156-587 Check Point Certified Troubleshooting Expert - R81.20 (CCTE) Questions and Answers

To see the list of processes monitored by the WatchDog process (CPWD), you use thecpwd_admin listcommand.

Option A (cpstat fw -f watchdog): Shows firewall status and statistics for the "fw" context, not necessarily the list of monitored processes.

Option B (fw ctl get str watchdog): Not a valid parameter for retrieving the list of monitored processes; “fw ctl” deals with kernel parameters.

Option C (cpwd_admin list): Correct command that lists all processes monitored by CPWD, their status, and how many times they have been restarted.

Option D (ps -ef | grep watchd): This will list any running process that matches the string “watchd” but will not specifically detail which processes are being monitored by CPWD.

Therefore, the best answer iscpwd_admin list.

Check Point Troubleshooting References

sk97638: Explains Check Point WatchDog (CPWD) usage and the cpwd_admin utility.

R81.20 CLI Reference Guide: Describes common troubleshooting commands including cpwd_admin list.

Check Point Gaia Administration Guide: Provides instructions for monitoring system processes and verifying CPWD.

The kernel component associated with Content Awareness and data collection from contexts (often provided by the Context Management Infrastructure - CMI) is dlpda.  

According to the Check Point R81.20 Quantum Security Gateway Administration Guide, within the listing of kernel modules, dlpda is described as follows:

Exact Extract:

Module "dlpda" (Data Loss Prevention - Download Agent for Content Awareness)

The dlpda module functions as a "Download Agent for Content Awareness." This role involves collecting data necessary for the Content Awareness blade to inspect and understand the content of traffic. The Content Awareness blade works in conjunction with the Context Management Infrastructure (CMI), which provides the initial context about the traffic. The dlpda component then uses these contexts to gather the relevant data for deeper inspection and to determine if the content matches any defined data types or policies. While the guide lists it as a "Module," exam questions in the CCTE context often refer to such components involved in kernel operations as "kernel processes." The function described clearly aligns with collecting data for Content Awareness.  

Options analysis:

A. PDP (Policy Decision Point): This process is primarily associated with Identity Awareness for making access decisions based on user identity, not directly for Content Awareness data collection from CMI contexts.

B. cpemd (Check Point Endpoint Management Daemon): This daemon is related to endpoint security management and does not fit the role of a kernel process for gateway-level Content Awareness data collection.

D. CMI (Context Management Infrastructure): CMI is an infrastructure that provides contexts to various blades, including Content Awareness. It is the source of the contexts, not the kernel process that collects data based on those contexts.

Therefore, dlpda is the kernel component specifically tasked with collecting data for Content Awareness.

When the free command on a Linux-based system (like a Check Point Gaia gateway) shows a non-zero value in the "Swap" column, it indicates that the system has utilized its swap space. Swap space is a portion of the hard disk designated to act as virtual RAM when the physical RAM is fully utilized.

The most direct and accurate explanation for swap usage is that the system's demand for Random Access Memory (RAM) exceeded the available physical RAM, forcing the operating system to move some less frequently used memory pages from RAM to the swap space on the disk. This frees up physical RAM for more active processes.

Let's analyze the options:

A. Utilization of ram is high and swap file had to be used:This is the correct and fundamental reason. Swap is used precisely because RAM utilization reached a point where the system needed more memory than was physically available.

B. Swap file is used regularly because RAM memory is reserved for management traffic:While Check Point gateways handle management traffic, operating systems do not typically use swap "regularly" due to a fixed reservation of RAM for such traffic in a way that would routinely force swapping under normal conditions. If management traffic is excessively high and consumes too much RAM, it would fall under the general case of high RAM utilization.

C. Swap memory is used for heavy connections when RAM memory is full:This describes a commoncausefor high RAM utilization on a firewall. Heavy connections can consume significant memory resources. When this consumption leads to RAM exhaustion, swap willindeed be used. However, option A is a more general and direct explanation ofwhyswap is used, regardless of the specific cause of high RAM utilization. Option C is a specific scenario leading to the condition described in A.

