156-587 Check Point Certified Troubleshooting Expert - R81.20 (CCTE) Question and Answers

 One possible solution to solve the issue of having a very large file that is difficult to open and analyze with standard text editors is to divide the debug information into smaller files. This can be done by using the fw ctl kdebug command with the -f, -o, -m, and -s options. The -f option means to write the debug output to a file instead of the screen. The -o option specifies the name of the output file. The -m option sets the maximum number of files to be created. The -s option sets the maximum size of each file in KB. For example, the command fw ctl kdebug -f -o debug -m 25 -s 1024 will create up to 25 files named debug.0, debug.1, …, debug.24, each with a maximum size of 1024KB. This way, the debug information can be split into more manageable chunks that can be opened and analyzed more easily with standard text editors.

The cpca process is responsible for the generation of certificates on the Security Management Server or the Multi-Domain Security Management Server. It is the Check Point Internal Certificate Authority (ICA) that issues certificates for internal use, such as for VPN, HTTPS Inspection, SmartConsole, and Secure Internal Communication (SIC). The cpca process runs on the Security Management Server or the Multi-Domain Security Management Server as part of the Management High Availability module.

 The fw ctl zdebug command is a powerful tool that can be used to collect debug messages from the kernel, clean the buffer, and automatically allocate a 1MB buffer. However, it cannot be used to debug additional modules, such as SecureXL, CoreXL, or VPN. For those modules, other commands or tools are needed, such as fwaccel dbg, fw ctl affinity, or vpn debug.

The Multi-portal Daemon (mpdaemon) is responsible for handling the clientless access connections in Mobile Access VPN. It listens on port 443 and redirects the traffic to the appropriate port of the process that handles the specific connection type, such as cvpnd for SSL Network Extender, MAD for Mobile Access Portal, or HID for HTTPS Inspection.The mpdaemon also performs authentication and authorization for the clientless access connections.References: Check Point Processes and Daemons1, Mobile Access Blade Administration Guide

1: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk97638 : https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Mobile_Access_AdminGuide/html_frameset.htm

To see the list of processes monitored by the WatchDog process (CPWD), you use thecpwd_admin listcommand.

Option A (cpstat fw -f watchdog): Shows firewall status and statistics for the "fw" context, not necessarily the list of monitored processes.

Option B (fw ctl get str watchdog): Not a valid parameter for retrieving the list of monitored processes; “fw ctl” deals with kernel parameters.

Option C (cpwd_admin list): Correct command that lists all processes monitored by CPWD, their status, and how many times they have been restarted.

Option D (ps -ef | grep watchd): This will list any running process that matches the string “watchd” but will not specifically detail which processes are being monitored by CPWD.

Therefore, the best answer iscpwd_admin list.

Check Point Troubleshooting References

sk97638: Explains Check Point WatchDog (CPWD) usage and the cpwd_admin utility.

R81.20 CLI Reference Guide: Describes common troubleshooting commands including cpwd_admin list.

Check Point Gaia Administration Guide: Provides instructions for monitoring system processes and verifying CPWD.

 Dynamic log distribution is a feature that allows the Security Gateway to distribute logs between the active Log Servers, instead of sending a copy of every log to each Log Server. This feature was introduced in Check Point R81.10 version, and it requires boththe Management and the Gateways to be at least on version R81.10 for this to be supported12. With dynamic log distribution, the Gateway can optimize the disk space usage and network bandwidth consumption of the Log Servers, and also improve theperformance and reliability of the logging system3. References: Dynamic logs distribution - Check Point CheckMates1, (CCTE) - Check Point Software2, SmartLog and SmartEvent R81.10 Administration Guide3

1: https://community.checkpoint.com/t5/Management/Dynamic-logs-distribution/td-p/142732  2: https://www.checkpoint.com/downloads/training/DOC-Training-Data-Sheet-CCTE-R81.10-V1.0.pdf  3: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_LoggingAndMonitoring_AdminGuide/html_frameset.htm

When a user space process crashes unexpectedly, the operating system often creates acore dumpfile. This file is a snapshot of the process's memory at the time of the crash, including information such as:

Program counter:This indicates where the program was executing when it crashed.

Stack pointer:This shows the function call stack, which can help trace the sequence of events leading to the crash.

Memory contents:This includes the values of variables and data structures used by the process.

Register values:This shows the state of the processor registers at the time of the crash.

Core dump files can be analyzed using debuggers like GDB to understand the cause of the crash.

Why other options are incorrect:

B. kernel_memory_dump dbg:This refers to a kernel memory dump, which is generated when the operating system kernel itself crashes.

C. core analyzer:This is a tool used to analyze core dump files, not the file itself.

D. coredebug:This is not a standard term for any type of crash dump file.

Check Point Troubleshooting References:

Check Point's documentation mentions core dumps in the context of troubleshooting various processes, such as fwd (firewall) and cpd (Check Point daemon). You can find information on enabling core dumps and analyzing them in the Check Point administration guides and knowledge base articles.

The Core Dump Manager (CDM) is a utility that helps manage core dump files on Check Point systems. Its main functions include:  

Limiting file size and number:CDM can be configured to limit the size of individual core dump files and the total amount of disk space used for core dumps. This prevents core dumps from filling up valuable disk space.  

