Checkpoint 156-587 Check Point Certified Troubleshooting Expert - R81.20 (CCTE) Exam Practice Test

 The correct command to check the subscription status on the CLI of the gateway is show license status. This command displays the current license information, such as the license type, expiration date, and subscription status for various blades, such as Anti-Bot, Anti-Virus, IPS, etc. The command also shows the contract status for each blade, such as valid, expired, or invalid. If John has renewed his NPTX license, but he gets an error that the contract for Anti-Bot expired, he can use this command to verify the contract status and the subscription status for the Anti-Bot blade.

The other commands are incorrect because:

A. fwm lie print is not a valid command. The correct command is fwm lic print, which displays the license information on the Security Management Server, not on the gateway. This command does not show the subscription status or the contract status for the blades.

B. fw monitor license status is not a valid command. The correct command is fw monitor, which is a tool for capturing network traffic on the gateway, not for checking the license status.

C. cpstat antimalware-f subscription status is not a valid command. The correct command is cpstat antimalware -f subscription_status, which displays the subscription status for the Anti-Virus blade, not for the Anti-Bot blade. This command does not show the contract status for the blade.

The simplest and most efficient way to check all dropped packets in real time is C. fw ctl zdebug + drop in expert mode. This command is a shortcut command that sets the kernel debug flags to a predefined value and prints the debug output to the standard output. It is useful for general debugging of common issues, such as traffic drops, NAT, VPN, or clustering. It has a small buffer size and does not require additional steps to start or stop the debugging. However, it has some limitations, such as it cannot be used with SecureXL, it cannot filter the output by chain modules, and it cannot save the output to a file12.

The other commands are not as simple or efficient as the fw ctl zdebug + drop command. The command tail -f $FWDIR/log/fw.log |grep drop in expert mode will only show the drops that are logged in the fw.log file, which may not include all the drops that occur in the kernel. The command cat /dev/fw1/log in expert mode will show the raw binary data of the kernel debug buffer, which is not human-readable and may contain irrelevant information. The command Smartlog will show the drops that are indexed and stored in the SmartEvent database, which may not be in real time and may depend on the log server performance12.

1: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_AdvancedTechnicalReferenceGuide/html_frameset.htm  2: https://www.checkpoint.com/downloads/training/DOC-Training-Data-Sheet-CCTE-R81.10-V1.0.pdf

The Check Point R81.20 Gaia Administration Guide describes fw ctl zdebug as a key troubleshooting tool for real-time packet analysis, particularly for drops. The CCTE R81.20 course emphasizes using fw ctl zdebug for kernel-level debugging, including monitoring dropped packets.

For precise details, refer to:

Check Point R81.20 Gaia Administration Guide, section on “fw ctl zdebug” (available via Check Point Support Center).

CCTE R81.20 Courseware, which covers advanced troubleshooting techniques for packet drops (available through authorized training partners).

 The CpmiHostCkp table in the Postgres database contains the data for CPMI objects, such as gateways, clusters, and servers. The table column that should be selected to query for the object instance is the objid column, which is the primary key of the table and uniquely identifies each object. The objid column can be used to join with other tables that reference CPMI objects, such as CpmiClusterMember, CpmiCluster, and CpmiServer. The objid column can also be used to retrieve the object name, IP address, type, and other attributes from the CpmiHostCkp table itself. References:

Check Point Database Tool (GuiDBedit Tool) - Section: How to use the Check Point Database Tool (GuiDBedit Tool) - Subsection: How to view the data in the database

Check Point Certified Troubleshooting Expert (CCTE) - Exam Topics - Module 6: Advanced Management Server Troubleshooting

[Check Point R81 Database Schema] - Section: CPMI Tables - Subsection: CpmiHostCkp Table

 The CPD process controls logging on the Security Management Server or the Log Server. It is responsible for receiving logs from the Security Gateways, storing them in the log files, and forwarding them to the SmartLog and SmartEvent servers. It also handles the communication with the SmartConsole clients and the CPM process. The CPD process runs on the Security Management Server or the Log Server as part of the Management High Availability module.

When a process isfrozen(hung or unresponsive), the typical method to resolve it is tokill the process. On Check Point, you can use cpwd_admin kill -name or a standard Linux kill -9 command if necessary. You then allowCPWD(the Check Point watchdog) to restart it, or manually restart it if needed.