D. Its ole Swap is used to increase performance:This statement is incorrect. Swapping to disk is significantly slower than accessing RAM. Therefore, swap usage generally indicates a performance bottleneck (or potential for one) rather than a performance enhancement. While virtual memory (which includes swap) allows a system to run more or larger applications than its physical RAM would normally allow, the act of swapping itself is detrimental to performance.

Conclusion:The best answer is A because it directly and accurately describes the immediate reason for swap usage: high RAM utilization necessitating the use of the swap file. Option C, while plausible as acauseof high RAM utilization, is a specific instance, whereas A is the overarching reason swap comes into play.

Reference (General Linux/System Administration Principles and supported by CCTE exam preparation materials):This understanding is based on fundamental principles of how operating systems manage memory and swap space. Check Point CCTE R81.20 exam preparation materials also affirm this understanding for similar questions. For instance, a question identical to this one appearing in CCTE exam preparation resources typically points to option A as the correct answer.

cpsemd is the process responsible for logging into the SmartEvent GUI. Therefore, you need to check the status of this process and debug it, if necessary. Usually, the issue withthe cpsemd process is that it is crashing, or not coming up. What causes this process to crash or not come up is that the PostgreSQL database is down. Therefore, in order to run the cpsemd process successfully, you need to run the PostgreSQL database successfully.

The input that is suitable for debugging HTTPS inspection issues is fw debug tls on TDERROR_ALL_ALL=5. This input will enable the TLS debug mode and set the debug level to 5, which is the highest level of verbosity. The fw debug command is used to control the debug features of the firewall modules, such as TLS, CPTLS, HTTP, etc. The tls option will enable the debug mode for the TLS module, which is responsible for handling the HTTPS inspection feature. The TDERROR_ALL_ALL environment variable will set the debug level to 5, which will generate the most detailed and comprehensive debug output. The debug output will be written to the $FWDIR/log/tls.elg file, whichcan be collected and analyzed with the TLSView tool1 to see the details of the HTTPS inspection process, such as certificate validation, SSL/TLS negotiation, encryption/decryption, etc. The other options are incorrect because:

fw ctl debug -m fw + conn drop cptls will enable the kernel debug mode for the firewall module, with the flags conn, drop, and cptls. The kernel debug mode will generate the kdebug.txt file in the $FWDIR/log directory, which contains information about the firewall traffic processing in the kernel. The kernel debug mode is useful for troubleshooting issues related to policy, NAT, routing, and inspection, but not for issues related to HTTPS inspection, which is handled by the TLS module in the user space2.

vpn debug cptls on will enable the IKE debug mode for the CPTLS module, which is a component of the VPN module. The IKE debug mode will generate the ike.elg and ikev2.xmll files in the $FWDIR/log directory, which contain information about the IKE negotiation, authentication, and key exchange between the VPN peers. The CPTLS module is responsible for handling the SSL/TLS encryption/decryption for the VPN traffic, but not for the HTTPS inspection traffic3.

fw diag debug tls enable is not a valid command and will not enable the TLS debug mode. The fw diag command is used to control the diagnostic features of the firewall, such as packet capture, core dump, etc. The debug option is not a valid option for the fw diag command, and the tls option is not a valid option for the debug option. References:

How to use the TLSView tool

How to debug the Firewall kernel (fw) module

How to debug VPN issues on Quantum Spark (SMB) Appliances

[fw diag - Check Point CLI Reference Card]

The correct directory where an administrator can find vpn debug log files generated during Site-to-Site VPN troubleshooting is $FWDIR/log/. This directory contains the following files related to vpn debug:

vpnd.elg: This file contains the high-level VPN debug information, such as the VPN tunnel establishment, deletion, and negotiation messages. It can be enabled by using thevpn debug oncommand on the Security Gateway CLI.

legacy_ike.elg: This file contains the low-level IKE debug information for IKEv1, such as the IKE packets, encryption, decryption, and authentication. It can be enabled by using thevpn debug ikeoncommand on the Security Gateway CLI.

legacy_ikev2.xml: This file contains the low-level IKE debug information for IKEv2, such as the IKE packets, encryption, decryption, and authentication. It can be enabled by using thevpn debug ikev2oncommand on the Security Gateway CLI.

