Get Instant Access to Checkpoint 156-110 Exam and 1,200+ More

Which of the following is TRUE, if you change the inspection order of implied rules?

Answers:
A. You must stop and start the Enforcement Module, before the changes can take place.
B. After the Security Policy is installed, the order in which rules are enforced changes.
C. You cannot change the inspection order of implied rules.
D. You must stop and start the SmartCenter Server, before the changes can take place.
E. Security Policy installation will fail.

Which of the following is NOT a step in the Session Authentication process?

Answers:
A. If authentication is successful, the VPN-1/FireWall-1 Enforcement Module allows connections to pass.
B. The Session Agent prompts users for an authentication password, after Phase 1 of IKE negotiations is complete.
C. Users initiate connections directly to a server.
D. The Session Agent prompts users for authenticated data, and returns the information to the Enforcement Module.
E. The VPN-1/FireWall-1 Enforcement Module intercepts connections, and connects to t he Session Agent.

With VPN-1/FireWall-1 central licensing, a license is linked to which of the following?

Answers:
A. Domain name of the SmartCenter Server.
B. IP address of the Enforcement Module.
C. IP address of the SmartCenter Server.
D. IP address of the SmartConsole
E. Domain name of the Enforcement Module.

Which of the following responses is TRUE about creating user templates? (Choose two)

Answers:
A. By default, users can authenticate 24 hours a day, 7 days a week.
B. If not specific source or destination is selected users can authenticate to any source or destination.
C. If no password options are selected, users will still be able to authenticate, by creating their passwords during login.
D. When you create new users, you must create a new template for each user.
E. If no encryption method is selected, users will only be able to authenticate when they receive their Certificate Authority.

What is the advantage of using VPN-1/FireWall-1 Password for the authentication scheme, rather than using OS Password?

Answers:
A. The OS Password authentication scheme can only be used with services available to user's local machine.
B. There is not advantage, because VPN-1/FireWall-1 Password can only be used, if a user has an operating-system account on the network.
C. The OS Password authentication scheme can only be used with users who are present on the local network protected by the Enforcement Module. No external users can be configured for OS Password authentication.
D. VPN-1/FireWall-1 Passwords can be cached on the Enforcement Module. If a user in the user database attempts a connection, that user will not be prompted to re-enter the password.
E. VPN1-/FireWall-1 Passwords can be used, even if a user does not have an operating-system account on the network.

When configuring Anti-Spoofing for VPN-1/FireWall-1 NG on the firewall interfaces, all of the following are valid address choices except:

Answers:
A. Network defined by Interface IP and Net Mask.
B. Not Defined.
C. Security Policy Installed. (correct)
D. Specific
E. None of the above.

Explanation:
When you are configuring anti-spoofing on a Checkpoint gateway you have the following 3 options: "Not Defined" that will disable anti-spoofing, "Network Defined by the Interface and Net Mask" that will calculate the topology in base of you current network and "Specific" where you can specify a range of addresses or a group of networks. "Security Policy Installed" is not a valid option.

The security administrator for the following configuration only allows members of the localnet managers group access files in BigBen (the FTP Server)

Answers:
A. Select below the rule that allows local managers to access the FTP server from any location. (correct)
B. {/skip}
C. Rule 1.
D. Rule 2.
E. Rule 3.
F. Rule 4.
G. None of these rules allow access.

Explanation:
Rule 1 is the appropriate rule in here because since we want the managers to access from any location we have the "@any" at the end of the source with an user authentication action that is the most appropriate authentication method because the local managers group wants to make FTP connections and User authentication provides advanced proxy services for FTP. It also supports HTTP, Telnet and Rlogin.

Assume that you are working on a Windows NT operating system. What is the default expiration for a Dynamic NAT connection NOT showing any UDP activity?

Answers:
A. 30 Seconds.
B. 60 Seconds.
C. 40 Seconds. (correct)
D. 600 Seconds.
E. 3000 Seconds.

Explanation:
As stated in the official checkpoint documentation, for default there is a time-out of 40 seconds for UDP activity in a dynamic connection. For the other part, the time-out for TCP connections is more than 2500 seconds by default. This could be changed through the Global Configuration at the policy editor. (See Checkpoint NG Help Online).

You have the VPN-1/Firewall-1 NG product installed. The following Rule Base order correctly implements Implicit Client Authentication fort HTTP. No. SOURCE DESTINATION SERVICE ACTION 1 All Users@localnet *Any TCP ftp User Auth 2 All Users@localnet *Any TCP http User Auth

Answers:
A. True
B. False (correct)

Explanation:
this is not implicit authentication, its explicit authentication because we are defining "TCP HTTP" and this is the explicit way to select a service inside a rule, with this, we are going to layer 7 of the OSI model, if we wanted implicit authentication we just have to go to Layer 4 of the model and select "TCP".