EMT Practice Test

1. Question Content...


Question List

Question1: Which Check Point QoS feature allows a Security Administrator to define special classes of service for delay-sensitive applications?

Question2: You want only RAS signals to pass through H.323 Gatekeeper and other H.323 protocols, passing directly between end points. Which routing mode in the VoIP Domain Gatekeeper do you select?

Question3: Wayne configures an HTTP Security Server to work with the content vectoring protocol to screen forbidden sites. He has created a URI resource object using CVP with the following settings:
Use CVP
Allow CVP server to modify content
Return data after content is approved
He adds two rules to his Rule Base: one to inspect HTTP traffic going to known forbidden sites, the other to allow all other HTTP traffic.
Wayne sees HTTP traffic going to those problematic sites is not prohibited.
What could cause this behavior?

Question4: Steve tries to configure Directional VPN Rule Match in the Rule Base. But the Match column does not have the option to see the Directional Match. Steve sees the following screen. What is the problem?

Question5: You configure a Check Point QoS Rule Base with two rules: an H.323 rule with a weight of
10, and the Default Rule with a weight of 10. The H.323 rule includes a per-connection guarantee of 384 Kbps, and a per-connection limit of 512 Kbps. The per-connection guarantee is for four connections, and no additional connections are allowed in the Action properties. If traffic passing through the QoS Module matches both rules, which of the following statements is true?

Question6: The following is cphaprob state command output from a ClusterXL New mode High Availability member:When member 192.168.1.2 fails over and restarts, which member will become active?

Question7: You are reviewing SmartView Tracker entries, and see a Connection Rejection on a Check Point QoS rule. What causes the Connection Rejection?

Question8: Which Security Server can perform content-security tasks, but CANNOT perform authentication tasks?

Question9: Cody is notified by blacklist.org that his site has been reported as a spam relay, due to his SMTP Server being unprotected. Cody decides to implement an SMTP Security Server, to prevent the server from being a spam relay. Which of the following is the most efficient configuration method?

Question10: Your primary SmartCenter Server is installed on a SecurePlatform Pro machine, which is also a VPN-1 Pro Gateway. You want to implement Management High Availability (HA).
You have a spare machine to configure as the secondary SmartCenter Server. How do you configure the new machine to be the standby SmartCenter Server, without making any changes to the existing primary SmartCenter Server? (Changes can include uninstalling and reinstalling.)

Question11: In a distributed VPN-1 Pro NGX environment, where is the Internal Certificate Authority (ICA) installed?

Question12: Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which of the following options will end the intruder's access, after the next Phase 2 exchange occurs?

Question13: How do you control the maximum mail messages in a spool directory?

Question14: You are running a VPN-1 NG with Application Intelligence R54 SecurePlatform VPN-1 Pro Gateway. The Gateway also serves as a Policy Server. When you run patch add cd from the NGX CD, what does this command allow you to upgrade?

Question15: How can you completely tear down a specific VPN tunnel in an intranet IKE VPN deployment?

Question16: If you check the box "Use Aggressive Mode", in the IKE Properties dialog box:

Question17: Which Security Server can perform authentication tasks, but CANNOT perform content security tasks?

Question18: The following configuration is for VPN-1 NGX:Is this configuration correct for Management High Availability (HA)?

Question19: In a Management High Availability (HA) configuration, you can configure synchronization to occur automatically, when:
1.The Security Policy is installed.
2.The Security Policy is saved.
3.The Security Administrator logs in to the secondary SmartCenter Server, and changes its status to active.
4.A scheduled event occurs.
5.The user database is installed.
Select the BEST response for the synchronization sequence. Choose one.

Question20: VPN-1 NGX supports VoIP traffic in all of the following environments, except which environment?

Question21: What is a requirement for setting up Management High Availability?

Question22: Regarding QoS guarantees and limits, which of the following statements is FALSE?

Question23: You are preparing to deploy a VPN-1 Pro Gateway for VPN-1 NGX. You have five systems to choose from for the new Gateway, and you must conform to the following requirements:
Operating-system vendor's license agreement
Check Point's license agreement
Minimum operating-system hardware specification
Minimum Gateway hardware specification
Gateway installed on a supported operating system (OS)
Which machine meets ALL of the following requirements?

Question24: A cluster contains two members, with external interfaces 172.28.108.1 and 172.28.108.2.
The internal interfaces are 10.4.8.1 and 10.4.8.2. The external cluster's IP address is
172.28.108.3, and the internal cluster's IP address is 10.4.8.3. The synchronization interfaces are 192.168.1.1 and 192.168.1.2. The Security Administrator discovers State Synchronization is not working properly. cphaprob if command output displays as follows:What is causing the State Synchronization problem?

