Great study questions for Checkpoint NG CCSA
Checkpoint NG CCSA Exam
1. You are working with multiple firewalls that have extensive Rule Bases. To simplify administration tasks, which of the following would you choose to do?
a. Create Network range objects that restrict all applicable rules to only certain networks.
b. Run separate GUI clients for external and internal firewalls.
c. Eliminate all possible contradictory rules such as stealth and clean-up rules.
d. Save a different Rule Base for each remote firewall.
e. None of the above.
Answer: D
2. Consider the following network. The public servers are a web farm. Since the web servers accept and initiate connections, Dynamic translation is required.
a. True
b. False
Answer: B
3. Assume that you are working on a Windows NT operating system. What is the default expiration for a Dynamic NAT connection NOT showing any UDP activity?
a. 30 Seconds
b. 60 Seconds
c. 40 Seconds
d. 600 Seconds
e. 3000 Seconds
Answer: C
4. Assume there have been no changes made to the default policy properties. To allow a Telnet connection into your network, you must create two rules: one to allow the initial Telnet connection in, and one to allow the destination machine to send information back to the client.
a. True
b. False
Answer: B
5. In Windows NT, to force log entries to a directory other than the default directory:
a. You must use the cpconfig command.
b. Change the fwlog environment variable.
c. Modify the registry.
d. Change the directory in the Log Viewer.
e. Use the fw logswitch command.
Answer: E
6. Session Authentication provides an authentication method NOT supported by protocols that can be integrated with any application.
a. True
b. False
Answer: A
7. How do you recover communications between your Management Module and Enforcement Module if you lock yourself out via a rule or policy that is configured incorrectly?
a. cp delete all all
b. cp pause all all
c. cp stop all all
d. cp unload all all
e. cp push all all
Answer: D
8. You have set up a firewall and Management Module on one NT box and a remote module at a different location. You receive only sporadic logs from the local firewall and only control messages from the remote firewall. All rules on both firewalls are logging and you know the traffic is flowing through the firewall using these rules. All the firewall-related services are running, you are using NAT, and you receive few logs from the local firewall. What actions from the choices below would you perform to find out why you cannot see logs?
a. Make sure there is no masters file in $FWDIR/conf on the remote module.
b. Make sure there is no masters file in $FWDIR/conf on the local NT box.
c. See if you can do a fw fetch from the module.
d. Run fw logexport -t -n from the command line prompt on the remote module.
e. Use pulist.exe from the Windows NT Resource Kit.
Answer: C
9. As a firewall administrator you encounter the following error message: "Authentication for command failed". What is the most logical reason for this type of error message?
a. The Rule Base has been corrupted.
b. The kernel cannot communicate with the Management Module.
c. The administrator does not have the ability to push the policy.
d. Remote encryption keys cannot be fetched.
e. Client Authentication has failed.
Answer: B
10. Where is the external.if file located in VPN-1/FireWall-1 NG?
a. $FWDIR/conf directory
b. Database directory
c. State directory
d. Temp directory
e. Not used in VPN-1/FireWall-1 NG
Answer: E
11. Which Log Viewer mode allows you to actually see the contents of the files HTTP-ed by the corporation's Chief Executive Officer?
a. Security Log
b. Active Connections Log
c. Accounting Log
d. Administrative Log
e. None of the above
Answer: E
12. When you select the Alert radio button on the Topology tab of the Interface Properties window:
a. The action specified in the Action element of the Rule Base is taken.
b. The action specified in the Anti-Spoofing Alert field in the Global Properties window is taken.
c. The action specified in the Pop Up Alert Command in the Global Properties window is taken.
d. Both A and B
e. Both B and C
Answer: E
13. You are the firewall administrator with one Management Server managing one firewall. The System Status displays a computer icon with a '!' symbol in the status column. Which of the following is the most likely cause?
a. The destination object has been defined as external.
b. The Rule Base is unable to resolve the IP address.
c. The firewall has been halted.
d. The firewall is unprotected; no Security Policy is loaded.
e. Nothing is wrong.
Answer: D
14. You can edit VPE objects before they are actualized (translated from virtual network objects to real ones).
a. True
b. False
Answer: B
15. System administrators use Session Authentication when they want users to
a. Authenticate each time they use a supported service.
b. Authenticate all services.
c. Use only TELNET, FTP, RLOGIN, and HTTP services.
d. Authenticate once, and then be able to use any service until logging off.
e. Both B and D
Answer: B
16. Stateful Inspection is a firewall technology introduced in Check Point VPN-1/FireWall-1 software. It is designed to meet which of the following security requirements?
