Study Guide
TRADEMARKS
©2003-2010 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Endpoint Security On Demand, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartProvisioning, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, Total Security, the totalsecurity logo, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications.
DISCLAIMER OF WARRANTY
Check Point Software Technologies Ltd. makes no representation or warranties,
either express or implied by or with respect to anything in this document, and shall
not be liable for any implied warranties of merchantability or fitness for a particular
purpose or for any indirect special or consequential damages.
International Headquarters: 5 Ha’Solelim Street
Tel Aviv 67897, Israel
Tel: +972-3-753 4555
U.S. Headquarters: 800 Bridge Parkway
Redwood City, CA 94065
Tel: 650-628-2000
Fax: 650-654-4233
Technical Support, Education & Professional Services: 8333 Ridgepoint Drive, Suite 150
Irving, TX 75063
Tel: 972-444-6612
Fax: 972-506-7913
E-mail any comments or questions about our
courseware to courseware@us.checkpoint.com.
For questions or comments about other Check
Point documentation, e-mail
CP_TechPub_Feedback@checkpoint.com.
Revision: R70001
The Check Point Certified Security Administrator R70 exam covers the following
topics:
Describe Check Point’s unified approach to network management, and the key
elements of this architecture
Design a distributed environment using the network detailed in the course
topology
Install the Security Gateway version R70 in a distributed environment using
the network detailed in the course topology
Given Check Point’s latest integration of CoreXL technology, select the best
security solution for your corporate environment
Given network specifications, perform a backup and restore the current
Gateway installation from the command line
Preface: The Check Point Certified Security Administrator Exam
Identify critical files needed to purge or backup, import and export users and
groups and add or delete administrators from the command line
Deploy Gateways using sysconfig and cpconfig from the Gateway command
line
Use the Command Line to assist support in troubleshooting common problems
on the Security Gateway
Given the network topology, create and configure network, host and gateway
objects
Verify SIC establishment between the SmartCenter Server and the Gateway
using SmartDashboard
Create a basic Rule Base in SmartDashboard that includes permissions for
administrative users, external services, and LAN outbound use
Configure NAT rules on Web and Gateway servers
Evaluate existing policies and optimize the rules based on current corporate
requirements
Maintain the Security Management Server with scheduled backups and policy
versions to ensure seamless upgrades and minimal downtime
Use queries in SmartView Tracker to monitor IPS and common network traffic
and troubleshoot events using packet data
Using packet data on a given corporate network, generate reports, troubleshoot
system and security issues, and ensure network functionality
Using SmartView Monitor, configure alerts and traffic counters, view a
Gateway's status, monitor suspicious activity rules, analyze tunnel activity and
monitor remote user access based on corporate requirements
Monitor remote Gateways using SmartUpdate to evaluate the need for
upgrades, new installations, and license modifications
Use SmartUpdate to apply upgrade packages to single or multiple VPN-1
Gateways
Upgrade and attach product licenses using SmartUpdate
Centrally manage users to ensure only authenticated users securely access the
corporate network either locally or remotely
Manage users' access to the corporate LAN by using external databases
Select the most appropriate encryption algorithm when securing
communication over a VPN, based on corporate requirements
Establish VPN connections to partner sites in order to establish access to a
central database by configuring Advanced IKE properties
Configure a pre-shared secret site-to-site VPN with partner sites
Configure a certificate based site-to-site VPN using one partner's internal
Configure a certificate based site-to-site VPN using a third-party CA
Configure permanent tunnels for remote access to corporate resources
Configure VPN tunnel sharing, given the difference between host-based,
subnet-based and gateway-based tunnels
Configure Check Point Messaging Security to test IP Reputation, content based
anti-spam, and zero hour virus detection
Based on network analysis disclosing threats by specific sites, configure a
Web-filtering and antivirus policy to filter and scan traffic
Implement default or customized profiles to designated Gateways in the
corporate network
Manage profiles by tracking changes to the network, including performance
degradation, and troubleshoot issues with the network related to specific IPS
policy rules
Create and install IPS policies
Question: What are the Check Point recommendations and prerequisites?
Answer: Check Point recommends you have at least 6 months to 1 year of experience with the products, before attempting to take the CCSA R70 exam. In addition, you should also have basic networking knowledge, knowledge of Windows Server and/or UNIX, and experience with TCP/IP and the Internet.
