhibit for the results of ipconfig/all.
A. Routing is not properly configured.
B. The machine does not have enough RAM.
C. The processor is not fast enough.
D. The operating system is not supported.
E. The Rule Base is blocking traffic.
Question No : 3 - Topic 1
Ken us assisting a user whose SecurityClient password has expired. The
SecureClient user can no longer access resources in the VPN Domain. Which of the
following solutions is likely to resolve the issue?
A. Ken must ask the VPN-1/FireWall-1 Security Administrator to change the setting Password Expires to a date in the future. Users cannot adjust their SecureClient passwords.
B. Ken should as the user to change his password, using the New Password option on SecureClients Passwords menu. The user can change his password, then stop and start SecureClient.
C. If the SecureClient password is allowed to expire, the software will no longer function. Ken should help the user uninstall and reinstall SecureClient. The user will be prompted to supply a new password during installation.
D. When the SecureClient password expires while a session is in progress, the session will not exit properly. Ken should ask the user to shut down and restart his computer. The user will be prompted to supply a new password after login.
E. The user must edit the userc.C file, to change the expiration date on his password. Ken should help the user make the necessary modifications to the userc.C file, using a text editor that does not insert Unicode characters.
Question No : 4 - Topic 1
Dr Billis a security consultant. Dr Kings client uses a 56-bit DES encryption key for
its VPN-1/FireWall-1 VPNs. Dr Billinforms his client that as a banking concern, the
client is not using a long enough key to comply with new industry regulations. New
industry regulations require a key length of no less then 120 bits. The new industry
standards expressly prohibit the use of proprietary algorithms. Which of the
following solutions could Dr Billsuggest to his client, to help the client achieve
regulatory compliance? (Choose two)
Question No : 5 - Topic 1
Which of the following statements, about Hybrid Ike, are FALSE? Choose two.
A. The final packet size is increased after it is encrypted
B. Only pre-shared secrets or certificates may be used.
C. SecureClient and Hybrid Ike are incompatible
D. TCP/IP headers are encrypted along with the payload.
E. Any authentication mechanism supported by VPN-1/Firewall-1 is supported.
Question No : 6 - Topic 1
Which of the following is configured in a rule allowing notification through
E. SNMP Trap
Question No : 7 - Topic 1
Diffie-Hellman uses which type of key exchange?
Question No : 8 - Topic 1
If the Use Aggressive Mode check box in the IKE Properties dialogue box is enabled:
A. The standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange.
B. The standard three-packet IKE Phase 2 exchange is replaced by a six-packet exchange.
C. The standard three-packet IKE Phase 1 exchange is replaced by a six-packet exchange.
D. The standard six-packet IKE Phase 2 exchange is replaced by a three-packet exchange.
E. The standard three-packet IKE Phase 3 exchange is replaced by a six-packet exchange.
Question No : 9 - Topic 1
Which of the following actions should be taken before deploying VPN-1/FireWall-1 in
a production role? (Choose three)
A. Edit the ARP table for NAT.
B. Disable all network services.
C. Install and patch operating system(s).
D. Obtain licenses.
E. Configure routing.
Question No : 10 - Topic 1
Assume an intruder has succeeded in compromising your current IKE Phase 1 and
Phase 2 keys. Which of the following will end the intruders access after the next
Phase 2 exchange occurs?
A. DES Key Reset
B. MD5 Hash Completion
C. SHA1 Hash Completion
D. Phase 3 Key Revocation
E. Perfect Forward Secrecy
Question No : 11 - Topic 1
Arne is a Security Administrator for a small company in Oslo. He has just been
informed that a new office is opening in Madrid, and he must configure each sites
Enforcement Module to encrypt all data being passed between the offices. Because
Arne controls both sites, he decides to use a shared-secret key to configure an IKE
VPN. Which of the following tasks does Arne NOT need to perform to configure the
A. Configure the Rule Base to allow encrypted traffic between the VPN Domains.
B. Configure IKE encryption parameters for the Madrid and Oslo Enforcement Modules.
C. Establish a secure channel for the exchange of the shared secret.
D. Define VPN Domains for the Madrid and Oslo Enforcement Modules.
E. Create certificates for the Madrid and Oslo Enforcement Modules.
Question No : 12 - Topic 1
Dr Billis a Security Administrator preparing to install and deploy VPN-1/FireWall-1 to
protect his companys information assets. Dr Billonly has one machine to dedicate
to security enforcement. Which of the following VPN-1/FireWall-1 installation options
is MOST appropriate for Dr Kings environment?
