[2026] CheckPoint Check Point Security Administration NGX II (156-315.1)

문제1

Yoav is a Security Administrator preparing to implement a VPN solution for his multi-site organization. To comply with industry regulations, Yoav's VPN solution must meet the following requirements:
Portability: Standard
Key management: Automatic, external PKI
Session keys: Changed at configured times during a connection's lifetime Key length: No less than 128-bit Data integrity: Secure against inversion and brute-force attacks What is the most appropriate setting Yoav should choose?

A. IKE VPNs: AES encryption for IKE Phase 1, and DES encryption for Phase 2; SHA1 hash

B. IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash

C. IKE VPNs: DES encryption for IKE Phase 1, and 3DES encryption for Phase 2; MD5 hash

D. IKE VPNs: SHA1 encryption for IKE Phase 1, and MD5 encryption for Phase 2; AES hash

E. IKE VPNs: CAST encryption for IKE Phase 1, and SHA1 encryption for Phase 2; DES hash

정답: B

문제2

In a distributed VPN-1 Pro NGX environment, where is the Internal Certificate Authority (ICA) installed?

A. On the Policy Server

B. On the Smart View Monitor

C. On the primary SmartCenter Server

D. Certificate Manager Server

E. On the Security Gateway

정답: C

문제3

Your organization has many VPN-1 Edge gateways at various branch offices, to allow VPN-1 SecureClient users to access company resources. For security reasons, your organization's Security Policy requires all Internet traffic initiated behind the VPN-1 Edge gateways first be inspected by your headquarters' VPN-1 Pro Security Gateway. How do you configure VPN routing in this star VPN Community?

A. To the Internet and other targets only

B. To the center and other satellites, through the center

C. To the center; or through the center to other satellites, then to the Internet and other VPN targets

D. To the center only

정답: C

문제4

You want to upgrade a cluster with two members to VPN-1 NGX. The SmartCenter Server and both members are version VPN-1/FireWall-1 NG FP3, with the latest Hotfix. What is the correct upgrade procedure?
1. Change the version, in the General Properties of the gateway-cluster object.
2. Upgrade the SmartCenter Server, and reboot after upgrade.
3. Run cpstop on one member, while leaving the other member running. Upgrade one member at a time, and reboot after upgrade.
4. Reinstall the Security Policy.

A. 3, 2, 1, 4

B. 2, 4, 3, 1

C. 1, 2, 3, 4

D. 1, 3, 2, 4

E. 2, 3, 1, 4

정답: E

문제5

Which type of service should a Security Administrator use in a Rule Base to control access to specific shared partitions on target machines?

A. URI

B. CIFS

C. Telnet

D. HTTP

E. FTP

정답: B

문제6

What is the consequence of clearing the "Log VoIP Connection" box in Global Properties?

A. The SmartCenter Server stops importing logs from VoIP servers.

B. IP addresses are used, instead of object names, in log entries that reference VoIP Domain objects.

C. The log field setting in rules for VoIP protocols are ignored.

D. Dropped VoIP traffic is logged, but accepted VoIP traffic is not logged.

E. VoIP protocol-specific log fields are not included in SmartView Tracker entries.

정답: E

문제7

Your network traffic requires preferential treatment by other routers on the network, in addition to the QoS Module, which Check Point QoS feature should you use?

A. Weighted Fair Queuing

B. Low Latency Queuing

C. Guarantees

D. Differentiated Services

E. Limits

정답: D

문제8

Jacob is using a mesh VPN Community to create a site-to-site VPN. The VPN properties in this mesh Community display in this graphic:Which of the following statements is TRUE?

A. If Jacob changes the setting "Perform IPSec data encryption with" from "AES-128" to
"3DES", he will increase the encryption overhead.

B. If Jacob changes the setting, "Perform key exchange encryption with" from "3DES" to
"DES", he will enhance the VPN Community's security and reduce encryption overhead.

C. Jacob's VPN Community will perform IKE Phase 1 key-exchange encryption, using the longest key VPN-1 NGX supports.

D. Jacob must change the data-integrity settings for this VPN Community. MD5 is incompatible with AES.

정답: A

문제9

Which of the following actions is most likely to improve the performance of Check Point QoS?

