156-587 Check Point Certified Troubleshooting Expert - R81.20 (CCTE) Questions and Answers

To see the list of processes monitored by the WatchDog process (CPWD), you use the cpwd_admin list command.

Option A (cpstat fw -f watchdog): Shows firewall status and statistics for the "fw" context, not necessarily the list of monitored processes.

Option B (fw ctl get str watchdog): Not a valid parameter for retrieving the list of monitored processes; “fw ctl” deals with kernel parameters.

Option C (cpwd_admin list): Correct command that lists all processes monitored by CPWD, their status, and how many times they have been restarted.

Option D (ps -ef | grep watchd): This will list any running process that matches the string “watchd” but will not specifically detail which processes are being monitored by CPWD.

Therefore, the best answer is cpwd_admin list.

Check Point Troubleshooting References

sk97638: Explains Check Point WatchDog (CPWD) usage and the cpwd_admin utility.

R81.20 CLI Reference Guide: Describes common troubleshooting commands including cpwd_admin list.

Check Point Gaia Administration Guide: Provides instructions for monitoring system processes and verifying CPWD.

 The fw ctl zdebug command is a powerful tool that can be used to collect debug messages from the kernel, clean the buffer, and automatically allocate a 1MB buffer. However, it cannot be used to debug additional modules, such as SecureXL, CoreXL, or VPN. For those modules, other commands or tools are needed, such as fwaccel dbg, fw ctl affinity, or vpn debug.

References:

2: “fw ctl zdebug” - Helpful Command Combinations

3: How to use " fw ctl zdebug" command

Troubleshooting Expert R81.1 (CCTE) Course Outline) - Module 4: Debugging Tools and Methods

If you have modified kernel parameters (in fwkern.conf, for example) and the gateway starts dropping traffic or behaving abnormally after a reboot, the best practice is to restore the original or a known-good configuration from backup. Then, reboot again so that the gateway loads the last known stable settings.

Option A (fw ctl set int fw1_kernel_all_disable=1) is not a standard or documented method for “undoing” all kernel tweaks.

Option B (Restore fwkem.conf from backup and reboot the gateway) is the correct and straightforward approach.

Option C (fw unloadlocal) removes the local policy but does not revert custom kernel parameters that have already been loaded at boot.

Option D (Remove all kernel parameters from fwkem.conf and reboot) might help in some cases, but you risk losing other beneficial or necessary parameters if there were legitimate custom settings. Restoring from a known-good backup is safer and more precise.

Hence, the best answer:“Restore fwkem.conf from backup and reboot the gateway.”

Check Point Troubleshooting References

sk98339 – Working with fwkern.conf (kernel parameters) in Gaia OS.

sk92739 – Advanced System Tuning in Gaia OS.

Check Point Gaia Administration Guide – Section on kernel parameters and system tuning.

Check Point CLI Reference Guide – Explanation of using fw ctl, fw unloadlocal, and relevant troubleshooting commands.

 The CpmiHostCkp table in the Postgres database contains the data for CPMI objects, such as gateways, clusters, and servers. The table column that should be selected to query for the object instance is the objid column, which is the primary key of the table and uniquely identifies each object. The objid column can be used to join with other tables that reference CPMI objects, such as CpmiClusterMember, CpmiCluster, and CpmiServer. The objid column can also be used to retrieve the object name, IP address, type, and other attributes from the CpmiHostCkp table itself. References:

Check Point Database Tool (GuiDBedit Tool) - Section: How to use the Check Point Database Tool (GuiDBedit Tool) - Subsection: How to view the data in the database

Check Point Certified Troubleshooting Expert (CCTE) - Exam Topics - Module 6: Advanced Management Server Troubleshooting

[Check Point R81 Database Schema] - Section: CPMI Tables - Subsection: CpmiHostCkp Table

URL Filtering is an essential part of Web Security in the Gateway that allows the administrator to control the access to web sites based on the site categorization and reputation. For the Security Gateway to perform a URL lookup when a client makes a URL request, the following steps are involved12:

The URLF Kernel Client is the component that intercepts the URL request from the client and extracts the URL information, such as the host name, the path, and the query parameters. The URLF Kernel Client then checks the local cache to see if the URL has been previously categorized. If the URL is found in the cache, the URLF Kernel Client returns the cached category to the Security Policy and enforces the relevant action. If the URL is not found in the cache, the URLF Kernel Client sends a sync-request to the URLF User Space.

