CheckPoint 156-310 Certification Material Provider, Best CheckPoint 156-310 Exam Preparation Materials UP To 50% Off

Flydumps has timely updated the CheckPoint 156-310 exam questions.With all the new questions and answers, you will pass the CheckPoint 156-310 exam easily. If you want to get more CheckPoint 156-310 exam dumps, you can free download the new version VCE test engine from Flydumps.All CheckPoint 156-310 dumps are new updated and cover all aspect of the examination.

QUESTION 55
A digital signature:
A. Automatically changes shared keys.
B. Uniquely encodes the receiver of the key.
C. Provides a secure key-exchange mechanism over the Internet.
D. Guarantees the authenticity of a message.
E. Decrypts data to its original form.

Correct Answer: D
QUESTION 56
Dr bill is a Security Administrator who must define a new user for SecuRemote access to his VPN-1/ FireWall-1 VPN Domain. Dr bill has an established Remote Access VPN community for existing SecuRemote users. Dr bill creates a new user and populates the Login Name field. He then saves and installs the Security Policy. When Dr bill attempts a SecuRemote connection using the newly created user, the connection fails. Which of the following is the BEST explanation for the failure?
A. The VPN-1/Firewall-1 Enforcement Module does not have a valid license for the new SecuRemote user.
B. Dr bill did not configure Time properties for the new user. New users are restricted to No Time.
C. Dr bill did not define an authentication method or generate a certificate for the new user.
D. The new user was not placed in a group. The All Users group cannot be used for SecuRemote access.
E. Dr bill did not configure the user’s locations. The Any location is not a valid option for SecuRemote users.

Correct Answer: C
QUESTION 57
Dr bill wants to configure a custom script to launch an application for certain rules. Which of the following should Dr bill configure?
A. SNMP Trap Alert Script
B. Custom scripts cannot be executed through Alert Scripts.
C. Mail Alert Script
D. User-Defined Alert Script
E. Popup Alert Script

Correct Answer: D
QUESTION 58
Assume an intruder has succeeded in compromising your current IKE Phase 1 and Phase 2 keys. Which of the following will end the intruder’s access after the next Phase 2 exchange occurs?
A. DES Key Reset
B. MD5 Hash Completion
C. SHA1 Hash Completion
D. Phase 3 Key Revocation
E. Perfect Forward Secrecy

Correct Answer: E
QUESTION 59
To enable session tracking, you must do which of the following? (Choose two)
A. Create the path a packet takes after it leaves an Enforcement Module.
B. Define which parameters of an alert are established.
C. Define which parameters of a log are established.
D. Create the path a packet takes between an enterprise Enforcement Module and the perimeter router.
E. Create the path a packet has taken before reaching an Enforcement Module.
Correct Answer: BC
QUESTION 60
Exhibit: Dr bill wants to reduce encryption overhead for his meshed VPN Community, without compromising security. Which of the following helps Dr bill accomplish his goal?

A. Check the box Support Site to Site IP compression.
B. Check the box User aggressive mode.
C. Change the setting Use Diffie-Hellman group: to “Group 5 (1536 bit)”.
D. Check the box Use Perfect Forward Secrecy.
E. Reduce the setting Renegotiate IKE security associations every to “720”.

Correct Answer: B
QUESTION 61
You are logging into a Policy Server in orderto update or download a new Desktop Policy. Which of the following initiates an Explicit login?
A. SecureClient
B. Remote Client Manager
C. Session Authentication Agent
D. Policy Server
E. LDAP Server
Correct Answer: A QUESTION 62
Which of the following FTP Content Security settings prevents internal users from retrieving files from an external FTP Server, while allowing users to send files?
A. Block FTP_PASV.
B. Use an FTP resource, and enable the GET and PUT methods.
C. Use an FTP resource and enable the GET method.
D. Use an FTP resource and enable the PUT method.
E. Block all FTP traffic.