Check Point also recommends you take the Check Point Security Administrator R70 class from a Check Point Authorized Training Center (ATC). We recommend you take this class before taking the CCSA R70 exam. To locate an ATC, see:
http://atc.checkpoint.com/atclocator/locateATC

Question: How do I register?
Answer: Check Point exams are offered through Pearson VUE, a third-party testing vendor with more than 3,500 testing centers worldwide.
Pearson VUE offers a variety of registration options. Register via the Web or visit a specific testing center. Registrations at a testing center may be made in advance or on the day you wish to test, subject to availability. For same-day testing, contact the testing center directly. Locate a testing center from the VUE Pearson Web site:
www.pearsonvue.com

Question: What is the exam structure?
Answer: The exams are composed of multiple-choice and scenario questions. There is no partial credit for incorrectly marked questions.

Question: How long is the exam? Do I get extra time, if I am not a native English speaker?
Answer: The following countries are given 120 minutes to complete the exam. All other regions get 150 minutes:
Australia
Bermuda
Canada
Japan
New Zealand
Ireland
South Africa
UK
US
Objectives:
Describe Check Point’s unified approach to network management, and the key
elements of this architecture
Design a distributed environment using the network detailed in the course
topology
Install the Security Gateway version R70 in a distributed environment using the
network detailed in the course topology
Chapter 1: Check Point Technology Overview
Check Point Technology Overview Topics
Answer
What would be the benefit of upgrading from SmartDefense to IPS
R70?
1. Completely rewritten engine provides improved security
performance and reporting.
2. There is no difference - IPS R70 is the new name.
3. The SmartDefense technology expands IPS-1 to IPS R70.
4. The SmartDefense is replaced by the technology of IPS-1
Objectives:
Given Check Point’s latest integration of CoreXL technology, select the best
security solution for your corporate environment.
Chapter 2: Check Point Software Blades
Check Point Software Blades Topics
Answer
Select the correct statement about Secure Internal Communications
(SIC) Certificates. SIC Certificates:
1. Increase network security by securing administrative communication
with a two-factor challenge response authentication.
2. Uniquely identify machines installed with Check Point software only.
They have the same function as RSA Authentication Certificates.
3. Can be used for securing internal network communications
between the Security Gateway and an OPSEC device.
4. For R70 Security Gateways are created during the Security
Management Server installation.
Objectives:
Given network specifications, perform a backup and restore the current Gateway
installation from the command line.
Identify critical files needed to purge or backup, import and export users and
groups and add or delete administrators from the command line.
Use command line utilities to assist support in troubleshooting common
problems on the Security Gateway.
Deploy Gateways using sysconfig and cpconfig from the Gateway command line.
Chapter 3: Deployment Platforms
Deployment Platforms Topics
Answer
What is the primary benefit of using upgrade_export over either
backup or snapshot?
Objectives:
Given the network topology, create and configure network, host and gateway
objects.
Verify SIC establishment between the Security Management Server and the
Gateway using SmartDashboard.
Create a basic Rule Base in SmartDashboard that includes permissions for
administrative users, external services, and LAN outbound use.
Configure NAT rules on Web and Gateway servers.
Evaluate existing policies and optimize the rules based on current corporate
requirements.
Maintain the Security Management Server with scheduled backups and policy
versions to ensure seamless upgrades and minimal downtime.
Chapter 4: Introduction to the Security Policy
Introduction to the Security Policy Topics
Answer
A Web server behind the Security Gateway is set to Automatic Static
NAT. Client side NAT is not checked in the Global Properties. A client
on the Internet initiates a session to the Web Server. Assuming there is a
rule allowing this traffic, what other configuration must be done to allow
the traffic to reach the Web server?
1. Nothing else must be configured.
2. Automatic ARP must be unchecked in the Global Properties.
3. A static route must be added on the Security Gateway to the
internal host.
4. A static route for the NAT IP must be added to the Gateway's
upstream router.
Objectives:
Chapter 5: Monitoring Traffic and Connections
Introduction to the Monitoring Traffic and Connec-
Answer
A third-shift Security Administrator configured and installed a new
Security Policy early this morning. When you arrive, he tells you that he
has been receiving complaints that Internet access is very slow. You
suspect the Security Gateway virtual memory might be the problem.
Which SmartConsole component would you use to verify this?
