CCSA R77.30

Check Point Security Administration gives an understanding of the fundamental concepts and skills require to configure Check Point Security Gateway and Management Software Blades. During this training program you will configure a Security Policy and learn about monitoring and managing a secure network, upgrading and configuring a Security Gateway and implementing a virtual private network.

System Administrators, Network Engineers, Security Managers and Individual seeking CCSA certification.


Working knowledge of windows NT/2000/2003 or Unix, with expertise in TCP/IP & routing.
Duration of the course :Part Time : 20 Days (2 hrs/day), Full Time : 4 Days (8 hrs/day)

Key Benifits:

As a CCSA, security professionals possess the requisite skills to define and configure security policies that enable secure access to information across corporate networks.

Course outline:

  • Describe Check Point's unified approach to network management, and the key elements of it.
  • Design a distributed environment.
  • Install the Security Gateway in a distributed environment.
  • Perform a backup and restore the current Gateway installation from the command line.
  • Identify critical files needed to purge or backup, import and export users and groups and add or delete administrators from the command line.
  • Deploy Gateways using the Gaia web interface.
  • Create and configure network, host and gateway objects.
  • Verify SIC establishment between the Security Management Server and the Gateway using SmartDashboard.
  • Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use.
  • Configure NAT rules on Web and Gateway servers.
  • Evaluate existing policies and optimize the rules based on current corporate requirements.
  • Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades with minimal downtime.
  • Use Queries in SmartView Tracker to monitor IPS and common network traffic and trouble-shoot events using packet data.
  • Use packet data to generate reports, trouble-shoot system and security issues, and ensure network functionality.
  • Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor suspicious activity rules, analyze tunnel activity and monitor remote user access.
  • Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new installations, and license modifications.
  • Use SmartUpdate to apply upgrade packages to single or multiple VPN-1 Gateways.
  • Upgrade and attach product licenses using SmartUpdate.
  • Centrally manage users to ensure only authenticated users securely access the corporate network either locally or remotely.
  • Manage users to access the corporate LAN by using external databases.
  • Use Identity Awareness to provide granular level access to network resources.
  • Acquire user information used by the Security Gateway to control access.
  • Define Access Roles for use in an Identity Awareness rule.
  • Implement Identity Awareness in the Firewall Rule Base.
  • Configure a pre-shared secret site-to-site VPN with partner sites.
  • Configure permanent tunnels for remote access to corporate resources.
  • Configure VPN tunnel sharing, given the difference between host-based, subunit-based and gateway-based tunnels.

CCSE R77.30

Check Point Security Engineer is an Advanced 3-day course that teaches how to build, modify,deploy and troubleshoot Check Point Security Systems on the GAiA Operating system. Hands-on lab exercises teach how to debug firewall processes, optimize VPN performance and upgrade Management Servers.We will study firewall processes and take a close look at kernel and user processing and Stateful Inspection. Labs contain implementing VPNs, configuring security gateways, and performing advanced troubleshooting tasks on the firewall.

System Administrators, Security Managers, Network Engineers and Individual seeking CCSE certification.


Must be CCSA Certified with good knowledge of FireWall.
Duration of the course : Part Time : 18 Days (2 hrs/day), Full Time : 3 days (8 hrs/day)

Key Benifits:

On completion of this course you will be able to implement and deploy site- to-site and remote VPN, Content Vectoring, URL filtering and Load balancing between firewalls.

Course Outline:

  • Perform a backup of a Security Gateway and Management Server using your understanding of the differences between backups, snapshots and update-exports.
  • Upgrade and troubleshoot a Management Server using a database migration.
  • Upgrade and troubleshoot a clustered Security Gateway deployment.
  • Use knowledge of Security Gateway infrastructures, chain modules, packet flow and kernel tables to perform debugs on firewall processes.
  • Build, test and troubleshoot a ClusterXL Load Sharing deployment on an enterprise network.
  • Build, test and troubleshoot a ClusterXL High Availability deployment on an enterprise network.
  • Build, test and troubleshoot a management HA deployment on an enterprise network.
  • Configure, maintain and troubleshoot SecureXL and CoreXL acceleration solutions on the corporate network traffic to ensure noted performance enhancement.
  • Using an external user database such as LDAP, configure User Directory to incorporate user information for authentication services on the network.
  • Manage internal and external user access to resources for Remote Access or across a VPN.
  • Troubleshoot user access issues found when implementing Identity Awareness.
  • Troubleshoot a site-to-site or certificate-based VPN on a corporate gateway using IKE View, VPN log files and command-line debug tools.
  • Optimize VPN performance and availability by using Link Selection and Multiple Entry Point solutions.
  • Manage and test corporate VPN tunnels to allow for greater monitoring and scalability with multiple tunnels defined in a community including other VPN providers.
  • Create events or use existing event definitions to generate reports on specific network traffic using SmartReporter and SmartEvent to provide industry compliance information to management.
  • Troubleshoot report generation given command-line tools and debug-file information.


