My Check Point CCSA R76 Study

Hi All,

Long time lurker and love this site, so I thought i would give a little back.... I have seen people asking about the CCSA and lab setup, exam cost, course value and the like so I thought i would pot up my studies to date. I plan to take this exam in the next 1-2 weeks so hopefully this thread will be of some benefit to someone! I also have my own blog that i will be posting on, so feel free to check it out (mods I hope this is ok to link?) - weight.mn

I’m starting down the path to increase my networking security knowledge and having worked with a great guy on a previous project from Check Point, I think I’ve found a nice way to get some new knowledge and potentially a CCSA certification! Now if I’m going to do this then I’ll need to get cracking and get serious!

Study Resources:
R76 Security Administration - Student Manual

R76 Security Administration - Lab Manual

CBT Nuggets CCSA Gaia 156-215.76 Videos - cannot recommend these enough!

Check Point Security Administration - Study Guide - 2013 Edition

I’ll have to look around to see if I can find any practice exams…. any ideas guys?

Lab setup:
Although I had initially intended to use XenServer 6.2 and XenCenter, it has been initially scrapped as it just didnt play nicely with the Realtek 8111E onboard NIC. XS installs but the networking on it is horrid for this board that I have… I’ve chosen to download and install VMWare ESXi 5.1 U1 as it has much better support for my hardware and so far I havent run into any trouble. With all that said here is the hardware list - its not a pricey build!

Physical ESXi Host:

MB: Asrock 970 Extreme 4 - Supports AMD-V (AMD’s equivilent of VT-x)
CPU: AMD FX(tm)-4300 Quad-Core Processor - this lab isnt CPU intensive, so something basic
RAM: 16GB generic
PSU: Corsair 860 Plat
GFX: Old AMD 3450 as MB doesnt have onboard
Drives: 1xSeagate Constellation 1tb - enterprise class drive. This will have ESXi installed on it and will also be used as the main Datastore. If I find a SSD in the future I may add it in to speed things up.
OS: ESXi 5.1

I’ll be using my current media server (HP N54L) to access the ESXi host with the vSphere client.

This setup easily runs the following VM's:

2 x R76 Gaia Gateway Firewalls. Each has 3 interfaces.

1 x R76 Gaia Management Server. 1 interface
2 x Windows 7 “HQ” and “Branch” VM’s. 1 Interface each
2 x W2K8 R2 “DMZ” servers. 1 interface each

Other Considerations:

You need to take into consideration how a Check Point deployment might work in the real world. For example, you might have LDAP integration (read: AD, OpenLDAP, etc.) which means you need to know how to get these running in you lab, you might have multiple internal networks and multiple firewalls. You will need to look through firewall logs, so you will need to generate traffic on your virtual network and by this i mean a web server or ftp server (Tinyweb is great little web server for labs).

Study Plan:

I will be going through each of Keith Barkers CBT nuggets videos and answering the example questions (mods, is it ok to post those questions and answers?) as well as questions and answers from the Check Point study material. If there is any interest, I can post these up... I will also be using the study guide provided by Check Point for the exam.

Find more posts tagged with

Comments

atech

Now, IMO, one of the first things I do when studying is to find out what the actual requirements are for the course. Thankfully, Check Point have made this easy and have laid it all out in their CCSA R76 Study Guide! I have had a chat to a friend who works for Check Point Professional Services and, having completed the CCSA, thinks that the study material covers only about 80% of the exam questions with the other 20% being made up of real-world "knowledge" which you would only get in using the product. Now the exam only requires a 70% pass rate, so simply by studying the material and ensuring that I've got everything covered I should be OK! Check Point also offer a free practice exam for the R76 CCSA - found here and there is also one for the R75 exam here which may help as well because the R75 is not so hugely different from R76 (SPLAT vs. GAiA, sysconfig vs. cpconfig) but it should lead you to researching (googling) the terms and products more which will hopefully provide some easy "real-world" experience!

Exam Topics [Time permitting, I'll go through each of these in subsequent posts]:

Describe Check Point's unified approach to network management, and the key elements of this architecture.

Design a distributed environment using the network detailed in the course topology.

Install the Security Gateway version R76 in a distributed environment using the network detailed in the course topology.

Given network specifications, perform a backup and restore the current Gateway installation from the command line.