1- Scan information from all layers in the packet.
2- Save state information derived from previous communications, such as the outgoing PORT command of an FTP session, so that incoming data communication can be verified against it.
3- Allow state information derived from other applications access through the firewall for authorized services only, such as previously authenticated users.
4- Evaluate and manipulate flexible expressions based on communication- and application-derived state information.
a. 1,2,3
b. 1,3,4
c. 1,2,4
d. 2,3,4
e. 1,2,3,4
Answer: E
17. If the Security Policy Editor or System Status GUI is open, you can open the Log Viewer GUI from the Window menu.
a. True
b. False
Answer: A
18. NAT can NOT be configured on which of the following objects?
a. Hosts
b. Gateways
c. Networks
d. Users
e. Routers
Answer: D
19. Your customer has created a rule so that every time a user wants to go to the Internet, that user must be authenticated. Which is the best method of authentication for users who must use specific computers for Internet access?
a. Session
b. User
c. Client
d. Connection
e. None of the above.
Answer: B
20. As a firewall administrator, if you want to log packets dropped by the "implicit drop anything not covered" rule, you must explicitly define a Clean-up rule. This must be the last rule in the Rule Base.
a. True
b. False
Answer: A
21. Fully Automatic Client Authentication provides authentication for all protocols, whether supported by these protocols or not.
a. True
b. False
Answer: A
22. VPN-1/FireWall-1 NG differs from packet filtering and Application Layer Gateways, because
a. VPN-1/FireWall-1 NG provides only a minimal logging and alerting mechanism.
b. VPN-1/FireWall-1 NG uses Stateful Inspection, which allows packets to be examined at the top of the layers of the OSI model.
c. VPN-1/FireWall-1 NG has access to a limited part of the packet header only.
d. VPN-1/FireWall-1 NG requires a connection from a client to the firewall and from the firewall to a server.
e. VPN-1/FireWall-1 NG has access to packets passing through key locations in a network.
Answer: A
23. Which of the following user actions would you insert as an INTERNAL Authentication scheme?
a. The user enters the Security Dynamics passcode.
b. The user is prompted for a response from the RADIUS server.
c. The user is prompted for a response from the AXENT server.
d. The user is prompted for a response from the TACACS server.
e. The user enters an operating system account password.
Answer: E
24. When configuring Static NAT, you cannot map the routable IP address to the external IP address of the firewall; if attempted, the Security Policy installation fails with the following error: "rule X conflicts with rule Y".
a. True
b. False
Answer: A
25. The advantage of Client Authentication is that it can be used for any number of connections and for any services, but the authentication is only valid for a specified length of time.
a. True
b. False
Answer: B
26. You have set up Static NAT on a VPN-1/FireWall-1 to allow Internet traffic to an internal web server. You notice that any HTTP attempts to that machine are being dropped in the log due to rule 0. Which of the following is the most likely cause?
a. Spoofing on the internal interface is set to Network defined by Interface IP and Net Mask.
b. Spoofing on the external interface is set to Not Defined.
c. You do NOT have a rule that allows HTTP access to the internal web server.
d. You do NOT have a rule that allows HTTP from the web server to Any destination.
e. None of the above.
Answer: A
27. As a firewall administrator, you are required to create VPN-1/FireWall-1 users for authentication. When you create a user for User Authentication, the data is stored in the
a. Inspect Engine
b. Rule Base
c. Users database
d. rulebase.fws file
e. Inspect Module
Answer: C
28. If users authenticated successfully, they have matched the User and Authentication rule restrictions of the user group to which they belong.
a. True
b. False
Answer: A
29. When you disable a rule, the rule is NOT disabled until you verify your Security Policy.
a. True
b. False
Answer: B
30. Static Source NAT translates public internal source IP addresses to private external source IP addresses.
a. True
b. False
Answer: B
31. What is the command that lists the interfaces to which VPN-1/FireWall-1 is bound?
a. fw ctl iflist
b. ifconfig -a
c. ifconfig \all
d. netstat -rn
e. cp bind all
Answer: B
32. Your customer has created a rule so that every time a user wants to go to the Internet, that user must be authenticated. Which of the following is the best authentication method for roaming users, such as doctors updating patient records at various floor stations in a hospital?
a. Session
b. User
c. Client
d. Connection
e. None of the above.