The URLF User Space is the component that handles the sync-request from the URLF Kernel Client and performs the URL lookup. The URLF User Space first checks the local database to see if the URL has been previously categorized. If the URL is found in the database, the URLF User Space returns the database category to the URLF Kernel Client. If the URL is not found in the database, the URLF User Space sends an async-request to the URLF Online Service.

The URLF Online Service is the component that handles the async-request from the URLF User Space and performs the URL lookup. The URLF Online Service is a cloud-based service that provides the most updated and accurate URL categorization and reputation. The URLF Online Service queries the Check Point cloud servers to get the category and reputation of the URL, and returns the result to the URLF User Space. The URLF Online Service also updates the local database and cache with the new URL information.

Therefore, the sync-request is forwarded from the URLF Kernel Client to the URLF User Space, if a sync-request is required.

References: Application Control Administration Guide1, (CCTE) - Check Point Software2

1: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ApplicationControl_AdminGuide/html_frameset.htm  2: https://www.checkpoint.com/downloads/training/DOC-Training-Data-Sheet-CCTE-R81.10-V1.0.pdf

 Identity Awareness is a feature that enables the Security Gateway to identify users and groups behind IP addresses, and apply security policies based on their identity12. Identity Awareness uses different methods to acquire identities, such as AD Query, Identity Collector, and Browser-Based Authentication12. To debug Identity Awareness issues, you need to use the command pdp debug on the gateway, where pdp stands for Policy Decision Point, the component that handles the identity acquisition and enforcement13. The command pdp debug has different flags for different identity sources, such as adlog for AD Query, ic for Identity Collector, and nac for Browser-Based Authentication13. The flag extended enables more detailed debug output13. Therefore, the correct command to debug the problem of users not being able to browse internet sites with Identity Awareness using AD Query, Identity Collector, and Browser-Based Authentication is pdp debug nac extended on the gateway13. The other options are incorrect because they either use the wrong command (ad debug instead of pdp debug), the wrong flag (ad query instead of nac), or the wrong location (on the management instead of on the gateway). References:

1: CCTE Courseware, Module 9: Advanced Identity Awareness Troubleshooting, Slide 4

2: Check Point R81 Identity Awareness Administration Guide, Chapter 1: Introduction to Identity Awareness, Page 7

3: Check Point R81 Identity Awareness Administration Guide, Chapter 5: Troubleshooting Identity Awareness, Page 49

 The CPD process controls logging on the Security Management Server or the Log Server. It is responsible for receiving logs from the Security Gateways, storing them in the log files, and forwarding them to the SmartLog and SmartEvent servers. It also handles the communication with the SmartConsole clients and the CPM process. The CPD process runs on the Security Management Server or the Log Server as part of the Management High Availability module.

References:

1: Check Point Processes and Daemons - CPD

2: Troubleshooting Check Point logging issues when Security Management Server / Log Server is not receiving logs from Security Gateway

Troubleshooting Expert R81.1 (CCTE) Course Outline) - Module 9: Logging and Status Troubleshooting.

When troubleshooting crashes on a Security Gateway (or any Linux-based system), the file type that is typically generated and used for in-depth analysis is a core dump.

A core dump captures the memory state of a process at the time it crashed and is critical for root-cause analysis.

Other options:

A. tcpdump: A packet capture file, not a crash-related file.

C. fw monitor: A Check Point packet capture tool, but not for crash debugging.

D. CPMIL dump: Not a common or standard crash dump reference in Check Point.

The simplest and most efficient way to check all dropped packets in real time is C. fw ctl zdebug + drop in expert mode. This command is a shortcut command that sets the kernel debug flags to a predefined value and prints the debug output to the standard output. It is useful for general debugging of common issues, such as traffic drops, NAT, VPN, or clustering. It has a small buffer size and does not require additional steps to start or stop the debugging. However, it has some limitations, such as it cannot be used with SecureXL, it cannot filter the output by chain modules, and it cannot save the output to a file12.