Identify critical files needed to purge or backup, import and export users and groups and add or delete administrators from the command line.

Deploy Gateways using sysconfig and cpconfig from the Gateway command line.

Given the network topology, create and configure network, host and gateway objects

Verify SIC establishment between the Security Management Server and the Gateway using SmartDashboard.

Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use.

Evaluate existing policies and optimize the rules based on current corporate requirements.

Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades and minimal downtime.

Configure NAT rules on Web and Gateway servers.

Use Queries in SmartView Tracker to monitor IPS and common network traffic and troubleshoot events using packet data.

Using packet data on a given corporate network, generate reports, troubleshoot system and security issues, and ensure network functionality.

Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor suspicious activity rules, analyze tunnel activity and monitor remote user access based on corporate requirements.

Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new installations, and license modifications.

Use SmartUpdate to apply upgrade packages to single or multiple VPN-1 Gateways.

Upgrade and attach product licenses using SmartUpdate.

Centrally manage users to ensure only authenticated users securely access the corporate network either locally or remotely.

Manage users to access to the corporate LAN by using external databases.

Use Identity Awareness to provide granular level access to network resources.

Acquire user information used by the Security Gateway to control access.

Define Access Roles for use in an Identity Awareness rule.

Implementing Identity Awareness in the Firewall Rule Base.

Configure a pre-shared secret site-to-site VPN with partner sites.

Configure permanent tunnels for remote access to corporate resources.

Configure VPN tunnel sharing, given the difference between host-based, subunit-based and gateway-based tunnels.

Resolve security administration issues.

atech

Ok, so far so good. I have gone through all of Keith Barkers videos which were fantastic and I am moving onto the Check Point provided material. I've also worked my way through the first few objectives which i've listed below.

Describe Check Point's unified approach to network management, and the key elements of this architecture.

Check Points "SMART" (Security Management ARchiTechture - odd, i know :] ) architecture consists of 3 key elements. First, the Security Management Server, Secondly, the Security Gateway Server, and lastly the Security SmartConsole. The Security Management Server provides centralised administration of a Check Point network infrastructure. It also serves as a centralised policy rule distribution server to the Security Gateway Servers and is managed by the Security SmartConsole (Windows only application). Security Gateways are essentially firewalls that are managed by the Security Management server and protect internal resources based on state-full inspection rules. These can perform not only as a firewall but also for remote access (IPsec VPNs), application firewall/URL filtering, IPS/IDS, SSL inspection, Anti-Virus/Anti-Bot and Data Loss Prevention (DLP).

Design a distributed environment using the network detailed in the course topology.

Check Point R76 has two main deployment options: Distributed and Standalone. In a Standalone environment both the Security Management server and the Security Gateway are installed on the same server and managed via the SmartConsole. In a distributed environment, the Security Gateway and Management Server are installed on separate servers. In a distributed environment there is a 1-N relationship and the Management server having the capability of HA (although not covered as part of the CCSA). See below for a rough distributed topology (excuse the "AWS Cloud" label). Urgh, just realised I have a address conflict of 192.168.1.100 (i'll change that :] )

Install the Security Gateway version R76 in a distributed environment using the network detailed in the course topology.

For this, I'm not going to detail what was done here as it would be lengthy.. What I will say is that the installation is pretty straightforward, performing the following functions at a minimum:

Set /var/log, / sizes during installation. One thing to keep in mind is that SmartLog needs 15gb to be used, so make sure that you have around 20+gb space allocated for Logs if you want to use it.
Set the management interface for the two gateways and the management server during installation.
Connect to the WebGUI to set default route, messages and interface addresses. You could also use this time to take a snapshot via the WebGUI. This is done via HTTPS for the 2 GW's and Management server
Download, install, connect to Management server using SmartConsole.
Initialise and setup Trust for SIC between the Management server and 2 GW's.

Given network specifications, perform a backup and restore the current Gateway installation from the command line.

Access the gateway via console or SSH (defined during initial setup of the gateway as the management interface) using the username and password defined during creation. For Backup/Restore: In this console you type "add backup " the default "local" location is at /var/CPbackup/backup. Use the command "show backup status" for a print out of the status of the backup. To restore you can type the command "set backup restore local" where "local" can be any directory that you have specified. Once done you will need to reboot the Gateway.

Identify critical files needed to purge or backup, import and export users and groups and add or delete administrators from the command line.