Correct Answer: D
QUESTION 63
If a VPN Community is included in the IF VIA field of a rule, all packets matching the rules’ criteria will be ______________, even though the rule shows Accept in the Action column.
A. user authenticated
B. encrypted
C. dropped
D. client authenticated
E. rejected

Correct Answer: B
QUESTION 64
Which of the following is configured in a rule allowing notification through SmartView Status?
A. Mail
B. Account
C. Log
D. Alert
E. SNMP Trap

Correct Answer: D
QUESTION 65
Dr bill wants to deploy SecureClient to remote users and wants to use certificate for authentication. What is the proper order to properly generate and deploy user certificates on the Internal Certificate Authority (ICA)?
1.
Securely distribute the certificate.

2.
Create the user.

3.
Require the user to change the password protecting the certificate.

4.
Generate the user certificate.
A. 4, 1, 3, 2
B. 2, 3, 4, 1
C. 3, 4, 2, 1
D. 2, 4, 1, 3
E. 1, 3, 4, 2
Correct Answer: D
QUESTION 66
Which of the following statements about Hybrid IKE are FALSE? (Choose two)
A. The final packet size is increased after it is encrypted.
B. Only pre-shared secrets or certificates may be used.
C. SecureClient and Hybrid IKE are incompatible.
D. TCP/IP headers are encrypted along with the payload.
E. Any authentication mechanism supported by VPN-1/FireWall-1 is supported.

Correct Answer: BC
QUESTION 67
VPN-1/FireWall-1 allows a Security Administrator to define four types of Certificate Authorities. Which of the following is NOT a type of Certificate Authority that can be defined in VPN-1/FirwWall-1?
A. OPSEC PKI
B. External SmartCenter Server
C. Entrust PKI
D. VPN-1 Certificate Manager
E. Caching Only Certificate Manager

Correct Answer: E
QUESTION 68
Dr bill is a Security Administrator assisting a SecuRemote user who must switch from using a pre-shared secret, to using certificates for access to the VPN domain. The user is physically located on a different continent then Dr bill. Until the user has her certificate, she cannot access the resources she needs to perform her duties. Which of the following options is the BEST method for Dr bill to deliver the certificate to the user?
A. Initiate the user’s certificate, and send the user the registration key. Allow the user to complete the registration process.
B. Generate the certificate and save it to a floppy disk. Mail the floppy disk to the user’s location.
C. The user should mail her laptop to Dr bill. Dr bill needs physical to the SecuRemote machine to load the certificate.
D. Dr bill must delete the user’s account and create a new account. It is not possible to change encryption settings on existing users.
E. Generate the certificate, and place it on FTP Server in the VPN Domain. Ask the user to fetch the certificate.
Correct Answer: E
QUESTION 69
The Internal Certificate Authority (ICA) is installed on which of the following?
A. SmartCenter Server
B. Policy Server
C. Enterprise Log Module
D. SmartConsole
E. Enforcement Module
Correct Answer: A
QUESTION 70
Exhibit Dr bill is adjusting the Global Properties > Remote Access > VPN – Advanced settings in SmartDashboard. Which of Dr bill’s VPN Communities will be affected by these changes?

A. All mesh VPN Communities
B. MyIntranet only
C. RemoteAccess only
D. All VPN Communities, regardless of type
E. All star VPN Communities

Correct Answer: C
QUESTION 71
How many certificates can one entity have from a single Certificate Authority?
A. Two
B. One
C. Four
D. Five
E. Three
Correct Answer: B QUESTION 72
Which of the following statements correctly describes a difference between pre-shared secrets and certificates, as implemented in gateway-to-gateway encryption in VPN-1/FireWall-1?
A. A pre-shared secret is an attribute of a single entity, but a certificate is an attribute of a pair of entities.
B. A pre-shared secret is an attribute of a pair of entities, but a certificate is an attribute of a single entity.
C. Both a pre-shared secret and a certificate are attributes of a pair of entities.
D. Both a pre-shared secret and certificate are attributes of a single entity.
E. None of the above.

