
Check Point Certified Troubleshooting Administrator (CCTA) 156-580 Exam Preparation Tips

Good day everyone. The following, I hope, will help you to prepare better for the exam as there is no information I could find anywhere.

Links to all the resources I mention in the text are at the end. Also, for obvious reasons this article does not contain actual questions from the exam.

First, the exam wasn’t easy by any means and I’ve been passing #Checkpoint exams starting with R60. Still, it is doable. There are all in all 75 questions. There were no long-winded questions as in the past spanning 4-5 lines. I didn’t need to actually type anything - only multiple answer types of questions. I took the exam via the PearsonVue online proctoring and had 0 issues with the technical side of it. If you plan on taking it online for the first time, make sure to see Youtube walk-throughs of the process to prevent any surprises and run System Test software from PearsonVue BEFORE actually ordering the exam. Now, to the exam preparation itself.

  • Official materials. Start your preparation with the exam topics in the official preparation course syllabus. As I understand from bits of information found on the Checkpoint Community forum and elsewhere, the distinction between CCTA and Check Point Certified Troubleshooting Expert (CCTE) exam is not in the level of expertise, but rather in the topics. I haven’t taken CCTE yet. By this I want to say - don’t be fooled by "Administrator" versus "Expert" in the exam title. I didn’t take the official Checkpoint course, so can’t comment how it helps to pass the exam. In theory, you can buy just the official courseware from Checkpoint catalog website (about 650$ last time I checked). The catch, though, is that you can’t directly buy it from Checkpoint - when trying to pay for it, the website refers you to your Account Manager. And from, again, reports on the Checkpoint Community forum - they (AM) will refer you back to ATC center, which of course will have no incentive to sell you just courseware, without the instructor based course of their own (2000$-3000$ depending on location).

  • CCSM R80 overlap. The exam, unfortunately, had very few questions from CCSM R80, my rough estimate would be about 15 out of 75. It means it is NOT possible to pass the exam on CCSM R80 knowledge/study materials/experience only.

  • New: UserCenter TAC website procedures questions. That was a surprise. I answered one such question wrong just because lacking context, the question asked about specifics of the UserCenter website and I didn’t understand that they were actually testing on TAC website and not on technical issue of the firewall. To prepare for such questions, I would suggest dry run opening ALL types of tickets, stopping just before hitting "Submit" button. Know what types of tickets exist, how they differ, what information each one requires, etc. 

  • This is R80.20+ Based Exam. The official preparation course is titled "R80.30 …", so it is expected. The point to remember, especially for those who have experience with pre-R80.30 versions and exams (like me), is when in doubt - think it is R80.30 specific exam only. Many features we’ve known for years in Checkpoint have changed in R80.30 and you may fall in the trap of answering the R77.30/R80.10-way. E.g. (not from real exam, but it could be) - fw monitor questions, which are always present in such exams. Before R80.20 Take xxx and R80.30, it was the Checkpoint recommendation to disable SecureXL before running fw monitor and exams followed suit. Not any more - starting with R80.30 GA, you don’t have to disable SecureXL to see all the traffic. So, today, the answer containing "Disable SecureXL before running fw monitor …" will be wrong. (See correction post by Tim Hall below - so far, we DO need to disable the SecureXL for the exam purpose, confusing ah?). Kernel debug, which is always present as well, changed too. Refresh your knowledge even for the well known topics.

  • More than usual questions on fw monitor. fw monitor questions were always on this exam (CCSE+, CCSM), but I felt this time they increased in number and depth. So, know all the switches/options and how to work with this sniffer well. And again - refresh your knowledge for R80.30 as new options such as filtering/insertion points appeared.

  • Blades that are on the topics list - know their debug well. Obvious, but still - Security Blades listed on the official course syllabus make a large portion of the exam. Know their specific debug, daemon names, files they create/use, their databases locations.

  • Kernel debug. No news here - you have to remember general steps in running kernel debug for at least popular modules like ClusterXL, NAT, IPSec VPN. Pay attention that usual fw ctl debug fw +… syntax is not enough in R80.30. That is - learn both zdebug and kdebug.

  • Daemons and their ports. This sort of questions is present in, seems like, all the Checkpoint exams. In the References section below I put Heiko Ankenbrand’s (@HeikoAnkenbrand) complete cheat sheet on what port which daemon works, including the changes in R80.30. Memorize this cheat sheet, you’ll thank me and Heiko later.

  • Read ATRGs on relevant topics. Reading Advanced Technical Reference Guides (ATRG) is my way to prepare extra for the exam. I can’t say this is strictly necessary, but helps to feel more confident. If you do, read only ATRGs on the topics mentioned in the official course list.

