Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
116 Cards in this Set
- Front
- Back
|
What type of organizations/infrastructures would benefit the most from using Provider-1?
|
Management Service Provider (MSPs), Data Centers, and Large Enterprises
|
|
|
What does CMA stand for?
|
Customer management Add-on
|
|
|
What does MDS stand for?
|
Multi-Domain Server
|
|
|
What are the two "types" of MDS?
|
Manager, which contains the Provider-1 system information, and a Container, which holds the CMAs
|
|
|
True/False - Can a manager and container be installed on the same system
|
True
|
|
|
What are the three databases contained on the MDS manager?
|
MDS, Global Policy, and ICA
|
|
|
True/False - if there is more than one MDS Manager in the system, each manager contains all the information regarding the provider-1 management system such as administrator hierarchy, Customer, and network data.
|
True
|
|
|
When is the MDS database synchronized between MDS managers?
|
Whenever changes are made
|
|
|
When is the Global policy database synchronized?
|
Either at configurable intervals and/or events, or synchronized manually
|
|
|
True/False - MDS manager synchronization mirrors all CMA-specific data
|
False - CMA-specific data is not mirrored by the MDS manager
|
|
|
What is the function of a MLM?
|
A Multi-Domain log Module (MLM) is an optional server that is dedicated to log collection, separating critical management activities from logging traffic.
|
|
|
True/False - A customer log module (CLM) is a log server for multiple customers.
|
False - a CLM is for a single customer
|
|
|
What four types of administrators are available at the Provider-1 level.
|
provider-1 superuser, customer superuser, global manager, customer manager
|
|
|
Summarize the permissions that the Provider-1 Superuser has.
|
- Add, edit, or delete MDSs, including manager servers, containers, HA servers, logging servers, etc.
- Enable or disable a computer's permission to access the MDG |
|
|
Summarize the permission of a Customer Superuser
|
Manage the networks of all Customers in the system. However, they cannot manage or change the MDS environment or manage Provider-1 Superusers
|
|
|
Summarize the permissions of the Global Manager administrator profiles.
|
- Access the General, Global Policies, High Availability, and Connected Administrators views
- See and manage (add, edit, and delete) the network object of their Customeres |
|
|
Summarize the permissions of the Customer Manager
|
- Can manage their assigned set of customers networks. However they cannot access the Global SmartDashboard, meaning they cannot edit Global Objects of Global Policy.
|
|
|
Do all MDS's share one Internal Certificate Authority?
|
Yes
|
|
|
Which two options are available for authenticating administrators when they log into the MDG (hint: it's the same options for SmartDashboard admins)
|
username/password or certificates (per sk40697, external RADIUS authentication is possible for SmartConsole user....imagine the same would apply to the MDG)
|
|
|
What options are available for external authentication with provider-1?
|
RADIUS, TACACS, and SecurID
|
|
|
What steps are necessary to configure external authentication for admins?
|
1. Open MDG > Administrators
2. Create a new admin 3. In the General tab, enter the same username that was created on the authentication server 4. Mark the administrator's permissions 5. On the Authentication tab, select the Authentication Scheme. If using RADIUS or TACACS, choose the appropriate server that was configured in the Global smartDashboard |
|
|
What are the additional config steps if using ACE/SecurID for external authentication?
|
a. Generate the sdconf.rec on the ACE/Server and configure the user to use Tokencode only.
b. Copy the sdconf.rec to /var/ace on the MDS c. Edit the file /etc/services and add the following lines: secured 5500/udp securid 5510/tcp d. Reboot the MDS machine |
|
|
Explain the CPMI protocol.
|
The Check Point Management Interface protocol is a generic open protocol that allows third party vendors to interoperate with Check Point management products.
|
|
|
What is the command to disable the trial period license on a CMA before the license expires?
|
cpprod_util CPPROD_SetPnPDisable 1
|
|
|
What are the conditions where a Plug-in Mismatch could occur?