CCMSE NGX (Provider-1) course gives in depth knowledge on managing and deploying Check Point Provider-1 NGX. You will learn how to configure Security Policies for multiple remote Security Gateways using the Multi-Domain GUI (MDG), and learn about controlling multiple firewall-secured environments using the Multi-Domain Server (MDS). You can also learn how to perform advanced configuration tasks, such as establishing redundant Multi-Domain Servers for High Availability management functions and migrating existing servers into the Provider-1 database.

Security managers, system administrators, or network engineers implementing Provider-1 NGX in an enterprise setting.


Check Point Security Administration NGX I Rev 1.1 and Check Point Security Administration NGX II Rev 1.1, or equivalent knowledge and experience in the prerequisites.
Duration of the course : Part Time : N/A, Full Time : 2 Days (8 Hours per day)

Course Outline:

Provider-1 Overview and Deployment:

  • Example MSP Deployment.
  • Multi-Domain GUI and Server.
  • Types of MDs.
  • Communication between CMA and Security Gateway.
  • Multi-Domain Log Modules.
  • CheckPoint Management Infrastructure.
  • OPSEC Support.
  • Provider-1 Communication.
  • Security Gateway Deployment.
  • Point-of-Presence Provider-1 NGX Configuration.
  • NOC Security.
  • Log Management.
  • Benefits of Provider-1 NGX.

MDS Installation and Configuration:

  • Choosing the Type of MDS.
  • Licensing Provider-1/SiteManager-1.
  • License Details and Upgrading Licenses.
  • Provider-1/Site Manager System Requirements.
  • Secure Platform Appliances.
  • IP Allocation and Routing.
  • Command Line and File Structure.
  • MDS and CMA Command Line Options.
  • Overview of the Multi-Domain GUI.
  • Establishing Communication with Remote Security Gateways.
  • Multi-Domain GUI Functionality.
  • Provider-1 Administrative Modes.
  • Customer Contents Mode.
  • Security Policies Modes.
  • SmartUpdate View.
  • SmartUpdate Toolbar Buttons.
  • High Availability View.
  • Customer Contents Mode.
  • MDS Contents Mode.
  • High Availability Toolbar Buttons.
  • Connected Administrators Views.
  • Connected Administrators Toolbar Buttons.

NOC Firewall Installation and Configuration:

  • Network Operations Center Security.
  • MDG Communication.
  • Enhancing NOC Security.
  • Rule Base Configurations.

Provider-1 Logging Features:

  • Log Management
  • Customer Log Module
  • Multi-Domain Log Module System
  • MLM Deployment
  • Using Eventia Reporter

Global Policies:

  • Global Policy Rules
  • Global Objects and Services
  • Global Policy Database
  • Customer History
  • Global SmartDefense
  • Configuring SmartDefense in Global SmartDashboard
  • Subscribing an Customer to the Global SmartDefense Service
  • Modifying SmartDefense from the SmartDashboard of a CMA
  • Creating Global Objects and Rules
  • Configuring a Global VPN
  • Global VPN Communities

Advanced MDS Function:

  • Migrating Existing Management Servers into Provider-1
  • MDS High Availability Features
  • Methodology of MDS Synchronization
  • MDS Synchronization
  • SmartCenter Server HA of a CMA
  • MDS Clock Synchronization
  • Backing Up a CMA
  • MDS Archiving Utilities
  • Archiving Scripts
  • Restoring the MDS
  • Using the mds_restore command


CCMSE NGX Plus VSX course will give you with an understanding of key concepts and skills necessary to effectively deploy and configure VPN-1 VSX, to control multiple customer sites. This course provides hands-on training for installing VSX on Secure Platform. You will configure Security Policies for multiple remote firewalls, using the Provider-1 NGX Multi-Domain GUI (MDG). You can also learn about managing multiple firewall-secured environments and Virtual Routers in a VSX configuration and using Virtual Systems. You will understand how to perform advanced configuration tasks such as establishing redundant VSX Gateways for High Availability functions.

Security managers, network engineers, or system administrators implementing VSX in an enterprise environment.


CCSE, CCMSE, CCSA or equivalent experience and knowledge.
Duration of the course :Part Time : N/A, Full Time : 3 Days (8 hours per day)

Course Outline:

VPN-1 VSX Architecture and Deployment:

  • VSX Overview.
  • VSX Building Blocks.
  • Managing the VSX Gateway.
  • Clustering in VSX.
  • IP Address Allocation for VSX Implementation.
  • VSX Packet Flow and Routing.
  • Routing from Virtual System to Virtual System.
  • Overlapping IP Address-Space Support.

VSX Management Server Installation and Configuration:

  • VSX Management.
  • SmartCenter Management Model.
  • Provider-1 Management Model.
  • Check Point Licenses.
  • Upgrading Previous Deployments.
  • VSX NGX System Requirements.
  • Installing and Configuring VSX.
  • Installing Provider-1 NGX for VSX on a Secure Platform Machine.
  • Installing the Provider-1 NGX MDG on Windows.

