What a firewall certification actually tests
The CSNA is an honest exam about a specific thing: can you drive a Stormshield appliance? Objects, filter policies, NAT in its several directions, IPsec tunnels, the IPS profiles and their inspection levels. Preparing for it is genuinely useful — the SNS interface stops being a wall of menus and becomes a machine whose defaults you understand and whose sharp edges you have already cut yourself on in a lab. I passed in March and the knowledge is real. But it is worth being precise about what was measured, because the industry routinely confuses it with something larger.
What a certification cannot test is the lifecycle. A filter policy at minute zero is an intention; a filter policy after a year of production is an archaeology. Every rule in it was once urgent for someone. The exam asks whether you can write the rule. Operations asks the harder questions: who requested it, does it still have an owner, when does it expire, and would anyone notice if it were removed? Rule sprawl is not a configuration error — every individual rule was correct the day it shipped. It is an accumulation error, and no multiple-choice question can represent an accumulation. The difference between a certified administrator and a good one is that the second treats the rulebase as a liability to be paid down, not a text to be appended to.
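The lifecycle questions in the paragraph above (owner, ticket, expiry, whether a rule still matches anything) can be asked mechanically on every review. The script below is an added example, not code from the post or from Stormshield: the rule export format, the field names and the sample rules are constructed assumptions, and a real run would feed it metadata and hit counters pulled from the appliance or its configuration backups.

```python
"""Rulebase hygiene audit over a constructed rule export.

Added example. The Rule fields and SAMPLE_RULES are assumptions, not the
SNS export schema; a real audit maps the appliance's own rule metadata
and hit counters onto these fields.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "block"
    owner: Optional[str] = None      # person or team accountable for the rule today
    ticket: Optional[str] = None     # change or incident that justified it
    expires: Optional[str] = None    # ISO date when the exception must be re-approved
    last_hit: Optional[str] = None   # ISO date of the last matching packet (from counters)


def _as_date(s):
    return date.fromisoformat(s) if s else None


def audit_rules(rules, today, stale_days=90, warn_days=30):
    """Return {rule name: [issues]} for every rule that carries lifecycle debt."""
    today = date.fromisoformat(today)
    findings = {}
    for r in rules:
        issues = []
        if not r.owner:
            issues.append("no-owner")
        if not r.ticket:
            issues.append("no-ticket")
        exp = _as_date(r.expires)
        if exp is None:
            issues.append("no-expiry")
        elif exp < today:
            issues.append("expired")
        elif (exp - today).days <= warn_days:
            issues.append("expiring-soon")
        hit = _as_date(r.last_hit)
        if hit is None or (today - hit).days > stale_days:
            issues.append("stale")
        if issues:
            findings[r.name] = issues
    return findings


def removal_candidates(findings):
    """Rules nobody owns or that have expired AND that match no traffic: safest to retire first."""
    return sorted(name for name, issues in findings.items()
                  if "stale" in issues and ("expired" in issues or "no-owner" in issues))


# Constructed sample rulebase (not from any real appliance).
SAMPLE_RULES = [
    Rule("allow-web-out", "pass", owner="netops", ticket="CHG-0001",
         expires="2025-01-01", last_hit="2024-03-31"),
    Rule("vendor-rdp-temp", "pass", owner=None, ticket="INC-0042",
         expires="2023-12-31", last_hit="2023-10-02"),
    Rule("legacy-ftp", "pass", owner="alice", ticket=None,
         expires=None, last_hit=None),
    Rule("pentest-access", "pass", owner="bob", ticket="CHG-0099",
         expires="2024-04-15", last_hit="2024-03-30"),
]

if __name__ == "__main__":
    report = audit_rules(SAMPLE_RULES, "2024-03-31")
    for name, issues in report.items():
        print(f"{name:18} {', '.join(issues)}")
    print("retire first:", removal_candidates(report))
```

The point of the `stale` check combined with `expired` or `no-owner` is that it separates rules that are merely undocumented (still in use, need an owner assigned) from rules that are both unaccountable and unused, which are the ones that can be removed with the least risk of an outage. The thresholds are arbitrary defaults; a review cadence should set them deliberately.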
The second untested discipline is reading what the appliance says back. A firewall is the best-placed sensor in the building: it sees every flow that crosses a boundary, it already classifies them, and its logs are structured. Most organisations use it exclusively as an actuator — packets stop or pass — and let the sensor half run write-only into a syslog nobody queries. Studying for the IPS sections, I kept noticing how much of the value assumed someone downstream was actually looking: an inspection profile that raises alarms into a void is indistinguishable from one that is switched off. The blue-team habit of treating deny logs as telemetry, baselining them, and asking what changed this week costs nothing at purchase time and is worth more than most of what does.
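"Baselining deny logs and asking what changed this week" reduces to a week-over-week diff of what the firewall refused, keyed on who was blocked going where. The script below is an added example and not the post's or Stormshield's code: the `key=value` log lines are constructed and do not follow the SNS log schema, so `parse_line()` would need its field names adjusted for real exports.

```python
"""Deny-log baselining: week-over-week diff of what the firewall refused.

Added example. SAMPLE_LOG is a constructed key=value syslog format, not the
SNS log schema; replace parse_line() with the appliance's real field names.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: one week of baseline, one week of current traffic.
SAMPLE_LOG = """\
2024-03-18T08:12:01Z action=block src=10.1.4.20 dst=203.0.113.7 dport=445 proto=tcp rule=default-deny
2024-03-19T09:40:12Z action=block src=10.1.4.20 dst=203.0.113.7 dport=445 proto=tcp rule=default-deny
2024-03-20T11:02:44Z action=block src=10.1.7.9 dst=198.51.100.4 dport=23 proto=tcp rule=default-deny
2024-03-21T14:30:00Z action=block src=10.1.4.20 dst=10.1.255.255 dport=137 proto=udp rule=default-deny
2024-03-22T16:00:05Z action=pass src=10.1.4.20 dst=203.0.113.50 dport=443 proto=tcp rule=allow-web-out
2024-03-25T08:05:31Z action=block src=10.1.4.20 dst=203.0.113.7 dport=445 proto=tcp rule=default-deny
2024-03-25T08:05:32Z action=block src=10.1.4.20 dst=203.0.113.8 dport=445 proto=tcp rule=default-deny
2024-03-25T08:05:33Z action=block src=10.1.4.20 dst=203.0.113.9 dport=445 proto=tcp rule=default-deny
2024-03-25T08:05:34Z action=block src=10.1.4.20 dst=203.0.113.10 dport=445 proto=tcp rule=default-deny
2024-03-25T08:05:35Z action=block src=10.1.4.20 dst=203.0.113.11 dport=445 proto=tcp rule=default-deny
2024-03-25T08:05:36Z action=block src=10.1.4.20 dst=203.0.113.12 dport=445 proto=tcp rule=default-deny
2024-03-27T10:11:12Z action=block src=10.1.9.30 dst=203.0.113.7 dport=3389 proto=tcp rule=default-deny
2024-03-28T14:30:00Z action=block src=10.1.4.20 dst=10.1.255.255 dport=137 proto=udp rule=default-deny
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


def parse_line(line):
    """Return the line's fields as a dict (timestamp parsed under 'ts'), or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def deny_profile(lines, start, end):
    """Count blocked flows per (src, dport, proto) with a timestamp in [start, end)."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.get("action") != "block":
            continue
        if not (start <= ev["ts"] < end):
            continue
        counts[(ev["src"], ev["dport"], ev["proto"])] += 1
    return counts


def weekly_review(lines, week_start, spike_factor=3.0):
    """Diff the week starting at week_start (ISO date) against the week before it.

    'new' keys never appeared in the baseline, 'gone' keys stopped being denied,
    'spikes' grew by at least spike_factor: each is a question for a human, not an alert.
    """
    cur_start = datetime.fromisoformat(week_start)
    base_start = cur_start - timedelta(days=7)
    baseline = deny_profile(lines, base_start, cur_start)
    current = deny_profile(lines, cur_start, cur_start + timedelta(days=7))
    return {
        "new": sorted(k for k in current if k not in baseline),
        "gone": sorted(k for k in baseline if k not in current),
        "spikes": sorted(k for k in current
                         if k in baseline and current[k] >= spike_factor * baseline[k]),
        "baseline": baseline,
        "current": current,
    }


if __name__ == "__main__":
    review = weekly_review(SAMPLE_LOG.splitlines(), "2024-03-25")
    for label in ("new", "gone", "spikes"):
        print(label, review[label])
```

Keying on source, destination port and protocol rather than on the full five-tuple is deliberate: one host probing six different targets on port 445 shows up as a single spike instead of six unrelated single denies, which is the shape a reviewer actually wants to see. The output is a worklist, not a verdict; a vanished deny can mean the misconfigured client was fixed, or that someone added a pass rule for it, and only the change log says which.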
None of this is an argument against the certification — I would sit it again, and the discount on ego that comes from scoring 80% on a tool you thought you knew is its own education. It is an argument about what the paper attests. A certificate says: this person has seen the machine before and will not improvise the basics. Trustworthy infrastructure comes from somewhere else — from change discipline, from expiry dates on exceptions, from logs that get read. The exam is a snapshot; operating is a time series. Hiring processes that treat the first as a proxy for the second are measuring the wrong axis, and administrators who believe their own certificate are the mechanism by which good firewalls quietly go bad.