For adding/removing users: In the console type:

[LIST=|INDENT=1]
[*]"add user sam uid 200 userdir /home/sam
[*]"set user sam password" enter password
[*]"show users"
[*]then to delete: "delete user sam"
[*]"show users"
[/LIST]

Expert Mode setup: In the console type:

[LIST=|INDENT=1]
[*]"set expert-password"
[*]enter password
[*]"save config"
[/LIST]

Additional commands such as netstat, tcpdump, df, ps, top can then be used in expert mode. Firewall commands in the CLISH console should be used: fw stat, fw getifs, fw ver are all helpful.

Deploy Gateways using sysconfig and cpconfig from the Gateway command line.

sysconfig is only used in SPLAT and not used in GAiA. cpconfig can be used to help setup a Gateway, but you cannot define the type of install via console as this is done via the WebGUI. You can reset SIC from cpconfig, read the fingerprint for SmartConsole first time verification, setup ICA though and setting up expert mode.

Given the network topology, create and configure network, host and gateway objects

This is performed via the SmartDashboard. Need to right click > add on each "network", "CheckPoint", and "node" section and add the appropriate object. For example, for the "Alpha HQ" network, you would right click > add on the "network" tree and you would give the new object a name (Alpha-HQ), a IP network (whole network 10.1.1.0) and subnet (255.255.255.0), and define whether or not you want source or destination NAT to be performed and click save. A similar process is followed to add a "host" in the node section. To add a gateway object, the same process is followed, assuming that the previous 2 dot point have been performed first either via the GUI (HTTPS connection) or via the console/CLI. The Manager should recognize that there is a gateway(s) if it is in its default route and you will be able to enter the "management" IP of the gateway that was nominated during setup.

CCSA Lab Topology.jpg

xax

Thanks. Are very useful informations for me.

atech

Well, in between my last post and today I have successfully passed the CCSA R76 exam, my first exam in quite some time. I do have more notes to add on the course objectives but this will take some time. I thought I would quickly list some of my overall thoughts for this exam:

- The CBT Nuggets videos by Keith Barker were absolutely fantastic, and covered not only the course content but also some more "real world" scenarios and tips. These videos also walk you through setting up your lab and have a semi-live demonstration of software and server configuration. I highly recommend it, thanks Keith!
- If you have bought the R76 CCSA courseware from Checkpoint then DO THE PRACTICE EXAM included with it. Trust me. you wont regret it.
- Some key areas to ensure that you study are VPN's, Identity Awareness, Checkpoint Deployment platforms, and of course rules and policies.

Cheers, -A

sojourn

Congrats!

Nimal-sl

Thanks a lot atech and congrats on your achievement! This is very useful to me as well as I'm preping for my CCSA these days

Please do post more tips, advice as you get time

swagatsourav

I am using VBOX as opposed to vmxi. Since i am new to VM world, can some please explain, as to which interface i would need to connect the firewalls external interface to. so that when i do SIC communication, it gets recognized as external network. Do i have to create a host only adapter and assign the same ip to it as in my home network and the connect the external facing interfaces of both the adapters to that newly created adapter

atech

Thanks for the congrats guys, much appreciated! I haven't as of yet made a concerted effort to post the rest of my notes but I feel that my 3 main posts should lead into the right direction for your own study.

swagatsourav wrote: »

I am using VBOX as opposed to vmxi. Since i am new to VM world, can some please explain, as to which interface i would need to connect the firewalls external interface to. so that when i do SIC communication, it gets recognized as external network. Do i have to create a host only adapter and assign the same ip to it as in my home network and the connect the external facing interfaces of both the adapters to that newly created adapter

Hi swagatsourav, welcome!

I am going to make a couple of assumptions in answering your post, please bear with me:

By "VBOX" i assume you mean the VirtualBox product from Oracle
I assume you have 2 or more interfaces on your gateway, one designated for internal traffic and one for external traffic
I assume you have a management server installed
From your post I am going to assume you want to establish SIC communication between the mgmt server and the gateway.

You will need to define, via the WebGUI on the gateway your internal and external interfaces. Your internal interface will reside on the same subnet as your management server and your external interface will reside on a different subnet to that of the internal one. In defining the above in the WebGUI on the gateway you are helping yourself as when you go to add the gateway in the management server, it should detect the internal network interface that you have configured on the gatewat WebGui - neat!