Correct Answer: B
QUESTION 73
Dr Bill is assisting a SecureClient user who is not able to access resources in the VPN Domain. Which of the following is NOT a possible cause for the user’s inability to access resources?
A. A key-exchange protocol is initiated with the VPN-1/FireWall-1 Enforcement Module. The user’s ISP may be blocBill the protocol.
B. SecureClient holds the first packet without transmitting it. If the user’s Internet connection is very slow, the connection may be timed out.
C. SecureClient challenges users for authentication. The user may be supplying an incorrect user name or password.
D. The VPN-1/FireWall-1 Enforcement Module pushes topology information to the SecureClient. If the user’s is behind a NAT device, the Enforcement Module cannot push the topology.
E. SecureClient examines the packet, to determine the responsible Enforcement Module. The user may have supplied incorrect information about the Enforcement Module.
Correct Answer: E
QUESTION 74
In the following graphic, the remote SecureClient machine does not have an installed Desktop Policy.

The SecureClient User tries to connect to a host in Rome’s VPN Domain. Because Romeis a Policy Server:
A. It will initiate Explicit Logon only, before it allows a connection to its VPN Domain.
B. It will initiate Explicit Logon an attempt to install a Desktop Policy on the SecureClient machine, before it allows a connection to its VPN Domain.
C. The SecureClient user will not be allowed to connect to a host in Rome’s VPN Domain.
D. It will initiate Implicit Logon and attempt to install a Desktop Policy on the SecureClient machine, before it allows a connection to its VPN Domain.
E. It will initiate Implicit Logon only, before it allows a connection to its VPN Domain.

Correct Answer: D
QUESTION 75
Dr bill is a Security Administrator for a financial firm with very strict policies for remote access. Preventing users from modifying settings is a priority. Dr bill has selected SecureClient as his firm’s remote access solution. Dr bill is reviewing site definition solutions and attempting to decide which is appropriate for his environment. Which of the following should he choose?
A. Allow SecureClient users to connect to a trusted, third party site-distribution server and download the site.
B. Allow SecureClient users to download the site information from a VPN-1/FireWall-1 Enforcement Module.
C. Configure a SecureClient User Access Token, and allow users to attach the token to the client.
D. Establish a SecureClient connection and allow subsequent SecureClient connections to fetch site information from their peers.
E. Prepare a standard userc.C file for SecureClient users and predefine the site for them

Correct Answer: B
QUESTION 76
Which of the following Action column options is NOT available for use in a simplified mode Rule Base?
A. Drop
B. Accept
C. Reject
D. Client Auth
E. Encrypt

Correct Answer: E
QUESTION 77
Dr bill is preparing to implement remote-access VPNs, using VPN-1/FireWall-1 and SecureClient. When Dr bill selects an authentication method, it must meet the following requirements:
1.
The authentication method must support existing authentication methods, including OS passwords and
RADIUS, for ClientAuthentication.
2.
The Enforcement Module must use certificates, to authenticate itself to the client.
3.
The authentication method must be flexible, allowing other authentication solutions to be added,
including SecureID and TACACS.
Which authentication method should Dr bill choose?

A. Digital Certificates

B. Pre-shared Secrets

C. LDAP

D. Public Key Signatures

E. Hybrid Mode
Correct Answer: E
QUESTION 78
Dr bill is a security consultant. Dr bill’s client uses a 56-bit DES encryption key for its VPN-1/FireWall-1 VPNs. Dr bill informs his client that as a banking concern, the client is not using a long enough key to comply with new industry regulations. New industry regulations require a key length of no less then 120 bits. The new industry standards expressly prohibit the use of proprietary algorithms. Which of the following solutions could Dr bill suggest to his client, to help the client achieve regulatory compliance? (Choose two)
A. BlowFish
B. RC4
C. AES
D. 3DES
E. CAST

Correct Answer: CD
QUESTION 79
Arne is a Security Administrator for a small company in Oslo. He has just been informed that a new office is opening in Madrid, and he must configure each site’s Enforcement Module to encrypt all data being passed between the offices. Because Arne controls both sites, he decides to use a shared-secret key to configure an IKE VPN. Which of the following tasks does Arne NOT need to perform to configure the IKE VPN?
A. Configure the Rule Base to allow encrypted traffic between the VPN Domains.
B. Configure IKE encryption parameters for the Madrid and Oslo Enforcement Modules.
C. Establish a secure channel for the exchange of the shared secret.
D. Define VPN Domains for the Madrid and Oslo Enforcement Modules.
E. Create certificates for the Madrid and Oslo Enforcement Modules.

