EMT Practice Test

1. Question Content...


Question List

Question1: The "Man in the Middle" threat consists of the possibility of a third party intercepting the private keys of you and another correspondent, even though you think you're communicating directly with each other.

Question2: When you connect to a site referenced in your database SecuRemote:

Question3: You are the VPN-1/Firewall-1 administrator for a company WAN. You want all users to communicate across WAN securely. You must use an encryption scheme that does not change packet size, to allow for better network performance. You must also be able to define the Certificate Authority from your local VPN-1/Firewall-1 Management Module. Which encryption scheme do you choose?

Question4: Which of the following is NOT a method used to configure SIP?

Question5: When licensing a VPN-1/Firewall-1 Management Server, for central licensing you must provide:

Question6: Which type of encryption encapsulates the entire packet including the headers inside a packet with its own set of headers?

Question7: Which of the following levels of encryption supports a key length of between 128 and 256 bits?

Question8: Which of the following desktop policies can be modified by the Secure Client user?

Question9: What are the two types of HTTP Security Server authentication methods that may be used?

Question10: Exhibit

Dr Billis adjusting the Global Properties > Remote Access > VPN - Advanced settings in SmartDashboard. Which of Dr Bill's VPN Communities will be affected by these changes?

Question11: When upgrading a configuration to NG with Application Intelligence: (Choose the FALSE answer)

Question12: The encryption key for SecuRemote connections, for two phase exchange, remains valid by default for ________.

Question13: Which form of overlapping encryption domain is NOT supported by VPN-1/FW-?

Question14: Which commands would you use to stop and start Firewall1?

Question15: What is the default name for a user defined script or program?

Question16: Which phase of the IKE process uses a previously negotiated security association (SA) to encrypt and authenticate?

Question17: Which of the following statements BEST describes the difference between VPN Domains and VPN Communities?

Question18: Which command is used to export a group of users from VPN-1/Firewall?

Question19: What is NOT true about a SEP VPN?

Question20: Which of the following happens if the userc.C syntax is incorrect? (Choose all that apply)

Question21: Secure Client can use Reliable Datagram Protocol (RDP) status queries to check that the gateway is still alive. Which parameters in userc.C control this action? (Choose all that apply)

Question22: Which VPN-1/FireWall-1 Security Server does NOT perform authentication?

Question23: What is true about the Secure Client users ability to disable policy on the desktop?
(Choose all that apply)

Question24: What are the two modes for phase 1 of the ISAKMP scheme? (Choose two)

Question25: Where would you configure a pre-shared secret for the IKE scheme?

Question26: What is AMC used for?

Question27: Which of the following statements, about Hybrid Ike, are FALSE? Choose two.

Question28: What is the VPN type that is between two firewalls?

Question29: How many certificates can one entity have from a single Certificate Authority?

Question30: What is the name given to a server giving anti virus protection for transferred files?

Question31: Some VPN-1/Firewall-1 tracking options generate log entries and trigger executables. These executables take the form of:

Question32: Which encryption schemes are supported by SecuRemote? (Choose all that apply)

Question33: Exhibit

Dr Billwants to reduce encryption overhead for his meshed VPN Community, without compromising security. Which of the following helps Dr Billaccomplish his goal?

Question34: Your Manager has requested that you implement a policy that prevents users on the network from transferring confidential files out of the intranet using FTP. You also want to check for virus signatures on those files entering the intranet. You setup an FTP resource and add it to the Service field of a rule. You have only redefined the FTP resource and selected the Get option under the Match tab. Does this meet all of the requirements of your manager?

Question35: What is NOT true about in-place encryption?

Question36: When you upgrade VPN-1/FireWall-1, what components are carried over to the new version? (Choose two)

Question37: Which product is NOT under the "mobile/desktop components" section of the Checkpoint product installation menu?

Question38: When a Secure Client user logs on the password is remembered by the daemon. How long will the password be remembered?

