156-587 Sample Questions Answers

 The top command is a Linux command that displays information about resource utilization for running processes and shows additional information for core utilization and memory. The top command provides a dynamic real-time view of the system, showing the processes that are consuming the most CPU, memory, and other resources. The top command also shows the total number of processes, the system load average, the uptime, and the CPU usage by user, system, andidle. The top command can be customized by using various options and interactive commands to change the display, sort the processes, filter the output, and kill processes.

The other commands are incorrect because:

B. vmstat is a Linux command that displays information about the virtual memory, CPU, disk, and system activity. It does not show information about individual processes or core utilization.

C. cptop is a Check Point command that displays information about the firewall kernel activity, such as the number of connections, packets, drops, and rejects. It does not show information about other processes or memory usage.

D. mpstat is a Linux command that displays information about the CPU utilization by each processor or core. It does not show information about processes or memory usage.

The correct command to enter the PostgreSQL interactive shell is psql_client cpm postgres. This command allows the administrator to view and manipulate the database of the Check Point Management (CPM) module, which stores the configuration and policy data. The psql_client command is a Check Point wrapper for the psql command, which is the native PostgreSQL interactive shell. The psql_client command takes two arguments: the first one is the name of the database module, and the second one is the name of the database user. In this case, the database module is cpm and the database user is postgres.

The other commands are incorrect because:

A. mysql_client cpm postgres is not a valid command. The mysql_client command is used to access the MySQL database, which is not used by Check Point. The Check Point database is based on PostgreSQL, not MySQL.

B. mysql -u root is not a valid command. The mysql command is used to access the MySQL database, which is not used by Check Point. The Check Point database is based on PostgreSQL, not MySQL. Moreover, the -u option specifies the MySQL user name, which is not relevant for Check Point.

D. psql_client postgres cpm is not a valid command. The psql_client command takes the database module name as the first argument, and the database user name as the second argument. In this case, the database module name is cpm and the database user name is postgres. The order of the arguments is reversed in this command.

cpsemd is the process responsible for logging into the SmartEvent GUI. Therefore, you need to check the status of this process and debug it, if necessary. Usually, the issue withthe cpsemd process is that it is crashing, or not coming up. What causes this process to crash or not come up is that the PostgreSQL database is down. Therefore, in order to run the cpsemd process successfully, you need to run the PostgreSQL database successfully.

SmartEvent is a unified security event management and analysis solution that collects and analyzes data from multiple sources to identify and respond to security threats. SmartEvent consists of three main components: Log Server, Correlation Unit, and SmartEvent Server1. The three main processes that govern these SmartEvent components are:

eventiasv: This process is responsible for indexing the logs received from the Log Server and storing them in the SmartEvent database. It also performs log consolidation and compression to optimize the diskspace usage2.

eventiarp: This process is responsible for running the predefined and custom correlation rules on the indexed logs and generating security events based on the rule criteria. It also sends notifications and triggers automatic responses for the security events3.

eventiacu: This process is responsible for providing the web-based user interface for SmartEvent, which allows the administrators to view, analyze, and manage the security events. It also provides the SmartEvent API for external integration4. References: Check Point Processes and Daemons5, SmartEvent Administration Guide1

1: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_AdminGuide/html_frameset.htm  2: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_AdminGuide/Content/Topics-SmartEvent/SmartEvent-Components.htm#_Toc64167467  3: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_Adm inGuide/Content/Topics-SmartEvent/SmartEvent-Components.htm#_Toc64167468 4: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_AdminGuide/Content/Topics-SmartEvent/SmartEvent-Components.htm#_Toc64167469  5: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk97638

The input that is suitable for debugging HTTPS inspection issues is fw debug tls on TDERROR_ALL_ALL=5. This input will enable the TLS debug mode and set the debug level to 5, which is the highest level of verbosity. The fw debug command is used to control the debug features of the firewall modules, such as TLS, CPTLS, HTTP, etc. The tls option will enable the debug mode for the TLS module, which is responsible for handling the HTTPS inspection feature. The TDERROR_ALL_ALL environment variable will set the debug level to 5, which will generate the most detailed and comprehensive debug output. The debug output will be written to the $FWDIR/log/tls.elg file, whichcan be collected and analyzed with the TLSView tool1 to see the details of the HTTPS inspection process, such as certificate validation, SSL/TLS negotiation, encryption/decryption, etc. The other options are incorrect because:

fw ctl debug -m fw + conn drop cptls will enable the kernel debug mode for the firewall module, with the flags conn, drop, and cptls. The kernel debug mode will generate the kdebug.txt file in the $FWDIR/log directory, which contains information about the firewall traffic processing in the kernel. The kernel debug mode is useful for troubleshooting issues related to policy, NAT, routing, and inspection, but not for issues related to HTTPS inspection, which is handled by the TLS module in the user space2.

vpn debug cptls on will enable the IKE debug mode for the CPTLS module, which is a component of the VPN module. The IKE debug mode will generate the ike.elg and ikev2.xmll files in the $FWDIR/log directory, which contain information about the IKE negotiation, authentication, and key exchange between the VPN peers. The CPTLS module is responsible for handling the SSL/TLS encryption/decryption for the VPN traffic, but not for the HTTPS inspection traffic3.

fw diag debug tls enable is not a valid command and will not enable the TLS debug mode. The fw diag command is used to control the diagnostic features of the firewall, such as packet capture, core dump, etc. The debug option is not a valid option for the fw diag command, and the tls option is not a valid option for the debug option. References:

