Check Point Certified Security Administrator (CCSA)

Back in March, I did Palo Alto’s PCNSA exam. Since then I’ve been working with Check Point firewalls, so I decided to do their CCSA exam (for R81.20).

Normally, I would start by looking at the exam objectives. However, in this case I can’t, because they’re behind a paywall! The nearest thing that’s publicly available is the course overview. This is unusual: I haven’t seen any other exams that do this. It’s also notable that Palo Alto give out a free study guide (pdf), whereas Check Point ask you to pay $3250 for their course; I’m not sure whether that includes the exam itself ($250). However, you can book the exam without doing their course, and that’s what I did.

As with any certification, it’s worth asking a couple of questions:

  • If I’m applying for jobs, will this certification give me an advantage?
  • If I’m recruiting for a job, should I favour people with this certification?

In other words, what does this certification actually measure? What does it tell you about the person who has it? In brief, I’d say that a lot of the questions will be very easy if you have hands-on experience, and very difficult if you’ve just seen someone else do it in a video.

I can’t discuss specific exam questions because of the Non-Disclosure Agreement (NDA), so I’ll use London Underground (aka the Tube) as an analogy. If you’ve lived or worked in central London for a while, you’ll probably be familiar with the tube map, e.g. you’ll know that the Central line is red and the Circle line is yellow. That isn’t something you’d specifically sit down and memorise, but you’ll pick it up by repeated exposure. So, if I asked you which line is green on the map, that should be pretty easy.

On the other hand, suppose that I asked you what time the last train runs each night (from a station that you use regularly). Some people will know the answer by heart, because they often end up running for that train. Other people might be in bed by 10pm every night, so they’ve never needed to know.

Coming back to Check Point, there are some situations which will come up on a daily basis, and other situations which are less common. So, you might need to go out of your way to practise those scenarios, e.g. in a lab environment.

Now that I’ve got the CCSA, I’m going to start studying for the Check Point Certified Security Expert (CCSE). This includes some additional topics, such as High Availability (ClusterXL).

NB You need to be CCSA certified before you can get the CCSE. (Cisco used to have a similar policy, e.g. you needed CCNA before CCNP, but they’ve relaxed that now to just say that you need equivalent knowledge.) I think the CCSE will be more useful, but the CCSA is a necessary step along the way.

Topics

After I finished the exam, I received a score report. This gave my overall score, and my score for each section. I think it’s ok to repeat that list of sections here (without breaking the NDA):

  • Chapter 1: Introduction to Check Point Quantum Security Management
  • Chapter 2: Check Point Gateway and Server Deployment
  • Chapter 3: Check Point Security Administration
  • Chapter 4: Check Point Licensing and Contracts
  • Chapter 5: Security Policy Management
  • Chapter 6: Policy Layers
  • Chapter 7: Check Point NAT
  • Chapter 8: Security Elevation
  • Chapter 9: Site-to-Site VPN
  • Chapter 10: Monitoring Operations
  • Chapter 11: Security Maintenance
  • Security Admin Issues

I assume that those chapters correspond to the official study guide (which you’d get by attending the course). So, it gives an indication of what you should be covering if you do self-study. In particular, look for anything that you’re not already familiar with.

Preparation

The study method you choose will partly depend on prior knowledge. In my case, I’ve worked with other firewalls before (e.g. Microsoft ISA/Forefront TMG, Cisco ASA, and Palo Alto). I also had 6 months of experience working with Check Point firewalls; as part of that, I’d read through the documentation for specific tasks. So, I was just looking to fill the gaps, rather than starting from scratch.

On YouTube, I recommend watching the videos by Magnus Holmberg. He doesn’t cover the entire syllabus, but there’s some useful content (free of charge) and he knows what he’s talking about.

There are several courses available on Udemy, and I paid for this one:
Checkpoint Firewall R81 CCSA (Updated 2023) | Udemy
Right now, that has the “Bestseller” badge, i.e. it’s the course that most students have purchased in this category. However, I don’t recommend it. There is some useful material in there, but you have to sit through hours of tedium to get to it. It feels like watching a recording of a livestream, where there’s been no real attempt at video editing.

