VCP – Security 2021 Study Guide

The VMware Certified Professional – Security 2021 exam is a relatively new exam. When I first looked into the exam I thought it would be more challenging than other VCP exams. The reason being, the VCP Security covers several of VMware’s security solutions including NSX-T DC, Workspace ONE, and Carbon Black Cloud. Considering NSX-T and Workspace ONE (WS1) have their own VCP exams I was a little concerned. Carbon Black also has a series of exams outside the VCP tracks. The big difference here is that instead of focusing on all of the features within each product, the Security exam looks at each product from a security lens. This is critical to remember. Take NSX-T for example where the main component could be considered the Distributed Firewall (DFW). The firewall features of NSX-T fall in line with a security solution, but NSX-T overlay networking does not. So instead of digging into the networking side of NSX-T we only need to focus on the security aspect, typically the DFW and the gateway firewall. When you start looking at it with a security lens it becomes more palatable.

I’ve covered my thoughts on preparing and studying for a VCP and VCAP with previous posts. I’ll link them below. Overall the same strategy could apply here, but I went about this one slightly differently and wanted to share how I organized my review of the VCP – Security topics.

VCP-DW 2021 Study Guide

VCAP-DTM Deploy Study Guide

VCP-SEC Study Approach

Before getting started, if you are not familiar with the VCP process or the VCP-SEC exam, check out VMware Certification for details on the process. You should also review the Certification Details which can be downloaded here to ensure you have completed the requirements for the VCP-SEC. Please be sure to reference the latest information as this blog could be out of date.

Similar to my previous study guides I followed a rough plan.

  1. Grab the latest Exam Guide to understand what topics are going to be on it.
  2. Break down the exam guide into the topics I need to read about and the ones I’d like to lab out. All while eliminating the topics I already know.
  3. Review relevant documentation or get hands on with the products.
  4. Final review before the exam.
  5. Pass the exam.

Exam Content

At the time I took the exam (July 2021) the product versions were the following:

NSX-T DC 3.0

Workspace ONE 20.X

Carbon Black Cloud

Here is where this exam was a little different due to the number of products involved. The exam guide is a bit messy because they used topics and then listed each product within it. I prefer to focus on one product at a time when preparing. Therefore I needed to reorganize the exam guide to my approach.

Below are the exam topics reorganized by product. I’ve included my comments/tips in blue after each topic. These are based on my exam experience. Some are self-explanatory and may not have comments.

Workspace ONE

  • Installing, Configuring, and Settings
    • Configure firewall rules to enable and secure WS1 components
      • Think Access and UEM requirements, but don’t forget about other dependencies of these components such as database communication or AD.
    • Configure compliance policies and profiles in Workspace ONE UEM
      • It’s helpful getting hands on creating these or at least be aware of the options you have within the policy and profile creation.
    • Configure access policies in Workspace ONE Access
      • Running through the various policy options within Access and being familiar with how to step-up authentication or apply to network ranges can be valuable.
    • Configure and administer identity providers in Workspace ONE Access
      • If you can run through this process it will be helpful, or simply familiarize yourself with the steps and requirements to add an IDP.
    • Configure and administer authentication methods in Workspace ONE Access
      • I found it helpful to run through various auth methods in my lab, but if you cannot do that be familiar with the various scenarios and options for authentication.
  • Troubleshooting and Repairing
    • Troubleshoot Workspace ONE issues around endpoint security
  • Administrative and Operational Tasks
    • Perform patch management in Workspace ONE
      • This is in reference to endpoint patch management, such as Windows Updates from within Workspace ONE UEM.
    • Manage access policies for Single Sign-On and third party Identity Provider federation
      • Knowing how to add a 3rd party IDP and the options you have is helpful. Also knowing the various SSO and Mobile SSO requirements and settings will be key.

NSX-T

  • Installing, Configuring, and Settings
    • Deploy and configure NSX-T
      • At least understand the main components and architecture for NSX-T. Knowing what it would take to install a basic enterprise deployment can go a long way.
    • Outline the installation and preparation workflow of NSX-T data center
      • Understanding the order of installation and basic standup steps is helpful.
    • Configure and manage firewall rules for NSX-T
      • This may be one of the most important pieces to be familiar with as it’s the main focus of NSX-T from a security perspective. Knowing how the firewalls (DFW & Gateway) operate and the various ways you can set up rules is key. If you can set some up in a lab it may go a long way to properly answering the questions. If not there are some great blogs and videos showing how to do this. Pay attention to the order rules are applied and displayed within the GUI.
    • Connect NSX-T Manager to User Directory for user based firewall rules
      • Understand the steps and pay attention to how you perform the actions within NSX-T.
    • Configure and manage security groups and security policies in NSX-T
    • Install and configure Guest Introspection agent components in VMTools
  • Troubleshooting and Repairing
    • Compare and contrast tools available for troubleshooting (vRNI vs NSX Intelligence)
      • You should know the high level differences of the two products, but you don’t necessarily need to be an expert in using the tools.
    • Troubleshoot common NSX component issues. Both install/config and firewall policy issues.
      • Be familiar with how to gather logs. Not just from the managers, but also the NSX-T logs and troubleshooting options on an ESXi host. Be aware of the basic troubleshooting commands to look at firewall rules and communication flows.
    • Troubleshoot connectivity issues
      • This doesn’t call out which product so assume all of them, but I felt you should be familiar with NSX connectivity based on my exam experience.
  • Administrative and Operational Tasks
    • Identify data center traffic flows
      • This may be referencing NSX-T components and traffic flow or it may be in reference to NSX Intelligence. I feel there were questions around both. Review what NSX Intelligence can do from a flow perspective as well as built in NSX-T features.
    • Identify automation mechanisms for security policy configuration
      • Be familiar with the automation aspect of NSX Intelligence.
    • Manage firewall policies
      • Similar to the earlier firewall topic. Be familiar with the options and how you would manage them.

Additional Topics

There were a few topics that are not clear on which product they apply to. Arguably they could apply to all 3. I’d recommend at least thinking about these topics, but from what I can recall I did not have questions related to this on my exam. That doesn’t mean you won’t or I simply forgot. If you do get some feel free to comment and let me know.

  • Troubleshoot multi-cloud security issues
  • Troubleshoot common physical infrastructure issues
  • Manage security policies for business continuity and disaster recovery

Helpful Tips

If you’re like me one of the best ways to practice and learn a new technology is to use it. Implement, configure, break it, fix it until I understand. You could use your own personal lab or a lab environment at work if you have access. VMware offers free Hands-on Labs where you should be able to run through many of the topics discussed here.

If you can’t get hands-on with the products I’d recommend heavily reviewing the documentation related to the topics discussed above. Another helpful option can be to read blogs or watch videos that walk through steps to configure many of these products and features.

Helpful Links

One blog stood out for me when reviewing Workspace ONE Access topics: Workspace ONE Access: Best Practices in Policy Management. He has several other helpful blog posts that relate as well.

VMware NSX YouTube

VMware NSX-T DC Documentation

VMware EUC YouTube – where you can find lots of videos on WS1.

VMware Workspace ONE Documentation

VMware Carbon Black YouTube

VMware Carbon Black Cloud Documentation

Good Luck in your pursuit of the VCP-Security and thank you for reading!