Once you have added the gateway on the management server you can then test and establish SIC communication between the management server and the gateway.

I hope this makes sense, and helps!

P.S: If you are feeling a bit lost on virtual networking take a look at this blog post.

EngRob

Congrats! I'm currently studying for CCSA and exam is coming soon (too soon). Thanks for your tips!!!!

I'm running my lab on Mac in Paralles and it was a little tricky to setup. If anyone else runs into the same issue I can send the command list to configure the virtual networking and save a couple hours of time

SephStorm

Where can I download everything required to set it up?

I've found this:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk97617

But i'm not sure if I need just the Gaia or if I need other stuff, I'm looking at a blog post that mentions Secure Platform, which I don't see on that page.

FYI, i'm not seeking certification, just interested in setting up a checkpoint FW for my network.

cissptst

Hello Atech,

I get the following error in SmartDashboard "Trial period has expired on "10.1.1.25" which MGMT server..... and when i login to MGMT server and it shows that its going to be expired in 15 days..... did you face this issue before?

I have timezone and everything configured correctly.... its really weird...

Thanks

moyondizvo

SephStorm - I know that it is an old post but did you get a response for your question? If not let me know.

cissptst - How long have you been running SmartDashboard without a license? They normally give you 15 days to play around with it before you have to buy the license, unless if you are running the 30 day student copy.

roch_greg

SephStorm:

I worked with Checkpoint NGX for about 7 years at my last gig, I'll try to answer some questions for you.

GAiA - This is Checkpoint's latest Operating System which replaces Secure Platform. Prior Secure Platform you could just load Checkpoint onto a Redhat Linux kernel and you were set.

If you look at this page http://www.vue.com/checkpoint/newseries/index.asp#R75 you can see the differences in exams. If you want to stay with Secure Platform then you would need to take R75 based exam# 156-215.75. The test for the latest platform (GAiA) is 156-215.76.

Accordingly you would download the image/software for the platform you want to test on.

Both exams are current. The deciding factor for most engineers is what platform they are working with, assuming the shop they are at is relatively current. Checkpoint has major releases every 6 to 12 months and you can't get them unless you have a maintenance contract which is pricey. You have to be on maintenance even to get patches.

karnivor

Hello guys!
Hello Atech! Congratulations in your certification!
Do anyone know if the R76 CCSA courseware is worth it to pass the certification exam? How much is it and where can we buy it?
Or do you think that CBT Nuggets and some Labs are enough? If so, is there any LAB guide available?

Thanks a lot guys!!

rwent

Hello Karnivor, it is sure worth it, and yes, doing the CBT Nuggets and the Labs within are a great study help. Also read the admin, cli and VPN guides.

pizzahut

Thanks for the info.

sqadri2009

atech wrote: »

Hi All,

Long time lurker and love this site, so I thought i would give a little back.... I have seen people asking about the CCSA and lab setup, exam cost, course value and the like so I thought i would pot up my studies to date. I plan to take this exam in the next 1-2 weeks so hopefully this thread will be of some benefit to someone! I also have my own blog that i will be posting on, so feel free to check it out (mods I hope this is ok to link?) - weight.mn

I’m starting down the path to increase my networking security knowledge and having worked with a great guy on a previous project from Check Point, I think I’ve found a nice way to get some new knowledge and potentially a CCSA certification! Now if I’m going to do this then I’ll need to get cracking and get serious!

Study Resources:
R76 Security Administration - Student Manual

R76 Security Administration - Lab Manual

CBT Nuggets CCSA Gaia 156-215.76 Videos - cannot recommend these enough!

Check Point Security Administration - Study Guide - 2013 Edition

I’ll have to look around to see if I can find any practice exams…. any ideas guys?

Lab setup:
Although I had initially intended to use XenServer 6.2 and XenCenter, it has been initially scrapped as it just didnt play nicely with the Realtek 8111E onboard NIC. XS installs but the networking on it is horrid for this board that I have… I’ve chosen to download and install VMWare ESXi 5.1 U1 as it has much better support for my hardware and so far I havent run into any trouble. With all that said here is the hardware list - its not a pricey build!

