156-587 Questions and Answers

CPWD (Check Point WatchDog)is the process that monitors, terminates (if necessary), and restarts critical Check Point processes (e.g., FWD, FWM, CPM) when they stop responding or crash.

CPM(Check Point Management process) is a process on the Management Server responsible for the web-based SmartConsole connections, policy installations, etc.

FWD(Firewall Daemon) handles logging and communication functions in the Security Gateway.

FWM(FireWall Management) is an older reference to the management process on the Management Server for older versions.

Therefore, the best answer isCPWD.

Check Point Troubleshooting References

sk97638: Check Point WatchDog (CPWD) process explanation and commands.

R81.20 Administration Guide– Section on CoreXL, Daemons, and CPWD usage.

sk105217: Best Practices – Explains system processes, how to monitor them, and how CPWD is utilized.

The Resource Advisor (RAD) service on the Security Gateways is responsible for online categorization of URLs and resources for Application Control and Threat Prevention blades. RAD has two components: a kernel module and a user space module. The kernel module looks up the kernel cache for URLs and resources, notifies the client about hits and misses, and forwards asynchronous requests to the user space module. The user space module handles the communication with the Check Point online web service and updates the kernel cache with the results. RAD can operate in three modes: hold, background, and custom, depending on the configuration of the blades and the policy. References:

Check Point Processes and Daemons - Section: Security Gateway Software Blades and Features - Subsection: URL Filtering Blade

Solved: Re: RAD’s high utilization - Post by @PhoneBoy

Check Point Certified Troubleshooting Expert (CCTE) - Exam Topics - Module 5: Advanced Access Control

 Dynamic log distribution is a feature that allows the Security Gateway to distribute logs between the active Log Servers, instead of sending a copy of every log to each Log Server. This feature was introduced in Check Point R81.10 version, and it requires boththe Management and the Gateways to be at least on version R81.10 for this to be supported12. With dynamic log distribution, the Gateway can optimize the disk space usage and network bandwidth consumption of the Log Servers, and also improve theperformance and reliability of the logging system3. References: Dynamic logs distribution - Check Point CheckMates1, (CCTE) - Check Point Software2, SmartLog and SmartEvent R81.10 Administration Guide3

1: https://community.checkpoint.com/t5/Management/Dynamic-logs-distribution/td-p/142732  2: https://www.checkpoint.com/downloads/training/DOC-Training-Data-Sheet-CCTE-R81.10-V1.0.pdf  3: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_LoggingAndMonitoring_AdminGuide/html_frameset.htm

The correct Check Point command to display status and statistics information for various Check Point products and applications is cpstat. This command provides a dynamic real-time view of the system, showing the information such as the number of connections, packets, drops, CPU usage, memory usage, disk space, license status, and blade status. The cpstat command can be customized by using various options and flags to specify the product, the interval, the fields, and the format of the output. For example, to display the status and statistics of the firewall module every 5 seconds, the command would be:

cpstat fw -f all -i 5

The other commands are incorrect because:

A. CPview is a Check Point tool that displays information about the system performance, such as the CPU, memory, disk, network, and firewall. It does not show information about other products and applications, such as VPN, Identity Awareness, Anti-Virus, etc.

C. fwstat is not a valid command. The correct command is fw ctl pstat, which displays information about the firewall kernel, such as the number of connections, packets, drops, memory, and synchronization. It does not show information about other products and applications, such as VPN, Identity Awareness, Anti-Virus, etc.

D. CPstat is not a valid command. The correct command is cpstat, which is case-sensitive.

In Check Point Gaia, you can enable core dumping through the command line interface (clish) using the following command:

set core-dump enable

This command activates the core dump mechanism, allowing the system to generate core dump files when user processes crash. Remember to save the configuration after enabling core dumps with the command:

save config

Why other options are incorrect:

B. set core-dump total:This command is used to set the total disk space limit for core dump files, not to enable core dumping itself.