|
- the Plug-in is not installed on every MDS
- The Plug-in is installed on every MDS, but not every MDS was restarted afterwards. |
|
|
What command will stop/start the MDS services on the MDS management server, but not stop the customer components if the manager is also a container?
|
mdsstart -m/mdsstop -m
|
|
|
At what level are plug-ins installed?
|
MDSs
|
|
|
What tool is used to activate and deactivate Plug-ins, review their status, and see basic info regarding the new types of objects?
|
MDG
|
|
|
Which component of provider-1 is used to manage the new Plug-ins in objects and handle the new features provided by an installed and activated Plug-in?
|
SmartDashboard for a CMA
|
|
|
What are the two views in the MDG under the "Management Plug-ins" Tab?
|
Management Plug-ins and MDS Plug-in Mismatches
|
|
|
True/False - when a Plug-in is activated for a customer, if one or more of the Customer's CMAs are running, the MDS restarts those CMAs
|
True
|
|
|
You've attempted to activate a Plug-in for a Customer, but it's only succeeded on one CMA and not the other in a mirrored pair. This causes synchronization between the mirrored CMAs to fail. What troubleshooting step should you take first to resolve this?
|
Select Reactivate all Plug-ins from the Plug-in menu
|
|
|
True/False - Once a Plug-in has been activated for a customer, and objects have been created, you can still deactivate the Plug-in without removing those objects.
|
False - all objects must be removed before the Plug-in can be deactivated.
|
|
|
What is the function of a Management Plug-in?
|
A management plug-in allows admins to manage certain features without performing a complete management upgrade.
|
|
|
True/False - Secondary CMAs can be created on the same MDS as the primary CMA.
|
False - secondary (mirrored) CMAs must reside on a different MDS than the primary CMA.
|
|
|
True/False - Customers can edit the global rules that appear in their own rulebases.
|
False - Customer admins cannot edit global rules or global objects from SmartDashboard in their rulebases.
|
|
|
How does a customer admin utilize Global dynamic objects after the Global dynamic object is created in the Global rulebase?
|
To "translate" the dynamic object, the admin creates an object in SmartDashboard with the same name, but with an IP address and other details. The customer's rulebase subs the dynamic global object with the local object from the CMA database.
|
|
|
Which part of an object's name triggers the reference replacement mechanism for global dynamic objects?
|
_global
|
|
|
True/False - like the Global Rulebase, Global IPS policy is read-alone and cannot be modified by the customer administrator
|
False - CMA administrators for each Customer can assign different policies to each gateway and modify the IPS protections in certains ways once they have been installed.
|
|
|
How would you subscribe an existing customer to global IPS services?
|
MDG > enable the "Customer Contents Mode"
Selection bar > General > Double click the customer name on the list > In the Customer Configuration window, Select the "Assign Global Policy" tab > enable the "Subscribe Customer to IPS Service" option |
|
|
True/False - As of R71, the Merge and Override IPS subscriptions are no longer supported in Provider-1
|
TRUE
|
|
|
What is the default Global Name syntax?
|
g<GATEWAY>_of_<CUSTOMER>
|
|
|
Explain Traditional VPN mode.
|
In Traditional VPN mode, a single rule, with the Encrypt rule action, deals with both access control and encryption. VPN properties are defined for gateways in the regular rule base, and rules are per pair of gateways: source and destination.
|
|
|
Define what encryption domain means.
|
refers to the hosts behind the gateway. The encryption domain can be whole network that lies behind the gateway, or just a section of that network.
|
|
|
What is the purpose of enabling a gateway for global use?
|
One CMA's gateway is not "known" to other CMAs of other customers. In order for all CMAs to "recognize" another CMA's gateway, the gateway must first be enabled for global use, which "promotes" the gateway object from the customer level to the P-1 level.
|
|
|
Where in the MDG would you go to modify the default global name template?
|
Manage > Provider-1 Properites > Global Names Format
|
|
|
In what three ways does provider-1 provide HA?
|
- Gateway level - clusterXL
- CMA level - multiple CMAs (one Active, at least one Standby) are supported, as is one Security Management backup server, per Customer. - MDS level |
|
|
True/False - Provider-1 R71 supports more than two CMAs per Customer.