1. This information can only be viewed with fw ctl pstat command from
the CLI.
2. SmartView Tracker.
3. Eventia Analyzer.
4. SmartView Monitor
Objectives:
Chapter 6: Using SmartUpdate
Introduction to the SmartUpdate Topics
Answer
You are a Security Administrator preparing to deploy a new HFA
(Hotfix Accumulator) to ten Security Gateways at five geographically
separate locations. What is the BEST method to implement this HFA?
1. Send a Certified Security Engineer to each site to perform the update.
2. Use SmartUpdate to install the packages to each of the Security
Gateways remotely.
3. Use an SSH connection to SCP the HFA to each Security Gateway.
Once copied locally, initiate a remote installation command and
monitor the installation progress with SmartView Monitor.
4. Send a CD-ROM with the HFA to each location and have local
personnel install it.
Objectives:
Chapter 7: Upgrading to R70
Introduction to the Upgrading to R70
Answer
You currently do not have a Check Point software subscription for one
of your products. What will happen if you attempt to upgrade the license
for this product?
1. The license is not upgraded.
2. It is upgraded with new available features, but cannot be activated.
3. It is deleted.
4. The license will be upgraded with a warning.
Authentication confirms the identity of valid users authorized to access your company network. Staff from different departments are assigned access permissions, based on their level of responsibility and role within the organization. Authentication ensures that all users trying to access the system are valid users, but does not define their access rights.
Check Point authentication features enable you to verify the identity of users logging in to the Security Gateway, but also allow you to control security by allowing some users access and disallowing others. Users authenticate by proving their identities, according to the scheme specified under a Gateway authentication scheme, such as LDAP, RADIUS, SecurID and TACACS.
Chapter 8: User Management and Authentication
Objectives:
Answer
Choose the BEST sequence for configuring user management in
SmartDashboard, using an LDAP server.
1. Configure a server object for the LDAP Account Unit, and create an
LDAP resource object.
2. Configure a workstation object for the LDAP server, configure a
server object for the LDAP Account Unit, and enable LDAP in
Global Properties.
3. Configure a server object for the LDAP Account Unit, enable LDAP
in Global Properties, and create an LDAP resource object.
4. Enable LDAP in Global Properties, configure a host-node
object for the LDAP server, and configure a server object for the
LDAP Account Unit.
Objectives:
Chapter 9: Encryption and VPNs
Introduction to the Encryption and VPNs Topics
Answer
Your organization maintains several IKE VPNs. Executives in your
organization want to know which mechanism Security Gateway R70
uses to guarantee the authenticity and integrity of messages. Which
technology should you explain to the executives?
1. Certificate Revocation Lists
2. Application Intelligence.
3. Digital signatures.
4. Key-exchange protocols.
Objectives:
Chapter 10: User Management and Authentication
Introduction to the Introduction to VPNs Topics
Answer
You have traveling salesmen connecting to your VPN community from
all over the world. Which technology would you choose?
1. IPsec: It allows complex setups that match any network situation
available to the client, i.e. connection from a private customer
network or various hotel networks.
2. IPsec: It offers encryption, authentication, replay protection and all
algorithms that are state of the art (AES) or that perform very well. It
is native to many client operating systems, so setup can easily be
scripted.
3. SSL VPN: It only requires HTTPS connections between client
and server. These are most likely open from all networks, unlike
IPsec, which uses protocols and ports which are blocked by
many sites.
4. SSL VPN: It has more secure and robust encryption schemes than
IPsec.
Objectives:
Chapter 11: Messaging and Content Security
Introduction to the Messaging and Content Security
Answer
Which Security Servers can perform authentication tasks, but
CANNOT perform content security tasks?
1. HTTP
2. RLOGIN
3. FTP
4. HTTPS
Objectives:
Chapter 12: Check Point IPS
Introduction to the Check Point IPS Topics
Answer
You just upgraded to R70 and are using the IPS Software Blade. You
want to enable all critical protections while keeping the rate of false
positives very low. How can you achieve this?
1. The new IPS system is based on policies and gives you the
ability to activate all checks with critical severity and a high
confidence level.
2. This can't be achieved; activating any IPS system always causes a high
rate of false positives.
3. As in SmartDefense, this can be achieved by activating all the critical
checks manually.
4. The new IPS system is based on policies, but it has no ability to
calculate or change the confidence level, so it always has a high rate
of false positives.