April 24, 2014


Question 321

Your company is still using traditional mode VPN configuration on all Gateways and policies. Your manager now requires you to migrate to a simplified VPN policy to benefit from the new features. This needs to be done with no downtime due to critical applications which must run constantly. How would you start such a migration?

A. This cannot be done as it requires a SIC reset on the Gateways first, forcing an outage.

B. This cannot be done without downtime as a VPN between a traditional mode Gateway and a simplified mode Gateway does not work.

C. Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway.

D. You first need to completely rewrite all policies in simplified mode and then push this new policy to all Gateways at the same time.


Answer: C



Question 322

Your manager requires you to set up a VPN to a new business partner site. The administrator from the partner site gives you his VPN settings and you notice that he set up AES 128 for IKE phase 1 and AES 256 for IKE phase 2. Why is this a problematic setup?

A. All is fine as the longest key length has been chosen for encrypting the data and a shorter key length for higher performance for setting up the tunnel.

B. All is fine and can be used as is.

C. The two algorithms do not have the same key length and so don’t work together. You will get the error … No proposal chosen ….

D. Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase 2 only costs performance and does not add security due to a shorter key in phase 1.


Answer: D



Question 323

Why are certificates preferred over pre-shared keys in an IPsec VPN?

A. Weak security: PSKs can only have 112 bit length.

B. Weak security: PSKs are static and can be brute-forced.

C. Weak scalability: PSKs need to be set on each and every Gateway.

D. Weak performance: PSK takes more time to encrypt than Diffie-Hellman.


Answer: B



Question 324

What is a possible reason for the IKE failure shown in this screenshot?

A. Mismatch in preshared secrets.

B. Mismatch in Diffie-Hellman group.

C. Mismatch in VPN Domains.

D. Mismatch in encryption schemes.


Answer: A



Question 325

When using an encryption algorithm, which is generally considered the best encryption method?


B. CAST cipher


D. Triple DES


Answer: C



Question 326

Which do you configure to give remote access VPN users a local IP address?

A. Office mode IP pool

B. Encryption domain pool

C. NAT pool

D. Authentication pool


Answer: A



Question 327

You install and deploy GAiA with default settings. You allow Visitor Mode in the Gateway object’s Remote Access properties and install policy; but SecureClient refuses to connect. What is the cause of this?

A. Set Visitor Mode in Policy > Global Properties > Remote-Access > VPN – Advanced.

B. Office mode is not configured.

C. You need to start SSL Network Extender first, then use Visitor Mode.

D. The WebUI on GAiA runs on port 443 (HTTPS). When you configure Visitor Mode it cannot bind to default port 443, because it’s used by another program (WebUI). You need to change the WebUI port, or run Visitor Mode on a different port.


Answer: D



Question 328

With deployment of SecureClient, you have defined in the policy that you allow traffic only to an encrypted domain. But when your mobile users move outside of your company, they often cannot use SecureClient because they have to register first (i.e. in Hotel or Conference rooms). How do you solve this problem?

A. Allow traffic outside the encrypted domain

B. Allow your users to turn off SecureClient

C. Allow for unencrypted traffic

D. Enable Hot Spot/Hotel Registration


Answer: D



Question 329

What statement is true regarding Visitor Mode?

A. All VPN traffic is tunneled through UDP port 4500.

B. VPN authentication and encrypted traffic are tunneled through port TCP 443.

C. Only ESP traffic is tunneled through port TCP 443.

D. Only Main mode and Quick mode traffic are tunneled on TCP port 443.


Answer: B



Question 330

When attempting to connect with SecureClient Mobile you get the following error message:

The certificate provided is invalid. Please provide the username and password.

What is the probable cause of the error?

A. Your user configuration does not have an office mode IP address so the connection failed.

B. There is no connection to the server, and the client disconnected.

C. Your certificate is invalid.

D. Your user credentials are invalid.


Answer: C