Answer: B
33. Once installed, VPN-1/FireWall-1 NG resides directly below what layer of the TCP/IP stack?
a. Data
b. Transport
c. Physical
d. Application
e. Network
Answer: E
34. Client Authentication rules should be placed above the Stealth rule, so users can authenticate to the firewall.
a. True
b. False
Answer: A
35. Consider the following network. The administrator wants to hide all the local and DMZ hosts behind the gateway except the HTTP server 192.9.200.9. The HTTP server will be providing public services and must be accessible from the Internet. Select the best NAT solution below that meets these requirements.
a. Use automatic NAT that creates a Static NAT for the HTTP server.
b. To hide the private addresses, set the address translation for Private Net.
c. To hide the private addresses, set the address translation for 192.9.200.0.
d. Use automatic NAT rule creation to hide NAT Local Net and Private Net.
e. Both A and D
Answer: E
36. What NAT mode is necessary if you want to start an HTTP session on a reserved or illegal IP address?
a. Static Source
b. Static Destination
c. Dynamic Source
d. Dynamic
e. None of the above
Answer: B
37. The following Rule Base tells you that any automatically created NAT rules have simply been hidden but have not been deleted from the Rule Base.
a. True
b. False
Answer: B
38. You are using Static Destination NAT. You have VPN-1/FireWall-1 NG running on a Windows NT/Solaris platform. By default, routing occurs after the address translation when the packet is passing from the client towards the server.
a. True
b. False
Answer: B
39. Which of the following statements is FALSE?
a. Dynamic NAT cannot be used for protocols where the port number cannot be changed.
b. Dynamic NAT cannot be used when an external server must distinguish between clients based on their IP addresses.
c. With Dynamic NAT, packets' source port numbers are modified.
d. In Dynamic NAT, public internal addresses are hidden behind a single private external address, using dynamically assigned port numbers to distinguish between them.
e. Dynamically assigned port numbers are used to distinguish between hidden private addresses.
Answer: D
40. AlphaBravo Corp has 72 privately addressed internal networks. Each network is a piece of the 10-net subnetted to a class C address. AlphaBravo uses Dynamic NAT and hides all of the internal networks behind the external IP address of the firewall. The firewall administrator for AlphaBravo has noticed that policy installation takes significantly longer since adding all 72 internal networks to the address translation rule. What should the firewall administrator do to reduce the time it takes to install a policy?
a. Create an object for the entire 10-net and use that object for the translation rule instead of the individual network objects.
b. Use automatic NAT rule creation on each network object. Hide the network behind the firewall's external IP address.
c. Match packets to the state table, so packets are not dropped. Increase the size of the NAT tables.
d. Reinstall the firewall and Security Policy Editor. The policy is corrupting the firewall's binaries.
e. Increase the size of the state table. Use automatic NAT rule creation to hide the networks behind an IP address other than the firewall's external IP.
Answer: A
41. How does VPN-1/FireWall-1 NG implement Transparent Authentication?
a. Unknown users receive error messages indicating that the firewalled gateway does not know the user names on the gateway.
b. VPN-1/FireWall-1 NG prompts for user names even though the authentication data may not be recognized by the firewall's user database.
c. VPN-1/FireWall-1 NG allows connections, but hides the firewall from authenticated users.
d. Unknown users receive error messages indicating that the host does not know the user names on the server.
e. VPN-1/FireWall-1 NG does not allow connections from users who do not know the name of the firewall.
Answer: C
42. When creating a User Authentication rule, select "intersect with user database" for source and destination to allow access according to the source specified in the rules.
a. True
b. False
Answer: B
43. A connection initiated by the client in the figure below will be hidden behind the IP address of the interface through which the connection was routed on the server side of the gateway (behind either interface 2 or interface 3). Specifying 0.0.0.0 as the address is convenient because network address translation (NAT) is performed dynamically, and if the IP addresses of the gateway are changed, it is not necessary to reconfigure the NAT parameters. Which of the following is true about the following figure?
a. A connection initiated by the client will be hidden behind the IP address of the exit interface.
b. A connection initiated by the server will be hidden behind the IP address of the exit interface.
c. A connection initiated by the server will be hidden by the IP address of the client.
d. Source addresses of outbound packets from the client will be translated to 0.0.0.0.
e. Source addresses of outbound packets from the server will be translated to 0.0.0.0.
