Check Point Certified Troubleshooting Administrator (CCTA) 156-580 Exam Preparation Tips and Impressions
Yuri Slobodyanyuk
Network & Security Engineer and Firewall Expert | Problem Solver | Introvert in the Extroverts' Land
The following, I hope, will help you to prepare better for the exam as there is no information I could find anywhere.
NOTE: Links to all the resources I mention in the text are at the end. Also, for obvious reasons this article does not contain actual questions from the exam.
First, the exam wasn't easy by any means and I've been passing #Checkpoint exams starting with R60. Still, it is doable. There are all in all 75 questions. There were no long-winded questions as in the past spanning 4-5 lines. I didn't need to actually type anything - only multiple answer types of questions. I took the exam via the PearsonVue online proctoring and had 0 issues with the technical side of it. If you plan on taking it online for the first time, make sure to see Youtube walk-throughs of the process to prevent any surprises and run System Test software from PearsonVue BEFORE actually ordering the exam. Now, to the exam preparation itself.
- Official materials. Start your preparation with the exam topics in the official preparation course syllabus. As I understand from bits of information found on the Checkpoint Community forum and elsewhere, the distinction between CCTA and Check Point Certified Troubleshooting Expert (CCTE) exam is not in the level of expertise, but rather in the topics. I haven't taken CCTE yet. By this I want to say - don't be fooled by "Administrator" versus "Expert" in the exam title. I didn't take the official Checkpoint course, so can't comment how it helps to pass the exam. In theory, you can buy just the official courseware from Checkpoint catalog website (about 650$ last time I checked). The catch, though, is that you can't directly buy it from Checkpoint - when trying to pay for it, the website refers you to your Account Manager. And from, again, reports on the Checkpoint Community forum - they (AM) will refer you back to ATC center, which of course will have no incentive to sell you just courseware, without the instructor based course of their own (2000$-3000$ depending on location).
- CCSM R80 overlap. The exam, unfortunately, had very few questions from CCSM R80; my rough estimate would be about 15 out of 75. It means it is NOT possible to pass the exam on CCSM R80 knowledge/study materials/experience only.
- New: UserCenter TAC website procedures questions. That was a surprise. I answered one such question wrong just because I lacked context: the question asked about specifics of the UserCenter website and I didn't understand that they were actually testing on the TAC website and not on a technical issue of the firewall. To prepare for such questions, I would suggest a dry run of opening ALL types of tickets, stopping just before hitting the "Submit" button. Know what types of tickets exist, how they differ, what information each one requires, etc.
- This is an R80.20+ based exam. The official preparation course is titled "R80.30 ...", so it is expected. The point to remember, especially for those who have experience with pre-R80.30 versions and exams (like me), is: when in doubt, assume this is an R80.30-specific exam only. Many features we've known for years in Checkpoint have changed in R80.30 and you may fall into the trap of answering the R77.30/R80.10 way. E.g. (not from the real exam, but it could be) - fw monitor questions, which are always present in such exams. Before R80.20 Take xxx and R80.30, it was the Checkpoint recommendation to disable SecureXL before running fw monitor, and exams followed suit. Not any more - starting with R80.30 GA, you don't have to disable SecureXL to see all the traffic. So, today, an answer containing "Disable SecureXL before running fw monitor ..." will be wrong. Kernel debug, which is always present as well, changed too. Refresh your knowledge even for the well-known topics.
- More than usual questions on fw monitor. fw monitor questions were always on this exam (CCSE+, CCSM), but I felt this time they increased in number and depth. So, know all the switches/options and how to work with this sniffer well. And again - refresh your knowledge for R80.30 as new options such as filtering/insertion points appeared.
- Blades that are on the topics list - know their debug well. Obvious, but still - Security Blades listed on the official course syllabus make a large portion of the exam. Know their specific debug, daemon names, files they create/use, their databases locations.
- Kernel debug. No news here - you have to remember general steps in running kernel debug for at least popular modules like ClusterXL, NAT, IPSec VPN. Pay attention that usual ???? ?????? ?????????? ???? +... syntax is not enough in R80.30. That is - learn both ???????????? and ????????????.
- Daemons and their ports. This sort of question is present in, it seems, all the Checkpoint exams. In the References section below I put Heiko Ankenbrand's complete cheat sheet on which daemon works on which port, including the changes in R80.30. Memorize this cheat sheet, you'll thank me and Heiko later.
- Read ATRGs on relevant topics. Reading Advanced Technical Reference Guides (ATRG) is my way to prepare extra for the exam. I can't say this is strictly necessary, but helps to feel more confident. If you do, read only ATRGs on the topics mentioned in the official course list.
- Timothy Hall book. I didn't read it specifically for the exam, but for my work and recommend it not only for optimization but debug as well. The book is R80.30+ only so helps with exam topics as well.
That's all for this exam. If you have additional tips for this exam, share them in the comments for the benefit of all of us. Make sure to share this with your friends who prepare for the exam. Thanks for reading, nice and peaceful weekend to everyone.
References.
Official Checkpoint CCTA Preparation Course Syllabus
Heiko's Cheat Sheet of Daemons and Ports
List of all ATRGs on the Checkpoint site
fw monitor complete reference on Checkpoint SecureKnowledgeBase
Heiko's fw monitor Cheat Sheet, with R80.30 differences highlighted
Tim Hall's book on Checkpoint Firewall Optimization, updated for R80.30 and newer
Kernel Debug Modules and Flags, R80.40
Heiko's Visual Graph of R80.30+ Packet Flow
Collection of useful kernel debug options on Checkpoint Community
Youtube video by Mark Anthony V. Melendres walking through the PearsonVue online exam procedure
Thanks for your useful and valuable overview. It really helped me in passing this tricky exam ;).
Security Software Engineer at Check Point Software Technologies, Ltd.
3 years ago
Hi, I just took the CCTA thinking it's a variation of the CCSM so I studied accordingly, but I failed by 1 question. I made a 90 on my CCSE btw, and study for these things intensely. I am more security though, and there were very few security related questions on my exam. It's lots of management/logging stuff and how to troubleshoot it. I had a number of questions asking for the correct syntax to troubleshoot various port 18191 and 18192 questions, and then 1 had me have to decide which one of those ports and from which device (management or firewall) to enter the syntax. The user center questions were annoying since the only ones at TAC that would know what SK's a customer could access and whether that requires a contract are Account Services. There were a number of questions on VPN SA too. Here's the sections they tested from on my CCTA.
- Chapter 1: An Introduction to Troubleshooting
- Chapter 2: SmartConsole and Policy Management Troubleshooting
- Chapter 3: Monitoring Logging Activity
- Chapter 4: Troubleshooting Issues with NAT
- Chapter 5: Understanding the Unified Access Control Policy
- Chapter 6: Basic VPN Troubleshooting
- Chapter 7: Monitoring ClusterXL Connections
- Chapter 8: Identity Awareness
- General Troubleshooting
Very nice write-up. Why wouldn't you also post it to the CheckMates community? It would help a lot, in the Training and Certification section.
Senior Security Engineer, Architect, Consultant | Curious Quantum Cyber Cat
3 years ago
Thank you very much for sharing your impressions and your experience! Very interesting post as always.
Network security engineer (PCNSE, CCSM-E, etc), Associate Professor (IVSPU)
3 years ago
Thank you very much for your described experience. I will focus on it when preparing for my exam.