C. set user-dump enable:There is no such command in Gaia clish for enabling core dumps.

D. set core-dump per_process:This command sets the maximum number of core dump files allowed per process, but it doesn't enable core dumping.

Check Point Troubleshooting References:

Check Point R81.20 Security Administration Guide:This guide provides comprehensive information about Gaia clish commands, including those related to system configuration and troubleshooting.

Check Point sk92764:This knowledge base article specifically addresses core dump management in Gaia, explaining how to enable and configure core dumps.

Enabling core dumps is a crucial step in troubleshooting process crashes as it provides valuable information for analysis and debugging.

The Check Point process responsible for Mobile VPN connections, particularly those associated with the Mobile Access Software Blade (which includes SSL VPN and clientless access), is cvpnd (Connectra VPN Daemon).

Exact Extracts and Supporting Information:

Check Point CLI Reference Guide (for cvpnd_admin):

"cvpnd_admin. Description. Changes the behavior of the Mobile Access cvpnd process."

This command utility directly interacts with cvpnd for Mobile Access functionalities.  

Check Point Daemon Lists (e.g., from "tech :: stuff - Checkpoint Daemons and Processes Explained" or similar CCTE R81.20 documentation):

Under the "Mobile Access Blade" section, CVPND is typically listed as:"CVPND - Connectra VPN Daemon. Main daemon for the Mobile Access Software Blade."  

It's also often noted that the cpwd_admin list command (Check Point WatchDog) shows this process as "CVPND".  

Commands like cvpnstart and cvpnstop are used to manage this daemon.  

Exam Preparation Materials (e.g., ExamTopics for 156-586):

A question directly asking "Which process is responsible for Mobile VPN connections?" with options including cvpnd, vpnk, fwk, and vpnd, typically indicates cvpnd as the correct answer.

Explanation of other options:

B. fwk: This is a general suffix often related to firewall worker processes or kernel modules, not a specific high-level daemon for Mobile VPN.

C. vpnd: This is the main VPN daemon, primarily responsible for site-to-site IPsec VPNs and some traditional IPsec remote access clients. While it handles VPN functions, cvpnd is specialized for Mobile Access.  

D. vpnk: This refers to VPN kernel-level operations and modules (e.g., handling the actual encryption/decryption of traffic processed by IPsec SAs). It is not the user-space daemon that manages Mobile VPN sessions and policies.

Therefore, cvpnd is the specific process dedicated to managing Mobile VPN connections within the Check Point architecture.

Reference (based on official Check Point documentation naming and functionality):

Check Point R81.20 CLI Reference Guide (details for cvpnd_admin).

Check Point R81.20 Administration Guides (sections discussing Mobile Access architecture and daemons).

Commonly known Check Point process lists available in CCTE study materials.

When a user space process crashes unexpectedly, the operating system often creates acore dumpfile. This file is a snapshot of the process's memory at the time of the crash, including information such as:

Program counter:This indicates where the program was executing when it crashed.

Stack pointer:This shows the function call stack, which can help trace the sequence of events leading to the crash.

Memory contents:This includes the values of variables and data structures used by the process.

Register values:This shows the state of the processor registers at the time of the crash.

Core dump files can be analyzed using debuggers like GDB to understand the cause of the crash.

Why other options are incorrect:

B. kernel_memory_dump dbg:This refers to a kernel memory dump, which is generated when the operating system kernel itself crashes.

C. core analyzer:This is a tool used to analyze core dump files, not the file itself.

D. coredebug:This is not a standard term for any type of crash dump file.

Check Point Troubleshooting References:

Check Point's documentation mentions core dumps in the context of troubleshooting various processes, such as fwd (firewall) and cpd (Check Point daemon). You can find information on enabling core dumps and analyzing them in the Check Point administration guides and knowledge base articles.

