20% of the exam is based on your real world experience and the other 80% on classroom material. Not using the product means you're throwing away a lot of potential points, not to mention insight into the other 80%. FireWall-1 includes a demo mode for basic policy and log work. A virtualization product like VMWare will let you simulate a real environment.
2. Know Authentication inside and out
During the exam you'll be asked about the details about authentication, and how the three methods (user, client, session) differ from each other. In addition, you'll be given scenarios, and expected to recommend the best method to use. Knowing the limitations and operation of the three methods is key to answering these types of questions.
3. Understand Network Address Translation
NAT is a fundamental part of FireWall-1, and the CCSA questions will test your knowledge of it. Understand how NAT works, from the inbound leg, through the kernel, and out the outbound interface. If you know that, understanding when to use source vs. destination NAT, or static vs. hide will be no problem.
4. Try Things Out
This one could go along with "Use the product", but here I specifically mean that if you have a question about how something works, rather than turning to a search engine, turn to your lab. While writing "CCSA Exam Cram 2" I came across a few "features" in FireWall-1 that either behaved differently than documented, or weren't adequately explained in the official documentation.
5. Read the Question Carefully
I know this one is cliché, but it's important. Check Point exams contain a lot of questions with tricky wording, often adding a negative into the question. For example, "Which of the following will not increase security?" can be easily confused with "Which of the following will increase security?" if you read it too quickly in your haste to finish the exam.
6. Make use of the "mark this question" feature
The CCSA exam lets you mark questions for further review. If you come across a question that you're not sure of, mark it for review and jot down a note to yourself on the provided paper. As you go through the rest of the test, you might come across another question that jogs your memory. After you've answered all the questions you'll be given a list of all the marked questions, so you won't waste valuable time looking for the questions.
7. Know Where you are
Many features in FireWall-1 depend on what application and screen you're in. For instance, blocking a connection is only available in the Active tab of SmartView Tracker. Why? Because that's the only place where you'll find a list of the flows currently going through the firewall.
SmartDefense is a big part of the "Application Intelligence" part of the product. You'll be expected to know different attack types, and how SmartDefense handles them. http://www.checkpoint.com/products/downloads/smartdefense_whitepaper.pdf is an excellent resource.
9. It's not just a Firewall
FireWall-1 is a network device, so you'll have to know all about TCP/IP concepts like subnetting and which service uses which port. Trying to tackle firewalls without knowing TCP/IP is like trying to be a server administrator without knowing how to use a mouse and keyboard.
10. Plan your Studies
There is a wide variety of topics on the CCSA exam, so make sure you cover them all. Following the exam outline or a good book will help you stay on track, and ensure there are no surprises come exam time.
Best of luck on your studies!
About Sean Walberg
Sean Walberg holds a degree in computer engineering and a CCSA certification. He is currently a network engineer for a large Canadian financial services company and is responsible for maintaining two large Internet hosting centers that make extensive use of Check Point products. His main focus has been on networks and Internet security. Walberg authored a weekly Linux newsletter for Cramsession.com.