Other options:

A. Power off the machine: This is too drastic and not recommended just for a single frozen process.

B. Restart the process: While this sounds viable, you typicallymust killthe frozen process first, then let WatchDog or an admin restart it.

C. Reboot the machine: Similar to powering off—too disruptive for just one stuck process.

Hence, the most direct and standard approach:

“Kill the process.”

Check Point Troubleshooting References

sk97638– Explanation of CPWD (Check Point WatchDog) and how to manage processes.

sk43807– How to gracefully stop or kill a Check Point process.

Check Point CLI Reference Guide– Details on using cpwd_admin commands to kill or restart processes.

The doctor-log script is a tool that provides information about the logging system and helps to identify and troubleshoot common issues. The script runs automatically every night and generates a report that contains the following information:

Current and daily average logging rates: This shows how many logs are being generated and received by the log server per second. It can help to monitor the logging performance and identify any spikes or drops in the logging rate.

Indexing status: This shows the status of the log indexing process, which enables faster and more efficient log searches. It can help to identify any issues with the indexing system, such as delays, failures, or errors.

Size: This shows the size of the log files and the disk space used by the logging system. It can help to manage the disk space and plan for log rotation and backup.

The doctor-log script also provides some troubleshooting tips and repair options for common logging issues, such as corrupted log files, missing log indexes, or low disk space. The script can be run manually or scheduled to run at a specific time. The script output can be viewed in the SmartConsole or in the log server file system.

Usermode core files are generated when a user mode process crashes. They are located in the $CPDIR/var/log/dump/usermode directory on the Security Gateway or Security Management server. The core files can be used to analyze the cause of the crash and troubleshoot the issue. The core files are named according to the process name, date, and time of the crash. For example, cpd_2023_02_03_16_40_55.core is a core file for the cpd process that crashed on February 3, 2023 at 16:40:55

 Log indexing is a feature that enables faster and more efficient log searches in SmartLog and SmartEvent. To enable log indexing on the Security Management Server (SMS), you need to edit the SMS object in SmartConsole and go to the “Logs” tab. There you can configure the log indexing settings, such as the index location, the index size, the index frequency, and the index retention123. References:

1: CCTE Courseware, Module 2: Advanced Logs and Monitoring, Slide 9

2: Check Point R81 Logging and Monitoring Administration Guide, Chapter 2: Log Indexing, Page 17

3: Check Point R81 Logging and Monitoring Administration Guide, Chapter 2: Log Indexing, Page 18

 Identity Awareness is a feature that enables the Security Gateway to identify users and groups behind IP addresses, and apply security policies based on their identity12. Identity Awareness uses different methods to acquire identities, such as AD Query, Identity Collector, and Browser-Based Authentication12. To debug Identity Awareness issues, you need to use the command pdp debug on the gateway, where pdp stands for Policy Decision Point, the component that handles the identity acquisition and enforcement13. The command pdp debug has different flags for different identity sources, such as adlog for AD Query, ic for Identity Collector, and nac for Browser-Based Authentication13. The flag extended enables more detailed debug output13. Therefore, the correct command to debug the problem of users not being able to browse internet sites with Identity Awareness using AD Query, Identity Collector, and Browser-Based Authentication is pdp debug nac extended on the gateway13. The other options are incorrect because they either use the wrong command (ad debug instead of pdp debug), the wrong flag (ad query instead of nac), or the wrong location (on the management instead of on the gateway). References:

1: CCTE Courseware, Module 9: Advanced Identity Awareness Troubleshooting, Slide 4

2: Check Point R81 Identity Awareness Administration Guide, Chapter 1: Introduction to Identity Awareness, Page 7

3: Check Point R81 Identity Awareness Administration Guide, Chapter 5: Troubleshooting Identity Awareness, Page 49

When troubleshootingcrasheson a Security Gateway (or any Linux-based system), the file type that is typically generated and used for in-depth analysis is acore dump.

A core dump captures the memory state of a process at the time it crashed and is critical for root-cause analysis.

Other options:

A. tcpdump: A packet capture file, not a crash-related file.

C. fw monitor: A Check Point packet capture tool, but not for crash debugging.

D. CPMIL dump: Not a common or standard crash dump reference in Check Point.

In Check Point’s Security Management Architecture, SmartConsole is the graphical user interface used to manage the Security Management Server. The communication between SmartConsole and the Security Management Server relies on specific processes and ports, which are critical for troubleshooting connectivity issues.