|
True - In versions NGX R65 and earlier, only two CMAs are supported per customer; One active and one standby
|
|
|
True/False - MDSs may use different operating systems. All MDSs in the provider-1 environment must be running the same version of Provider-1
|
True
|
|
|
What makes an MDS "Active"?
|
- The administrator can log into SmartDashboard with Read/Write permissions from the MDS
- The MDS acts as the MDS Certificate Authority |
|
|
Describe the contents of the MDS database.
|
Holds data objects describing MDSs, Customers, CMAs, gateways, licenses, administrators, GUI-clients, and information about assignment of Global Policies to customers.
|
|
|
Describe the contents of the Global Policies database.
|
Hold the global objects (network objects, services, servers, etc) and global rules. In terms of the Global Policies database, one of the MDS Managers is Active (the first one logged into), while the rest are Standy
|
|
|
Describe the Internal Certificate Authority Database for MDSs
|
This database holds certificates for MDSs, administrators, and CRLs (certificate revocation lists)
|
|
|
True/False - a MDS Container holds a copy of the MDS ICA database.
|
FALSE - the MDS container does NOT hold a copy of the MDS ICA database.
|
|
|
Is MDS database synchronization per object?
|
yes
|
|
|
Is Global Policy synchronization per object?
|
No - the entire contents of the Global Policies database are synchronized.
|
|
|
What is the default time that synchronization statuses are updated in the MDG?
|
5 minutes
|
|
|
List the sync states from the High Availability tab in the MDG.
|
- Unknown: No info has been received about this CMA/MDS
- Never synched: This CMA/MDS has never been synced with other CMA/MDS to which the MDG is connected - Synchronized: this CMA/MDS is synchronized with the other CMA/MDS to which the MDG is connected - Lagging: the data of this CMA/MDS is less updated than the data of the other CMA/MDS to which the MDS is connected - Advanced: the data from this CMA/MDS is more updated then the other CMA/MDS to which the MDG is connected. - Collision: The data from this CMA/MDS conflicts with the data of the other CMA/MDS to which the MDG is connected. |
|
|
What CLI command enables a new MDS to become a mirror of an existing MDS?
|
mdscmd mirrorcma <-s source MDS> <-t target MDS> [-m MDS server -u user -p password]
|
|
|
What is the process to reset CMAs whose primary CMA was on a failed MDS?
|
1) Choose a CMA to be made primary. If the CMA is standby, first make it active by opening SD for it. SD will prompt you to change the CMA status to Active. Close SD
2) Promote the Customer's active CMA from secondary to primary by setting it's host MDS's environment of that CMA: promote_util 3) In the SD for the promoted CMA, locate and remove all uses of the failed CMA, and the failed CMA itself. Save the policy 4) Synchronize the Customer's CMAs manually, if necessary, and re-assign Global Policies and install policies on all gateways 5) If the promoted CMA is using an HA CMA license, replace it with a regular CMA license. |
|
|
Describe what a MLM is.
|
A Multi-Customer Log Module (MLM) is a special MDS container that hosts only CLMs, and is actually dedicated to housing logs for multiple Customers.
|
|
|
What is the name of the name of the active log file for the CLM?
|
fw.log
|
|
|
How can you start/stop a customer from the command line?
|
mdsstart_customer
mdsstop_customer |
|
|
What are the steps to configure an MDS to enable log export.
|
1) Stop the MDS processes
2) Install and configure the Oracle Client 3) Define the environment variable ORACLE_HOME according to the installation. 4) Add $ORACE_HOME/lib to the $LD_LIBRARY_PATH 5) Add $ORACLE_HOME/bin to the $PATH 6) Restart the MDS processes |
|
|
Which utility transfers (and upgrades, if necessary) the global policies from one MDS to the global policies database of another MDS.
|
migrate_global_policies
Usage: migrate_global_policies <path> migrate_global_policies /var/tmp/exported global_db.22Jul2007-124547.tgz |
|
|
What does the utility migrate_assist perform?
|
It copies all relevant files from the original source database (from a security management server or CMA) to the MDS machine. It uses FTP to transfer the original source database directories to current disk storage. This file copy is NOT encrypted. Once finished with migrate_assist, you can run cma_migrate whose input directory is the output directory of migrate_assist.
