156-115.77 Check Point Certified Security Master Questions and Answers

Check Point QoS

IPv6

Overlapping NAT

Route-based VPN

This is not possible CoreXL is best left to manage the Kernel to CPU core mappings. It is only when a daemon is bound to a dedicated core that CoreXL will ignore that CPU core when mapping Kernel instances to CPU cores.

fw ctl affinity -s -k 3 5

Run fwaffinity_apply –t 3 -k 5 and then check that the settings have taken affect with the command fw ctl multik stat.

Edit the file fwaffinity.conf and add the line “k3 cpuid 5”

fw tab –t connections –s

fw -i FW_INSTANCE_ID tab -t connections [flags]

fw tab –t connection | grep fw

fw tab –t connections

sim affinity -l

cat fwkern.conf

fw CTL pstat

fw ctl multik stat

Static NAT does not adjust the destination IP

Between the “i” and “I”

Between the “I” and “o”

Between the “o” and “O”

IPv6 is enabled by default.

Under WebUI go to System Management > System Configuration, turn on IPv6 Support, click apply and reboot.

Enable the IPv6 Software Blade for the gateway in Smart Dashboard.

Run the IPv6 script $FWDIR/scripts/fwipv6_enable and reboot.

An interface on the Gateway can either have IPv4 or IPv6 IP address or have both.

As of version R77, IPv6 is only supported on Security Management Server.

IPv4 will be completely disabled when IPv6 has been enabled.

An interface on the Gateway can either have IPv4 or IPv6 IP address but cannot have both.

There is no Dynamic Routing with IPv6.

Mirrored Interfaces must have IPv4 addresses.

Sync traffic must be IPv4.

IPv6 does not support a Secondary Management Server.

show ipv6-stat

show ipv6 all

show ipv6 status

show ipv6-status

Site-to-site VPN

Domain-based VPN

Route-based VPN

Remote-access VPN

The names for your peers have been reversed.

You have not issued the command “vpn write config’ command.

You have not licensed your gateways for VTIs.

All VTIs going to the same remote peer must have the same name.

WebUI

VPN shell

Security Gateway Object

vpn_route.conf

Both numbered and unnumbered

Unnumbered interfaces

Numbered interfaces

Neither numbered and unnumbered

fw ctl chain -po 1ffffe0 -o monitor.out

fw monitor -po -0x1ffffe0 -o monitor.out

fw monitor -e 0x1ffffe0 -o monitor.out

fw monitor -pr 1ffffe0 -o monitor.out

Inbound/Outbound chain

Function Pointer

Chain position

Module location

setenv TDERROR_ALL_ALL=5

fwm –d load A-GW Standard

setenv TDERROR_ALL_ALL=5

fwm –d load Standard A-GW

export TDERROR_ALL_ALL=5

fwm –d load Standard A-GW

export TDERROR_ALL_ALL=5

fwm –d load A-GW Standard

There is an active fw monitor running.

There is an environment variable of TDERROR_ALL_ALL set on the gateway.

There is an active debug on the SmartConsole.

There is an active debug on the FWM process.

Additional hmem details

General Security Gateway statistics

Additional kmem details

Additional smem details

Connections are being “forward to firewall” (“f2f”).

Connections are being “forwarded” to the accelerating engine.

Connections are accelerated (“fastpath”).

Connections have the fragment flag set.

Modify the /etc/sysctl.conf: net.ipv4.neigh.default.gc_thresh3 = 1024.

echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

arp cache table > 1024

You cannot increase the size of the ARP cache on the fly.

sysconfig

fw ctl pstat

fw ctl get int fw_frag_stats

cat /proc/cpuinfo

fw debug 0

fw debug off

fw ctl debug default

fw ctl debug 0

RDP is being blocked upstream.

You have selected IKEv2 only in Global Properties > Remote Access > VPN – Authentication and Encryption.

Remote access clients are all behind NAT devices.

Implied rule is not set to accept control connections.

Virtual Tunnel Interface (VTI) Mode can bypass firewall for all encrypted traffic

Hub Mode can be used to bypass stateful inspection

There is no such mode that can bypass firewall enforcement

Wire mode can be used to bypass stateful inspection

$FWDIR/log/ikev2.xmll

$FWDIR/log/ike.xmll

$FWDIR/log/ike.elg

$FWDIR/log/vpnd.elg

$FWDIR/conf on the Management Server

$FWDIR/scripts on the Management Server

$FWDIR/conf on the gateway

$FWDIR/scripts on the gateway

You should use vulnerability tools to perform an assessment of your environment.

Work through turning on each protection to see which signatures get alerts.

You should set all protections to “Detect”.

You should not disable any IPS protections.

It is not possible. In this case no enable IPS

Bypass Under Load. (In IPS Option on Gateway Properties)

Bypass Inspection. (In IPS Option on Gateway Properties)

Disable Inspection. (In IPS Option on Gateway Properties)

Run command fw ctl set int enable_inspect_debug  1 from the command line.

Toggle the checkbox in Global Properties > Firewalls > Inspection section.

WebUI

Set the following parameter to true using GuiDBedit: enable_inspect_debug_compilation.

fw tab –t connections –x –d “0,a128c22,89,0a158508,89,11"

fw tab –t connections –x –e "0,a128c22,00000089,0a158508,00000089,00000011"

fw tab –t connections –x –d “00000000,a128c22,00000089,0a158508,00000089,00000011"

fw tab –t connections –x –e “0,a128c22,89,0a158508,89,11"

Flush and ACK

Stateful Inspection

SYN Defender

State Synchronization

Run the command fw tab –t connections –x

In Gateway Properties > Optimizations click Clear connections table

Run the command fw tab –t conns –c

Run the command fw tab –t connections –c

Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <17, 123> }; and then push policy.

Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <17, 123> };.

Edit the relevant table.def on the Management Server and add the line no_hide_services_ports = { <123, 17> }; and then push policy.

Edit the relevant table.def on the gateway and add the line no_hide_services_ports = { <123, 17> }.

fwaccel conns

fw tab –t connections –p

fwaccel stats

fw ctl pstat

The working member will ARP for the default gateway.

The working member will look for replies to traffic sent from internal hosts.

The working member will automatically assume connectivity.

The working member will Ping IPs in the subnet until it gets a response.

fw ctl sync stop, fw ctl sync start

fw ctl setsync off, fw ctl setsync start

fw ctl setsync stop, fw ctl setsync on

fw ctl setsync off, fw ctl setsync on

show cluster

cphaprob stat

cp ha prob stat

show cluster ha status

Rule 6 will be eligible but Rule 7 will not.

All subsequent rules below Rule 5 will not be templated, regardless of the rule

No effect. Rules 6 and 7 will be eligible for templating.

The restriction on one rule does not affect later rules with regards to templates.

With the command fwaccel stat followed by the command fwaccel stats.

At the top of the Rule Base.

Using the hit count column.

Using the Compliance Software Blade.

Only when ‘Unauthenticated Guests’ is included in the access role.

Never, the inclusion of an IDA role disables SecureXL.

The inclusion of an IDA role has no bearing on whether the connection for the rule is accelerated.

Always, the inclusion of an IDA role guarantees the connection for the rule is accelerated.

fw tab –t connections –s

fw tab -t cphwd_db –s

fw tab –t connection –s | grep template

fwaccel conns