VSX Gateway Installation and Configuration:

  • VSX Gateway's Virtual Topology.
  • Management of Virtual Devices.
  • Installing the VSX Gateway on SecurePlatform.
  • Unique State-Table Configuration.
  • Security Policy Separation.
  • Unique Configuration Parameters.
  • Management Virtual System.
  • VSX Interface Support.
  • External Virtual Routers.
  • Management Server Communication.
  • Provisioning and Network-Configuration Channel.
  • System Virtualization.
  • Advanced Routing Configurations.

VSX and Layer2 Communications:

  • Virtual Switch.
  • Virtual Switch in a Cluster.
  • Virtual Switch and Dynamic Routing using OSPF.

VSX and VLAN Tagging:

  • VLAN Technology.
  • VLAN Tagging.
  • VLAN Tag Composition.
  • VLAN Trunking and Membership.
  • Implicit/Explicit VLAN Membership.
  • VLAN Configuration in a VSX Environment.
  • Configuring Interfaces to Allow VLAN-Tagged Traffic.
  • Associating VLAN Traffic with specific Virtual Systems.

Deploying Virtual Systems in a Bridged Configuration:

  • Virtual System in Bridge Mode.
  • Security for Virtual Systems in Bridge Mode.
  • Clustering Virtual Systems in Bridge Mode (ClusterXL Only).

Configuring VSX Gateway High Availability:

  • VSX Gateway High Availability.
  • NGX and VSX Clustering.
  • VSX state Synchronization.
  • Synchronization Network.
  • Synchronization Modes.
  • Deploying Multiple VSX Gateways in an HA Environment.
  • Creating VSX Gateway and EVR Cluster Objects.
  • Completing VSX System Configuration.
  • Configuring Customer Clusters.

Working with Link Aggregation:

  • Link Aggregation Overview
  • Link Aggregation Terminology
  • How Link Aggregation Works
  • High Availability Overview
  • Load Sharing Overview
  • Bond Failover
  • Failover Support for VLANs
  • Bond Interface & Interface Limitations
  • Configuring the High Availability Bond
  • Updating the Interface Topology
  • Configuring the Load Sharing Bond
  • Setting Critical Required Interfaces
  • Setting Affinities

VSX Diagnostics and Troubleshooting:

  • General Troubleshooting Steps
  • Troubleshooting Specific Problems
  • Cannot Establish SIC Trust for Gateway or Cluster
  • SIC Trust Problems with New virtual devices
  • Re-establishing SIC Trust with Virtual Devices
  • Install Policy Error Using VSX Creation Wizard
  • Internal Host Cannot Ping Virtual System
  • Command Line Reference


Course Outline:

Check Point Integrity Integrity Architecture:

  • Integrity Overview.
  • Integrity Architecture.
  • Web-based Management.
  • Management-Server Platform.
  • Administrator Role Assignments.
  • Integrity Licensing.
  • Integrity Administrator Console.
  • Integrity Client.
  • The Control Center.
  • Integrity Advanced Server Installation Process.
  • Synchronizing User Catalogs.
  • Installing Integrity Advanced Server.
  • Integrity Client Executable.
  • Auto-Updating a Client Package.

Policy Management:

  • Integrity Security Policies.
  • Enterprise Policies.
  • Personal Policy.
  • The Default Policy.
  • Policy Arbitration.
  • Policy Rules Overview.
  • Classic Firewall Rules.
  • Zone Rules and Program Rules.
  • Enforcement Rules.
  • Rule Evaluation and Precedence.
  • How Traffic Is Evaluated.
  • Policy Creation.
  • Preconfigured Policy Templates.

Enterprise Policies:

  • Understanding Firewall Rules.
  • Zone Rules.
  • Defining Zones.
  • How Zone Rules Work.
  • Workflow for Zone-Based Security.
  • Managing Access Zones.
  • Configuring the Trusted Zone.
  • Choosing Security Levels.
  • Program Control.
  • Understanding Program Control.
  • Workflow for Program Control.
  • Observing Program Activity.
  • Creating Program Rules.
  • Program Rule Types.
  • Program Permissions.
  • SmartDefense Program Advisor.
  • SmartDefense Program Advisor Process.
  • Integrity Advanced Server Program Advisor Process.

Non-secure Endpoints:

  • Understanding Enforcement Rules.
  • Cooperative Enforcement.
  • What the Restricted User Experiences.
  • Enforcement-Rule Workflow.
  • How Enforcement Rules Work.

Content Inspection:

  • Anti-Spyware.
  • Understanding Integrity.


  • Configuring Anti-Spyware.
  • Understanding Outbound Protection.
  • Enforcing Anti-Spyware Scans and Treatments.
  • Anti-Spyware Updates.
  • Preventing E-mail Attacks.
  • Setting Up Regular Anti-Spyware Scans.
  • Understanding Inbound e-mail Protection.
  • What the User Experiences.
  • Limitations of Mail Safe e-mail Protection.
  • Protecting Instant Messaging.

Monitoring Client Security:

  • Monitoring Integrity Endpoint Security.
  • Overview of Endpoint Connectivity.
  • Tracking Enforcement-Rule Compliance.
  • Current Client Compliance Status Report.
  • Tracking Client-Security Events.
  • Tracking and Observing Programs.