 = The RFL process is the Remote File Log process that is responsible for transferring logs from the Security Gateway to the Security Management Server1. If the RFL process is with status T, it means that it is terminated and not running2. This could explain why the logs are not seen in the SMS. To resolve this issue, one possible command to run is smartlog_server stop and smartlog_server restart3. This command will stop and restart the SmartLog server, which is the process that indexes and displays the logs in the SmartConsole. By restarting the SmartLog server, it may also restart the RFL process and resume the log transfer. Alternatively, one can also try to restart the RFL process directly by running cpwd_admin stop -name RFL and cpwd_admin start -name RFL. References: Check Point Processes and Daemons, sk97638 - Check Point Processes and Daemons, sk144192 - How to restart SmartLog server, [sk98348 - SmartLog / SmartView server functionality], [sk97638 - Check Point Processes and Daemons]

Usermode core files are generated when a user mode process crashes. They are located in the $CPDIR/var/log/dump/usermode directory on the Security Gateway or Security Management server. The core files can be used to analyze the cause of the crash and troubleshoot the issue. The core files are named according to the process name, date, and time of the crash. For example, cpd_2023_02_03_16_40_55.core is a core file for the cpd process that crashed on February 3, 2023 at 16:40:55

The Application Database on a Check Point Security Gateway stores information about applications and categories used by the Application Control and URL Filtering blades. This database is maintained in specific files on the Gateway.

Option A: Incorrect. api_db.C and api_custom_db.C are not standard files related to the Application Database. These names may be confused with API-related configurations.

Option B: Incorrect. apcl_db.C and apd_custom_db.C are not recognized as Application Database files. These names do not align with Check Point’s file naming conventions.

Option C: Correct. The Application Database is stored in application_db.C (the main database) and application_custom_db.C (custom application definitions). These files are located in the $FWDIR/conf directory on the Security Gateway.

Option D: Incorrect. appi_db.C and appi_custom_db.C are close but incorrect. The correct prefix is application_, not appi_.

The doctor-log script is a tool that provides information about the logging system and helps to identify and troubleshoot common issues. The script runs automatically every night and generates a report that contains the following information:

Current and daily average logging rates: This shows how many logs are being generated and received by the log server per second. It can help to monitor the logging performance and identify any spikes or drops in the logging rate.

Indexing status: This shows the status of the log indexing process, which enables faster and more efficient log searches. It can help to identify any issues with the indexing system, such as delays, failures, or errors.

Size: This shows the size of the log files and the disk space used by the logging system. It can help to manage the disk space and plan for log rotation and backup.

The doctor-log script also provides some troubleshooting tips and repair options for common logging issues, such as corrupted log files, missing log indexes, or low disk space. The script can be run manually or scheduled to run at a specific time. The script output can be viewed in the SmartConsole or in the log server file system.

The input that is suitable for debugging HTTPS inspection issues is fw debug tls on TDERROR_ALL_ALL=5. This input will enable the TLS debug mode and set the debug level to 5, which is the highest level of verbosity. The fw debug command is used to control the debug features of the firewall modules, such as TLS, CPTLS, HTTP, etc. The tls option will enable the debug mode for the TLS module, which is responsible for handling the HTTPS inspection feature. The TDERROR_ALL_ALL environment variable will set the debug level to 5, which will generate the most detailed and comprehensive debug output. The debug output will be written to the $FWDIR/log/tls.elg file, whichcan be collected and analyzed with the TLSView tool1 to see the details of the HTTPS inspection process, such as certificate validation, SSL/TLS negotiation, encryption/decryption, etc. The other options are incorrect because:

fw ctl debug -m fw + conn drop cptls will enable the kernel debug mode for the firewall module, with the flags conn, drop, and cptls. The kernel debug mode will generate the kdebug.txt file in the $FWDIR/log directory, which contains information about the firewall traffic processing in the kernel. The kernel debug mode is useful for troubleshooting issues related to policy, NAT, routing, and inspection, but not for issues related to HTTPS inspection, which is handled by the TLS module in the user space2.

vpn debug cptls on will enable the IKE debug mode for the CPTLS module, which is a component of the VPN module. The IKE debug mode will generate the ike.elg and ikev2.xmll files in the $FWDIR/log directory, which contain information about the IKE negotiation, authentication, and key exchange between the VPN peers. The CPTLS module is responsible for handling the SSL/TLS encryption/decryption for the VPN traffic, but not for the HTTPS inspection traffic3.

