Passed CCSA NGX (156.215.1) with 85%

[ddiniz]

I've passed the test with 85% score.

I used many tips from this forum and the following material:

* Sybex CCSA NG Study Guide (From Justin Menga)
* Firewall & Smartdefense.PDF
* SmartDefense Technical White Paper
* SmartCenter.PDF
* VMWare SecurePlat hands on for testing some things
*Testking v_14
*Post from albert (very good) and actual
* Real World experience as Check Point firewall admin (Since NG FP3)

So, the next challenge will be the CCSE exam. Does anyone here have previous experience with this exam to give some advice?
Do you guys have the dumps for the exam (156.315.1) to share? I've some material to the PIX exam, if anyone is interested in exchange.
Anyone that have actually passed this CCSE exam could please help us with informations about the test and the diffculty profile of the questions?

Cheers
Diniz

[thanhdt]

I have passed CCSE NGX (156 - 315.1) with 81% today.

this is the tesking 156-315
http://rapidshare.de/files/29443007/156-315.pdf.html

it's good for preparing.

Can u up your docs about PIX exam to Rapidshare.
:)

[yogeshkamat]

Congrats for clearing CCSA

We have downloaded secure platform r60 VMware image from opsec

Can u help us on how to configure and practice scenarios with it.?

rgds,
Yogesh

[sz-cisa]

I cleared the ccsa today, I used the same materials.

[MONIQUE]

2 questions. I have the testking version 14.0 for the exam 156-215, but I noted that the up-to-date certification now is 156-215.1. Go well the testking that I have? In the new testking that you have 156-215.1 is write?
Thanks and greetings

[Pascal01]

Hi, I'm going next Friday for my exam and I found version 16.1 on this forum.
It also says 156-215 but it is dealing about the 156-215.1 exam, there are 121 questions in it.
Version 16.1 should be the latest version from testking, but most people who used this as a study guide only score 25% on the NAT questions so you should be carefull on this!

[Pascal01]

Here is the link to version 16.1, if you notice wrong answers, share them with me if you want:
hxxp://rapidshare.com/files/1803157/156-215.1-ver16.1.pdf.html

[polax]

Q 88:
tc says E, which is not correct imo, even page 298 student hand book says otherwise (chapter manual nat)- As long as client-side translation is implemented, no anti-spooofing issues exist with Manual NAT rules.
So i would pick B!
From real world experience because i had such troubles in the past with this.

EDIT:
Q 95: is wrong in ver 14 and 16 as well imo, B is wrong and D as well, because user auth is not limited to only Telnet, FTP, and rlogin, but to http and https as well.
And in the student hand book 350 is written The security Server first check if the connection can be allowed by a rule that doesnt need authetication. So correct is imo answer A!

Q 115: A is incorrect, because you see hiden rules but you cannot dissable them, check unhide or as answer E say Clear hide from rules drop-down menu ..

[onnig]

Quote:

Originally Posted by polax

Q 88:
tc says E, which is not correct imo, even page 298 student hand book says otherwise (chapter manual nat)- As long as client-side translation is implemented, no anti-spooofing issues exist with Manual NAT rules.
So i would pick B!
From real world experience because i had such troubles in the past with this.

EDIT:
Q 95: is wrong in ver 14 and 16 as well imo, B is wrong and D as well, because user auth is not limited to only Telnet, FTP, and rlogin, but to http and https as well.
And in the student hand book 350 is written The security Server first check if the connection can be allowed by a rule that doesnt need authetication. So correct is imo answer A!

Q 115: A is incorrect, because you see hiden rules but you cannot dissable them, check unhide or as answer E say Clear hide from rules drop-down menu ..

You are correct for question 115, another clue is that answer A says "Rule" menu, it is actually "Rules" menu.

I also agree with question 95.

I also agree with question 88.

Shouldn't question 85 be A? CPCONFIG does not have reset sic in the SmartCenter Server. It only has reset sic in the gateway. The fwm sic_reset command works on the SmartCenter server and then you can go into the SmartDashboard and reinitialize sic on the gateway object.

Shouldn't question 109 be B? A logexport (fw log) is different from a log switch(fw logswitch). It does not start a new active log file and therefore would allow Desired #2.

[polax]

Q 85: my colleague passed this exam last week and he denies those answers which are present in this question, he told me that there is another option or different text within the answers and one of them is correct.
Sic reset is done: log on cp module (gateway) lunch cpconfig and pick reset secure internal communication then exit cpconfig and then from Smartdashboard manually reset and reestablish sic. (this is not exact text but this is how it works) So all answers are incorrect.

