Check Point Certified Security Master v6.1

Page:    1 / 20   
Exam contains 295 questions

Where in a fw monitor output would you see destination address translation occur in cases of inbound automatic static NAT?

  • A. Static NAT does not adjust the destination IP
  • B. Between the “i” and “I”
  • C. Between the “I” and “o”
  • D. Between the “o” and “O”


Answer : B

You are attempting to establish an FTP session between your computer and a remote server, but it is not being completed successfully. You think the issue may be due to IPS.
Viewing SmartView Tracker shows no drops. How would you confirm if the traffic is actually being dropped by the gateway?

  • A. Search the connections table for that connection.
  • B. Run a fw monitor packet capture on the gateway.
  • C. Look in SmartView Monitor for that connection to see why it’s being dropped.
  • D. Run fw ctl zdebug drop on the gateway.


Answer : D

By default, the size of the fwx_alloc table is:

  • A. 65535
  • B. 65536
  • C. 25000
  • D. 1024


Answer : C

In your SecurePlatform configuration you need to set up a manual static NAT entry. After creating the proper NAT rule what step needs to be completed?

  • A. Edit or create the file local.arp.
  • B. No further actions are required.
  • C. Edit or create the file discntd.if.
  • D. Edit the file netconf.conf.


Answer : A

The "Hide internal networks behind the Gateway's external IP" option is selected. What defines what traffic will be NATted?

  • A. The Firewall policy of the gateway
  • B. The network objects configured for the network
  • C. The VPN encryption domain of the gateway object
  • D. The topology configuration of the gateway object


Answer : D

When viewing a NAT table, what does the second hexadecimal number of the 6-tuple represent?

  • A. Source port
  • B. Protocol
  • C. Source IP
  • D. Destination port


Answer : C

Since switching your network to ISP redundancy you find that your outgoing static NAT connections are failing. You use the command _________ to debug the issue.

  • A. fwaccel stats misp
  • B. fw ctl pstat
  • C. fw ctl debug -m fw + nat drop
  • D. fw tab -t fwx_alloc -x


Answer : C

Tom is troubleshooting NAT issues using fw monitor and Wireshark. He tries to initiate a connection from the external network to a DMZ server using the public IP which the firewall translates to the actual IP of the server. He analyzes the captured packets using Wireshark and observes that the destination IP is being changed as required by the firewall but does not see the packet leave the external interface. What could be the reason?

  • A. The translation might be happening on the client side and the packet is being routed by the OS back to the external interface.
  • B. The translation might be happening on the server side and the packet is being routed by OS back to the external interface.
  • C. Packet is dropped by the firewall.
  • D. After the translation, the packet is dropped by the Anti-Spoofing Protection.


Answer : B

Remote VPN clients can initiate connections with internal hosts, but internal hosts are unable to initiate connections with the remote VPN clients, even though the policy is configured to allow it. You think that this is caused by NAT. What command can you run to see if NAT is occurring on a packet?

  • A. fw tab -t fwx_alloc -x
  • B. fw ctl pstat
  • C. fwaccel stats misp
  • D. fw ctl debug -m fw + conn drop packet xlate xltrc nat


Answer : D

Ann wants to hide FTP traffic behind the virtual IP of her cluster. Where is the relevant file table.def located to make this modification?

  • A. $FWDIR/log/table.def
  • B. $FWDIR/conf/table.def
  • C. $FWDIR/bin/table.def
  • D. $FWDIR/lib/table.def


Answer : D

Which file should be edited to modify ClusterXL VIP Hide NAT rules, and where?

  • A. $FWDIR/lib/base.def on the cluster members
  • B. $FWDIR/lib/table.def on the SMC
  • C. $FWDIR/lib/table.def on the cluster members
  • D. $FWDIR/lib/base.def on the SMC


Answer : B

While troubleshooting a DHCP relay issue, you run a fw ctl zdebug drop and see the following output:
;[cpu_1];[fw_0];fw_log_drop: Packet proto=17 10.216.14.108:67 > 172.31.2.1:67 dropped by fw_handle_first_packet Reason: fwconn_init_links (INBOUND) failed;
Where 10.216.14.108 is the IP address of the DHCP server and 172.31.2.1 is the VIP of the Cluster. What is the most likely cause of this drop?

  • A. An inbound collision due to a connections table check on pre-existing connections.
  • B. An outbound collision due to a Rule Base check, and dropped by incorrectly configuring DHCP in the firewall policy.
  • C. A link collision due to more than one NAT symbolic link being created for outgoing connections to the DHCP server.
  • D. A link collision due to more than one NAT symbolic link being created for connections returning from the DHCP server back to the VIP of the Cluster.


Answer : D

Server A is subject to automatic static NAT and also resides on a network which is subject to automatic Hide NAT. With regard to address translation, what will happen when Server A initiates outbound communication?

  • A. This will cause a policy verification error.
  • B. This is called hairpin NAT, the traffic will return to the server.
  • C. The static NAT will take precedence.
  • D. The Hide NAT will take precedence.


Answer : C

Where in a fw monitor output would you see source address translation occur in cases of automatic Hide NAT?

  • A. Between the “I” and “o”
  • B. Hide NAT does not adjust the source IP
  • C. Between the “o” and “O”
  • D. Between the “i” and “I”


Answer : C

You are trying to troubleshoot a NAT issue on your network, and you use a kernel debug to verify a connection is correctly translated to its NAT address. What flags should you use for the kernel debug?

  • A. fw ctl debug -m fw + conn drop nat vm xlate xltrc
  • B. fw ctl debug -m fw + conn drop ld
  • C. fw ctl debug -m nat + conn drop nat xlate xltrc
  • D. fw ctl debug -m nat + conn drop fw xlate xltrc


Answer : A