Answer: A
44. Which of the following describes the behavior of VPN-1/FireWall-1 NG?
a. Traffic not expressly prohibited is permitted.
b. Traffic not expressly permitted is prohibited.
c. TELNET, SMTP and HTTP are allowed by default.
d. Secure connections are authorized by default, unsecured connections are not.
e. All traffic is controlled by explicit rules.
Answer: B
45. New users are created from templates. What is the name of the standard template from which you would create a new user?
a. New
b. User
c. Group
d. Standard User
e. Default
Answer: E
46. In a distributed management environment, the firewall administrator has removed the default check from "Accept VPN-1/FireWall-1 control connections" under the Security Policy tab of the Properties Setup dialog box. In order for the Management Module and the firewall to communicate, you must create a rule to allow the Management Module to communicate with the firewall on port
a. 80
b. 256
c. 259
d. 900
e. 23
Answer: B
47. What is the command for installing a Security Policy from a *.W file?
a. fw gen and then the name of the .W file
b. fw load and then the name of the .W file
c. fw regen and then the name of the .W file
d. fw reload and then the directory location of the .W file
e. fw import and then the name of the .W file
Answer: B
48. Your customer has created a rule so that every time a user wants to go to the Internet, that user must be authenticated. The customer requires an authentication scheme that provides transparency for the user and granular control for the administrator. Users must also be able to log in from any location. Based on this information, which authentication scheme meets the customer's needs?
a. Session
b. User
c. Client
d. Dual
e. Reverse
Answer: B
49. Implementing Dynamic NAT would enable an internal machine behind the firewall to act as an FTP server for external clients.
a. True
b. False
Answer: B
50. The Enforcement Module (part of the VPN-1/FireWall-1 Module)
a. Examines all communications according to an Enterprise Security Policy.
b. Is installed on a host enforcement point.
c. Can provide authentication and Content Security features at the application level.
d. Is usually installed on a multi-homed machine.
e. All of the above.
Answer: E
51. Your customer has created a rule so that every time a user wants to go to the Internet, that user must be authenticated. Firewall load is a concern for the customer. Which authentication method does not result in any additional connections to the firewall?
a. Session
b. User
c. Client
d. Connection
e. None of the above
Answer: A
52. What variable is used to extend the Timeout interval in NAT to prevent a hidden UDP connection from losing its port?
a. Fwx udptodefaultextend
b. Fwxudp expdefaultextend
c. Fwd udp todefaultext
d. Fwx udp_~cout
e. Fwx udp_expiration
Answer: D
53. To hide a data field in the Log Viewer:
a. Select Hide from the Log Viewer menu.
b. Right-click anywhere in a column of the Log Viewer GUI and select Show Details.
c. Right-click anywhere in the column of the Log Viewer GUI and select Disable.
d. Right-click anywhere in the column of the Log Viewer GUI and select Hide.
e. Select Hide from the Log Viewer toolbar.
Answer: D
54. You are following the procedure to set up User Authentication for TELNET to prompt for a distinct destination. This allows the firewall to simulate a TELNET proxy. After you have defined the user on the firewall and use VPN-1/FireWall-1 Authentication, you would
a. Stop the firewall.
b. Restart the firewall.
c. Start the Policy Editor, go to Manage > Services, and edit the TELNET service.
d. Ensure that the authentication method used is enabled in the firewall object.
e. Ensure that there are no existing rules already allowing TELNET.
Answer: D
55. Omanam Enterprises has the premier reclamation system for scrap aluminum in the western hemisphere. Their phenomenal growth over the last 10 years has led to the decision to establish a presence on the Internet in order to serve their customers. To that end, Omanam Enterprises' network administrator, Jason, has acquired a web server, an email server and 14 IP addresses from their ISP. Jason also purchased a Check Point VPN-1/FireWall-1 stand-alone gateway module, with three interfaces, to protect Omanam Enterprises' corporate data. Their ISP will be providing DNS services. The web server and email server must have static routable IP addresses. The eight-member executive council of Omanam Enterprises would like to have routable IP addresses also, so that they can video-conference with the company's suppliers. Omanam Enterprises' remaining 200 employees would like to have access to the Internet, and the executive council believes that granting them access might improve company morale.
