Best Deal for Unlimited Exam Access
The Fastest Way to Pass Any Exam for Only $149.00

Exam Code: 156-708.70
Exam Name: Check Point Endpoint Specialist - Media Encryption(CPEPS-ME)
Certifications: View All..
Vendor: Checkpoint

58 Questions & Answers
Last update: Oct 30,19
Verified by IT Certification Professionals

Get Instant Access to 156-708.70 Exam and 1,200+ More

Unlimited Lifetime Access Package

  • Access any exam on the entire ActualTests site for life!

  • Our $149.00 Unlimited Access Package buys unlimited access to our library of downloadable PDFs for 1200+ exams.

  • You download the exam you need, and come back and download again when you need more. Your PDF is ready to read or print, and when there is an update, you can download the new version. Download one exam or all the exams - its up to you.


Actual Test Exam Engine

Upgrade your Unlimited Lifetime Access with our interactive Exam Engine! Working with the ActualTests Exam Engine is just like taking the actual tests, except we also give you the correct answers. See More >>

Total Cost: $348.00

Checkpoint 156-708.70 Exam Reviews 156-708.70 Exam Engine Features

Checkpoint 156-708.70 Exam Tips

Dr Bill is troubleshooting a VPN problem. He wants to use SmartView Tracker to determine if the key exchange is successful, and if any errors are being generated. The Global Properties Log and Alert page settings for Dr King's system uses default settings for VPN-1/FireWall-1. Will Dr Bill be able to get the information he needs from SmartView Tracker?

A. No, Dr Bill will not be able to find entries in SmarView Tracker for successful VPN key exchanges. By default, only failed VPN key exchanges and VPN configuration errors are logged.
B. No, Dr Bill will not be able to find entries in SmartView Tracker for VPN configuration and key-exchange errors. By default, only successful VPN key exchanges are logged.
C. No, Dr Bill will not be able to find entries in SmartView Tracker for VPN key exchanges or VPN configuration errors. By default, these items are set to Alert, and Alerts appear in SmartView Status.
D. Yes, Dr Bill will be able to find entries in SmartView Tracker, for successful VPN key exchanges, VPN configuration and key-exchange errors. By default, these items are logged. (correct)
E. No, Dr Bill will not be able to find entries in SmartView Tracker for VPN key exchanges or VPN configuration errors. By default, VPN key exchanges and VPN configuration errors are not logged.

Hector is a security administrator for a large, global enterprise that is preparing to implement VPN-1/Firewall-1. In the first phase of the rollout all Enforcement Modules will be installed at a central warehouse before being shipped to the final sites and final set-up. Site-specific information is not available to the warehouse installer. What are the MINIMUM elements Hector must configure to complete Enforcement Module installation?

A. Management Server IP address. (correct)
B. Certificate Authority.
C. Shared Secret Key.
D. One Time Password.
E. Security Servers.


as a minimum for the enforcement module installation, you need to have the management server IP address because its necessary to retrieve the configurations and for policy installation, the management module IP address is also necessary to establish a SIC relationship for communications. Your management server is your certification authority, you only need its IP. You don't need passwords, shared secret keys or Security server at this time.

Which of the following statements is FALSE?

A. A policy Server extends security to the desktop by allowing administrators to enforce a Security Policy on desktops both inside a LAN and connecting from the Internet this preventing authorized connections from being compromised.
B. A Policy Server must be on a firewalled machine with CP shared installed.
C. A Policy Server supports all platforms. (correct)
D. To use Policy Server in a network, you must have Policy Server from which Secure Client obtains its Desktop Policy.
E. To use Policy Server in a network, you must have Secure Client software.


This is false, the policy server itself does not support all the platforms, only the server ones, you can't run a policy server in a Windows NT Workstation or a Windows 9x. Also remember, the policy server is limited to the platform compatibility of the VPN1/FW1 modules. As checkpoint states, the NG components other than the GUI client, are not supported on client platforms. However a Policy Server supports Secure Clients running on Windows Client Platforms.

A SecureClient configuration is being verified with Secure Configuration Verification (SCV) on an Enforcement Module. Which of the following is NOT true?

A. If users log off the Policy Server or disable the Security Policy, SecureClient will indicate a Secure Configuration failure.
B. The Enforcement Module checks the identity of users on specific machines, and verifies that the machines are securely configured.
C. SCV cannot be verified on an Enforcement Module. (correct)
D. Access is denied to SecureClient machines that are accidentally or intentionally misconfigured.
E. The default SCV policy requires users to log in to the Policy Server.

p360 Check Point Mgmt II Student Manual
Secure Configuration Verification (SCV)
Secure Configuration Verification (SCV) is a mechanism that determines
whether the SecureClient machine is securely configured (clean) or not
securely configured (dirty). SCV makes sure SecureClient machines that are
attempting to VPN with the firewall are protected by the Policy Server's policy
and their security is not being compromised.
The SCV process is done with an SCV Manager component running on
the Policy Server. The SCV Manager is responsible for configuration and
maintenance of the SCV state from all SCV plug-ins
. SCV plug-ins are DLLs registered with SecureClient; they contain functions that can notify the SCV
Manager of the DLL's state. When the SCV Manager wants SCV status, it
queries all registered SCV plug-ins about the SCV state for which they are
responsible. If all SCV plug-ins indicate that the machine is securely configured,
the SCV Manager sets the general SCV state to 'securely configured'.
Otherwise, it considers the SecureClient machine to be not secure. One of the
files that carries the SCV information is local.scv; it is stored on the
SecureClient machine with its other configuration files.
Future versions of SCV will support Check Point NG and third-party SCV
plug-ins such as Open Platform for Security (OPSEC) products. Administrators
will be able to configure both the SCV plug-ins and the SCV checks.
Doing so will help the administrator customize the SCV operation and gain
more control over the SecureClient machine.
The next section discusses SecureClient, its deployment, and the Secure-
Client Packaging Tool.