Question39: In the event that an unauthorized user attempts to compromise a valid SecureClient connection, the SecureClient machine can remain protected by:

Question40: There are certain general recommendations for improving the performance of Check Point VPN-1/Firewall-1, Choose all that apply.

Question41: Which of the following uses an external certificate authority in a VPN1/FW1 implementation?

Question42: Having configured a content security resource how would you use it in a rule base entry?

Question43: What is the purpose of HTML weeding when a defining a URI resource?

Question44: Which is NOT a valid policy for a Secure Client desktop?

Question45: The Internal Certificate Authority (ICA) is installed on which of the following?

Question46: For each connection that is established through a VPN-1/Firewall-1 Security Server, security administrators control specific access according to information defined in the Resource field.

Question47: Which of the following is NOT a function of the Internal Certificate Authority (ICA)?

Question48: Which is NOT a valid term used in relation to the IKE encryption scheme?

Question49: What is NOT true if you add a SecuRemote site and its encryption domain overlaps an already configured site?

Question50: Which load balancing algorithm uses pings to determine the best server to use?

Question51: You are importing a URI specification file from the Match tab on the URI Resource Properties screen. Where is the editable URI specification file stored?

Question52: Which of the following selections lists the three security components essential to guaranteeing the security of network connections?

Question53: What is the name given to a globally unique entity within an LDAP server?

Question54: When configuring an FTP resource for content security where would you specify that the security should be based on a file get or a file put command?

Question55: Which of the following levels of encryption is used by financial institutions throughout the world and other customers with special permits?

Question56: How do determine what version of firewall kernel a customer is using?

Question57: If the Persistent Server mode check box is selected in the Logical Server Properties window, which of the following is TRUE?

Question58: In which tab of an SMTP definition screen would you specify the maximum size of an email to be allowed through when using content security?

Question59: Determine the appropriate routing mode for a Voice over IP (VoIP) Domain Gateway object that supports Q.931.

Question60: Which options are NOT available on the personal tab when configuring a new user using AMC? (Choose all that apply)

Question61: Secure Client only supports Microsoft TCP stacks. True or false?

Question62: Which load balancing algorithm chooses the server closest to the client?

Question63: What is the term given to a number of VPN-1/FW-1 gateways that are synchronized together?

Question64: What is the correct protocol sequence when opening a TCP session?

Question65: Content Vectoring Protocol (CVP), by default uses which TCP? port 10101, and:

Question66: If a web user has requested a URL that contains unsuitable material it is possible, with content security, to specify a replacement URI that will warn the user. Where is that replacement URI specified?

Question67: Which of the following statements best describe the purpose of the Transparent Connection method shown below in the URI Resources Properties window?

Question68: If there is NAT in the path of a Secure Client connection it will still operate as normal.
True or false?

Question69: Which of the following statements is FALSE concerning Policy Servers?

Question70: The Solaris command to install the Enforcement Module software without using the Installation Wrapper is:

Question71: TCP services must have a rule in the Policy Editor Rule Base to be used by TCP resources.

Question72: What is NOT true about single signon?

Question73: The four policies that can be applied to a Secure Client desktop are known collectively as a what?

Question74: MD5 is the only data integrity method applicable to the FWZ scheme.
True of false?

Question75: Dr Billis his organization's Chief Technology Officer. He is seeking a solution to control the impact if unauthorized software on his corporate network. Dr Billhas established the following guidelines for any solution implemented:
Dr King's Security Administrator proposes SecureClient with Policy Servers, internal Enforcement Modules, and Desktop policies as a solution. Based on the information, which of the following is the BEST answer?

Question76: SecuRemote operates between the _______and the ______.

Question77: The IKE encryption scheme encrypts the original TCP and IP headers along with the packet data.

Question78: What is the name given to the ability of a CVP manager to sequentially use the services of several CVP servers as part of a single request from a firewall?

Question79: Ann would like to deploy H.323 with a gatekeeper and gateway on her internal network. This network is behind a VPN-1/FireWall-1 Enforcement Module. Which of the following objects is NOT required to configure VPN-1/FireWall-1 for H.323 in this scenario?

