Your success in the Check Point 156-215.77 exam is our sole target, and we develop all our 156-215.77 exam braindumps in a way that facilitates the attainment of this target. Not only is our Check Point 156-215.77 study material the best you can find, it is also the most detailed and the most up to date. Practice exams for Check Point CCSA 156-215.77 are written to the highest standards of technical accuracy.
Q209. - (Topic 2)
To reduce the information given to you in SmartView Tracker, what can you do to find information about data being sent between pcosaka and pctokyo?
A. Apply a source filter by adding both endpoint IP addresses with the equal option set.
B. Use a regular expression to filter out relevant logging entries.
C. Double-click an entry representing a connection between both endpoints.
D. Press CTRL+F in order to open the find dialog, and then search the corresponding IP addresses.
Answer: A
Q210. - (Topic 3)
An internal router is sending UDP keep-alive packets that are being encapsulated with GRE and sent through your R77 Security Gateway to a partner site. A rule for GRE traffic is configured for ACCEPT/LOG. Although the keep-alive packets are being sent every minute, a search through the SmartView Tracker logs for GRE traffic only shows one entry for the whole day (early in the morning after a Policy install).
Your partner site indicates they are successfully receiving the GRE encapsulated keep-alive packets on the 1-minute interval.
If GRE encapsulation is turned off on the router, SmartView Tracker shows a log entry for the UDP keep-alive packet every minute.
Which of the following is the BEST explanation for this behavior?
A. The Log Server log unification process unifies all log entries from the Security Gateway on a specific connection into only one log entry in the SmartView Tracker. GRE traffic has a 10 minute session timeout, thus each keep-alive packet is considered part of the original logged connection at the beginning of the day.
B. The log unification process is using a LUUID (Log Unification Unique Identification) that has become corrupt. Because it is encrypted, the R75 Security Gateway cannot distinguish between GRE sessions. This is a known issue with GRE. Use IPSEC instead of the non-standard GRE protocol for encapsulation.
C. The setting Log does not capture this level of detail for GRE. Set the rule tracking action to Audit since certain types of traffic can only be tracked this way.
D. The Log Server is failing to log GRE traffic properly because it is VPN traffic. Disable all VPN configuration to the partner site to enable proper logging.
Answer: A
Q211. - (Topic 3)
You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first?
A. Manually import your partner's Access Control List.
B. Manually import your partner's Certificate Revocation List.
C. Create a new logical-server object to represent your partner's CA.
D. Exchange exported CA keys and use them to create a new server object to represent your partner's Certificate Authority (CA).
Answer: D
Q212. - (Topic 1)
An Administrator without access to SmartDashboard installed a new IPSO-based R77 Security Gateway over the weekend. He e-mailed you the SIC activation key. You want to confirm communication between the Security Gateway and the Management Server by installing the Policy. What might prevent you from installing the Policy?
A. You have not established Secure Internal Communications (SIC) between the Security Gateway and Management Server. You must initialize SIC on the Security Management Server.
B. You first need to create a new Gateway object in SmartDashboard, establish SIC via the Communication button, and define the Gateway's topology.
C. An intermediate local Security Gateway does not allow a policy install through it to the remote new Security Gateway appliance. Resolve by running the command fw unloadlocal on the local Security Gateway.
D. You first need to run the command fw unloadlocal on the R75 Security Gateway appliance in order to remove the restrictive default policy.
Answer: B
Q213. - (Topic 2)
You want to implement Static Destination NAT in order to provide external, Internet users access to an internal Web Server that has a reserved (RFC 1918) IP address. You have an unused valid IP address on the network between your Security Gateway and ISP router. You control the router that sits between the firewall external interface and the Internet.
What is an alternative configuration if proxy ARP cannot be used on your Security Gateway?
A. Publish a proxy ARP entry on the ISP router instead of the firewall for the valid IP address.
B. Publish a proxy ARP entry on the internal Web server instead of the firewall for the valid IP address.
C. Place a static host route on the firewall for the valid IP address to the internal Web server.
D. Place a static ARP entry on the ISP router for the valid IP address to the firewall's external address.
Answer: D
Q214. - (Topic 2)
Your internal network is configured to be 10.1.1.0/24. This network is behind your perimeter R77 Gateway, which connects to your ISP provider. How do you configure the Gateway to allow this network to go out to the Internet?
A. Do nothing, as long as 10.1.1.0 network has the correct default Gateway.
B. Use Hide NAT for network 10.1.1.0/24 behind the internal interface of your perimeter Gateway.
C. Use automatic Static NAT for network 10.1.1.0/24.
D. Use Hide NAT for network 10.1.1.0/24 behind the external IP address of your perimeter Gateway.
Answer: D
Q215. - (Topic 3)
Your perimeter Security Gateway’s external IP is 200.200.200.3. Your network diagram shows:
A. Required. Allow only network 192.168.10.0 and 192.168.20.0 to go out to the Internet, using 200.200.200.5.
The local network 192.168.1.0/24 needs to use 200.200.200.3 to go out to the Internet.
Assuming you enable all the settings in the NAT page of Global Properties, how could you achieve these requirements?
B. Create network objects for 192.168.10.0/24 and 192.168.20.0/24. Enable Hide NAT on both network objects, using 200.200.200.5 as hiding IP address. Add an ARP entry for 200.200.200.3 for the MAC address of 200.200.200.5.
C. Create an Address Range object, starting from 192.168.10.1 to 192.168.20.254. Enable Hide NAT on the NAT page of the address range object. Enter Hiding IP address 200.200.200.5. Add an ARP entry for 200.200.200.5 for the MAC address of 200.200.200.3.
D. Create a network object 192.168.0.0/16. Enable Hide NAT on the NAT page. Enter 200.200.200.5 as the hiding IP address. Add an ARP entry for 200.200.200.5 for the MAC address of 200.200.200.3.
Create two network objects: 192.168.10.0/24 and 192.168.20.0/24. Add the two network objects to a group object. Create a manual NAT rule like the following: Original source - group object; Destination - any; Service - any; Translated source - 200.200.200.5; Destination - original; Service - original.
Answer: B
Q216. - (Topic 1)
Which command line interface utility allows the administrator to verify the Security Policy name and timestamp currently installed on a firewall module?
A. fw stat
B. fw ctl pstat
C. fw ver
D. cpstat fwd
Answer: A