Paul will be installing all of the components of VPN-1/Firewall-1 on a single machine. Company growth will require moving to a distributed environment as additional Enforcement Modules are added over the next six months. While installing, which option should Paul select to facilitate the transition six months from now?

A. Enterprise Primary Management.
B. Enterprise Security Management.
C. Enforcement Module & Primary Management. (correct)
D. Enforcement Module.


at this time, his option is to install both, the management server and the firewall module in the same machine because he will install all the firewall components in one place before the moving to the distributed environment in 6 months, so, at this time, he has to select Enforcement Module & Primary Management. In the future he should distribute the additional enforcement modules as standalone components to provide the distributed environment.

Which of the following statements is FALSE concerning Policy Servers?

A. The Policy Server extends security to the desktop, by allowing administrators to enforce Desktop Policies on clients connecting from the Internet.
B. The Policy Server may be installed on an Enforcement Module.
C. A Policy Server extends security to the desktop, by allowing administrators to enforce Desktop Security Polices on clients connecting from an internal LAN.
D. The Policy Server must be installed on the SmartCenter Server. (correct)
E. The SecureClient machine obtains the Desktop Policy from the Policy Server.

p49 CCSE Study Guide
What Is the Policy Server?
A Policy Server is a Check Point NG component that runs on a
VPN-1/FireWall-1 Module. It's called a Policy Server because it allows
an administrator to centrally manage desktop security by issuing a Desktop
policy to SecureClient machines. The Desktop policy can be enforced on
machines inside and outside a LAN, to prevent authorized connections from
being compromised. In addition to enforcing a Desktop policy, the Policy
Server adds security by authenticating and authorizing users, verifying memberships
to user groups, and verifying secure configuration of SecureClient
Figure below provides an example of how machines with SecureClient are
protected from unauthorized connections. Once the SecureClient machines
connect to the Policy Server and download a Desktop policy, connections
that are unauthorized or not allowed by the Desktop policy will be dropped.
In Figure below, as the unauthorized user tries to connect to the other machines
on the network, the SecureClient machines can block the connection. Meanwhile,
the machine without SecureClient is open to the unauthorized attack.
Now that you understand what the Check Point NG Policy Server is and
what it does, let's look further into its technical nature. We'll discuss licensing
and configuration as well as the Policy Server daemon and the files that
make it work.
Licensing the Policy Server and SecureClient
It's important to understand the licensing process for the Policy Server and
SecureClient. The SecureClient license is located on the SmartCenter Server
and is based on the number of SecureClient users you have. The Policy Server
license is located on each Policy Server and is independent of the number
of users.
All SecureClient licenses contain one Policy Server license, so additional
Policy Server licenses are necessary only when multiple Policy Servers are
deployed. This arrangement is different from the way licensing worked in
VPN-1 4.1. The NG method is more scalable for Policy Server High Availability
implementations. NG includes another new feature: The Policy Server can run
on gateway clusters.
The Policy Server can be installed on a Windows, Solaris, Linux, or IPSO
platform. Just like the VPN-1/FireWall-1 package, the Policy Server must be
installed or uninstalled in a certain order. The Policy Server must be installed
on an existing FireWall Module. When you're uninstalling the Policy Server,
it must be removed before the VPN-1/FireWall-1 package, which is removed
before the SVN Foundation package.

In the IKE properties window, you can use the Data Integrity drop-down menu to select:

A. The cryptographic checksum method to be used for ensuring data integrity. (correct)
B. The Certificate Authority to be used for ensuring data integrity.
C. The shared secret to be used for ensuring data integrity.
D. The CA checksum method to be used for ensuring data integrity.
E. The shared-secret checksum method to be used for ensuring data integrity.


This is true, from this drop menu at the properties of IKE you can select how do you want to ensure the data integrity, the integrity is one of the pillars of network security, it provides a guarantee that the information has not changed or tampered with from the source to the final destination. Integrity is usually achieved with digital signatures and algorithms. In IKE VPN's we can use two algorithms MD5 (Message Digest 5) and SHA1 (Secure Hashing Algorithm 1).

You must configure your firewall for Hybrid IKE Secure Client connections. Which of the following fields MUST be selected to allow backward compatibility with earlier version of the Secure Client?

A. Respond to Unauthenticated topology requests (IKE and PF1).
B. Cache static passwords on desktop.
C. Required policy for all desktops and Desktop if enforcing the required policy.
D. A and B.
E. A and C. (correct)


Respond to unauthenticated topology request, this future enables backwards-compatibility with early versions of Secure Client. The 'Require policy for all desktops' option allows system administrators to specify a desktop policy for VPN1/FW1 4.1 clients, the clients will obtain the desktop policy during the key exchange. The option 'Desktop is enforcing required Security Policy' enables only desktops enforcing the Security Policy in Required policy for all desktops to be considered as SCV (Securely Configured).
See Page 12.11 of CCSE NG Official Courseware. (VPN1-FW1 Management II NG FP-1)

Your Manager has requested that you implement a policy that prevents users on the network from transferring confidential files out of the intranet using FTP. You also want to check for virus signatures on those files entering the intranet. You setup an FTP resource and add it to the Service field of a rule. You have only redefined the FTP resource and selected the Get option under the Match tab. Does this meet all of the requirements of your manager?

A. Yes
B. No (correct)


this actions do not comply with all the requirements of the question because you want to analyze the FTP traffic for Virus, to achieve this functionality you need to use the CVP protocol in combination with an OPSEC certified Virus Signature Scanning application. Checkpoint NG does not provide Virus Scanning capabilities by default.

Related Certifications Included