These files can be viewed by using thevpn debug viewcommand on the Security Gateway CLI, or by using theIKEViewtool on the Security Management Server GUI.

The Application Database on a Check Point Security Gateway stores information about applications and categories used by the Application Control and URL Filtering blades. This database is maintained in specific files on the Gateway.

Option A: Incorrect. api_db.C and api_custom_db.C are not standard files related to the Application Database. These names may be confused with API-related configurations.

Option B: Incorrect. apcl_db.C and apd_custom_db.C are not recognized as Application Database files. These names do not align with Check Point’s file naming conventions.

Option C: Correct. The Application Database is stored in application_db.C (the main database) and application_custom_db.C (custom application definitions). These files are located in the $FWDIR/conf directory on the Security Gateway.

Option D: Incorrect. appi_db.C and appi_custom_db.C are close but incorrect. The correct prefix is application_, not appi_.

The Unified Policy is a feature that allows you to create a single policy layer that combines the functionality of Access Control, Threat Prevention, and HTTPS Inspection12. To debug the Unified Policy, you need to use the command fw ctl debug with the module name UP and the flag all or specific flags for different aspects of the Unified Policy inspection34. The possible flags for the Unified Policy module are:

up_match: Shows the matching process of the Unified Policy rules.

up_inspect: Shows the inspection process of the Unified Policy rules.

up_action: Shows the action process of the Unified Policy rules.

up_log: Shows the logging process of the Unified Policy rules.

up_tls: Shows the TLS inspection process of the Unified Policy rules.

up_clob: Shows the CLOB (Content Limitation and Optimization Blade) inspection process of the Unified Policy rules.

up_rulebase: Shows the rulebase loading process of the Unified Policy rules.

up_connection: Shows the connection tracking process of the Unified Policy rules.

The flag tls is not a valid flag for the Unified Policy module, as it is used for the TLS Inspection module5. Therefore, the correct answer is A. tls. The other options are valid flags for the Unified Policy module, as explained above34. References:

1: CCTE Courseware, Module 8: Advanced Access Control, Slide 7

2: Check Point R81 Security Gateway Architecture and Packet Flow, Chapter 5: Unified Policy, Page 29

3: CCTE Courseware, Module 8: Advanced Access Control, Slide 17

4: Check Point R81 Security Gateway Architecture and Packet Flow, Chapter 5: Unified Policy, Page 32

5: Check Point R81 Security Gateway Architecture and Packet Flow, Chapter 6: TLS Inspection, Page 36

The ADLOG function receives the AD log event information from the Domain Controllers. The ADLOG function is part of the Identity Awareness feature that enablesthe Security Gateway to identify users and machines in the network and enforce Access Control policy rules based on their identities. The ADLOG function uses the AD Query (ADQ) method to connect to the Active Directory Domain Controllers using WMI and subscribe to receive Security Event logs that are generated when users perform login. The ADLOG function then extracts the user and machine information that maps to an IP address from the event logs and sends it to the PEP function, which enforces the policy based on the identity information.

The Resource Advisor (RAD) service on the Security Gateways is responsible for online categorization of URLs and resources for Application Control and Threat Prevention blades. RAD has two components: a kernel module and a user space module. The kernel module looks up the kernel cache for URLs and resources, notifies the client about hits and misses, and forwards asynchronous requests to the user space module. The user space module handles the communication with the Check Point online web service and updates the kernel cache with the results. RAD can operate in three modes: hold, background, and custom, depending on the configuration of the blades and the policy. References:

Check Point Processes and Daemons - Section: Security Gateway Software Blades and Features - Subsection: URL Filtering Blade

Solved: Re: RAD’s high utilization - Post by @PhoneBoy

Check Point Certified Troubleshooting Expert (CCTE) - Exam Topics - Module 5: Advanced Access Control

The Global Domain is one of the relational database domains in the Postgres database that stores the management configuration. The purpose of the Global Domain is to serve as the global database for Multi-Domain Security Management (MDSM) and contain the global objects and policies that are shared across all domains. The Global Domain also stores the global settings, such as the administrator roles, the LDAP servers, the IPS profiles, and the SmartEvent views. The Global Domain can be managed by the Global Domain Administrator or the Super User Administrator using the SmartConsole. The Global Domain can be backed up and restored using the mds_backup and mds_restore commands.

