What command would give you a summary of all the tables available to the firewall kernel?
A. fw tab
B. fw tab -s
C. fw tab -h
D. fw tab -o
True or False: Software blades perform their inspection primarily through the kernel chain modules.
A. False. Software blades do not pass through the chain modules.
B. True. Many software blades have their own dedicated kernel chain module for inspection.
C. True. All software blades are inspected by the IP Options chain module.
D. True. Most software blades are inspected by the TCP streaming or Passive Streaming chain module.
A fwm debug provides the following output. What prevents the customer from logging into SmartDashboard?
A. There is no policy to log in to SmartDashboard
B. The FWM process has crashed and returned null to access
C. User and password are incorrect
D. IP not defined in $FWDIR/conf/gui-clients
Where in a fw monitor output would you see source address translation occur in cases of automatic Hide NAT?
A. Between the "I" and "o"
B. Hide NAT does not adjust the source IP
C. Between the "o" and "O"
D. Between the "i" and "I"
Which FW-1 kernel flags should be used to properly debug and troubleshoot NAT issues?
A. nat, route, conn, fwd, zeco, err
B. nat, xlate, fwd, vm, ld, chain
C. nat, xltrc, xlate, drop, conn, vm
D. nat, drop, conn, xlate, filter, ioctl
Your customer has an R77 Multi-domain Management Server managing a mix of firewalls of R70 and R77 versions. A change was made to the file $FWDIR/lib/tables.def on one of the domains. However, it was found that the change was not applied to the R70 firewalls. What could be the problem?
A. Changes to the table.def can only be applied to firewalls matching the Management Server version. The customer needs to upgrade the firewalls to the same version as the firewall.
B. R70 is end of life and is not supported. Most functions will work, but modifying the table.def will not.
C. In order to make changes on R70 machines you need to work within GuiDBedit.
D. To support R70, the file in the compatibility directory should have been modified.
What would the following command fw monitor tell you?
A. Only OSPF and FTP traffic between 10.10.10.86 and 192.168.10.4
B. Only traffic between 10.10.10.86 and 192.168.10.4 on port 21 or port 89
C. Only accepted traffic between 10.10.10.86 and 192.168.10.4, or any accepted FTP traffic, or any accepted OSPF traffic
D. Any communication between 10.10.10.86 and 192.168.10.4, or any FTP traffic, or any OSPF traffic
A new packet has arrived at a firewall's interface. The packet was compared with the connection table and there is no match. What process does the firewall start with that connection?
A. The packet will then be forwarded to the outbound interface for handling.
B. The new packet represents a new flow and requires a new connection table entry.
C. The packet will be rejected by the kernel firewall.
D. The packet will be forwarded to the firewall to apply the Security Policy.
When are rules that include identity awareness access roles accelerated through SecureXL?
A. Rules using Identity Awareness are always accelerated.
B. Only when 'Unauthenticated Guests' is included in the access role.
C. They have no bearing on whether the connection for the rule is accelerated.
D. Rules using Identity Awareness are never accelerated.
What happens to manual changes in the file $FWDIR/conf/local.arp when adding Proxy ARP entries through the GAiA portal or Clish?
A. Nothing.
B. If the file $FWDIR/conf/local.arp has been edited manually, you are not able to add Proxy ARP entries through the GAiA portal or Clish.
C. They are merged with the new entries added from the GAiA Portal / Clish.
D. They are overwritten.
From a Best Practices perspective, what percentage of your packets should be accelerated?
A. 65%
B. 90%
C. 100%
D. 75%
What would be considered Best Practice to determine which IPS protections you can safely disable for your environment?
A. You should use vulnerability tools to perform an assessment of your environment.
B. Work through turning on each protection to see which signatures get alerts.
C. You should set all protections to "Detect".
D. You should not disable any IPS protections.
Does R77 SmartDashboard support IPv6?
A. Yes, provided the operating system on which SmartDashboard is installed is configured with IPv6.
B. SmartDashboard does not support IPv6.
C. IPv6 needs to be tunneled through IPv4 to support IPv6.
D. R77.20 and above provide the support for SmartDashboard and IPv6.
When troubleshooting a VPN site-to-site to a peer, it may be necessary to "down" the tunnel. What is the best method to remove ONLY the tunnel to this peer?
A. Change the vpn tunnel sharing parameters to force the tunnel down.
B. Reboot your gateway.
C. Remove the peer from the community and install policy.
D. Delete the IKE and IPsec Security Associations using the command vpn tu.
In the gateway object, under topology you select the "Get All Members Interfaces with Topology" option and your newly configured unnumbered VTIs are not populated. Why is this information missing?
A. VTI information on unnumbered interfaces should appear, so there is an issue with your configuration.
B. VTI information on unnumbered interfaces is not required information for the VPN to work.
C. VTI information on unnumbered interfaces needs to be entered manually.
D. In order to fetch VTI information on unnumbered interfaces you must add an explicit rule to the policy.