Jason installs and configures the Check Point VPN-1/FireWall-1 stand-alone gateway module at the perimeter of Omanam Enterprises' corporate LAN. He uses the third NIC in the stand-alone firewall gateway module to create a DMZ. Jason installs the web server and the email server on the DMZ. He creates rules and objects on the Check Point VPN-1/FireWall-1 stand-alone gateway module to allow HTTP, POP3 and SMTP from the Internet to the DMZ. He creates objects to represent the web and email servers and configures them for Static NAT. Jason reconfigures his DHCP server so that each of the members of the executive council has a reserved IP address. He then uses those reservations to create statically NAT-ed objects on the Check Point VPN-1/FireWall-1 stand-alone gateway module. Jason creates another object that represents the internal network and configures this object for Dynamic NAT. He adds a rule allowing HTTP traffic from the internal network to any destination. Jason creates an additional rule to allow POP3 and SMTP traffic between the internal network and the DMZ.
Choose the one phrase below that best describes Jason's proposal:
a. The proposed solution meets the required objectives and none of the desired objectives.
b. The proposed solution meets the required objectives and only one of the desired objectives.
c. The proposed solution meets the required objectives and all desired objectives.
d. The proposed solution does not meet the required objective.
Answer: C
56. Anna is a security administrator setting up User Authentication for the first time. She has correctly configured her Authentication rule, but authentication still does not work. What is the Check Point recommended way to troubleshoot this issue?
a. Verify the properties of the user attempting authentication and the authentication method selected in the Authentication properties of your firewall object.
b. Verify the firewall settings of your firewall object, and the properties for the user attempting encryption and authentication.
c. Verify the properties for the user attempting authentication and make sure that the file Stealth Authentication method is selected in the Authentication properties of both the peer gateway object and your firewall object.
d. Verify both Client and User Authentication, and the authentication method selected in the Authentication properties of your firewall object.
e. Re-import the Schema from the VPN-1/FireWall-1 NG installation CD.
Answer: A
57. You have the VPN-1/FireWall-1 NG product installed. The following Rule Base order correctly implements Implicit Client Authentication for HTTP.
a. True
b. False
Answer: B
58. What is the software package through which all Check Point products use infrastructure services?
a. cpstart/cpstop
b. Check Point Registry
c. CPD
d. Watch Dog for critical services
e. SVN Foundation
Answer: E
59. Choose the BEST response to finish this statement. A firewall:
a. Prevents unauthorized access to or from a secured network.
b. Prevents unauthorized access to or from an unsecured network.
c. Prevents authorized access to or from an Intranet.
d. Prevents authorized access to or from an Internet.
e. Prevents macro viruses from infecting the network.
Answer: A
60. In most cases, when you are building the Rule Base you should place the Stealth rule above all other rules except
a. Clean-up rules
b. Implicit rules
c. Client Authentication rules
d. Pseudo rules
e. Default rules
Answer: C
61. If you change the inspection order of any of the implied rules under the Security Policy setup, does it change the order in which the rules are enforced?
a. True
b. False
Answer: A
62. The fw fetch command allows an administrator to specify which Security Policy a remote Enforcement Module retrieves.
a. True
b. False
Answer: A
63. In the Check Point Configuration Tool, you create a GUI administrator with Read Only privileges. This allows the FireWall-1 administrator for the authorized GUI client (GUI workstation) privileges to change network objects, and create and install rules.
a. True
b. False
Answer: B
64. Hybrid Authentication allows VPN-1/FireWall-1 NG to authenticate SecuRemote/SecureClient using which of the following?
a. RADIUS
b. 3DES
c. TACACS
d. Any authentication method supported by VPN-1/FireWall-1
e. Both A and C
Answer: D
65. In order to install a new Security Policy on a remote firewall, what command must be issued on the remote firewall?
a. fw unload all all
b. fw load new
c. cp clear policy
d. None of the above; the command cp policy remove is issued from the manager.
e. None of the above; the new policy will automatically overwrite the existing policy.
Answer: E
66. Which of the following statements about Client Authentication is FALSE?
a. In contrast to User Authentication, which allows access per user, Client Authentication allows access per IP address.
b. Authentication is by user name and password, but it is the host machine (client) that is granted access.
c. Client Authentication is more secure than User Authentication, because it allows multiple users and connections from an authorized IP address or host.
d. Client Authentication enables the administrator to grant access privileges to a specific IP address after successful authentication.
