90 Cards in this Set

Front: In a Domain-based VPN, where can you configure VPN routing?
Back: Either directly through SmartDashboard or by editing the VPN routing-configuration files on the gateways.

Front: What must be done in the Rule Base in order for VPN routing to succeed in a Domain-based VPN?
Back: A single rule must cover traffic in both directions, inbound and outbound, and on the central gateway. (148)

Front: A VTI is an _____________ level virtual interface that can be used as a Security Gateway to the VPN domain of the peer gateway.
Back: operating system (149)

Front: How many tunnels can each VTI be associated with?
Back: 1

Front: Where are all of the VPN properties defined for a route-based VPN?
Back: VPN community in SmartDashboard

Front: After setting up a VTI for a route-based VPN, the peer gateway should be configured with a ___________ _______.
Back: corresponding VTI

Front: Which type of VPN allows the use of dynamic routing?
Back: route-based

Front: How far away does a peer gateway appear in a route-based VPN?
Back: single hop

Front: What operating systems support route-based VPN?
Back: SecurePlatform and IPSO 3.9 and higher

Front: In a route-based VPN, where is the decision whether or not to encrypt a packet made?
Back: Routing to a virtual interface or not

Front: What operating system supports numbered VTI?
Back: SecurePlatform

Front: What operating system supports unnumbered VTI?
Back: IPSO 3.9+

Front: Can numbered VTIs share an IP address?
Back: Yes, but they cannot use an already existing physical-interface IP address

Front: What kind of interface must be assigned for unnumbered VTIs?
Back: proxy interface

Front: What must all gateways in a route-based VPN multicast transfer have configured?
Back: A VTI for each VPN tunnel, and a multicast routing protocol must be enabled

Front: A VPN tunnel guarantees what three means of security?
Back:
- Authenticity - standard encryption methods
- Privacy - encrypting data
- Integrity - using standard integrity-assurance methods

Front: What is the purpose of a permanent tunnel?
Back: Keeps VPN tunnels active, allowing real-time monitoring capabilities.

Front: What is the purpose of VPN tunnel sharing?
Back: This feature provides greater interoperability and scalability between gateways. It also controls the number of VPN tunnels created between peer gateways.

Front: How is a permanent VPN tunnel monitored?
Back: By sending "tunnel test" packets. The tunnel is considered "up" if a response is received and "down" otherwise.

Front: What three options do you have for configuring the specificity of VPN tunnels?
Back:
- Specified for entire community
- Specified for a specific gateway
- Specified for a single VPN tunnel

Front: What technologies allow packets to fail over in non-clustered gateways in a permanent VPN tunnel?
Back: Multiple Entry Point environment where the Route Injection Mechanism is enabled.

Front: What are the four type fields in a tunnel test packet?
Back:
- test
- reply
- connect
- connected

Front: For how long are connect messages retransmitted in VPN tunnel testing configuration?
Back: Up to 10 seconds after the IKE negotiation is over

Front: What is the purpose of VPN tunnel testing using various lengths in test packets?
Back: To discover the Path Maximum Transmission Unit

Front: What are the three levels of scalability for VPN tunnels created in VPN tunnel sharing?
Back:
- 1 tunnel per each pair of hosts
- 1 per subnet pair
- 1 per gateway pair

Front: In case of a conflict between the tunnel properties of a VPN community and a gateway object that is a member of the same community, which setting is followed?
Back: The "stricter" setting (e.g. 1 tunnel per pair of hosts would be selected above 1 tunnel per subnet pair)

Front: How does Wire Mode enable VPN connections to successfully fail over?
Back: By avoiding Stateful Inspection

Front: What questions does Wire Mode ask to determine if Stateful Inspection needs to be enforced?
Back:
- Is this information coming from a trusted source?
- Is this information going to a trusted destination?

Front: On what platforms is Wire Mode supported?
Back: SecurePlatform and IPSO

Front: In directional VPN enforcement, clear text connections originating from what three sources are not subject to enforcement?
Back:
- Any Traffic
- External_clear
- Internal_clear

Front: In regards to physical restrictions, what is the difference between MEP and ClusterXL?
Back:
- MEP has no physical restriction
- ClusterXL gateways need to be in the same location, directly connected via a sync interface

Front: In regards to management, what is the difference between MEP and ClusterXL?
Back: MEP gateways can be managed by different SmartCenter Servers

Front: What is the difference between MEP and ClusterXL in regards to state synchronization?
Back: MEP has no state synchronization

Front: How does the decision on which gateway to use differ in ClusterXL and MEP?
Back: In MEP, the decision is taken on the remote side. In ClusterXL, the decision is taken on the gateway side.

Front: To route traffic to a host behind a gateway, what must be configured for that gateway?
Back: A VPN domain.

Front: What are the 2 ways configuration for VPN routing is performed?
Back: SmartDashboard or by editing the VPN routing-configuration files on the Gateways.

Front: (T/F) VPN does not require access-control rules be entered in the rule base.
Back: False

Front: What must be covered in a rule, if a rule is necessary, for VPN routing to succeed?
Back: It must cover traffic in both directions, inbound and outbound, and on the central gateway.

Front: A ____ is an operating system virtual interface that can be used as a Security Gateway to the VPN domain of the peer gateway.
Back: VTI

Front: How many tunnels is each VTI associated with?
Back: One

Front: Route-based VPN is supported using what platforms?
Back: SPLAT and IPSO 3.9 and higher

Front: (T/F) Gateways do not need to be in the same Community for route-based VPNs.
Back: False

Front: Are VPN domains for each peer gateway necessary for route-based VPNs?
Back: No.

