CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Important CCSA Exam Information

  1. #1
    Join Date
    2006-05-11
    Location
    NL
    Posts
    7
    Rep Power
    0

    Default Important CCSA Exam Information

    Hi, I have been using this forum for quite some time now and I would like to add some important information about the CCSA NGX exam. I took the exam Checkpoint CCSA NGX 156-215.1 on April 21 and failed the test with only 67%.

    I had prepared myself very well and was amazed by the idiotic questions that appeared on this exam. I studied real hard and took the exam again on May 5 and passed with 81%. I would like to give you a little exam-cram of the topics you will be tested on. Expect the questions to be tough, so prepare yourself well. I bought the Boson test-exams but I'm not sure that these test exams will prepare you for this test. I am an experienced Checkpoint administrator, but that does not let you pass this test. I downloaded the VMware Checkpoint image and tested all configurations, especially NAT and such. You must know where to find all the various options; it's sick but unfortunately required to pass the test. I've written down everything I can remember in the following lines, hope this helps!!! Good luck.

    Albert.

    Various:

    * SmartDefense - DShield Storm Center
    * Web Intelligence - Host configuration
    * NAT - Bi-Directional NAT, Static, Hide
    * Security Policy - Database Revision, Anti-spoofing, implied rules, Global Policy

    VPN

    * Encryption - Tunneling, Hashing algorithms
    * Privacy, Integrity, Authenticity
    * PKI
    * IKE
    * IPsec
    * DES/3DES/AES
    * DH (Diffie Hellman) is a form of asymmetric encryption
    * Pre-shared keys are a form of symmetric encryption (very fast)
    * Public-keys are a form of asymmetric encryption, there is a private and a public key (poor performance)
    * A hash function is a one-way mathematical function that maps variable values into smaller values of a fixed length (simple/fast/unique/irreversible)
    * A digital signature uniquely identifies the sender of a message, the purpose of a digital signature is to guarantee that the sender is who he claims to be
    * ICA (Internal Certificate Authority)
    * tunnel-mode encryption works by encapsulating an entire IP packet and then adding its own encryption header to the packet (increase of total packet size)

    * SmartConsole - a lot of SmartMonitor & SmartTracker
    * SIC
    * Authentication - mostly Client authentication sign-on options, and refreshable timeouts
    * CLI commands - fw unloadlocal, fw ctl
    * SmartDirectory - LDAP
    * Content Security - UFP & CVP
    * SmartCenter High Availability - Strange because I thought HA was a CCSE topic

    Authentication

    * It is possible to set a refreshable time-out for client authentication. This means that for every new connection the time-out is reset (default=30 minutes)
    * user-auth: telnet/ftp/rlogin/http/https. Two connections are created after successful authentication, 3 auth attempts by default
    * session-auth: any service, requires session auth agent which performs automatic authentication
    * client-auth: grants access on a per host/ip address basis, any service. Best used for workstations, single-user machines such as PCs. Telnet to security gateway port 259 or http port 900

    * CVP = TCP port 18181
    * UFP = TCP port 18182

    SmartCenter HA --> know the different status. I got a question about status COLLISION and what this means. Hint, study the Checkpoint PDF docs for this.

    Checkpoint rulebase

    * Rule 0 = implied rules (derived from Policy, Global properties). To show, click View, Implied rules. These rules have no numbering.
    * Which traffic is automatically permitted by implied rules: IKE, RDP, FW-CONTROL/LOG/KEY-EXCHANGE, RADIUS, CVP, TACACS, LDAP and logical servers
    * RIP, ICMP and UDP are not permitted by default
    * Rule 1 = first explicit rule (user-created), these rules are numbered
    * Address spoofing is not logged with a rule number, just as a SmartDefense event. This is because they are enforced before any rule in the security policy's rule base.
    * Stealth rule: drop all traffic to the firewall and log. If you use client authentication, encryption or CVP, these rules must be positioned before the Stealth rule
    * Cleanup rule: drop all traffic and log, this needs to be the last rule in the rulebase
    * Hidden rules: you can hide rules, but they still apply to the security policy. The hide feature is used for managing complex security policies. To unhide: click Rules, Hide, Unhide all.
    * The default rule: this rule will default to any any drop don't log
    * Rule base enforcement order:
        1. IP spoofing/IP options
        2. NAT
        3. Security policy FIRST rule
        4. Administrator-defined rulebase
        5. Security policy BEFORE-LAST rule
        6. Cleanup rule or security policy LAST rule

    * Policy package: security rulebase and NAT,QoS,Desktop Security
    * Database revision control: create fallback configuration package. All policies,objects,users,smartdefense and global settings. You must know when to use these two packages !!!
    * Network configuration and IP routing is not included in any of the above packages. You will need to create a backup of the system configuration in order to save this information.

    SmartView Tracker

    * Three modes: LOG-mode,ACTIVE-mode,AUDIT-mode
    * How to block an intruder: Go to Active-mode, select a connection, click Tools, click Block Intruder
    * You can block based on source, destination, or source-destination-service
    * How to monitor changes to the security policy: audit-mode
    * The name of the log file depends on the mode: LOG=.log, ACTIVE=.vlog, AUDIT=.alog

    * Export to .txt is possible from the File menu
    * Switch logfile: current fw.log is closed and will be written to disk with a name that contains the current date and time.
    * Only one logfile can be open at a time

    Eventia Reporter

    * Only connections that are logged by the firewall policy are available for Eventia reporting
    * Reports are saved in HTML format and in CSV format
    * To change the Eventia database-cache size to match the memory in the server, edit the $RTDIR/DATABASE/CONF/MY.INI (.INI=windows and .CNF=UNIX)

    * rmdstop: stop all Eventia Reporter services
    * rmdstart: start all Eventia Reporter services
    * Change Eventia database settings with utility UpdateMySQLConfig (stop Eventia Reporter services first!)
    * Eventia Reporter is licensed per gateway

    Encryption

    * DH (Diffie-Hellman) is an asymmetrical encryption algorithm
    * SIC (secure internal communications)

    Installation

    * How many users can be created during setup: only one admin user with read-write permissions


    Commandline

    * cpstart: launches all Checkpoint applications
    * cpstop: stop all Checkpoint applications
    * fw start
    * fw stop
    * fw ver: display Checkpoint version
    * fw fetch [target]: fetches last policy
    * cpstop -fwflag -default: stop all Checkpoint processes and leave the default filter running
    * cpstop -fwflag -proc: stop all Checkpoint processes and leave the security policy running
    * fw ctl arp: Display the firewall ARP entries for automatic NAT objects
    * fw dbexport -f bla.ldif -l -s "o=bla,c=nl"
    * fw unloadlocal: unload the local security policy. This is a very convenient feature if you are not able to access the SmartDashboard, for example because of a too strict security policy
    * fwm unload [target]: unload a policy on target enforcement module
    * cplic print: print the details of the installed Checkpoint licenses

    NAT (expect tough questions about NAT!) Know how many NAT entries are created for automatic/manual and host/network object NAT.

    * If you use automatic NAT on a network object, there will be two NAT rules added to the firewall
    * Static NAT
    * Hide NAT
    * RFC 1918 - Address allocation for private IP networks, these IP networks cannot traverse public IP networks
    * Port numbers are assigned dynamically: 600-1.023 10.000-60.000. If the original port number is less than 1024, a port number is assigned from the first pool. Else a port number is assigned from the second pool.
    * The high port number pool can be changed with DbEdit
    * Automatic NAT rules
    * Manual NAT rules (example: necessary to do PAT for 1 static IP address, smtp to 192.168.1.1 and http to 192.168.1.2)
    * Several Global properties influence the way NAT is handled by the firewall: bi-directional NAT, automatic ARP
    * For a manual static NAT a manual ARP entry is necessary in the firewall OS
    * When the option Translate Destination on Client side is not enabled for automatic and/or manual NAT rules, problems can occur with anti-spoofing. Make sure to configure anti-spoofing correctly. Furthermore, when using manual static NAT and this option is disabled, you need host routing entries in the FW IP routing table to the private IP address.
    * When using automatic static/hide NAT, two NAT rules are always created

    SmartDefense

    * MAIL
    * FTP
    * Microsoft Networks
    * DNS
    * VOIP
    * SmartDefense is subscription based
    * Common attacks: Teardrop,LAND,SmallPMTU,PingOfDeath (know how these attacks work!)
    * Dshield.org integrates with SmartDefense by using a blocklist which is refreshed every 3 hours. The object that needs to be created is called CPDShield and this object must be used in a rule in the rulebase. Place the rule as high as possible, but below authentication rules
    * Host port scan, sweep scan

    Web Intelligence

    * This is a separate TAB in the SmartDashboard interface
    * HTTP worm catcher
    * Cross-site-scripting
    * HTTP protocol inspection
    Last edited by albertvandenburg; 2006-05-11 at 04:16.

  2. #2
    Join Date
    2006-04-24
    Posts
    8
    Rep Power
    0

    Default Re: Important CCSA exam information

    "* user-auth: telnet/ftp/rlogin/http/https. Two connections are created after successful authentication, 3 auth attempts by default"

    I thought https was not able to be used in user auth....is https something new to NGX for user Auth?

    thanks

  3. #3
    Join Date
    2006-01-26
    Location
    Moscow, Russia
    Posts
    704
    Rep Power
    15

    Default Re: Important CCSA exam information

    "I thought https was not able to be used in user auth....is https something new to NGX for user Auth?"
    From R55 manual "User Authentication provides authentication for five services: TELNET, FTP, HTTP, HTTPS, and RLOGIN."

  4. #4
    Join Date
    2006-04-24
    Posts
    8
    Rep Power
    0

    Default Re: Important CCSA exam information

    Just took the test and passed. The above brain dump is pretty accurate. Had specific SmartDefense attack questions, a lot of LDAP and SmartDirectory, NAT, SmartView Tracker, and had that collision question - but none of the answers match the KB article for that problem on Checkpoint's site LOL. I would have done much better if I had studied LDAP\SmartDirectory, as I did not at all. I studied for 215 not 215.1 - but at least I passed.

  5. #5
    Join Date
    2005-09-21
    Posts
    83
    Rep Power
    15

    Default Re: Important CCSA exam information

    Quote Originally Posted by albertvandenburg
    I downloaded the VMware Checkpoint image and tested all configurations....
    VMWare image!

    What is this about? Do you have a source I can use possibly

  6. #6
    Join Date
    2006-01-26
    Location
    Moscow, Russia
    Posts
    704
    Rep Power
    15

    Default Re: Important CCSA exam information

    "VMWare image!

    What is this about? Do you have a source I can use possibly"
    Use search on forum
    http://cpug.org/forums/showthread.ph...ghlight=vmware

  7. #7
    Join Date
    2006-05-11
    Location
    NL
    Posts
    7
    Rep Power
    0

    Default Re: Important CCSA exam information

    Check out this link http://www.vmware.com/vmtn/appliances/checkpoint.html
    Hope this helps !
    Albert

  8. #8
    Join Date
    2006-05-02
    Posts
    76
    Rep Power
    15

    Default Re: Important CCSA exam information

    Thanks for the question about CCSA NGX exam... I will try this Thursday, 18 May..


    Regards,
    Renato.

  9. #9
    Join Date
    2005-09-21
    Posts
    83
    Rep Power
    15

    Default Re: Important CCSA exam information

    Thanks for the link

  10. #10
    Join Date
    2006-05-02
    Posts
    76
    Rep Power
    15

    Default Re: Important CCSA exam information

    I failed.... :'(

    There are a lot of NAT questions... And I am bad at the NAT questions....

    I got a question about status collision and what it means too....

    Your guideline is good, but I am not good enough....


    Well, I will try the exam again!!!

    Regards...

  11. #11
    Join Date
    2006-05-08
    Location
    Walkertown, N.C.
    Posts
    15
    Rep Power
    0

    Default Re: Important CCSA exam information

    renato_rj,

    According to the CheckPoint NGX SmartCenter User Guide, Chapter 10 High Availability, page 207 (Acrobat Reader says it's page 211 though):

    Collision - the Active SCS and its peer have different installed policies and databases. The administrator must perform manual synchronization and decide which of the SCSs to overwrite.

    I would highly recommend a good read of this entire chapter...


    Russ Aspinwall
    CCSA, CCSE

  12. #12
    Join Date
    2006-05-02
    Posts
    76
    Rep Power
    15

    Default Re: Important CCSA exam information

    Astinius 1, this question I know... This chapter I read... My trouble is NAT, Manual NAT...

    Well, I will try the exam again...

    Thanks folks...

  13. #13
    Join Date
    2006-06-06
    Posts
    12
    Rep Power
    0

    Default Re: Important CCSA exam information

    80% of the questions in the exam are from the Check Point manuals i.e. the Official Courseware. Some of them word for word.

    From past experience the Bosons etc. do not help to prepare for this exam other than to get you into a test taking frame of mind.

    In my opinion it would be better to get the manuals & study them as well as practice on a test system.

  14. #14
    tinger1 Guest

    Default Re: Important CCSA exam information

    I failed the test the first time, too. Very helpful information. I will retake it next week.

  15. #15
    Join Date
    2006-06-10
    Posts
    5
    Rep Power
    0

    Default Re: Important CCSA exam information

    Hi,

    The questions which have come from NAT are too difficult to analyse. Even though I have been working in Checkpoint for the past 1 year I couldn't pass.

    Pls anyone help me for dumps.156.215.1


    Selva

  16. #16
    Join Date
    2006-06-03
    Posts
    34
    Rep Power
    0

    Default Re: Important CCSA exam information

    I have got my exam in a fortnight! Please could I have any dumps anyone has got.

  17. #17
    Join Date
    2005-11-04
    Posts
    2
    Rep Power
    0

    Default Re: Important CCSA exam information

    Hi to all
    I tried this link http://cpug.org/forums/showthread.ph...ghlight=vmware but it doesn't work. Is there another source for the image?

  18. #18
    Join Date
    2006-05-11
    Location
    NL
    Posts
    7
    Rep Power
    0

    Default Re: Important CCSA exam information

    The VMware SPLAT can be downloaded here:
    http://www.vmware.com/vmtn/appliances/checkpoint.html

  19. #19
    Join Date
    2006-05-11
    Location
    NL
    Posts
    7
    Rep Power
    0

    Default Re: Important CCSA exam information

    Update on manual static NAT.

    If you decide to use manual static NAT rules, for example when you must do
    PAT (port address translation) and you have only 1 public IP address, the
    processing order is different than the Checkpoint automatic NAT processing.

    1. anti-spoofing
    2. rulebase
    3. nat

    So in order to make the manual static nat rules work you must define the public IP address in the rulebase. Normally you would configure automatic
    nat on an object and in the rulebase you would see an object/host with a
    private/internal IP address. You need only 1 NAT/PAT entry per translation.

    Enjoy,
    Albert
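
A simplified model of the processing order this post describes (anti-spoofing, then rulebase, then NAT), added here as an example; it is not part of the original post and is not Check Point code. The public address, the source addresses and all function names are constructed for illustration, and the SMTP/HTTP mapping reuses the PAT example from the first post.

```python
# Simplified model (assumption, not Check Point code) of the order
# anti-spoofing -> rulebase -> NAT for manual static NAT / PAT.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"                  # constructed single public address
INTERNAL_NET = ip_network("192.168.1.0/24")
# Manual PAT table: (public ip, port) -> private host
MANUAL_NAT = {(PUBLIC_IP, 25): "192.168.1.1", (PUBLIC_IP, 80): "192.168.1.2"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def anti_spoofing_ok(pkt):
    # Traffic arriving from outside must not claim an internal source address.
    return ip_address(pkt.src) not in INTERNAL_NET

def rulebase_accepts(pkt, rules):
    # Accept on the first matching (dst, port) rule; otherwise the cleanup rule drops.
    return any(pkt.dst == dst and pkt.dport == port for dst, port in rules)

def process(pkt, rules):
    """Return (verdict, packet) after anti-spoofing, rulebase, then NAT."""
    if not anti_spoofing_ok(pkt):
        return "drop: spoofed source", pkt
    if not rulebase_accepts(pkt, rules):
        return "drop: cleanup rule", pkt
    private = MANUAL_NAT.get((pkt.dst, pkt.dport))
    if private is not None:
        pkt = replace(pkt, dst=private)     # translation happens after the match
    return "accept", pkt

# Rulebase written as for automatic NAT: destination is the private host.
RULES_PRIVATE = [("192.168.1.1", 25), ("192.168.1.2", 80)]
# Rulebase written for manual static NAT: destination is the public address.
RULES_PUBLIC = [(PUBLIC_IP, 25), (PUBLIC_IP, 80)]

if __name__ == "__main__":
    inbound = Packet("198.51.100.7", PUBLIC_IP, 25)   # constructed sample packet
    for name, rules in (("private", RULES_PRIVATE), ("public", RULES_PUBLIC)):
        print(name, process(inbound, rules))
```

With the rulebase evaluated before translation, the rule that names the private host never matches the inbound packet, which is why the post says the public IP address must appear in the rulebase.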

  20. #20
    Join Date
    2005-11-04
    Posts
    2
    Rep Power
    0

    Default Re: Important CCSA exam information

    Thanks Albert,
    but this is the link I tried. I've got a "Server Error" for the registration form.

    Tip to all: Download only SmartConsole from CheckPoint and use it in Demo-Mode. So you don't need any further installations