Correct Answer: E
QUESTION 80
A Security Administrator wants to reduce the load on Web servers located in a DMZ. The servers are configured with the same Web pages for the same domain, and with identical hardware. Which of the following is the BEST answer to help balance the load on the Web servers?
A. Round Trip
B. Round Robin
C. Server Load
D. Domain
E. Cluster

Correct Answer: C
QUESTION 81
Which of the following encryption algorithms is a symmetric-key encryption method that uses a 168-bit key?
A. CAST Cipher
B. DES
C. AES (Rijndael)
D. 3DES
E. Blowfish
Correct Answer: D
QUESTION 82
Which of the following uses the same key to decrypt as it does to encrypt?
A. Certificate-based encryption
B. Static encryption
C. Asymmetric encryption
D. Dynamic encryption
E. Symmetric encryption
Correct Answer: E QUESTION 83
You are setting up an IKE VPN between two VPN-1/FireWall-1 Enforcement Modules protecting two networks. One network is using an RFC 1918 compliant address range of 10.15.0.0. The other network is using an RFC 1918 compliant address range of 192.168.9.0. Which method of address translation would you use?
A. Dynamic Source
B. Dynamic
C. Static Source
D. None
E. Static Destination

Correct Answer: D
QUESTION 84
Dr bill is using VPN-1/FireWall-1 to provide load balancing for his Web servers. When a client initiates a session with one of Dr bill’s Web servers it must be able to retain its connection with the same server for the entire session. Which load-balancing mode is MOST appropriate for Dr bill’s environment?
A. Standby Server
B. Relay Server
C. Continuous Server
D. Active Server
E. Persistent Server
Correct Answer: E
QUESTION 85
Exhibit: Dr bill is senior Security Administrator who supervises and trains junior Security Administrators. Dr bill must explain VPN-1/FireWall-1’s Diffie-Hellman settings to the junior Security Administrator. Which of the following explanations is MOST correct?

A. Diffie-Hellman key settings are in the Advanced Properties for a reason. Incorrect Diffie-Hellman key settings can stop and Enforcement Module from passing any traffic at all. Incorrect Diffie-Hellman key settings usually require a complete reinstallation.
B. Diffie-Hellman groups exist for backward compatibility. When establishing VPN tunnels between BG with Application Intelligence and older versions of VPN-1/FireWall-1, Diffie-Hellman groups allow Security Administrators to accommodate older encryption algorithms.
C. Diffie-Hellman key exchange is an encryption algorithm, which transforms clear text into ciphertext. Diffie-Hellman is vulnerable to man-in-the-middle attacks. Diffie-Hellman groups with higher numbers use stronger keys, but have no impact on performance.
D. Diffie-Hellman key exchange is a cryptographic protocol, which allows two communicators to agree on a secret key over an insecure communication channel. Diffie-Hellman groups with higher numbers use stronger keys. But have a negative impact on performance.
E. Diffie-Hellman keys are applied only when established Check Point-to-other-vendor VPNs. When creating VPN tunnels between different vendor’s software, Diffie-Hellman keys automatically negotiate IKE and IPSEC parameters.
Correct Answer: D
QUESTION 86
Which of the following conditions will cause Secure Client Verification to report that a SecureClient machine is NOT considered secured? (Choose three)
A. The local.svc file is either corrupt or miconfigured.
B. The SecureClient machine cannot contact the SmartCenter Server.
C. The user has selected Disable from the SecureClient Policy menu.
D. There are expired cookies in the machines TMP directory.
E. There is no SCV policy on the SecureClient machine.

Correct Answer: ACE
QUESTION 87
Which component of VPN-1/FireWall-1 is used for Content Security to prevent end-user access to specific URLs?
A. UFP Server
B. TACACS Server
C. URI Server
D. CVP Server
E. DEFENDER Server

Correct Answer: A
QUESTION 88
Which of the following actions does Secure Configuration Verification perform? (Choose three) Secure Configuration Verification confirms that the:
A. Desktop Policy is installed on all client interfaces.
B. TCP/IP is enabled on the desktop.
C. User name and password cached on the desktop are correct.
D. Client’s operating system has the appropriate patch level.
E. IP address of the client is correct for entrance into the VPN Domain.