Answer: C
67. When you make a rule, the rule is not enforced as part of your Security Policy.
a. True
b. False
Answer: B
68. When you modify a User Template, any users already operating under that template will be updated to the new template properties.
a. True
b. False
Answer: B
69. Installation time for creating network objects will decrease if you list machine names and IP addresses in the hosts file.
a. True
b. False
Answer: A
70. Which command utility allows verification of the Security Policy installed on a firewall module?
a. fw ctl pstat
b. fw printlic
c. fw stat
d. fw ver
e. fw pol
Answer: C
71. You are a firewall administrator with one Management Server managing 3 different Enforcement Modules. One of the Enforcement Modules does NOT show up in the dialog box when attempting to install a Security Policy. Which of the following is the most likely cause?
a. No masters file was created.
b. The license for multiple firewalls has expired.
c. The firewall has NOT been rebooted.
d. The firewall was NOT listed in the Install On column of the rule.
e. The firewall is listed as "Managed by another Management Module (external)" in the Workstation Properties dialog box.
Answer: E
72. In the Install On column of a rule, when you select a specific firewall object as the only configuration object, that rule is enforced on all firewalls within the network with related configurations.
a. True
b. False
Answer: B
73. As an administrator, you want to force your users to authenticate. You have selected Client Authentication as your authentication scheme. Users will be using a web browser to authenticate. On which TCP port will authentication be performed?
a. 23
b. 80
c. 259
d. 261
e. 900
Answer: E
74. Assume an NT system. What is the default expiration for a Dynamic NAT connection NOT showing any TCP activity?
a. 30 Seconds
b. 60 Seconds
c. 330 Seconds
d. 660 Seconds
e. 3600 Seconds
Answer: E
75. The only way to unblock BLOCKED connections is by deleting all the blocking rules from the Rule Base.
a. True
b. False
Answer: E
76. When you perform a cpfetch, what can you expect from this command?
a. The firewall retrieves the user database from the tables on the Management Module.
b. The firewall retrieves the inspection code from the remote Management Module and installs it to the kernel.
c. The Management Module retrieves the IP address of the target specified in the command.
d. The Management Module retrieves the interface information for the target specified in the command.
e. None of the above.
Answer: B
77. Each incoming UDP packet is looked up in the list of pending connections. Packets are delivered if they are
a. a request
b. a response to a request
c. source routed
d. allowed by the Rule Base
e. Both B and D
Answer: B
78. For most installations, the Clean-up rule should be the last rule in the Rule Base.
a. True
b. False
Answer: A
79. What components are necessary for VPN-1/FireWall-1 NG to scan e-mail passing through the firewall for macro viruses?
a. UFP and an OPSEC-certified scanning product.
b. CVP and an OPSEC-certified virus scanning product.
c. UFP and CVP.
d. UFP, CVP and an OPSEC-certified content filter.
e. None of the above; VPN-1/FireWall-1 NG scans for macro viruses by default.
Answer: B
80. Why would you want to verify a Security Policy before installation?
a. To install the Security Policy cleanly.
b. To check the enforcement-point firewall for errors.
c. To identify conflicting rules in your Security Policy.
d. To compress the Rule Base for faster installation.
e. There is no benefit in verifying a Security Policy before installing it.
Answer: C
81. To completely set up Static NAT, you ONLY have to select Add Automatic Address Translation rules on the NAT tab, and specify a public NAT IP address.
a. True
b. False
Answer: B
82. The fw fetch command performs the following function:
a. Attempts to fetch the policy from the Management Server
b. Fetches users from the Management Server
c. Produces an output screen of the Rule Base
d. Fetches the logs
e. Fetches the system status
Answer: A
83. Inclement weather and a UPS failure cause a firewall to reboot. Earlier that day a tornado destroyed the building where the firewall's Management Module was located. The Management Module was not recovered and has not been replaced. Based on the scenario, which of the following statements is FALSE?
a. The firewall will continue to enforce the last Rule Base installed.
b. The firewall will log locally.
c. The firewall will fetch the last installed policy from localhost and install it.
d. Communication between the firewall and the replacement Management Module must be established before the replacement Management Module can install a policy on the firewall.
e. Because the firewall cannot contact the Management Module, no policy will be installed.
