CPUG: The Check Point User Group
Forum: Check Point Certifications And Exams > CCSA (Check Point Certified Security Administrator) > CCSA NGX Exam 156-215.1
#1  2006-05-11  albertvandenburg (Junior Member, NL)
Important CCSA Exam Information

Hi, I have been using this forum for quite some time now and I would like to add some important information about the CCSA NGX exam. I took the exam Checkpoint CCSA NGX 156-215.1 on April 21 and failed the test with only 67%.

I had prepared myself very well and was amazed by the idiotic questions that appeared on this exam. I studied real hard and took the exam again on May 5 and passed with 81%. I would like to give you a little exam-cram of the topics you will be tested on. Expect the questions to be tough, so prepare yourself well. I bought the Boson test-exams but I'm not sure that these test exams will prepare you for this test. I am an experienced Checkpoint administrator, but that does not let you pass this test. I downloaded the VMware Checkpoint image and tested all configurations, especially NAT and such. You must know where to find all the various options; it's sick but unfortunately required to pass the test. I've written down everything I can remember in the following lines, hope this helps!!! Good luck.

Albert.

Various:

* SmartDefense- DShield Storm Center
* Web Intelligence- Host configuration
* NAT- Bi-Directional NAT, Static, Hide
* Security Policy- Database Revision, Anti-spoofing, implied rules, Global Policy

VPN

* Encryption- Tunneling, Hashing algorithms
* Privacy, Integrity, Authenticity
* PKI
* IKE
* IPsec
* DES/3DES/AES
* DH (Diffie-Hellman) is a form of asymmetric encryption
* Pre-shared keys are a form of symmetric encryption (very fast)
* Public keys are a form of asymmetric encryption; there is a private and a public key (poor performance)
* A hash function is a one-way mathematical function that maps variable values into smaller values of a fixed length (simple/fast/unique/irreversible)
* A digital signature uniquely identifies the sender of a message; the purpose of a digital signature is to guarantee that the sender is who he claims to be
* ICA (Internal Certificate Authority)
* Tunnel-mode encryption works by encapsulating an entire IP packet and then adding its own encryption header to the packet (increase of total packet size)

* SmartConsole: a lot of SmartMonitor & SmartTracker
* SIC
* Authentication: mostly Client authentication sign-on options, and refreshable timeouts
* CLI commands: fw unloadlocal, fw ctl
* SmartDirectory: LDAP
* Content Security: UFP & CVP
* SmartCenter High Availability: strange, because I thought HA was a CCSE topic

Authentication

* It is possible to set a refreshable time-out for client authentication. This means that for every new connection the time-out is reset (default=30 minutes)
* user-auth: telnet/ftp/rlogin/http/https. Two connections are created after successful authentication, 3 auth attempts by default
* session-auth: any service, requires the session auth agent, which performs automatic authentication
* client-auth: grants access on a per host/IP address basis, any service. Best used for workstations, single-user machines such as PCs. Telnet to security gateway port 259 or http port 900


CVP = TCP port 18181
UFP = TCP port 18182

SmartCenter HA --> know the different statuses. I got a question about status COLLISION and what this means. Hint: study the Checkpoint PDF docs for this.

Checkpoint rulebase

* Rule 0 = implied rules (derived from Policy, Global properties). To show them, click View, Implied rules. These rules have no numbering.
* Which traffic is automatically permitted by implied rules: IKE, RDP, FW-CONTROL/LOG/KEY-EXCHANGE, RADIUS, CVP, TACACS, LDAP and logical servers
* RIP, ICMP and UDP are not permitted by default
* Rule 1 = first explicit rule (user-created); these rules are numbered
* Address spoofing is not logged with a rule number, just as a SmartDefense event. This is because it is enforced before any rule in the security policy's rule base.
* Stealth rule: drop all traffic to the firewall and log. If you use client authentication, encryption or CVP, these rules must be positioned before the Stealth rule
* Cleanup rule: drop all traffic and log; this needs to be the last rule in the rulebase
* Hidden rules: you can hide rules, but they still apply to the security policy. The hide feature is used for managing complex security policies. To unhide: click Rules, Hide, Unhide all.
* The default rule: this rule will default to any any drop, don't log
* Rule base enforcement order:
  1. IP spoofing/IP options
  2. NAT
  3. Security policy FIRST rule
  4. Administrator-defined rulebase
  5. Security policy BEFORE-LAST rule
  6. Cleanup rule or security policy LAST rule

* Policy package: security rulebase and NAT, QoS, Desktop Security
* Database revision control: create a fallback configuration package. All policies, objects, users, SmartDefense and global settings. You must know when to use these two packages!!!
* Network configuration and IP routing is not included in any of the above packages. You will need to create a backup of the system configuration in order to save this information.

SmartView Tracker

* Three modes: LOG mode, ACTIVE mode, AUDIT mode
* How to block an intruder: go to Active mode, select a connection, click Tools, click Block Intruder
* You can block based on source, destination, or source-destination-service
* How to monitor changes to the security policy: Audit mode
* The name of the log file depends on the MODE: LOG=.log, ACTIVE=.vlog, AUDIT=.alog

* Export to .txt is possible from the File menu
* Switch logfile: current fw.log is closed and will be written to disk with a name that contains the current date and time.
* Only one logfile can be open at a time

Eventia Reporter

* Only connections that are logged by the firewall policy are available for Eventia reporting
* Reports are saved in HTML format and in CSV format
* To change the Eventia database cache size to match the memory in the server, edit $RTDIR/DATABASE/CONF/MY.INI (.INI=Windows and .CNF=UNIX)

* rmdstop: stop all Eventia Reporter services
* rmdstart: start all Eventia Reporter services
* Change Eventia database settings with utility UpdateMySQLConfig (stop Eventia Reporter services first!)
* Eventia Reporter is licensed per gateway

Encryption

* DH (Diffie-Hellman) is an asymmetric encryption algorithm
* SIC (secure internal communications)

Installation

* How many users can be created during setup: only one admin user with read-write permissions


Commandline

* cpstart: launches all Checkpoint applications
* cpstop: stop all Checkpoint applications
* fw start
* fw stop
* fw ver: display Checkpoint version
* fw fetch [target]: fetches last policy
* cpstop -fwflag -default: stop all Checkpoint processes and leave the default filter running
* cpstop -fwflag -proc: stop all Checkpoint processes and leave the security policy running
* fw ctl arp: display the firewall ARP entries for automatic NAT objects
* fw dbexport -f bla.ldif -l -s "o=bla,c=nl"
* fw unloadlocal: unload the local security policy. This is a very convenient feature if you are not able to access the SmartDashboard, for example because of a too strict security policy
* fwm unload [target]: unload a policy on target enforcement module
* cplic print: print the details of the installed Checkpoint licenses

NAT (expect tough questions about NAT!) Know how many NAT entries are created for automatic/manual and host/network object NAT.

* If you use automatic NAT on a network object, there will be two NAT rules added to the firewall
* Static NAT
* Hide NAT
* RFC 1918 - Address allocation for private IP networks; these IP networks cannot traverse public IP networks
* Port numbers are assigned dynamically: 600-1023 and 10000-60000. If the original port number is less than 1024, a port number is assigned from the first pool; else a port number is assigned from the second pool.
* The high port number pool can be changed with DbEdit
* Automatic NAT rules
* Manual NAT rules (example: necessary to do PAT for 1 static IP address, smtp to 192.168.1.1 and http to 192.168.1.2)
* Several Global properties influence the way NAT is handled by the firewall: bi-directional NAT, automatic ARP
* For manual static NAT a manual ARP entry is necessary in the firewall OS
* When the option Translate Destination on Client side is not enabled for automatic and/or manual NAT rules, problems can occur with anti-spoofing. Make sure to configure anti-spoofing correctly. Furthermore, when using manual static NAT and this option is disabled, you need host routing entries in the FW IP routing table to the private IP address.

* When using automatic static/hide NAT, two NAT rules are always created

SmartDefense

* MAIL
* FTP
* Microsoft Networks
* DNS
* VOIP
* SmartDefense is subscription based
* Common attacks: Teardrop, LAND, SmallPMTU, PingOfDeath (know how these attacks work!)
* Dshield.org integrates with SmartDefense by using a blocklist which is refreshed every 3 hours. The object that needs to be created is called CPDShield and this object must be used in a rule in the rulebase. Place the rule as high as possible, but below authentication rules
* Host port scan, sweep scan

Web Intelligence

* This is a separate TAB in the SmartDashboard interface
* HTTP worm catcher
* Cross-site scripting
* HTTP protocol inspection

Last edited by albertvandenburg; 2006-05-11 at 02:16.
#2  2006-05-11  goldy (Junior Member)
Re: Important CCSA exam information

Quote:
* user-auth: telnet/ftp/rlogin/http/https. Two connections are created after successful authentication, 3 auth attempts by default

I thought https was not able to be used in user auth....is https something new to NGX for user Auth?

thanks
#3  2006-05-12  kva.kva (Senior Member, Moscow, Russia)
Re: Important CCSA exam information

Quote:
I thought https was not able to be used in user auth....is https something new to NGX for user Auth?
From R55 manual "User Authentication provides authentication for five services: TELNET, FTP, HTTP, HTTPS, and RLOGIN."
#4  2006-05-12  goldy (Junior Member)
Re: Important CCSA exam information

Just took the test and passed. The above brain dump is pretty accurate. Had specific SmartDefense attack questions, a lot of LDAP and SmartDirectory, NAT, SmartView Tracker, and had that collision question - but none of the answers match the KB article for that problem on Checkpoint's site LOL. I would have done much better if I had studied LDAP\SmartDirectory, as I did not at all. I studied for 215, not 215.1 - but at least I passed.
#5  2006-05-14  Youngy (Member)
Re: Important CCSA exam information

Quote:
Originally Posted by albertvandenburg
I downloaded the VMware Checkpoint image and tested all configurations....
VMware image!

What is this about? Do you have a source I can use, possibly?
#6  2006-05-15  kva.kva (Senior Member, Moscow, Russia)
Re: Important CCSA exam information

Quote:
VMWare image!

What is this about? Do you have a source I can use possibly
Use the search on the forum:
http://cpug.org/forums/showthread.ph...ghlight=vmware
#7  2006-05-15  albertvandenburg (Junior Member, NL)
Re: Important CCSA exam information

Check out this link: http://www.vmware.com/vmtn/appliances/checkpoint.html
Hope this helps!
Albert
#8  2006-05-15  renato_rj (Member)
Re: Important CCSA exam information

Thanks for the information about the CCSA NGX exam... I will try this Thursday, 18 May..


Regards,
Renato.
#9  2006-05-15  Youngy (Member)
Re: Important CCSA exam information

Thanks for the link
#10  2006-05-18  renato_rj (Member)
Re: Important CCSA exam information

I failed.... :'(

There are a lot of NAT questions... And I am bad at the NAT questions....

I got a question about status collision and what it means too....

Your guideline is good, but I am not good enough....


Well, I will try the exam again!!!

Regards...
#11  2006-05-18  astinius1 (Junior Member, Paw Paw, MI)
Re: Important CCSA exam information

renato_rj,

According to the CheckPoint NGX SmartCenter User Guide, Chapter 10 High Availability, page 207 (Acrobat Reader says it's page 211 though):

Collision - the Active SCS and its peer have different installed policies and databases. The administrator must perform manual synchronization and decide which of the SCSs to overwrite.

I would highly recommend a good read of this entire chapter...


Russ Aspinwall
CCSA, CCSE
#12  2006-05-18  renato_rj (Member)
Re: Important CCSA exam information

Astinius1, this question I know... This chapter I read... My trouble is NAT, manual NAT...

Well, I will try the exam again...

Thanks folks...
#13  2006-06-06  wandererz (Junior Member)
Re: Important CCSA exam information

80% of the questions in the exam are from the Check Point manuals i.e. the Official Courseware. Some of them word for word.

From past experience, the Bosons etc. do not help to prepare for this exam other than to get you into a test-taking frame of mind.

In my opinion it would be better to get the manuals & study them, as well as practice on a test system.
#14  2006-06-06  tinger1 (Junior Member)
Re: Important CCSA exam information

I failed the test the first time, too; very helpful information. I will retake it next week.
#15  2006-06-10  selva (Junior Member)
Re: Important CCSA exam information

Hi,

The questions which have come from NAT are too difficult to analyse. Even though I have been working in Checkpoint for the past 1 year, I couldn't pass.

Please, anyone, help me with dumps for 156-215.1.


Selva
#16  2006-06-10  dean7711 (Member)
Re: Important CCSA exam information

I have got my exam in a fortnight! Please could I have any dumps anyone has got.
#17  2006-06-12  monra (Junior Member)
Re: Important CCSA exam information

Hi to all,
I tried this link http://cpug.org/forums/showthread.ph...ghlight=vmware but it doesn't work. Is there another source for the image?
#18  2006-06-13  albertvandenburg (Junior Member, NL)
Re: Important CCSA exam information

The VMware SPLAT can be downloaded here:
http://www.vmware.com/vmtn/appliances/checkpoint.html
#19  2006-06-13  albertvandenburg (Junior Member, NL)
Re: Important CCSA exam information

Update on manual static NAT.

If you decide to use manual static NAT rules, for example when you must do PAT (port address translation) and you have only 1 public IP address, the processing order is different from the Checkpoint automatic NAT processing:

1. anti-spoofing
2. rulebase
3. NAT

So in order to make the manual static NAT rules work, you must define the public IP address in the rulebase. Normally you would configure automatic NAT on an object, and in the rulebase you would see an object/host with a private/internal IP address. You need only 1 NAT/PAT entry per translation.

Enjoy,
Albert
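The two processing orders this thread states (the rule base enforcement order in the first post, where NAT runs before the rules, and the anti-spoofing, rulebase, NAT order Albert gives above for manual static NAT) as a small Python model, showing why a manual PAT rule only works when the rule base matches the public address. This is an added example, not code from the thread or from Check Point; the addresses, the PAT table (taken from the smtp/http example in the first post) and the rule objects are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: one internal network behind the gateway, one public address.
INTERNAL_NET = ip_network("192.168.1.0/24")
PUBLIC_IP = ip_address("203.0.113.10")
# Constructed manual static NAT / PAT table: public port -> private host, same port.
PAT_TABLE = {25: ip_address("192.168.1.1"), 80: ip_address("192.168.1.2")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str  # "external" or "internal": interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    dst: str     # host or network in CIDR form, or "any"
    action: str  # "accept" or "drop"


def anti_spoofing_ok(pkt: Packet) -> bool:
    """Step 1 in both orders: a packet from outside must not claim an internal source."""
    src = ip_address(pkt.src)
    return (src not in INTERNAL_NET) if pkt.ingress == "external" else (src in INTERNAL_NET)


def translate_dst(pkt: Packet) -> Packet:
    """Static destination NAT/PAT: PUBLIC_IP:port -> private host, port unchanged."""
    if ip_address(pkt.dst) == PUBLIC_IP and pkt.dport in PAT_TABLE:
        return Packet(pkt.src, str(PAT_TABLE[pkt.dport]), pkt.dport, pkt.ingress)
    return pkt


def match_rulebase(pkt: Packet, rules: list) -> str:
    """First-match rule base; an implicit cleanup rule drops anything no rule matched."""
    for rule in rules:
        if rule.dst == "any" or ip_address(pkt.dst) in ip_network(rule.dst):
            return rule.action
    return "drop"


def process(pkt: Packet, rules: list, nat_mode: str) -> tuple:
    """Return (action, final destination) for "automatic" (spoof, NAT, rules)
    or "manual" (spoof, rules, NAT) processing, as the thread describes them."""
    if not anti_spoofing_ok(pkt):
        return ("drop", pkt.dst)          # dropped before any rule, as the first post notes
    if nat_mode == "automatic":
        pkt = translate_dst(pkt)          # rule base then sees the private address
        return (match_rulebase(pkt, rules), pkt.dst)
    action = match_rulebase(pkt, rules)   # rule base sees the public address
    if action == "drop":
        return ("drop", pkt.dst)
    return (action, translate_dst(pkt).dst)
```

With a rule written on the private host, automatic NAT accepts the inbound connection while manual NAT drops it; the manual rule must name the public IP instead.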
#20  2006-06-14  monra (Junior Member)
Re: Important CCSA exam information

Thanks Albert,
but this is the link I tried. I've got a "Server Error" for the registration form.

Tip to all: download only SmartConsole from CheckPoint and use it in Demo Mode, so you don't need any further installations.