I think that video 89 (“Infinity Threat Prevention”) is the clearest example of what’s wrong. It starts with a couple of minutes where the instructor describes the concepts, which is fine. He then says that there will be a new page called “Infinity Threat Prevention”, and spends 30 seconds looking for it before he realises that it was already visible under a different name (“Autonomous Policy”). When he clicks that, he says that “You will see a very important page”. Except that we don’t. There’s just a blank white page, with a spinning circle (equivalent to an hourglass) which goes away after a while. He then spends 2 minutes trying to get this working, mostly in silence, while he clicks back and forth between different pages. Eventually he gives up.

Another video has someone reading a pdf, and it’s very obvious that this is the first time he’s seen it. At one point, he doesn’t understand something, and literally says “I’m guessing that it means this”, but his guess was wrong.

I understand that people will get stuck and make mistakes, and there’s no shame in that. However, the professional approach would be to re-record the video. Even if they can’t get it working, they could summarise, e.g. “This isn’t working right now, but it would normally show XYZ.” There’s no reason to make their paying customers watch them fumbling around.

If you’ve ever watched “What we do in the Shadows”, think of the energy vampires: this is the type of course that they’d make on purpose, to be as frustrating as possible!

The course also has some pdfs as resources, and I noticed that a couple of them were labelled as “CP4B”. You can access that material free of charge on the Check Point website:
Check Point for Beginners – Check Point CheckMates
(The Udemy course doesn’t mention that website, i.e. they’ve taken someone else’s content without attribution.) I’ve only glanced at the CP4B material, so it’s not essential, but I’d say that it’s worth a look for any topics that you’re not confident about.

Booking the exam

I booked the exam via Pearson Vue:
Check Point :: Pearson VUE

It’s worth keeping an eye on that page, because they often have discounts. For instance, there was a 25% discount in September 2023 to celebrate the launch of the new exams (for R81.20). They also offered discounts in October 2023 for Cyber Security Awareness Month, and it wouldn’t surprise me if they do something at the end of November for Black Friday.

In my case, I saw an offer where I could get a 30% discount and a free retake if I failed. The condition was that I had to do my first exam attempt that week (by 21st October), and then the second attempt was valid until 31st December. That was sooner than I’d intended to take the exam, but I figured that I could treat the first one as a practice attempt (to identify any weak spots), then I’d have another 2 months to prepare for my “real” attempt. As it turned out, I passed first time. So, I didn’t need the second attempt, but the discount was still welcome.

I’ll also quote this section from the Pearson Vue page:

Check Point offers practice exams for the CCSA and CCSE certification exams. Each practice exam is a subset of questions from the actual exam. Each question is accompanied by the correct answer. These 40-question exams are $50 USD.

Before I heard about the discount, I’d considered paying for a practice exam, because that would be cheaper than 2 attempts at the full exam. I don’t use “dump” sites (with copies of exam questions) but this is an official Check Point exam so I don’t think it counts as cheating.

Taking the exam

I sat the exam at home, via online proctoring. I’ve done that for several other exams; there’s a bit of extra hassle (e.g. taking photos of the room), but it was easier than getting to a test centre.

Once the exam starts, you have 90 minutes to answer 100 questions. These were all multiple-choice (no simulations), and you can go back to previous questions.

It took me 55 minutes for my first pass (so I averaged about 30 seconds per question), and I flagged several for review. I then spent another 20 minutes reviewing my answers: I started with the questions I’d flagged, then went through all 100 again. That left me with 15 minutes on the clock when I finished the exam. So, if you’re prepared then I don’t think you need to worry about running out of time in this exam.

After the exam

When I finished the exam (on Saturday morning), it displayed the results on the screen right away, and I received an email a few minutes later with my detailed score report (as mentioned above).

I then received two further emails from Check Point on Monday evening.

The first message said “Congratulations on becoming CCSA”, which included a link to a downloadable certificate (pdf). This also said that I now have access to SecureKnowledge (i.e. their knowledge base articles) for 24 months, but I already had access to that before the exam with a free account, and I haven’t noticed any difference.

The second message said that I’d earned a digital badge, which is linked to my Credly account.

NB Although this was Monday evening in the UK, it was Monday morning in the USA. So, I’m guessing that someone has to manually review the exam results and click a button to make everything official. In any case, it won’t take long.