Question80: Asymmetric routing is when a return packet is not routed through the same gateway that the incoming packet came through. What can be done to overcome this in a MEP VPN?

Question81: Which operating system can NG FW1 NOT be used under? (Choose all that apply)

Question82: You are a VPN-1/FireWall-1 Security Administrator. You must discover the users who are attempting to circumvent SecureClient protection mechanisms. In which of the following logs would you MOST likely find the information you need?

Question83: The userc.C file contains information for SecuRemote and Secure Client desktops. It includes information about site topology. Under which heading would you find the topology information?

Question84: Which of the following is NOT a valid VPN configuration option available in the VPN Manager of the Simplified Rule Base?

Question85: Which CPMAD attack is defined as a SYN packet with the source IP address the same as the destination IP address?

Question86: When you select the Pre-Shared Secret check box in the IKE Properties window:

Question87: What are the disadvantages of Shared Secret Key encryption?

Question88: In VPN-1/FireWall-1, Security Administrators can define URI Resource Properties to strip which of the following from HTML? (Choose three)

Question89: In a SEP VPN when a gateway fails, a backup will take its place but all client connections will have to be remade.
True or false?

Question90: Which load balancing algorithm allocates the server based on the next physical server in the group?

Question91: What parameter in userc.C allows you to set the port for topology download?

Question92: How would you apply encryption to a rule?

Question93: Which of the following does NOT require definition for a Voice over IP (VoIP) Domain SIP object?

Question94: Which of the following is an encryption method that uses a different keys to decrypt and encrypt messages?

Question95: Respond to unauthenticated topology requests (IKE and FWI) on the Desktop Security screen in Global Properties allow backward compatibility with earlier versions of the SecuRemote /Secure Client.

Question96: If the Use Aggressive Mode check box in the IKE Properties dialogue box is enabled:

Question97: SYNDefender Gateway sends a FIN/ACK packet in immediate response to a server's SYN/ACK packet.

Question98: VPN-1/FireWall-1 allows a Security Administrator to define four types of Certificate Authorities. Which of the following is NOT a type of Certificate Authority that can be defined in VPN-1/FirwWall-1?

Question99: In the event that an unauthorized user attempts to compromise a valid Secure Client connection, the Secure Client machine can remain protected by?

Question100: Which of the following statements is FALSE?

Question101: Which of the following is a Checkpoint proprietary encryption algorithm?

Question102: The Check Point Secure Client packaging tool enables system administrators:

Question103: When a SecuRemote Client and Server key exchange occurs, the user will be re- authenticated if the password has been erased.

Question104: When configuring a URI definition what is NOT a valid URI match specification type?

Question105: What parameters are available on the SYNDefender screen of global properties to tune SYNDefender operation? (Choose all that apply)

Question106: Dr Billis a Security Administrator configuring SecuRemote as a remote-access solution for his company. Which of the following is NOT true?
Dr BillMUST:

Question107: Which of the following FTP Content Security settings prevents internal users from retrieving files from an external FTP Server, while allowing users to send files?

Question108: Which of the following statements BEST explains the difference between VPN-
1/FireWall-1 logs and alerts?
The difference between VPN-1/FireWall-1 logs and alerts is that:

Question109: What is the name given to a denial of service attack that consumes resources on a device by creating too many unacknowledged TCP sessions?

Question110: How would you configure a SEP VPN from the global properties setup screen?

Question111: When adding users to firewall, an administrator can install just the User Database without re-installing the entire Security Policy.

Question112: What is NOT true about the FWZ-1 encryption algorithm?

Question113: Which programming language cannot be used for writing user defined applications?

Question114: Exhibit

Dr Billis senior Security Administrator who supervises and trains junior Security Administrators. Dr Billmust explain VPN-1/FireWall-1's Diffie-Hellman settings to the junior Security Administrator. Which of the following explanations is MOST correct?

Question115: What is the filename of the file on a SecuRemote client that contains the topology of the site to which the client connects?