A. Install Check Point QoS only on the external interfaces of the QoS Module.

B. Define weights in the Default Rule in multiples of 10.

C. Put the most frequently used rules at the bottom of the QoS Rule Base.

D. Turn "per rule limits" into "per connection limits".

E. Turn "per rule guarantees" into "per connection guarantees".

정답: A

문제10

Wayne configures an HTTP Security Server to work with the content vectoring protocol to screen forbidden sites. He has created a URI resource object using CVP with the following settings:
Use CVP
Allow CVP server to modify content
Return data after content is approved
He adds two rules to his Rule Base: one to inspect HTTP traffic going to known forbidden sites, the other to allow all other HTTP traffic.
Wayne sees HTTP traffic going to those problematic sites is not prohibited.
What could cause this behavior?

A. The Security Server is not configured correctly.

B. The Security Server is communicating with the CVP server, but no restriction is defined in the CVP server.

C. The Security Server is not communicating with the CVP server.

D. The Security Server Rule is after the general HTTP Accept Rule.

정답: D

문제11

If you check the box "Use Aggressive Mode", in the IKE Properties dialog box:

A. The standard three-packet IKE Phase 1 exchange is replaced by a six-packet exchange.

B. The standard six-packet IKE Phase 2 exchange is replaced by a three-packet exchange.

C. The standard three-packet IKE Phase 2 exchange is replaced by a six-packet exchange.

D. The standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange.

E. The standard six-packet IKE Phase 1 exchange is replaced by a twelve-packet exchange.

정답: D

문제12

Wayne configures an HTTP Security Server to work with the content vectoring protocol to screen forbidden sites. He has created a URI resource object using CVP with the following settings:
Use CVP
Allow CVP server to modify content
Return data after content is approved
He adds two rules to his Rule Base: one to inspect HTTP traffic going to known forbidden sites, the other to allow all other HTTP traffic.
Wayne sees HTTP traffic going to those problematic sites is not prohibited.
What could cause this behavior?

A. The Security Server is not configured correctly.

B. The Security Server is communicating with the CVP server, but no restriction is defined in the CVP server.

C. The Security Server is not communicating with the CVP server.

D. The Security Server Rule is after the general HTTP Accept Rule.

정답: D

문제13

Cody is notified by blacklist.org that his site has been reported as a spam relay, due to his SMTP Server being unprotected. Cody decides to implement an SMTP Security Server, to prevent the server from being a spam relay. Which of the following is the most efficient configuration method?

A. Configure the SMTP Security Server to allow only mail to or from names, within Cody's corporate domain.

B. Configure the SMTP Security Server to work with an OPSEC based product, for content checking.

C. Configure the SMTP Security Server to perform filtering, based on IP address and SMTP protocols.

D. Configure the SMTP Security Server to perform MX resolving.

E. Configure the SMTP Security Server to apply a generic "from" address to all outgoing mail.

정답: A

문제14

Your VPN Community includes three Security Gateways. Each Gateway has its own internal network defined as a VPN Domain. You must test the VPN-1 NGX route-based VPN feature, without stopping the VPN. What is the correct order of steps?

A. 1. Add a new interface on each Gateway.
2. Add the newly added network into the existing VPN Domain for each Gateway.
3. Create VTIs on each gateway object, to point to the other two peers.
4. Enable advanced routing on all three Gateways.

B. 1. Add a new interface on each Gateway.
2. Add the newly added network into the existing VPN Domain for each gateway object.
3. Create VTIs on each gateway object, to point to the other two peers.
4. Add static routes on three Gateways, to route the new networks to each peer's VTI interface.

C. 1. Add a new interface on each Gateway.
2. Remove the newly added network from the current VPN Domain in each gateway object.
3. Create VPN Tunnel Interfaces (VTI) on each gateway object, to point to the other two peers.
4. Add static routes on three Gateways, to route the new network to each peer's VTI interface.

D. 1. Add a new interface on each Gateway.
2. Remove the newly added network from the current VPN Domain for each Gateway.
3. Create VTIs on each Gateway, to point to the other two peers
4. Enable advanced routing on all three Gateways.

정답: C

문제15

Regarding QoS guarantees and limits, which of the following statements is FALSE?

A. If both a rule and per-connection limit are defined for a rule, the per-connection limit must not be greater than the rule limit.

B. If both a limit and guarantee per rule are defined in a QoS rule, the limit must be smaller than the guarantee.

C. A rule guarantee must not be less than the sum defined in the guarantees' sub-rules.

D. The guarantee of a sub-rule cannot be greater than the guarantee defined for the rule above it.

E. If a guarantee is defined in a sub-rule, a guarantee must be defined for the rule above it.

정답: B

CheckPoint Check Point Security Administration NGX II (156-315.1) - 156-315무료 덤프문제 풀어보기

우리와 연락하기

유용한 링크

최신 업데이트