Question25: You want to block corporate-internal-net and localnet from accessing Web sites containing inappropriate content. You are using WebTrends for URL filtering. You have disabled VPN-
1 Control connections in the Global properties. Review the diagram and the Security Policies for GW_A and GW_B in the exhibit provided.
Corporate users and localnet users receive message "Web cannot be displayed". In SmartView Tracker, you see the connections are dropped with message "content security is not reachable". What is the problem, and how do you fix it?

Question26: In a distributed VPN-1 Pro NGX environment, where is the Internal Certificate Authority (ICA) installed?

Question27: Barak is a Security Administrator for an organization that has two sites using pre-shared secrets in its VPN. The two sites are Oslo and London. Barak has just been informed that a new office is opening in Madrid, and he must enable all three sites to connect via the VPN to each other. Three Security Gateways are managed by the same SmartCenter Server, behind the Oslo Security Gateway. Barak decides to switch from pre-shared secrets to Certificates issued by the Internal Certificate Authority (ICA). After creating the Madrid gateway object with the proper VPN Domain, what are Barak's remaining steps?
1.Disable "Pre-Shared Secret" on the London and Oslo gateway objects.
2.Add the Madrid gateway object into the Oslo and London's mesh VPN Community.
3.Manually generate ICA Certificates for all three Security Gateways.
4.Configure "Traditional mode VPN configuration" in the Madrid gateway object's VPN screen.
5.Reinstall the Security Policy on all three Security Gateways.

Question28: How does a standby SmartCenter Server receive logs from all Security Gateways, when an active SmartCenter Server fails over?

Question29: What type of packet does a VPN-1 SecureClient send to its Policy Server, to report its Secure Configuration Verification status?

Question30: Which of the following commands shows full synchronization status?

Question31: Which type of service should a Security Administrator use in a Rule Base to control access to specific shared partitions on target machines?

Question32: Your network includes ClusterXL running Multicast mode on two members, as shown in this topology:Your network is expanding, and you need to add new interfaces:
10.10.10.1/24 on Member A, and 10.10.10.2/24 on Member B.
The virtual IP address for interface 10.10.10.0/24 is 10.10.10.3. What is the correct procedure to add these interfaces?

Question33: Which Check Point QoS feature marks the Type of Service (ToS) byte in the IP header?

Question34: In a Load Sharing Unicast mode scenario, the internal-cluster IP address is 10.4.8.3. The internal interfaces on two members are 10.4.8.1 and 10.4.8.2. Internal host 10.4.8.108 Pings 10.4.8.3, and receives replies. The following is the ARP table from the internal Windows host 10.4.8.108: c:> arp According to the output, which member is the Pivot?

Question35: How can you prevent delay-sensitive applications, such as video and voice traffic, from being dropped due to long queues when using a Check Point QoS solution?

Question36: You want VPN traffic to match packets from internal interfaces. You also want the traffic to exit the Security Gateway, bound for all site-to-site VPN Communities, including Remote Access Communities. How should you configure the VPN match rule?

Question37: How would you configure a rule in a Security Policy to allow SIP traffic from end point Net_A to end point Net_B, through an NGX Security Gateway?

Question38: Where can a Security Administrator adjust the unit of measurement (bps, Kbps or Bps), for Check Point QoS bandwidth?

Question39: Which OPSEC server is used to prevent users from accessing certain Web sites?

Question40: You plan to incorporate OPSEC servers, such as Websense and Trend Micro, to do content filtering. Which segment is the BEST location for these OPSEC servers, when you consider Security Server performance and data security?

Question41: Yoav is a Security Administrator preparing to implement a VPN solution for his multi-site organization. To comply with industry regulations, Yoav's VPN solution must meet the following requirements:
Portability: Standard
Key management: Automatic, external PKI
Session keys: Changed at configured times during a connection's lifetime Key length: No less than 128-bit Data integrity: Secure against inversion and brute-force attacks What is the most appropriate setting Yoav should choose?

Question42: The following rule contains an FTP resource object in the Service field:
Source: local_net
Destination: Any
Service: FTP-resource object
Action: Accept
How do you define the FTP Resource Properties > Match tab to prevent internal users from receiving corporate files from external FTP servers, while allowing users to send files?

Question43: You have two Nokia Appliances: one IP530 and one IP380. Both Appliances have IPSO
3.9 and VPN-1 Pro NGX installed in a distributed deployment. Can they be members of a gateway cluster?

Question44: The following diagram illustrates how a VPN-1 SecureClient user tries to establish a VPN with hosts in the external_net and internal_net from the Internet. How is the Security Gateway VPN Domain created?