TheCPM (Check Point Management)process is the primary process on the Security Management Server responsible for handling management operations, including interactionswith SmartConsole. The default port for this communication is18190(TCP), used for the SIC (Secure Internal Communication) and management GUI connections.

Option A: Correct. SmartConsole communicates with the Security Management Server using the CPM process over port 18190. This port is used for GUI client connections to the management server.

Option B: Incorrect. The FWM (Firewall Management) process is an older process used in earlier Check Point versions (pre-R80) for management tasks. In R81.20, CPM has largely replaced FWM for SmartConsole communications. Additionally, port 19009 is used for other purposes, such as the Check Point REST API, not SmartConsole.

Option C: Incorrect. While CPM is the correct process, port 19009 is not used for SmartConsole communication. Port 19009 is associated with the Check Point Management API (e.g., for mgmt_cli or REST API calls).

Option D: Incorrect. While CPM is involved, SmartConsole does not use both ports 19009 and 18191. Port 18191 is typically used for log server communications (e.g., SmartConsole to Log Server), not direct management server communication.

 The fw ctl zdebug command is a powerful tool that can be used to collect debug messages from the kernel, clean the buffer, and automatically allocate a 1MB buffer. However, it cannot be used to debug additional modules, such as SecureXL, CoreXL, or VPN. For those modules, other commands or tools are needed, such as fwaccel dbg, fw ctl affinity, or vpn debug.

When a user space process crashes unexpectedly, the operating system often creates acore dumpfile. This file is a snapshot of the process's memory at the time of the crash, including information such as:

Program counter:This indicates where the program was executing when it crashed.

Stack pointer:This shows the function call stack, which can help trace the sequence of events leading to the crash.

Memory contents:This includes the values of variables and data structures used by the process.

Register values:This shows the state of the processor registers at the time of the crash.

Core dump files can be analyzed using debuggers like GDB to understand the cause of the crash.

Why other options are incorrect:

B. kernel_memory_dump dbg:This refers to a kernel memory dump, which is generated when the operating system kernel itself crashes.

C. core analyzer:This is a tool used to analyze core dump files, not the file itself.

D. coredebug:This is not a standard term for any type of crash dump file.

Check Point Troubleshooting References:

Check Point's documentation mentions core dumps in the context of troubleshooting various processes, such as fwd (firewall) and cpd (Check Point daemon). You can find information on enabling core dumps and analyzing them in the Check Point administration guides and knowledge base articles.

SmartEvent is a unified security event management and analysis solution that collects and analyzes data from multiple sources to identify and respond to security threats. SmartEvent consists of three main components: Log Server, Correlation Unit, and SmartEvent Server1. The three main processes that govern these SmartEvent components are:

eventiasv: This process is responsible for indexing the logs received from the Log Server and storing them in the SmartEvent database. It also performs log consolidation and compression to optimize the diskspace usage2.

eventiarp: This process is responsible for running the predefined and custom correlation rules on the indexed logs and generating security events based on the rule criteria. It also sends notifications and triggers automatic responses for the security events3.

eventiacu: This process is responsible for providing the web-based user interface for SmartEvent, which allows the administrators to view, analyze, and manage the security events. It also provides the SmartEvent API for external integration4. References: Check Point Processes and Daemons5, SmartEvent Administration Guide1

1: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_AdminGuide/html_frameset.htm  2: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_AdminGuide/Content/Topics-SmartEvent/SmartEvent-Components.htm#_Toc64167467  3: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_Adm inGuide/Content/Topics-SmartEvent/SmartEvent-Components.htm#_Toc64167468 4: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_AdminGuide/Content/Topics-SmartEvent/SmartEvent-Components.htm#_Toc64167469  5: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk97638

ClusterXL is Check Point’s high-availability and load-sharing solution, which monitors critical components to ensure cluster functionality. PNOTEs (Problem Notifications) are specific conditions or processes monitored by ClusterXL to detect failures or issues that could impact the cluster’s operation. When a PNOTE is triggered, ClusterXL may initiate a failover to maintain service continuity.

Option A: Correct. TED (Threat Emulation Daemon) is not monitored as a PNOTE by ClusterXL. TED is part of the Threat Emulation blade, which handles sandboxing and emulation tasks, but it is not a critical cluster component monitored by ClusterXL.