  • Timothy Hall (Timothy_Hall) book. I didn’t read it specifically for the exam, but for my work and recommend it not only for optimization but debug as well. The book is R80.30+ only so helps with exam topics as well.

That’s all for this exam. Make sure to share this with your friends who prepare for the exam. Thanks for reading, nice and peaceful week to everyone.

N.B. Thanks @Valeri Loukine for reminding to post here.

Yuri Slobodyanyuk.


4 Replies

Thanks a lot 🙂


Very well-written guide and thanks for typing it up!  Also thanks for mentioning my book!  As someone who has taught this class several times, I'd like to add a few comments:

1) The CCTA class covers the same topics as CCSA but from more of a troubleshooting perspective, while the CCTE exam covers the CCSE topics in more depth.  So if preparing for the CCTA exam make sure you know the CCSA topics as well as they are very closely related.

2) While the CCTA and CCTE classes are stated for version R80.30, they were based off the topics in the R80.10 versions of the CCSA and CCSE classes respectively.  The CCSA and CCSE classes have since been updated for R80.40 with some topics switched around and/or removed in those classes.  Unfortunately this has led to some confusion about which version is covered on the exam, more on this below.

3) The R80.10/R80.30 version difference is quite apparent in regards to SecureXL which was heavily overhauled in R80.20.  In your article you mentioned that SecureXL does not need to be disabled anymore when using fw monitor.  This was technically correct during a few early Jumbo HFAs of R80.20 but is not the case any more.  For purposes of the exam (and the real world) SecureXL does need to be disabled when using fw monitor -e, and this is right in the CCTA courseware lectures and lab exercises.  

4) However what came out of this confusion in later R80.20 Jumbo HFAs (and R80.30+) was fw monitor -F which allows capturing of accelerated traffic in the sim/SecureXL driver instead of INSPECT where fw monitor -e lives.  fw monitor -F is not mentioned in the CCTA/CCTE courseware or exam at all from what I remember.  This fw monitor distinction is laid out in my Max Capture video series and 2021 CPX Presentation and took quite awhile to figure out, which is why I'm sharing it here.

5) Only other CCTA topic to brush up on that I didn't see you mention is exactly how the TCP/257 log transport mechanism works between the Security Gateways and the SMS/Log Servers.  This mechanism hasn't changed too much over the years and there are many good SK's covering how to debug logging issues; read them!

Thanks again for your great post.


Thanks for the correction about fw monitor, fixed the post as well. In real life I, too, have been and will be disabling SecureXL for packet capture when possible, can't count on GA/Take promising otherwise 🙂

CCSM R80 overlap. The exam, unfortunately, had very few questions from CCSM R80, my rough estimate would be about 15 out of 75. It means it is NOT possible to pass the exam on CCSM R80 knowledge/study materials/experience only.

This is where CCTE comes in. If you take a CCTE course or take a CCTE exam you'll notice how it's over 90% identical to what was previously CCSM R80. I took my CCSM R80 last year and was doing a CCTE course as I was going to take the CCTE exam as one out of the two required specialist exams to get CCSM Elite. And to my surprise, the course and the CCTE Study Guide is pretty much the exact same material as my CCSM Study Guide with some very slight differences.

If you feel comfortable with the CCSM R80 study guide and exam, you will most likely be able to simply jump straight into a CCTE exam and pass without much of a problem.

I personally find this a bit strange. With the new certification model if you have a CCSE certification you can take two specialist exams in order to reach CCSM status. And you need to take two additional ones to reach CCSM Elite. There is no longer any CCSM R80 exams on PearsonVue so you can no longer go directly from CCSE to CCSM, which is what I did last year.

This is all fine. But I find it strange how the CCTE course and exam is almost identical to the previous CCSM R80 course and exam, but now it only counts as a single specialist exam, it won't take you directly to CCSM status. This is perhaps the most in-depth and advanced course and exam of all the specialist certifications from my experience and it feels awkward for it to provide you with the same kind of reward in the certification model as CCTA, CCVS and CCME as those are far easier if you ask me.

If you took exams last year you would reach CCSM by doing CCSA -> CCSE -> CCSM. Today if you take the "same" route you won't end up with CCSM by doing CCSA -> CCSE -> CCTE. You would still have to take one additional specialist exam in order to reach CCSM status even though the CCTE exam is identical and on the same level of difficulty as the CCSM R80 was previously.

You could obviously reach CCSM status by doing a simpler route like doing CCSA -> CCSE -> CCTA -> CCVS. But still, I feel that the CCTE in the overall scheme of things feels undervalued within the new certification model considering what it covers and how similar to the previous CCSM R80 course and exam it is.

With that being said the new certification model feels more flexible and is an overall improvement.