Front: How is the decision to encrypt handled in route-based VPN?
Back: Traffic routed through the VTI is encrypted.

Front: What 2 ways can VTI be configured?
Back: Numbered and Unnumbered

Front: What is assigned to the interface if the VTI is numbered? (2)
Back: A local and remote IP address.

Front: (T/F) VTIs may share an IP address but cannot use an already existing physical-interface IP.
Back: True

Front: Numbered VTIs are only supported using which OS?
Back: SPLAT

Front: (T/F) IP addresses are configured for unnumbered VTIs.
Back: False

Front: Unnumbered VTIs must be assigned a _______ interface. This interface is used as the _________ for outbound traffic.
Back:
- Proxy
- Source IP

Front: What is a benefit of unnumbered VTIs?
Back: It eliminates the need to allocate and manage an IP per interface.

Front: Unnumbered VTIs are only supported on which OS?
Back: IPSO (3.9 and higher)

Front: What kind of IPSO interfaces may make use of unnumbered VTIs? (2)
Back: Physical or loopback.

Front: (T/F) Multicast traffic can be encrypted and forwarded across VPN tunnels that were configured using VTIs.
Back: True

Front: What does a VPN tunnel guarantee? (3)
Back:
1. Authenticity
2. Privacy
3. Integrity

Front: What feature keeps VPN tunnels active, allowing real-time monitoring capabilities?
Back: Permanent Tunnels

Front: What feature provides greater interoperability and scalability between gateways and controls the number of VPN tunnels created between peer gateways?
Back: VPN Tunnel Sharing

Front: (T/F) Permanent tunnels are constantly monitored and failure generates a log, alert, or other user-defined action.
Back: True

Front: (T/F) Both peer gateways do not have to be Check Point firewalls to establish permanent tunnels.
Back: False

Front: Where does the configuration of permanent tunnels take place?
Back: The Community level.

Front: What are the 3 levels of granularity for specifying permanent tunnels?
Back:
- Community
- Gateway
- VPN tunnel

Front: What are the 4 types of tunnel testing packets?
Back:
- Type 1 Test
- Type 2 Reply
- Type 3 Connect
- Type 4 Connected

Front: How many gateways are required for tunnel testing, and how is configuration accomplished?
Back: 2. One is configured to ping and the other configured to respond.

Front: What port does a responder gateway listen to for tunnel testing?
Back: 18234

Front: The pinging gateway sends _______ and ________ packets and the responder sends ________ and _______ packets, respectively.
Back:
- Type 1 Test
- Type 3 Connect
- Type 2 Reply
- Type 4 Connected

Front: In what 2 ways is the tunnel tested during the connect phase?
Back:
1) A connect message is sent to the gateway.
2) A series of test messages with various lengths is sent to discover the Path Maximum Transmission Unit of the connection.

Front: (T/F) In a MEP environment, gateways can either PING or Respond for tunnel testing.
Back: False. They may only respond.

Front: What is a Multiple Entry Point (MEP) environment?
Back: An environment in which active VPN tunnels are rerouted from the predefined primary gateway to the backup gateway if the primary becomes unavailable.

Front: What are the 3 settings available for VPN Tunnel Sharing?
Back:
1) One VPN tunnel per each pair of hosts.
2) One VPN tunnel per subnet pair.
3) One VPN tunnel per Gateway pair.

Front: Where is the configuration set for VPN Tunnel Sharing for a Community?
Back: In the Tunnel Management dialog box of the Community Properties window.

Front: Where do you set the configuration for VPN Tunnel Sharing for a specific gateway?
Back: In the VPN Advanced dialog box of the gateway's properties window.

Front: (T/F) VPN Tunnel Sharing can be set on both the VPN Community and Gateway object.
Back: True

Front: What happens in the case of a conflict between the tunnel properties of a Community and a gateway object that is a member of that community?
Back: The most strict setting is followed.

Front: What was designed to improve connectivity by allowing existing connections to fail over successfully by bypassing firewall enforcement?
Back: Wire mode

Front: How is a gateway bypassed for VPN connection in wire mode?
Back: The internal interface of that gateway is defined as "trusted"

Front: What 2 questions are considered when a packet reaches a gateway in wire mode?
Back:
1) Is it coming from a trusted source?
2) Is it going to a trusted destination?

Front: At what level is Wire Mode enabled?
Back: The Community

Front: Wire mode is supported for _______ and higher gateways.
Back: NGX (R60) and higher

Front: Wire mode is only supported on _________ and ________ platforms.
Back:
- SPLAT
- IPSO

Front: What is used if an administrator does not want VPN traffic to be bi-directional?
Back: Directional VPN

Front: What is specified with directional VPN?
Back: Where the source IP must be and where the destination IP must be.

Front: Directional VPN enforcement can take place in what two ways?
Back:
- Within a single VPN community
- Between VPN communities

Front: In directional VPN enforcement, cleartext connections originating from which 3 objects are not subject to enforcement?
Back:
- Any Traffic
- External_clear
- Internal_clear

Front: How many VPN directions can be configured in a single rule?
Back: There is no limit.

Front: What is recommended if you have many directional enforcements?
Back: A bi-directional rule.

Front: How do you enable directional enforcement?
Back: Global Properties > VPN > Advanced > check box Enable VPN Directional Match in VPN Column

Front: Is there a physical restriction on the location of MEP gateways?
Back: No. They can be geographically separated.

Front: (T/F) MEP Gateways can be managed by different SCSs.
Back: True

Front: (T/F) State is synchronized between MEP gateways.
Back: False

Front: In a MEP environment, the decision about which gateway to use is made on the ________ side. In a cluster it is on the _________ side.
Back:
- remote
- gateway