fw diag debug tls enable is not a valid command and will not enable the TLS debug mode. The fw diag command is used to control the diagnostic features of the firewall, such as packet capture, core dump, etc. The debug option is not a valid option for the fw diag command, and the tls option is not a valid option for the debug option. References:

How to use the TLSView tool

How to debug the Firewall kernel (fw) module

How to debug VPN issues on Quantum Spark (SMB) Appliances

[fw diag - Check Point CLI Reference Card]

 Log indexing is a feature that enables faster and more efficient log searches in SmartLog and SmartEvent. To enable log indexing on the Security Management Server (SMS), you need to edit the SMS object in SmartConsole and go to the “Logs” tab. There you can configure the log indexing settings, such as the index location, the index size, the index frequency, and the index retention123. References:

1: CCTE Courseware, Module 2: Advanced Logs and Monitoring, Slide 9

2: Check Point R81 Logging and Monitoring Administration Guide, Chapter 2: Log Indexing, Page 17

3: Check Point R81 Logging and Monitoring Administration Guide, Chapter 2: Log Indexing, Page 18

 The top command is a Linux command that displays information about resource utilization for running processes and shows additional information for core utilization and memory. The top command provides a dynamic real-time view of the system, showing the processes that are consuming the most CPU, memory, and other resources. The top command also shows the total number of processes, the system load average, the uptime, and the CPU usage by user, system, andidle. The top command can be customized by using various options and interactive commands to change the display, sort the processes, filter the output, and kill processes.

The other commands are incorrect because:

B. vmstat is a Linux command that displays information about the virtual memory, CPU, disk, and system activity. It does not show information about individual processes or core utilization.

C. cptop is a Check Point command that displays information about the firewall kernel activity, such as the number of connections, packets, drops, and rejects. It does not show information about other processes or memory usage.

D. mpstat is a Linux command that displays information about the CPU utilization by each processor or core. It does not show information about processes or memory usage.

When a Security Gateway performs a URL lookup and the URL is not found in the local caches, a request for online categorization is necessary. This process involves the Resource Advisor Daemon (RAD), which has components in both kernel space and user space.

Based on descriptions of the URL Filtering categorization process (often cited in CCTE R81.20 materials):

A client (internal component, potentially the URLF Kernel Client or a similar kernel module handling the traffic) initiates a URL lookup.

The URL is first checked against kernel caches.

If the URL is not found in the kernel cache (a cache miss), the RAD kernel component is notified.

The client component then typically sends an asynchronous request to the RAD kernel component.

The RAD Kernel Space component is then responsible for forwarding this request to the RAD User Space module.

The RAD User Space module handles the actual online categorization, often by querying the URLF Online Service (Check Point's cloud-based categorization service).

The result is then returned, and the kernel cache is updated.

The question asks where the sync-request (or a request requiring immediate online lookup) is forwarded from. In this flow, the RAD Kernel Space acts as the intermediary that forwards the request from the initial kernel-level lookup mechanism to the user-space RAD process for further handling.

Supporting Information (derived from CCTE R81.20 related materials/discussions):

The typical flow for URL categorization when an online lookup is needed involves these steps:

"The kernel cache notifies the RAD kernel of hits and misses."

"The client sends an a-sync request back to RAD if the URL was not found." (This request goes to the RAD Kernel Space).

"The a-sync request is forwarded to the RAD User space via the RAD kernel for online categorization."

This indicates that the RAD Kernel (RAD Kernel Space) is the component that forwards the request to the RAD User Space.

Therefore, if a sync-request (a request needing immediate online lookup) is required, it is forwarded from the RAD Kernel Space to the RAD User Space.