Answer: E
84. When configuring Anti-Spoofing for VPN-1/FireWall-1 NG on the firewall interfaces, all of the following are valid address choices except:
a. Network defined by Interface IP and Net Mask
b. Not Defined
c. Security Policy Installed
d. Specific
e. None of the above.
Answer: C
85. Currently, the Accounting Department is FTP-ing a file to the bank. Which Log Viewer mode would show you the activity occurring at the present time?
a. Security Log
b. Active Connections Log
c. Accounting Log
d. Administrative Log
e. None of the above
Answer: B
86. In the Client Authentication Action Properties window (below), for the Required Sign On Method section, Manual is selected. This means:
a. If a connection matches the Rule Base and the service is an authenticated service, the client is signed on after a successful authentication.
b. The user must initiate the Client Authentication session to the gateway.
c. If a connection using any service matches the Rule Base, the client is authenticated.
d. If authentication is successful, access is granted from the network that initiated the connection.
e. The user must TELNET to the target server on port 259.
Answer: B
87. Changes made to the Security Policy do not take effect on the Enforcement Module until the administrator performs which of the following actions?
a. Saves the policy
b. Verifies the policy
c. Installs the policy
d. Stops firewall services on the Enforcement Module
e. Stops firewall services on the Management Module
Answer: C
88. With Blocking Scope default settings, a selected connection is terminated
a. And all further attempts to establish a connection from the same source IP address to the same destination IP address and port will be blocked.
b. But all further attempts to establish connections from this specific source IP address will be authenticated before being denied.
c. And all further attempts to establish connections to this specific destination IP address will be denied.
d. And all further attempts to establish a connection from the same source IP address to the firewall's IP address will be blocked.
e. Both A and D.
Answer: A
89. The VPN-1/FireWall-1 NG User Interface consists of which of the following elements?
a. Security Policy Editor, Visual Policy Editor and Object Tree view.
b. Management Server and VPN-1/FireWall-1 Module.
c. Visual Policy Editor, Object Tree view and Inspection Module.
d. Security Policy Server, System GUI and Module Log Viewer.
e. VPN-1/FireWall-1 Module, Inspection Module and Security Server.
Answer: A
90. As a VPN-1/FireWall-1 administrator, you have an undistributed range of IP addresses for which you want to perform address translation. You can simplify your efforts through the use of ADDRESS RANGE.
a. True
b. False
Answer: A
91. In the figure below, Localnet is an internal network with private addresses. A corresponding set of public addresses is available as follows:
Public IP addresses: 199.203.73.15-199.203.73.115
Private IP addresses: 200.0.0.100-200.0.0.200
The private addresses are translated to public addresses by specifying Address Translation in the NAT tab of Localnet's network properties window. Source addresses for the outbound packets from hosts in Localnet will be translated to 199.203.73.23 as shown in the figure below.
a. True
b. False
Answer: B
92. You are attempting to implement Client Authentication for FTP. You have the "Accept firewall control connections" option unchecked in the Policies and Properties dialog box. In the following Rule Base, which rule would prevent a user from performing Client Authentication?
a. Rule 1
b. Rule 2
c. Rule 3
d. Rule 4
Answer: A
93. Consider the following Rule Base for VPN-1/FireWall-1 NG. Assuming the default settings in Global Properties have NOT changed, ICMP would be allowed through the firewall.
a. True
b. False
Answer: B
94. Which is the correct rule in the following Rule Base?
a. Rule 2
b. Rule 1
c. Rule 3
d. Rule 4
e. None of these rules allow access
Answer: B
95. The security administrator for the following configuration only allows members of the localnet managers group to access files on BigBen (the FTP server). Select below the rule that allows local managers to access the FTP server from any location.
a. Rule 1
b. Rule 2
c. Rule 3
d. Rule 4
e. None of these rules allow access
Answer: A
96. If you configure the Minutes interval for a firewall in the User Authentication session timeout box, as shown below on the Authentication tab of the Workstation Properties window, users of one-time passwords must re-authenticate for each request during this time period.
[Picture not available]
a. True
b. False
Answer: B
97. What does a status of Untrusted tell you?
a. A VPN-1/FireWall-1 NG firewall module has been compromised.
b. A gateway cannot be reached.
c. A module is installed and responding to status checks, but the status is problematic.
d. A gateway is connected, but the Management Module is not the master of the module installed on the gateway.
e. None of the above.
Answer: D