USAGE: migrate_assist <source machine name/ip> <source FWDIR folder> <username> <password> <target folder> <source CPDIR folder> |
|
|
This utility is included in the export_database utility. It searches for all CMA or security management plug-ins and merges the plug-in tables with the CMA and security management tables.
|
merge_plug-in_tables
USAGE: merge_plug-in_tables <-p conf_dir> [-s] [-h] where -p conf_dir is the path of the $FWDIR directory of the CMA/Security Management |
|
|
How would you go about hosting a CMA's IP address on a different network interface?
|
Stop the CMA, remove it's IP address definition and modifying the vip_index.conf file
|
|
|
Which file determines the leading interface for the entire MDS?
|
$MDSDIR/conf/external.if
File lists the interface name of the leading interface |
|
|
True/False - when a Plug-in is activated for a Customer, the MDS restarts that CMA.
|
True
|
|
|
Give a brief overview on Configuring a New Customer.
|
1) Start the Add Customer Wizard
2) Name the Customer and Enable QoS 3) Add Customer Details 4) Assign Global Policy 5) Assign Administrators to the Customer 6) Assign Computers on which Administrators use the MDG 7) Activate Management Plugins 8) Create the CMA 9) Add CMA License Details |
|
|
If you see a red exclamation mark in the Status column of the MDG General view, what does that mean?
|
This CMA is stopped.
|
|
|
If you see a green exclamation mark in the Status column of the MDG General view, what does that mean?
|
The CMA is started
|
|
|
If you see a purple question mark in the Status column of the MDG General view, what does that mean?
|
Unknown Status information has been received regarding the Run Status of this CMA
|
|
|
True/False - before deleting a CMA, make sure to stop it.
|
True
|
|
|
How can a Global IPS profile be differentiated from the others at the CMA level dashboard
|
Once a Profile has downloaded to a CMA, there will be a 'G' prefix at the beginning of the Profile name and 'Global' appears in the activation column of the local SmartDashboard
|
|
|
What is the name of the log file that appears in the log directory of each customer that maintains a summary of all actions taken by the Global SmartDashboard that affect the Customer?
|
gpolicy.log
|
|
|
What permissions are necessary to either assign, reassign, install, or remove global policy for Customers?
|
Provider-1 Superuser, Customer Superuser (either way you must be some sort of Superuser)
|
|
|
What are the steps to add a customer's gateway to a Global VPN community?
|
1) Each customer's gateway must be enabled for global user
2) A VPN community must be defined in global SmartDashboard, including the global gateway objects representing participating customer's gateways. 3) Lastly, a Global Policy must be assigned to participating customers' CMAs, and installed on the customer's gateway, for each gateway participating in the VPN community. |
|
|
What does the Global Properties database contain?
|
All defined global objects and rules. This database is similar to that of a CMA.
|
|
|
Where can you configure the HA properties for the Global Properties Database?
|
Policy > Global Properties > Management High Availability
|
|
|
Which two ways can the Global Policy database be synchronized?
|
When policy is saved or on a scheduled event
|
|
|
How many MDSs can be considered active at one time?
|
Only one
|
|
|
What is the max number of CMAs that can be configured for a single customer on a single MDS?
|
One
|
|
|
Does a MLM also have the MDS level components (MDS, global policy database, ICA) isntalled on it as well?
|
No - it does not
|
|
|
True/False - can MDSs be running different versions of OS?
|
True - but they must all be running the same version of Provider-1 (Multi-Domain Management)
|
|
|
Can you use a security management server as a backup to a CMA?
|
yes - you can install a security management server outside of the P-1 scope and configure it to be the standby manager for a CMA
|
|
|
True/False - GUI and Administrator definitions are separate for CMAs and for Security Management Backup server.