The other commands are not as simple or efficient as the fw ctl zdebug + drop command. The command tail -f $FWDIR/log/fw.log |grep drop in expert mode will only show the drops that are logged in the fw.log file, which may not include all the drops that occur in the kernel. The command cat /dev/fw1/log in expert mode will show the raw binary data of the kernel debug buffer, which is not human-readable and may contain irrelevant information. The command Smartlog will show the drops that are indexed and stored in the SmartEvent database, which may not be in real time and may depend on the log server performance12.

1: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_AdvancedTechnicalReferenceGuide/html_frameset.htm  2: https://www.checkpoint.com/downloads/training/DOC-Training-Data-Sheet-CCTE-R81.10-V1.0.pdf

The Terraform Registry allows any user to publish and share modules. Published modules support versioning, automatically generate documentation, allow browsing version histories, show examples and READMEs, and more. Public modules are managed via Git and GitHub, and publishing a module takes only a few minutes. Once a module is published, releasing a new version of a module is as simple as pushing a properly formed Git tag1.

References = The information can be verified from the Terraform Registry documentation on Publishing Modules provided by HashiCorp Developer1.

The Resource Advisor (RAD) service on the Security Gateways is responsible for online categorization of URLs and resources for Application Control and Threat Prevention blades. RAD has two components: a kernel module and a user space module. The kernel module looks up the kernel cache for URLs and resources, notifies the client about hits and misses, and forwards asynchronous requests to the user space module. The user space module handles the communication with the Check Point online web service and updates the kernel cache with the results. RAD can operate in three modes: hold, background, and custom, depending on the configuration of the blades and the policy. References:

Check Point Processes and Daemons - Section: Security Gateway Software Blades and Features - Subsection: URL Filtering Blade

Solved: Re: RAD’s high utilization - Post by @PhoneBoy

Check Point Certified Troubleshooting Expert (CCTE) - Exam Topics - Module 5: Advanced Access Control

A core dump file is essentially a snapshot of the process's memory at the time of the crash. This snapshot includes crucial information that can help diagnose the cause of the crash. Here's why all the options are relevant:

i. Program Counter: This register stores the address of the next instruction the CPU was supposed to execute. It pinpoints exactly where in the code the crash occurred.

ii. Stack Pointer: This register points to the top of the call stack, which shows the sequence of function calls that led to the crash. This helps trace the program's execution flow before the crash.

iii. Memory management information: This includes details about the process's memory allocations, which can reveal issues like memory leaks or invalid memory access attempts.

iv. Other Processor and OS flags/information: This encompasses various registers and system information that provide context about the state of the processor and operating system at the time of the crash.

By analyzing this information within the core dump, you can often identify the root cause of the crash, such as a segmentation fault, null pointer dereference, or stack overflow.

Check Point Troubleshooting References:

While core dumps are a general concept in operating systems, Check Point's documentation touches upon them in the context of troubleshooting specific processes like fwd (firewall) or cpd (Check Point daemon). The fw ctl zdebug command, for example, can be used to trigger a core dump of the fwd process for debugging purposes.

The PDP process is the Identity server, which is a component of the Identity Awareness blade on the Security Gateway. The PDP process is responsible for collecting and managing identity information from various sources, such as Active Directory, Identity Agents, Captive Portal, Terminal Servers, and RADIUS. The PDP process also communicates with the PEP process, which is the Policy Enforcement Point, to enforce identity-based policies on the traffic passing through the Security Gateway1. The other options, such as Log Sifter, Captive Portal Service, and UserAuth Database, are either not related to Identity Awareness or not processes, but rather files or services. References: 1: sk93046: Identity Awareness - How to Configure

When a process is frozen (hung or unresponsive), the typical method to resolve it is to kill the process. On Check Point, you can use cpwd_admin kill -name or a standard Linux kill -9 command if necessary. You then allow CPWD (the Check Point watchdog) to restart it, or manually restart it if needed.

Other options:

A. Power off the machine: This is too drastic and not recommended just for a single frozen process.

B. Restart the process: While this sounds viable, you typically must kill the frozen process first, then let WatchDog or an admin restart it.

C. Reboot the machine: Similar to powering off—too disruptive for just one stuck process.

Hence, the most direct and standard approach:“Kill the process.”

Check Point Troubleshooting References

sk97638 – Explanation of CPWD (Check Point WatchDog) and how to manage processes.

sk43807 – How to gracefully stop or kill a Check Point process.

Check Point CLI Reference Guide – Details on using cpwd_admin commands to kill or restart processes.