Check Point Security Master (CCSM)

The course teaches how to use advanced commands to configure and troubleshoot Check Point Security Systems. Multiple hands-on lab exercises teach how to bring optimization techniques back to your workplace.

Learn How To:

  • Identify issues and problems using commands
  • Locate the source of encryption failures
  • Identify potentially mis-configured VPNs
  • Reduce IPS false positives
  • Troubleshoot SecureXL and ClusterXL

About the instructor Dan J. Valluvassery

The instructor on our Check Point Security Master course is Dan J. Valluvassery. Dan is a senior information security consultant focusing primarily on Check Point. His normal job responsibilities are deploying, upgrading and troubleshooting Check Point solutions. Dan is also a Check Point courseware contributor, assisting in the development of new training material. He has over 10 years of experience teaching Check Point courses. He also works with other products such as Stonesoft/NGFW/Forcepoint firewall, Blue Coat, Tufin, Skybox and Arbor DDoS.


  • CCSE or equivalent knowledge
  • Windows Server, UNIX and networking skills and TCP/IP experience
  • Working knowledge of network and Internet technology


Section 1: Troubleshoot security problems

  • Given a specific internal or client problem, replicate the issues in a test environment.
  • Given a specific internal or client problem, troubleshoot and correct the issue.

Section 2: Chain Modules

  • Use command fw ctl chain to study chain module behavior. Observe how policy changes impact the chain.
  • Use the command fw debug fwm on and review the file fwm.elg to find such issues as SIC, mis-configured rules, GUI client connectivity problems, and improperly entered information.
  • Given a specific internal or client need, analyze and apply the appropriate hot fix and evaluate its effectiveness.
  • Use Check Point debugging tools: read and identify fw monitor outputs; generate and interpret kernel debugs.

Section 3: Network Address Translation (NAT)

  • Use commands fw ctl debug and fw monitor to troubleshoot the NAT stages of Automatic Hide NAT and Automatic Static NAT.
  • Configure Manual NAT to define specific rules in unique NAT environments.

Section 4: ClusterXL

  • Use commands fw ctl debug and fw ctl kdebug to troubleshoot ClusterXL connections from information displayed in the debug file.
  • Use commands fw tab -t connections and fw tab -t connections -x to review and clear the connections table.
  • Modify file table.def to allow traffic through a specific cluster member.

Section 5: VPN Troubleshooting

  • Use command vpn debug to locate source of encryption failures.
  • Use command fw monitor to verify VPN connectivity and identify potentially mis-configured VPNs.

Section 6: SecureXL Acceleration debugging

  • Use commands fwaccel and kernel debug to view acceleration tables and verify accelerated connections.

Section 7: Hardware Optimization

  • Identify the correct Check Point Hardware/Appliances for a given scenario
  • Performance tuning and evaluation of complex networks and technologies
  • Scope proper sizing of hardware based on customer requirements
  • Use command ethtool to tune NIC performance.
  • Edit the ARP cache table to increase its size and improve performance.
  • Use command fw ctl pstat to improve load capacity.
  • Use the fwaccel stat and fwaccel stats outputs to tune the firewall rule base.

Section 8: Software Tuning

  • Deploy NAT templates to reduce load on Rule Base application.
  • Configure cluster synchronization planning to improve network performance.
  • Identify performance limiting configurations
  • Correct and tune different scenarios
  • Identify the causes of performance limiting factors (internal and external factors)

Section 9: Enable CoreXL

  • Configure CoreXL for specific CPU task assignment.

Section 10: IPS

  • Configure IPS to reduce false positives.
  • Use command fw ctl zdebug to improve logging efficiency.
  • Use IPS Bypass to improve performance.

Section 11: IPv6

  • Deploy IPv6 in a local environment

Section 12: Advanced VPN

  • Identify differences between route-based VPNs and domain-based VPNs.
  • Configure VTI for route-based VPN gateways.
  • Configure OSPF for Dynamic VPN routing in a Community.
  • Identify the Wire Mode function by testing a VPN failover.
  • Configure Directional VPN Rule Match for Route-Based VPN.

Section 13: Dynamic Routing

  • Diagnose and solve specific routing issues in a network environment.
  • Multicast design and troubleshooting of PIM Sparse mode and Dense mode based on GateD and IPSRD
  • Design/troubleshoot OSPF/BGP in GateD and IPSO IPSRD environments
  • Static routing and network topologies


This course prepares you for exam #156-115.77. The exam is not included in the course price.

The exam consists of 80 multiple-choice questions to be answered in 90 minutes, with a passing score of 70%.
A valid CCSE is required to achieve the CCSM certification.