|
True - GUI client and Administrators that were defined on the Provider-1 server are not automatically used on the Security management backup server and vice versa.
|
|
|
How often does Check Point recommend the MDS clocks be synchronized?
|
Once a day
|
|
|
True/False - Each customer configured on the Primary MDS can have up to two CMAs.
|
True
|
|
|
Which two options exist for create a standby CMA?
|
Either configure and backup a specific CMA, or mirror an entire MDS, creating an identical file structure for each CMA loaded on a primary MDS to the Secondary or backup MDS.
|
|
|
Where would you locate the P-1 archiving scripts in the file structure of the MDS?
|
$MDSDIR/scripts - contains:
mds_backup mds_restore |
|
|
Which file would you edit if you wanted to exclude something from the mds_backup?
|
$MDSDIR/conf/mds_exclude
|
|
|
Which command is important when restoring backed-up data files?
|
mds_restore
|
|
|
What key utilities must be installed on a server before attempting to run mds_restore?
|
gzip, gunzip, gtar
|
|
|
When is it necessary to create a virtual address range when creating a secondary MDS?
|
When the secondary MDS is going to be a mirror of the primary
|
|
|
What command is used to mirror all CMAs from an active MDS to a standby MDS?
|
mdscmd mirrorcma -s MDS1 -t MS2 (use object names and not IPs)
|
|
|
True/False - the mdscmd needs to be performed while at expert
|
True
|
|
|
True/False - The $FWDIR/database directory is not copied to the MDS to migrate an existing NGX SmartCenter server into the Provider-1 environment.
|
True
|
|
|
To assign a Global IPS Policy to a Customer that preserves the Customer Administrator's previous changes, but updates any other fields with the latest global settings, which mode would you use?
|
Merge (Bonus: What are the other options?)
- Assign - Override - Merge - Update |
|
|
True/False - A Customer doesn't have to have Global Policy installed to be able to have a gateway participate in a Global VPN community.
|
False - Global Policy has to be applied to the customer in order for the customer's gateways to be part of a Global VPN community
|
|
|
What CMA information must be imported into the global Policy to configure a cross-Customer VPN?
|
- Gateway Objects
- VPN Domain objects that include the gateway objects - Certificate Authority objects and Certificates |
|
|
True/False - You can configure a Global Remote Access VPN community.
|
False - you can only configure a site-to-site community for a global VPN community
|
|
|
What must all gateways in a Global VPN community share?
|
the same VPN configuration
|
|
|
Which services defined by Security Gateway R70 are considered to be for global use by default?
|
All default services are considered for global use.
|
|
|
How are global objects visually defined in the Global SmartDashboard?
|
With an overlaid "G" icon on the objects icon
|
|
|
How many CLMs can each MDS MLM manage?
|
250 CLMs
|
|
|
How many CMA managed Security Gateways cona be configured to log to the CLMs loaded on the MLMs?
|
Unlimited
|
|
|
Which option do you select in the MDG when creating a new CLM on one of the MLMs?
|
Right-click the customer > Add Customer Log Module
|
|
|
Which type of Administrator can access all views and Customers, but cannot add or delete Multi-Domain Servers?
|
Customer Superuser
|
|
|
When adding a CMA, which IP address is used to represent the CMA on the MDS?
|
Virtual IP address
|
|
|
What two components make up the MDG installation?
|
Check Point SmartConsole package
MDG package |
|
|
Which applications can be launched directly from the MDG to manage a specific CMA?
|
Dashboard
Tracker Status Monitor SmartUpdate Provisioning |
|
|
Which directories need to be backed up in order to archive a single CMA?
|
mdsenv CMA_Customer
$FWDIR/conf $CPDIR/conf (CPshrd) $CPDIR/database (CPshrd) |
|
|
What command will show you the status of critical processes for both the MDS and CMAs along with their PIDs?
|
mdsstat
|
|
|
True/False - an import of a currently configured SCS to a CMA in a P-1 environment can still be done after the CMA has been started for the first time.
|
False - the import needs to take place before the CMA is started
|