How to use the TLSView tool

How to debug the Firewall kernel (fw) module

How to debug VPN issues on Quantum Spark (SMB) Appliances

[fw diag - Check Point CLI Reference Card]

Usermode core files are generated when a user mode process crashes. They are located in the $CPDIR/var/log/dump/usermode directory on the Security Gateway or Security Management server. The core files can be used to analyze the cause of the crash and troubleshoot the issue. The core files are named according to the process name, date, and time of the crash. For example, cpd_2023_02_03_16_40_55.core is a core file for the cpd process that crashed on February 3, 2023 at 16:40:55

The Resource Advisor (RAD) service on the Security Gateways is responsible for online categorization of URLs and resources for Application Control and Threat Prevention blades. RAD has two components: a kernel module and a user space module. The kernel module looks up the kernel cache for URLs and resources, notifies the client about hits and misses, and forwards asynchronous requests to the user space module. The user space module handles the communication with the Check Point online web service and updates the kernel cache with the results. RAD can operate in three modes: hold, background, and custom, depending on the configuration of the blades and the policy. References:

Check Point Processes and Daemons - Section: Security Gateway Software Blades and Features - Subsection: URL Filtering Blade

Solved: Re: RAD’s high utilization - Post by @PhoneBoy

Check Point Certified Troubleshooting Expert (CCTE) - Exam Topics - Module 5: Advanced Access Control

 = The RFL process is the Remote File Log process that is responsible for transferring logs from the Security Gateway to the Security Management Server1. If the RFL process is with status T, it means that it is terminated and not running2. This could explain why the logs are not seen in the SMS. To resolve this issue, one possible command to run is smartlog_server stop and smartlog_server restart3. This command will stop and restart the SmartLog server, which is the process that indexes and displays the logs in the SmartConsole. By restarting the SmartLog server, it may also restart the RFL process and resume the log transfer. Alternatively, one can also try to restart the RFL process directly by running cpwd_admin stop -name RFL and cpwd_admin start -name RFL. References: Check Point Processes and Daemons, sk97638 - Check Point Processes and Daemons, sk144192 - How to restart SmartLog server, [sk98348 - SmartLog / SmartView server functionality], [sk97638 - Check Point Processes and Daemons]

The System Domain of the Postgres database is a special domain that contains the configuration data of the Security Management Server and the Log Servers. It includes information such as the trusted GUI clients, the administrators, the licenses, the global properties, and the audit logs. The System Domain is not accessible by the user and can only be modified by the Check Point processes. The user modified configurations, such as network objects, policies, and rules, are stored in the User Domain of the Postgres database. The saved queries for applications are stored in the Application Domain of the Postgres database. 

CPWD (Check Point WatchDog)is the process that monitors, terminates (if necessary), and restarts critical Check Point processes (e.g., FWD, FWM, CPM) when they stop responding or crash.

CPM(Check Point Management process) is a process on the Management Server responsible for the web-based SmartConsole connections, policy installations, etc.

FWD(Firewall Daemon) handles logging and communication functions in the Security Gateway.

FWM(FireWall Management) is an older reference to the management process on the Management Server for older versions.

Therefore, the best answer isCPWD.

Check Point Troubleshooting References

sk97638: Check Point WatchDog (CPWD) process explanation and commands.

R81.20 Administration Guide– Section on CoreXL, Daemons, and CPWD usage.

sk105217: Best Practices – Explains system processes, how to monitor them, and how CPWD is utilized.

 The fw ctl zdebug command is a powerful tool that can be used to collect debug messages from the kernel, clean the buffer, and automatically allocate a 1MB buffer. However, it cannot be used to debug additional modules, such as SecureXL, CoreXL, or VPN. For those modules, other commands or tools are needed, such as fwaccel dbg, fw ctl affinity, or vpn debug.

ClusterXL is Check Point’s high-availability and load-sharing solution, which monitors critical components to ensure cluster functionality. PNOTEs (Problem Notifications) are specific conditions or processes monitored by ClusterXL to detect failures or issues that could impact the cluster’s operation. When a PNOTE is triggered, ClusterXL may initiate a failover to maintain service continuity.

Option A: Correct. TED (Threat Emulation Daemon) is not monitored as a PNOTE by ClusterXL. TED is part of the Threat Emulation blade, which handles sandboxing and emulation tasks, but it is not a critical cluster component monitored by ClusterXL.

Option B: Incorrect. Policy installation status is monitored as a PNOTE by ClusterXL. If a policy fails to install or becomes corrupted, ClusterXL can detect this as a critical issue and trigger a failover.

Option C: Incorrect. RouteD (Routing Daemon) is monitored as a PNOTE by ClusterXL. Routing issues, such as the failure of dynamic routing protocols, are critical for cluster operations, especially in environments with dynamic routing enabled.

Option D: Incorrect. VPND (VPN Daemon) is monitored as a PNOTE by ClusterXL. VPN functionality is critical in many deployments, and ClusterXL monitors VPND to ensure VPN tunnels remain operational.

The ADLOG function receives the AD log event information from the Domain Controllers. The ADLOG function is part of the Identity Awareness feature that enablesthe Security Gateway to identify users and machines in the network and enforce Access Control policy rules based on their identities. The ADLOG function uses the AD Query (ADQ) method to connect to the Active Directory Domain Controllers using WMI and subscribe to receive Security Event logs that are generated when users perform login. The ADLOG function then extracts the user and machine information that maps to an IP address from the event logs and sends it to the PEP function, which enforces the policy based on the identity information.