Correct Answer: ABC
QUESTION 89
Dr bill is his organization’s Chief Technology Officer. He is seeking a solution to control the impact if unauthorized software on his corporate network. Dr bill has established the following guidelines for any solution implemented:
1.
Required objective: The solution must not allow access to corporate resources if user’s virus-protection software is not current.

2.
Desired objective: The solution should be able to control protocols enabled on the user’s computers.

3.
Desired objective: The solution should prevent users snooping traffic across internal segments of the corporate network, from acquiring useful information. Dr bill’s Security Administrator proposes SecureClient with Policy Servers, internal Enforcement Modules, and Desktop policies as a solution. Based on the information, which of the following is the BEST answer?
A. The proposed solution does not meet the required objective.
B. The proposed solution meets the required objective, but does not meet the desired objectives.
C. The proposed solution meets the required objective, and only one desired objective.
D. The proposed solution meets the requires objective and both desired objectives.
Correct Answer: A
QUESTION 90
Which of the following are TRUE about SecureClient? (Choose three)
A. SecureClient cannot use Hybrid IKE for its encryption method.
B. When SecureClient and Enforcement Module exchange keys, the user will be re-authenticated if the password has been erased.
C. Before you attempt to download a Security Policy, you must first define a site in which a Policy Server is contained.
D. SecureClient syntax checking can be used to monitor userc.C file parameters. This checking is used to prevent errors causing the site to which it belongs from being deleted.
E. SecureClient supports Desktop Policies issued by a Policy Server.

Correct Answer: BDE
QUESTION 91
The Check Point SecureClient Packaging Tool allows System Administrators to: (Choose three)
A. Install a package on a client machine.
B. Create customized SecuRemote/SecureClient installation packages to distribute to users.
C. Customize the flow of end-user installation processed, before SecuRemote/SecureClient is installed.
D. Configure Secu/Remote properties for users, before installation.
E. Automatically update SecureClient installation at regular intervals.

Correct Answer: BCD
QUESTION 92
Which VPN-1/FireWall-1 Security Server can hide real user names by rewriting information in the From field, while maintaining connectivity by restoring correct addresses in the response?
A. RLOGIN
B. SMTP
C. FTP
D. TELNET
E. HTTP
Correct Answer: B
QUESTION 93
If a resource is specified in the Services field of a Rule Base, which of the following occurs?
A. Users attempting to connect to the object defined in the Destination column of the rule will be required to authenticate.
B. All packets matching the resource service will by analyzed based on resource properties.
C. All packets that match the resource will be dropped.
D. SecureClient users attempting to connect to the object defined in the Destination column of the rule will receive a new Desktop Policy from the resource.
E. All packets matching that rule are either encrypted or decrypted by the defined resource.
Correct Answer: B
QUESTION 94
Exhibit In the exhibit, SecureClient can be used inside and outside the LAN. To reach Finance.net, SecureClient users must pass through the Zulu Policy Server. When this connection is made, Zulu will attempt to load its Desktop Policy on the SecureClient remote user, and:

A. Zulu will not allow an improperly configured SecureClient machine to reach its internal VPN Domain.
B. Zulu will pass SecureClient users through the FinanceNet Servers to reach their internal VPN Domains.
C. Zulu will pass SecureClient users through the FinanceNet Servers to reach their external VPN Domains.
D. Zulu will pass SecureClient users through the Remote Enforcement Module to reach Mark.
E. Zulu will allow an improperly configured SecureClient machine to reach its internal VPN Domain, if the traffic is accepted by the Rome Enforcement Module.

Correct Answer: A
QUESTION 95
Which VPN-1/FireWall-1 Security Servers provide Content Security? (Choose three)
A. HTTP
B. NTP
C. SMTP
D. TELNET
E. FTP

Correct Answer: ACE

CCNA Exam Certification Guide is a best-of-breed CheckPoint 156-310 exam study guide that has been completely updated to focus specifically on the objectives.Senior instructor and best-selling author Wendell Odom shares preparation hints and CheckPoint 156-310 tips to help you identify areas of weakness and improve both your conceptual and hands-on knowledge.CheckPoint 156-310 Material is presented in a concise manner,focusing on increasing your understanding and retention of exam topics.