Check Point Certified Troubleshooting Administrator (CCTA) 156-580 Exam Preparation Tips and Impressions



The following, I hope, will help you to prepare better for the exam as there is no information I could find anywhere.

Note
Links to all the resources I mention in the text are at the end. Also, for obvious reasons, this article does not contain actual questions from the exam.

First, the exam wasn’t easy by any means, and I’ve been passing Checkpoint exams starting with R60. Still, it is doable. There are all in all 75 questions. There were no long-winded questions spanning 4-5 lines as in the past. I didn’t need to actually type anything - there were only multiple-answer types of questions. I took the exam via the Pearson VUE online proctoring and had 0 issues with the technical side of it. If you plan on taking it online for the first time, make sure to watch YouTube walk-throughs of the process to prevent any surprises, and run the System Test software from Pearson VUE BEFORE actually ordering the exam. Now, to the exam preparation itself.

  • Official materials. Start your preparation with the exam topics in the official preparation course syllabus. As I understand from bits of information found on the Checkpoint Community forum and elsewhere, the distinction between the CCTA and the Check Point Certified Troubleshooting Expert (CCTE) exam is not in the level of expertise, but rather in the topics. I haven’t taken CCTE yet. By this I want to say - don’t be fooled by "Administrator" versus "Expert" in the exam title. I didn’t take the official Checkpoint course, so I can’t comment on how it helps to pass the exam. In theory, you can buy just the official courseware from the Checkpoint catalog website (about 650$ last time I checked). The catch, though, is that you can’t buy it directly from Checkpoint - when you try to pay for it, the website refers you to your Account Manager. And, again from reports on the Checkpoint Community forum, they (AM) will refer you back to the ATC center, which of course will have no incentive to sell you just the courseware without the instructor-based course of their own (2000$-3000$ depending on location).

  • CCSM R80 overlap. The exam, unfortunately, had very few questions from CCSM R80; my rough estimate would be about 15 out of 75. It means it is NOT possible to pass the exam on CCSM R80 knowledge/study materials/experience only.

  • New: UserCenter TAC website procedures questions. That was a surprise. I answered one such question wrong just because I lacked context: the question asked about specifics of the UserCenter website, and I didn’t understand that they were actually testing on the TAC website and not on a technical issue of the firewall. To prepare for such questions, I would suggest doing a dry run of opening ALL types of tickets, stopping just before hitting the "Submit" button. Know what types of tickets exist, how they differ, what information each one requires, etc.

  • This is an R80.20+ Based Exam. The official preparation course is titled "R80.30 …", so it is expected. The point to remember, especially for those who have experience with pre-R80.30 versions and exams (like me), is: when in doubt, think of it as an R80.30-specific exam only. Many features we’ve known for years in Checkpoint have changed in R80.30, and you may fall into the trap of answering the R77.30/R80.10 way. E.g. (not from the real exam, but it could be) - fw monitor questions, which are always present in such exams. Before R80.20 Take xxx and R80.30, it was the Checkpoint recommendation to disable SecureXL before running fw monitor, and exams followed suit. Then they changed it to NOT disable for version R80.20, only to later change it again to DO disable SecureXL. So, currently, the correct answer is to disable SecureXL until further notice. Kernel debug, which is always present as well, changed too. Refresh your knowledge even for the well-known topics.

  • More than usual questions on fw monitor. fw monitor questions were always on this exam (CCSE+, CCSM), but I felt this time they increased in number and depth. So, know all the switches/options and how to work with this sniffer well. And again - refresh your knowledge for R80.30, as new options such as filtering/insertion points appeared.

  • Blades that are on the topics list - know their debug well. Obvious, but still - Security Blades listed on the official course syllabus make up a large portion of the exam. Know their specific debug, daemon names, files they create/use, and their database locations.

  • Kernel debug. No news here - you have to remember the general steps in running kernel debug for at least the popular modules like ClusterXL, NAT, IPSec VPN. Note that the usual fw ctl debug fw +… syntax is not enough in R80.30. That is - learn both zdebug and kdebug.

  • Daemons and their ports. This sort of question is present in, it seems, all the Checkpoint exams. In the References section below I put Heiko Ankenbrand’s complete cheat sheet on which daemon works on which port, including the changes in R80.30. Memorize this cheat sheet; you’ll thank me and Heiko later.

  • Read ATRGs on relevant topics. Reading Advanced Technical Reference Guides (ATRG) is my way to prepare extra for the exam. I can’t say this is strictly necessary, but it helps to feel more confident. If you do, read only ATRGs on the topics mentioned in the official course list.

  • Timothy Hall’s book. I didn’t read it specifically for the exam, but for my work, and I recommend it not only for optimization but for debug as well. The book is R80.30+ only, so it helps with exam topics as well.

That’s all for this exam. Make sure to share this with your friends who are preparing for the exam. Thanks for reading, and a nice and peaceful weekend to everyone.