Option B: Incorrect. Policy installation status is monitored as a PNOTE by ClusterXL. If a policy fails to install or becomes corrupted, ClusterXL can detect this as a critical issue and trigger a failover.

Option C: Incorrect. RouteD (Routing Daemon) is monitored as a PNOTE by ClusterXL. Routing issues, such as the failure of dynamic routing protocols, are critical for cluster operations, especially in environments with dynamic routing enabled.

Option D: Incorrect. VPND (VPN Daemon) is monitored as a PNOTE by ClusterXL. VPN functionality is critical in many deployments, and ClusterXL monitors VPND to ensure VPN tunnels remain operational.

 = The RFL process is the Remote File Log process that is responsible for transferring logs from the Security Gateway to the Security Management Server1. If the RFL process is with status T, it means that it is terminated and not running2. This could explain why the logs are not seen in the SMS. To resolve this issue, one possible command to run is smartlog_server stop and smartlog_server restart3. This command will stop and restart the SmartLog server, which is the process that indexes and displays the logs in the SmartConsole. By restarting the SmartLog server, it may also restart the RFL process and resume the log transfer. Alternatively, one can also try to restart the RFL process directly by running cpwd_admin stop -name RFL and cpwd_admin start -name RFL. References: Check Point Processes and Daemons, sk97638 - Check Point Processes and Daemons, sk144192 - How to restart SmartLog server, [sk98348 - SmartLog / SmartView server functionality], [sk97638 - Check Point Processes and Daemons]

The Unified Policy is a feature that allows you to create a single policy layer that combines the functionality of Access Control, Threat Prevention, and HTTPS Inspection12. To debug the Unified Policy, you need to use the command fw ctl debug with the module name UP and the flag all or specific flags for different aspects of the Unified Policy inspection34. The possible flags for the Unified Policy module are:

up_match: Shows the matching process of the Unified Policy rules.

up_inspect: Shows the inspection process of the Unified Policy rules.

up_action: Shows the action process of the Unified Policy rules.

up_log: Shows the logging process of the Unified Policy rules.

up_tls: Shows the TLS inspection process of the Unified Policy rules.

up_clob: Shows the CLOB (Content Limitation and Optimization Blade) inspection process of the Unified Policy rules.

up_rulebase: Shows the rulebase loading process of the Unified Policy rules.

up_connection: Shows the connection tracking process of the Unified Policy rules.

The flag tls is not a valid flag for the Unified Policy module, as it is used for the TLS Inspection module5. Therefore, the correct answer is A. tls. The other options are valid flags for the Unified Policy module, as explained above34. References:

1: CCTE Courseware, Module 8: Advanced Access Control, Slide 7

2: Check Point R81 Security Gateway Architecture and Packet Flow, Chapter 5: Unified Policy, Page 29

3: CCTE Courseware, Module 8: Advanced Access Control, Slide 17

4: Check Point R81 Security Gateway Architecture and Packet Flow, Chapter 5: Unified Policy, Page 32

5: Check Point R81 Security Gateway Architecture and Packet Flow, Chapter 6: TLS Inspection, Page 36

The Resource Advisor (RAD) service on the Security Gateways is responsible for online categorization of URLs and resources for Application Control and Threat Prevention blades. RAD has two components: a kernel module and a user space module. The kernel module looks up the kernel cache for URLs and resources, notifies the client about hits and misses, and forwards asynchronous requests to the user space module. The user space module handles the communication with the Check Point online web service and updates the kernel cache with the results. RAD can operate in three modes: hold, background, and custom, depending on the configuration of the blades and the policy. References:

Check Point Processes and Daemons - Section: Security Gateway Software Blades and Features - Subsection: URL Filtering Blade

Solved: Re: RAD’s high utilization - Post by @PhoneBoy

Check Point Certified Troubleshooting Expert (CCTE) - Exam Topics - Module 5: Advanced Access Control

The PDP process is the Identity server, which is a component of the Identity Awareness blade on the Security Gateway. The PDP process is responsible for collecting and managing identity information from various sources, such as Active Directory, Identity Agents, Captive Portal, Terminal Servers, and RADIUS. The PDP process also communicates with the PEP process, which is the Policy Enforcement Point, to enforce identity-based policies on the traffic passing throughthe Security Gateway1. The other options, such as Log Sifter, Captive Portal Service, andUserAuth Database, are either not related to Identity Awareness or not processes, but rather files or services. References: 1: sk93046: Identity Awareness - How to Configure