The PDP process is the Identity server, which is a component of the Identity Awareness blade on the Security Gateway. The PDP process is responsible for collecting and managing identity information from various sources, such as Active Directory, Identity Agents, Captive Portal, Terminal Servers, and RADIUS. The PDP process also communicates with the PEP process, which is the Policy Enforcement Point, to enforce identity-based policies on the traffic passing throughthe Security Gateway1. The other options, such as Log Sifter, Captive Portal Service, andUserAuth Database, are either not related to Identity Awareness or not processes, but rather files or services. References: 1: sk93046: Identity Awareness - How to Configure

 One possible solution to solve the issue of having a very large file that is difficult to open and analyze with standard text editors is to divide the debug information into smaller files. This can be done by using the fw ctl kdebug command with the -f, -o, -m, and -s options. The -f option means to write the debug output to a file instead of the screen. The -o option specifies the name of the output file. The -m option sets the maximum number of files to be created. The -s option sets the maximum size of each file in KB. For example, the command fw ctl kdebug -f -o debug -m 25 -s 1024 will create up to 25 files named debug.0, debug.1, …, debug.24, each with a maximum size of 1024KB. This way, the debug information can be split into more manageable chunks that can be opened and analyzed more easily with standard text editors.

The Core Dump Manager (CDM) is a utility that helps manage core dump files on Check Point systems. Its main functions include:  

Limiting file size and number:CDM can be configured to limit the size of individual core dump files and the total amount of disk space used for core dumps. This prevents core dumps from filling up valuable disk space.  

Compression:CDM can compress core dump files to reduce their storage size. This is particularly helpful when dealing with large core dumps.  

Process filtering:CDM allows you to specify which processes should be allowed to generate core dumps. This can help prevent unnecessary core dumps from being created.  

Remote collection:CDM can be configured to send core dump files to a remote server for analysis. This is useful in environments where direct access to the system generating the core dump is limited.

By using CDM, you can effectively manage core dump files and ensure that they are not overwhelming your system's resources.

While specific Check Point CCTE R81.20 official documentation that explicitly singles out "Handlers" from the given options as the sole component for storing Rule Base matching state-related information is not readily available in the provided search snippets, CCTE exam preparation materials consistently point to "Handlers" as the correct answer for this question.

In the broader context of Check Point's packet processing and Unified Policy architecture, several components are involved in rule base matching:

According to Check Point's sk120964 - ATRG: Unified Policy (relevant for R81.20):

Connection/Transaction: This logical entity "Saves rulebase matching state and classification objects (CLOBs)."

Manager: This component acts as a "Mediator between other components. Responsible for the whole rule base execution process. Creates connection/transactions, as required. Sends logs."  

Classifiers: These are "CMI_LOADER applications" (e.g., Network, Identity, Application Control) that provide classification data (CLOBs) used in the matching process.

Observers: An "Observer is a unit collecting CLOBs for classification refinement."

"Handlers" in a general firewall architecture are typically components (which can be kernel modules or processes) responsible for managing active connections and their progression through policy enforcement. As such, they would inherently be involved in maintaining and accessing state information related to rule base matching for those connections. The "Connection/Transaction" objects, which store the rule base matching state, are created by the Manager and would be managed by such Handlers during the lifecycle of a connection.

Therefore, in the context of the CCTE R81.20 exam, "Handlers" are understood to be the packet processing components that store this Rule Base matching state-related information. The state itself is conceptually saved within Connection/Transaction objects, which are orchestrated by the Manager and utilized by various processing components often referred to as Handlers.

Reference (based on Unified Policy component roles from official Check Point documentation):

Check Point Support Center sk120964: ATRG: Unified Policy. (Last Modified: 2024-12-29, relevant for R81.20)."Connection/Transaction. Saves rulebase matching state and classification objects (CLOBs)."

"Manager. Mediator between other components. Responsible for the whole rule base execution process. Creates connection/transactions, as required.