Question116: How many attack types can be monitored by CPMAD?

Question117: What does LDAP stand for?

Question118: What are valid advantages of binding a Secure Client user id to an IP address?
(Choose all that apply)

Question119: If you have modified your network configuration by removing the firewall adapters, you can reinstall these adapters by re-installing Secure Client.

Question120: When configuring match parameters for content security resources it is possible to use a wild card character to represent anything. What is that character?

Question121: A digital signature:

Question122: Which security server or service provides protection by blocking undesirable web pages?

Question123: Choose three. The Check Point SecureClient Packaging Tool allows System Administrators to:

Question124: VPN-1/Firewall-1 gateway products (other than the GUI) are supported on Windows NT Workstation.

Question125: You are logging into a Policy Server in order to update or download a new Desktop Policy. Which of the following initiates an Explicit login?

Question126: Which of the following conditions will cause Secure Client Verification to report that a SecureClient machine is NOT considered secured? (Choose three)

Question127: If a resource is specified in the Services field of a Rule Base, which of the following occurs?

Question128: Which security server or service provides protection by: hiding IP addresses from outgoing email, strips Mime attachment types, drops large messages, and perform mail filtering?

Question129: Which VPN type is used by SecuRemote?

Question130: MEP VPN's support both SecuRemote and Secure Client connections. True or false?

Question131: Which of the following is NOT covered by FW1's content security?

Question132: When using FW1 load balancing where does the logical server exist?

Question133: If you do not configure any groups during Solaris installation, ONLY the Super-User will be able to access and execute the VPN-1/Firewall-1 Module.

Question134: You must configure your firewall for Hybrid IKE Secure Client connections. Which of the following fields MUST be selected to allow backward compatibility with earlier version of the Secure Client?

Question135: SYNDefender configuration is common to all gateways and hosts. There is no way to specify SYNDefender gateway for one host and SYNDefender passive gateway for another.
True or false?

Question136: To reduce the effectiveness of traffic sniffing inside the LAN, internal users should have the _______ installed in their desktop.

Question137: Diffie-Hellman uses which type of key exchange?

Question138: Where would you configure a user defined alert command?

Question139: The Service drop-down menu in the OPSEC Definition Properties window allows you to select a service for communication with a server from the drop-down list.
The service contains the port number to watch the filer server listens. For UFP Server, the service is:

Question140: Which of the following is NOT true about a SEP VPN?

Question141: What is the name of the FW1 facility that scans the log file and alerts the system administrator that a prespecified suspicious event has occurred?

Question142: When using an "other" load balancing server type it uses NAT to convert the logical server address to a real server address. The NAT rules have to be configured manually. True or false?

Question143: Which is NOT a valid parameter in the userc.C options section?

Question144: When you first connect to a certificate authority you get a warning message because the transaction to get the CA public key cannot be authenticated. What should you do?

Question145: Dr Billis assisting a SecureClient user who is not able to access resources in the VPN Domain. Which of the following is NOT a possible cause for the user's inability to access resources?

Question146: Dr Billis a Security Administrator for a financial firm with very strict policies for remote access. Preventing users from modifying settings is a priority. Dr Billhas selected SecureClient as his firm's remote access solution. Dr Billis reviewing site definition solutions and attempting to decide which is appropriate for his environment. Which of the following should he choose?

Question147: If there are two gateways and two encryption domains which are fully overlapped, in which of the domains will the gateways belong?

Question148: How would a Secure Client user log onto the policy server? (Choose all that apply)

Question149: When SecuRemote Client and Server key exchange occurs, the user will NOT be re- authenticated even if the Password Expires After timer on the SecuRemote Server has not expired.

Question150: In a fully overlapping encryption domain with two gateways serving the domain which one will a SecuRemote client connect to?

Question151: A load balancing logical server does not really exist therefore you need to manually arrange for an ARP to be published by the firewall that can respond to an arp request for that logical server. True or false?

