Page: 1
/ 14
Total 212 questions
A host on the Internet initiates traffic to the Static NAT IP of your Web server behind the
Security Gateway. With the default settings in place for NAT, the initiating packet will translate the _________.
- A. destination on server side
- B. source on server side
- C. source on client side
- D. destination on client side
Answer : D
You are MegaCorps Security Administrator. There are various network objects which must be NATed. Some of them use the Automatic Hide NAT method, while others use the
Automatic Static NAT method. What is the rule order if both methods are used together?
Give the BEST answer.
- A. The Administrator decides the rule order by shifting the corresponding rules up and down.
- B. The Static NAT rules have priority over the Hide NAT rules and the NAT on a node has priority over the NAT on a network or an address range.
- C. The Hide NAT rules have priority over the Static NAT rules and the NAT on a node has priority over the NAT on a network or an address range.
- D. The rule position depends on the time of their creation. The rules created first are placed at the top; rules created later are placed successively below the others.
Answer : B
Which Check Point address translation method is necessary if you want to connect from a host on the Internet via HTTP to a server with a reserved (RFC 1918) IP address on your
DMZ?
- A. Dynamic Source Address Translation
- B. Hide Address Translation
- C. Port Address Translation
- D. Static Destination Address Translation
Answer : D
Your perimeter Security Gateways external IP is 200.200.200.3. Your network diagram shows:
Required: Allow only network 192.168.10.0 and 192.168.20.0 to go out to the Internet, using 200.200.200.5.
The local network 192.168.1.0/24 needs to use 200.200.200.3 to go out to the Internet.
Assuming you enable all the settings in the NAT page of Global Properties, how could you achieve these requirements?
- A. Create network objects for 192.168.10.0/24 and 192.168.20.0/24. Enable Hide NAT on both network objects, using 200.200.200.5 as hiding IP address. Add an ARP entry for 200.200.200.3 for the MAC address of 200.200.200.5.
- B. Create an Address Range object, starting from 192.168.10.1 to 192.168.20.254. Enable Hide NAT on the NAT page of the address range object. Enter Hiding IP address 200.200.200.5. Add an ARP entry for 200.200.200.5 for the MAC address of 200.200.200.3.
- C. Create a network object 192.168.0.0/16. Enable Hide NAT on the NAT page. Enter 200.200.200.5 as the hiding IP address. Add an ARP entry for 200.200.200.5 for the MAC address of 200.200.200.3.
- D. Create two network objects: 192.168.10.0/24 and 192.168.20.0/24. Add the two network objects to a group object. Create a manual NAT rule like the following: Original source - group object; Destination - any; Service - any; Translated source - 200.200.200.5; Destination - original; Service - original.
Answer : B
You want to implement Static Destination NAT in order to provide external, Internet users access to an internal Web Server that has a reserved (RFC 1918) IP address. You have an unused valid IP address on the network between your Security Gateway and ISP router.
You control the router that sits between the firewall external interface and the Internet.
What is an alternative configuration if proxy ARP cannot be used on your Security
Gateway?
A. Publish a proxy ARP entry on the ISP router instead of the firewall for the valid IP address.
B. Place a static ARP entry on the ISP router for the valid IP address to the firewall's external address.
C. Publish a proxy ARP entry on the internal Web server instead of the firewall for the valid
IP address.
D. Place a static host route on the firewall for the valid IP address to the internal Web server.
Answer : B Topic 5, User Managment and Authentication Obj 1
Your customer, Mr. Smith needs access to other networks and should be able to use all services. Session authentication is not suitable. You select Client Authentication with
HTTP. The standard authentication port for client HTTP authentication (Port 900) is already in use. You want to use Port 9001 but are having connectivity problems. Why are you having problems?
- A. The configuration file $FWDIR/conf/fwauthd.conf is incorrect.
- B. The Security Policy is not correct.
- C. You can't use any port other than the standard port 900 for Client Authentication via HTTP.
- D. The service FW_clntauth_http configuration is incorrect.
Answer : A
Security Gateway R77 supports User Authentication for which of the following services?
Select the response below that contains the MOST correct list of supported services.
- A. SMTP, FTP, TELNET
- B. SMTP, FTP, HTTP, TELNET
- C. FTP, HTTP, TELNET
- D. FTP, TELNET
Answer : C
Which Security Gateway R77 configuration setting forces the Client Authentication authorization time-out to refresh, each time a new user is authenticated? The:
- A. Time properties, adjusted on the user objects for each user, in the Client Authentication rule Source.
- B. IPS > Application Intelligence > Client Authentication > Refresh User Timeout option enabled.
- C. Refreshable Timeout setting, in Client Authentication Action Properties > Limits.
- D. Global Properties > Authentication parameters, adjusted to allow for Regular Client Refreshment.
Answer : C
As a Security Administrator, you must refresh the Client Authentication authorization time- out every time a new user connection is authorized. How do you do this? Enable the
Refreshable Timeout setting:
- A. in the user object's Authentication screen.
- B. in the Gateway object's Authentication screen.
- C. in the Limit tab of the Client Authentication Action Properties screen.
- D. in the Global Properties Authentication screen.
Answer : C
You are about to integrate RSA SecurID users into the Check Point infrastructure. What kind of users are to be defined via SmartDashboard?
- A. A group with generic user
- B. All users
- C. LDAP Account Unit Group
- D. Internal user Group
Answer : A
Which of the following are authentication methods that Security Gateway R77 uses to validate connection attempts? Select the response below that includes the MOST complete list of valid authentication methods.
- A. Proxied, User, Dynamic, Session
- B. Connection, User, Client
- C. User, Client, Session
- D. User, Proxied, Session
Answer : C
The technical-support department has a requirement to access an intranet server. When configuring a User Authentication rule to achieve this, which of the following should you remember?
- A. You can only use the rule for Telnet, FTP, SMTP, and rlogin services.
- B. The Security Gateway first checks if there is any rule that does not require authentication for this type of connection before invoking the Authentication Security Server.
- C. Once a user is first authenticated, the user will not be prompted for authentication again until logging out.
- D. You can limit the authentication attempts in the User Properties’ Authentication tab.
Answer : B
You cannot use SmartDashboards User Directory features to connect to the LDAP server.
What should you investigate?
1) Verify you have read-only permissions as administrator for the operating system.
2) Verify there are no restrictions blocking SmartDashboard's User Manager from connecting to the LDAP server.
3) Check that the login Distinguished Name configured has root permission (or at least write permission Administrative access) in the LDAP Server's access control configuration.
- A. 1, 2, and 3
- B. 2 and 3
- C. 1 and 2
- D. 1 and 3
Answer : B
Charles requests a Website while using a computer not in the net_singapore network.
What is TRUE about his location restriction?
- A. Source setting in Source column always takes precedence.
- B. Source setting in User Properties always takes precedence.
- C. As location restrictions add up, he would be allowed from net_singapore and net_sydney.
- D. It depends on how the User Auth object is configured; whether User Properties or Source Restriction takes precedence.
Answer : D
In the Rule Base displayed, user authentication in Rule 4 is configured as fully automatic.
Eric is a member of the LDAP group, MSD_Group.
What happens when Eric tries to connect to a server on the Internet?
- A. None of these things will happen.
- B. Eric will be authenticated and get access to the requested server.
- C. Eric will be blocked because LDAP is not allowed in the Rule Base.
- D. Eric will be dropped by the Stealth Rule.
Answer : D