Reference Context (based on CCTE R81.20 materials and general Check Point URL Filtering architecture):

Discussions and explanations related to Check Point Certified Troubleshooting Expert (CCTE) R81.20 curriculum often detail this RAD architecture. For example, study materials might state: "RAD has a kernel module that looks up the kernel cache, notifies client about hits and misses and forwards a-sync requests to RAD user space module which is responsible for online categorization." The 1 "RAD kernel module" corresponds to the RAD Kernel Space, and it is this component that performs the forwarding action to the RAD User Space.(Exact page numbers like "CCTE R81.20, p338/339" have been referenced in public CCTE exam discussions pointing to this flow)

The Global Domain is one of the relational database domains in the Postgres database that stores the management configuration. The purpose of the Global Domain is to serve as the global database for Multi-Domain Security Management (MDSM) and contain the global objects and policies that are shared across all domains. The Global Domain also stores the global settings, such as the administrator roles, the LDAP servers, the IPS profiles, and the SmartEvent views. The Global Domain can be managed by the Global Domain Administrator or the Super User Administrator using the SmartConsole. The Global Domain can be backed up and restored using the mds_backup and mds_restore commands.

To troubleshoot Identity Awareness issues related to user identification and Access Role application, you need to enable debugging for both Identity Collectors (IDC) and Identity Providers (IDP). The command pdp debug set IDC all IDP all on the gateway achieves this.

Here's why this is the correct answer and why the others are not:

A. on the gateway: pdp debug set IDC all IDP all:This correctly enables debugging for all Identity Collectors and Identity Providers, allowing you to see detailed logs and messages related to user identification and Access Role assignment. This helps pinpoint issues with user mapping, authentication, or authorization.

B. on the gateway: pdp debug set AD all and IDC all:This command only enables debugging for Active Directory (AD) as an Identity Provider and all Identity Collectors. It might miss issues related to other Identity Providers if they are in use.

C. on the management: pdp debug on IDC all:This command has two issues. First, it should be executed on the gateway, not the management server, as the gateway is responsible for user identification and policy enforcement. Second, it only enables debugging for Identity Collectors, not Identity Providers.

D. on the management: pdp debug set all:While this command might seem to enable debugging for everything, it's not specific enough for Identity Awareness troubleshooting. It might generate excessive logs unrelated to the issue and make it harder to find the relevant information.

Check Point Troubleshooting References:

Check Point Identity Awareness Administration Guide:This guide provides detailed information about Identity Awareness components, configuration, and troubleshooting.

Check Point sk113963:This article explains how to troubleshoot Identity Awareness issues using debug commands and logs.

Check Point R81.20 Security Administration Guide:This guide covers general troubleshooting and debugging techniques, including the use of pdp debug commands.

The main components of Check Point’s Security Management architecture are1:

Management server: This is the central component that manages the security policy, configuration, and licenses for the Security Gateways and other Check Point devices. It also provides the SmartConsole interface for the administrators to manage the security environment.

Management database: This is the database that stores the security policy, configuration, and objects for the Security Management Server. It also stores the logs and events from the Security Gateways and other Check Point devices.

Log server: This is the component that receives and stores the logs and events from the Security Gateways and other Check Point devices. It also provides the SmartLog and SmartEvent interfaces for the administrators to view, analyze, and manage the logs and events.

Automation server: This is the component that provides the REST API and the CLI for the administrators to automate and script the security management tasks.

1: (CCTE) - Check Point Software

 The error message “SmartLog is not active or Failed to parse results from server” indicates that there is a problem with the SmartLog server process, which is responsible for indexing and querying the logs. One possible cause of this problem is a corrupted log file or a mismatched IP address in the logging configuration files. Another possible cause is a communication failure between the SmartLog server and the CPM process or the SmartConsole client. To resolve this issue, the first thing to try is to restart the SmartLog server process by running the command smartlog_server restart on the Security Management Server or the Log Server. This command will stop the SmartLog server, clean the buffer, and start it again. This may fix the corrupted log file or the communication issue. If the problem persists, other steps may be needed, such as checking the network connectivity, the firewall rules, the logging configuration files, the CPM process, or the SmartConsole client.