Q 109: there is statement "Administrators should be able to view backed up logs in SmartView Tracker." - my english suck hard, that's way i don't exactly understand whether they mean "those log which are exported and backed up by organization routine backup software, or just those logs which ofcourse remain on logserver/smartcenter and are visible in Tracker :)

Q 77: Answer C is wrong as well, you need static route (when "Translate destination on client side" is turned off ), so answer is E

[MONIQUE]

Hi,
for the question nr 13, why the answer is A? I don't think so, because how do you perform the filtering by IP address? Could be answer C, 'cause allow mail to or from name...what do you think?
Thanks

[godspeedcapri]

Quote:

Originally Posted by MONIQUE

Hi,
for the question nr 13, why the answer is A? I don't think so, because how do you perform the filtering by IP address? Could be answer C, 'cause allow mail to or from name...what do you think?
Thanks

You are right..there is no option in SMTP security server for IP Addresses...
Answer C is right. Good one...cheers


In this window you can set the Match properties for the SMTP resource.

The Sender and Recipient can be matched with wildcards, and Regular expressions. For details, see Using Regular Expressions and Wildcards in Resources.

Getting here - Manage > Resources > New > SMTP


Copyright © Check Point Software

[MONIQUE]

In the question nr 54 the correct answer is C I think and not E, because "Traditional mode VPN configuration" in the Madrid gateway object's VPN screen" is not necessary on the same gateway...what do you think about it?
Thanks.

[nazaraf]

Yeah I agree with no.13,
checking the source domain as only "@mydomain" and destination any (*) - for outbound mails
checking the destination domain as only "@mydomain" and source any (*) - for inbound mails prevent your mailgateway/mailserver from being spam relay.
================================================== ======
How about no.14? Should it be C? Dynamic NAT is same as Hide NAT,
A- Use Hide NAT on the network object in the 10.1.1.0 netwok - Absurd
C- Use Dynamic NAT on network object 10.1.1.0 - better

What do you think?

[MONIQUE]

Also I thought so, but I know that Check Point works with "hide" mode and not dynamic; so I believe is more correct to talk about "hide". What do you think?

[nazaraf]

Yeah, In checkpoints course-book it says "dynamic" but in its console application the term is "hide". I just think C is expressed it better than A. If it said "Use hide NAT on network object 10.1.1.0" A would have been my prefered answer.

On question 54, I think I read a post here saying, step 4 is not really necessary but doing step four would give better control/olptions etc......

[nazaraf]

TK Question

[MONIQUE]

yes I read, but barak in the question already created the object Madrid with the features of VPN domain. Therefore the traditional mode is does not necessary, and the options already are contained. Isnt'it?

[godspeedcapri]

Quote:

Originally Posted by nazaraf

Yeah I agree with no.13,
checking the source domain as only "@mydomain" and destination any (*) - for outbound mails
checking the destination domain as only "@mydomain" and source any (*) - for inbound mails prevent your mailgateway/mailserver from being spam relay.
================================================== ======
How about no.14? Should it be C? Dynamic NAT is same as Hide NAT,
A- Use Hide NAT on the network object in the 10.1.1.0 netwok - Absurd
C- Use Dynamic NAT on network object 10.1.1.0 - better

What do you think?

Very tricky solution...

Answer C is correct.

A uses the word HIDE NAT but applies it on unknown network object in 10.1.1.0 network.
C is much clear and defined. DYNAMIC NAT on network object 10.1.1.0

Dynamic NAT Defined
When we speak of Dynamic NAT, we should simply consider this term the same as Hide NAT.Throughout this chapter, we will use the two expressions interchangeably. With that said, we will show you how to hide a single node, an address range, or an entire network behind a Hide NAT.

Cheers,
Godspeedcapri

[godspeedcapri]

Quote:

Originally Posted by MONIQUE

yes I read, but barak in the question already created the object Madrid with the features of VPN domain. Therefore the traditional mode is does not necessary, and the options already are contained. Isnt'it?

The reason I would say that E is correct.

Because Barak is moving from pre shared keys to certificates. He is required to modify the settings on Madrid,Oslo and London. This can be done using Traditional Mode VPN configuration.

Also the question says that pre shared keys was used between Oslo and London. Hence the policy was setup using Traditional Mode VPN. So to setup certificate for Madrid gateway, the Traditional Mode VPN needs to be configured. Infact the best answer/option would be configure Traditional Mode VPN on all three objects of the VPN Mesh Community(Oslo,Madrid,London).

Tats my 2 cents...


Cheers,
Godspeedcapri