A. Enterprise Primary Management
B. Enforcement Module and Primary Management
C. Enterprise Single Gateway
D. Enforcement Module
E. Enterprise Secondary Management
Question No : 13 - Topic 1
In gateway-to-gateway encryption, gateways identify themselves by presenting their
credentials. Which of the following are credentials supported by VPN-1/FireWall-1 for
a gateway-to-gateway encryption? (Choose two)
D. Pre-shared secret
Question No : 14 - Topic 1
Dr Billis a Security Administrator preparing to implement a VPN solution for his
multisite organization. To comply with industry regulations, Dr Kings VPN solution
must meet the following requirements:
? Portability: Standard
? Key Management: Automatic, External PKI
? Session Keys: Changed at configured times during a connectionís lifetime
? Key Length: No less than 128 bit
? Data Integrity: Secure against brute force and inversion attacks
Which Check Point VPN-1/FireWall-1 VPN solution meets the requirements?
A. IKE VPNs_ AES encryption for IKE Phase 1, AES encryption for Phase 2; SHA1 hash
B. IKE VPNs: DES encryption for IKE Phase 1, 3DES encryption for Phase 2; MD5 hash
C. IKE VPNs: AES encryption for IKE Phase 1, DES encryption for Phase 2; SHA1 hash
D. IKE VPNs: CAST encryption for IKE Phase 1. SHAI encryption for Phase 2: DES hash
E. IKE VPNs: SHA1 encryption for IKE Phase 1, MD5 encryption for Phase 2; AES hash
Question No : 15 - Topic 1
Ann would like to deploy H.323 with a gatekeeper and gateway on her internal
network. This network is behind a VPN-1/FireWall-1 Enforcement Module. Which of
the following objects is NOT required to configure VPN-1/FireWall-1 for H.323 in this
A. Address Range representing internal IP-addressed phones
B. Gatekeeper Node Object
C. Address range of external IP-addressed phones
D. Voice over IP (VoIP) Gateway Node Object
E. Voice over IP (VoIP) Domain Object
Question No : 16 - Topic 1
Which of the following encryption algorithms supports a key length from 128-bits to
256-bits and is outlined in the new Federal Information Processing Standard
A. AES (Ridndael)
B. CAST Cipher
Question No : 17 - Topic 1
Dr Billis assisting a SecureClient user, who cannot access resources in the VPN
Domain. Dr Billhas performed the following troubleshooting tasks.
? Confirmed that the Network Interface Card, Ethernet cable, and router port are all
? Reviewed the contents of the SecureClient machineís Address Resolution Protocol
table, and confirmed entries are consistent with the machine addresses of other
machines in the collision domain.
? Used Ping, to confirm connectivity with the default gateway and upstream router.
? Completed an FTP session to an Internet host.
? Tried to Telnet to a host in the VPN Domain, this attempt failed.
Dr Billconcluded the problem is a SecureClient problem, and not a TCP/IP
connectivity issue. Which of the following statements is TRUE of Dr Kings testing
A. Dr Kings tests and conclusion are valid. Because SecureClient operates between the Presentation and Application Layers of the OSI model, the users inability to access resources is a SecureClient problem.
B. Dr Kings methodology is sound, but his tests are insufficient to determine whether or not the problem is with SecureClient. A TCP/IP problem may exist between the upstream router and target Enforcement Module.
C. Dr Kings methodology is valid, and his conclusion is correct. BecauseDr Billhas tested all seven layers of the OSI Model on the SecureClient machine, the problem must be malfunctioning SecureClient software.
D. Dr Kings methodology is flawed. Client-side testing yields no useful information when troubleshooting SecureClient issues. Eric should have initiated all tests from the Enforcement Module.
E. Dr Kings tests and conclusion are invalid. SecureClient operates between the Presentation and Session Layers of the OSI Model, andDr Billonly tested up to the Transport Layer.
Question No : 18 - Topic 1
Which component of VPN-1/FireWall-1 is used for Content Security to prevent end-
user access to specific URLs?
A. UFP Server
B. TACACS Server
C. URI Server
D. CVP Server
E. DEFENDER Server
Question No : 19 - Topic 1
Which of the following uses the same key to decrypt as it does to encrypt?
A. Certificate-based encryption
B. Static encryption
C. Asymmetric encryption
D. Dynamic encryption
E. Symmetric encryption
Question No : 20 - Topic 1
Jacob configured a meshed VPN Community, with VPN properties set as shown
below. Which of the following statements are TRUE? (Choose two)
A. Jacob is using the default VPN property settings for a VPN-1/FireWall-1 meshed VPN Community.
B. Jacobs community will perform IKE Phase 1 key-exchange encryption, using the longest key VPN-1/FireWall-1 supports.
C. Jacob must change the data-integrity settings for this VPN Community. MD5 is incompatible with AES.
D. If Jacob changes the setting Perform IPsec data encryption with: from AES-128 to 3DES, he will increase the encryption overhead.
E. If Jacob changes the setting, Perform key exchange encryption with: from 3DES to DES, he will enhance the VPN Communitys security and reduce encryption overhead.