Question152: If you wanted to use content security on an SMTP resource which parameter can be specified on the match tab of the SMTP definition screen? (Choose all that apply)

Question153: Which encryptions schemes are supported by VPN1/FW1? (Choose all that apply)

Question154: Which encryption algorithms are supported by FWZ? (Choose all that apply)

Question155: In the following graphic, the remote Secure Client machine does not have an installed Desktop Policy. The Secure Client user tries to connect to a host in Detroit's domain. Because Detroit is a Policy Server.

Question156: Dr Billis a Security Administrator preparing to configure his VPN-1/FireWall-1 Rule Base, to accommodate Voice over IP (VoIP) traffic. Dr Billhas the information displayed below.
Does Dr Billhave enough information to configure his objects and rules?

Question157: What is the name of the Secure Client facility that can create customized installation files for distribution to users?

Question158: Dr Billwants to configure a custom script to launch an application for certain rules.
Which of the following should Dr Billconfigure?

Question159: What version of VPN1/FW1 introduced Secure Client?

Question160: Which encryption algorithm as supported by VPN1/WF1 uses a key length between
112-168 bits?

Question161: The following URL specification blocks access to the /warez/illegal.html
204.32.38.254/warez/illegal.html 1

Question162: Which of the following encryption algorithms is a symmetric-key encryption method that uses a 168-bit key?

Question163: What happens if CPMAD runs out of memory?

Question164: Where is the default SMTP error-handling server configured?

Question165: Put the following LDAP distinguished name entities in hierarchical order starting from the root.
1 - c
2 - cn
3 - o
4 - ou

Question166: What is true about proper subset encryption domains?

Question167: What is the default timeout value for SYNDefender to wait for an ACK from a client?

Question168: Which encryption algorithms are supported by IKE? (Choose all that apply)

Question169: By default where does VPN-1/Firewall-1 look for a user-defined tracking script?

Question170: Which is NOT a valid content security function under the HTML weeding category in a URI definition action tab?

Question171: If you check the "cache static passwords on the desktop" option on the desktop security tab of properties setup. What does this mean for SecuRemote users?

Question172: Secure Client adds a new pull down menu option to the SecuRemote desktop screen. What is this called?

Question173: SecuRemote requires the use of network driver interface specification (NDIS) in order to work.
True or false?

Question174: Which of the following is TRUE of the relationship between the RemoteAccess VPN Community and the Security Policy Rule Base?

Question175: Exhibit

In the exhibit, SecureClient can be used inside and outside the LAN.
To reach Finance.net, SecureClient users must pass through the Zulu Policy Server.
When this connection is made, Zulu will attempt to load its Desktop Policy on the SecureClient remote user, and:

Question176: What are the two types of login for a Secure Client user? (Choose two)

Question177: Which form of overlapping encryption domain is described as multiple gateways each having the same encryption domain?

Question178: In the following graphic, the remote SecureClient machine does not have an installed Desktop Policy.

The SecureClient User tries to connect to a host in Rome's VPN Domain. Because Rome is a Policy Server:

Question179: SYN flood attacks are used in the Denial-of-Service (Dos) attacks, or in conjunction with other exploits to block access to a server network.

Question180: Which of the following protocols open back connections on another port to that which the initial connection is made as part of the normal progression of the connection? (Choose all that apply)

Question181: When configuring an ARP entry in an windows server running a FW1. Which is the correct method?

Question182: Where would you select the load balancing server type for a group of servers?

Question183: Mark is preparing to install VPN-1/FireWall-1 and has created the installation plan below.
1. Perform the following operations below in sequential order.
2. Install the operating system.
3. Configure routing and IP forwarding.
4. Configure name resolution.
5. Patch the operating system.
6. Set $FWDIR and $CPDIR environment variables.
7. Install VPN-1/FireWall-1.
8. Patch VPN-1/FireWall-1,
Which step in Mark's installation plan is NOT necessary?

Question184: A SecureClient configuration is being verified with Secure Configuration Verification (SCV) on an Enforcement Module. Which of the following is NOT true?