Physical ESXi Host:
MB: Asrock 970 Extreme 4 - Supports AMD-V (AMD’s equivilent of VT-x)

CPU: AMD FX(tm)-4300 Quad-Core Processor - this lab isnt CPU intensive, so something basic

RAM: 16GB generic

PSU: Corsair 860 Plat

GFX: Old AMD 3450 as MB doesnt have onboard

Drives: 1xSeagate Constellation 1tb - enterprise class drive. This will have ESXi installed on it and will also be used as the main Datastore. If I find a SSD in the future I may add it in to speed things up.

OS: ESXi 5.1

I’ll be using my current media server (HP N54L) to access the ESXi host with the vSphere client.

This setup easily runs the following VM's:

2 x R76 Gaia Gateway Firewalls. Each has 3 interfaces.

1 x R76 Gaia Management Server. 1 interface
2 x Windows 7 “HQ” and “Branch” VM’s. 1 Interface each
2 x W2K8 R2 “DMZ” servers. 1 interface each

Other Considerations:

You need to take into consideration how a Check Point deployment might work in the real world. For example, you might have LDAP integration (read: AD, OpenLDAP, etc.) which means you need to know how to get these running in you lab, you might have multiple internal networks and multiple firewalls. You will need to look through firewall logs, so you will need to generate traffic on your virtual network and by this i mean a web server or ftp server (Tinyweb is great little web server for labs).

Study Plan:

I will be going through each of Keith Barkers CBT nuggets videos and answering the example questions (mods, is it ok to post those questions and answers?) as well as questions and answers from the Check Point study material. If there is any interest, I can post these up... I will also be using the study guide provided by Check Point for the exam.

Could you please share the following resources:

Study Resources:
R76 Security Administration - Student Manual

R76 Security Administration - Lab Manual

sqadri2009

Hi Atech

Please share the links for the following resources:
Study Resources:
R76 Security Administration - Student Manual

R76 Security Administration - Lab Manual

atech

sqadri2009 wrote: »

Hi Atech Please share the links for the following resources: Study Resources: R76 Security Administration - Student Manual R76 Security Administration - Lab Manual

Persistent! Unfortunately, you will have to purchase these as the ones that I received are hard paper copies - not sure if they're available in pdf/ebook format.

Edit: wow, this post sure got popular! I thought it would just slide off into the ether that is the internet. Just thought that i'd update to say that i've moved away from technical infosec and into some IAM/Governance work. Now studying for my CISSP.

I won't be posting any more of my study materials up here on this as i'd only typed up formally what you see here. It does make me happy to see that people have enjoyed it by the number of views!

-Atech

ClShef1753

$600 for the training manual from the Checkpoint site; no wonder there are no e-books or pdfs out there.

MupEHcEH

Hello, I hope you are still following this thread.
I use VirtualBox for, same topology, just a little different addressing on the "outside network". All the interfaces on all virtual machines (MGR, FWs, PCs) are configured as internal except for the interfaces of FWs that are connecting to outside network - those are bridged to my host's WLAN card. Yesterday I had a problem with the part where we create a web server in the HQ-DMZ area. I ran apache on linux mint and the problem was that I was able to access the apache web page from the mint machine obviously and from the virtual host on the HQ-Inside network, but NOT from the physical box i am staying at. The packet tracer was showing some dropped UDP nbname packages. After some struggle i was too tired and gave it up. Today, i started everything to give it a try again - voila - i could open the apache web page from the physical box. So now, i am trying to connect the second FW - FW2 to the manager and it does not work, smartviewtracker shows lots of packets destined to google's DNS (which i have set) but there is no communication between them. Translated address of Manager and FW2 are on the same network. Traffic from inside is allowed to go outside... why i cannot link those 2 appliances together?

This is what i get when i intend to:

SIC Status for Br-FW2: Unknown

Could not establish TCP connection with 192.168.0.22

** Please make sure that Check Point Services are running on Br-FW2 and that TCP connectivity is allowed from Security Management Server to IP 192.168.0.22, Port 18191 **

MupEHcEH

Hi, not that anyone asked

but i fixed it. Deleted the FW2 and reinstalled it - on the setup wizard I noticed the clock was 1 hour behind my local (which was setup on my manager and FW1) - I don't why, however changing it to correct time fixed it.

atech

ClShef1753 wrote: »

$600 for the training manual from the Checkpoint site; no wonder there are no e-books or pdfs out there.

Yep, I had work pay for the material. You can find resources but they won't be through any legitimate means.