Compression:CDM can compress core dump files to reduce their storage size. This is particularly helpful when dealing with large core dumps.  

Process filtering:CDM allows you to specify which processes should be allowed to generate core dumps. This can help prevent unnecessary core dumps from being created.  

Remote collection:CDM can be configured to send core dump files to a remote server for analysis. This is useful in environments where direct access to the system generating the core dump is limited.

By using CDM, you can effectively manage core dump files and ensure that they are not overwhelming your system's resources.

 Identity Awareness is a feature that enables the Security Gateway to identify users and groups behind IP addresses, and apply security policies based on their identity12. Identity Awareness uses different methods to acquire identities, such as AD Query, Identity Collector, and Browser-Based Authentication12. To debug Identity Awareness issues, you need to use the command pdp debug on the gateway, where pdp stands for Policy Decision Point, the component that handles the identity acquisition and enforcement13. The command pdp debug has different flags for different identity sources, such as adlog for AD Query, ic for Identity Collector, and nac for Browser-Based Authentication13. The flag extended enables more detailed debug output13. Therefore, the correct command to debug the problem of users not being able to browse internet sites with Identity Awareness using AD Query, Identity Collector, and Browser-Based Authentication is pdp debug nac extended on the gateway13. The other options are incorrect because they either use the wrong command (ad debug instead of pdp debug), the wrong flag (ad query instead of nac), or the wrong location (on the management instead of on the gateway). References:

1: CCTE Courseware, Module 9: Advanced Identity Awareness Troubleshooting, Slide 4

2: Check Point R81 Identity Awareness Administration Guide, Chapter 1: Introduction to Identity Awareness, Page 7

3: Check Point R81 Identity Awareness Administration Guide, Chapter 5: Troubleshooting Identity Awareness, Page 49

 The correct command to check the subscription status on the CLI of the gateway is show license status. This command displays the current license information, such as the license type, expiration date, and subscription status for various blades, such as Anti-Bot, Anti-Virus, IPS, etc. The command also shows the contract status for each blade, such as valid, expired, or invalid. If John has renewed his NPTX license, but he gets an error that the contract for Anti-Bot expired, he can use this command to verify the contract status and the subscription status for the Anti-Bot blade.

The other commands are incorrect because:

A. fwm lie print is not a valid command. The correct command is fwm lic print, which displays the license information on the Security Management Server, not on the gateway. This command does not show the subscription status or the contract status for the blades.

B. fw monitor license status is not a valid command. The correct command is fw monitor, which is a tool for capturing network traffic on the gateway, not for checking the license status.

C. cpstat antimalware-f subscription status is not a valid command. The correct command is cpstat antimalware -f subscription_status, which displays the subscription status for the Anti-Virus blade, not for the Anti-Bot blade. This command does not show the contract status for the blade.

Usermode core files are generated when a user mode process crashes. They are located in the $CPDIR/var/log/dump/usermode directory on the Security Gateway or Security Management server. The core files can be used to analyze the cause of the crash and troubleshoot the issue. The core files are named according to the process name, date, and time of the crash. For example, cpd_2023_02_03_16_40_55.core is a core file for the cpd process that crashed on February 3, 2023 at 16:40:55

The fw monitor command is a powerful troubleshooting tool in Check Point Gateways that captures packets at various points in the processing chain. The question asks how to capture trafficpre-inbound(before inbound processing, i.e., at the “i” inspection point) andbefore the VPN module(before VPN decryption or processing).

The fw monitor syntax allows specifying inspection points using options like -pi (pre-inbound) and module names (e.g., -vpn for the VPN module). The correct syntax to capture traffic before a specific module is -pi -, where the module name is prefixed with a minus sign to indicate “before” the module.

Option A: Incorrect. fw monitor -p all captures packets at all inspection points in the chain, which includes pre-inbound, post-inbound, pre-outbound, and post-outbound points, as well as points around all modules. This is too broad and does not specifically target pre-inbound and before the VPN module.

Option B: Correct. fw monitor -pi -vpn captures packets at the pre-inbound inspection point (“i”) and before the VPN module (-vpn). The -pi specifies the pre-inbound point, and -vpn ensures the capture occurs before VPN processing (e.g., decryption).

Option C: Incorrect. fw monitor -pi +vpn would capture packets at the pre-inbound point butafterthe VPN module (+vpn indicates after the module), which contradicts the requirement to capturebeforethe VPN module.

Option D: Incorrect. This option is a duplicate of Option C in the provided question, likely a typographical error. Even if corrected, +vpn is incorrect for the same reason as Option C.

ClusterXL is Check Point’s high-availability and load-sharing solution, which monitors critical components to ensure cluster functionality. PNOTEs (Problem Notifications) are specific conditions or processes monitored by ClusterXL to detect failures or issues that could impact the cluster’s operation. When a PNOTE is triggered, ClusterXL may initiate a failover to maintain service continuity.

Option A: Correct. TED (Threat Emulation Daemon) is not monitored as a PNOTE by ClusterXL. TED is part of the Threat Emulation blade, which handles sandboxing and emulation tasks, but it is not a critical cluster component monitored by ClusterXL.

Option B: Incorrect. Policy installation status is monitored as a PNOTE by ClusterXL. If a policy fails to install or becomes corrupted, ClusterXL can detect this as a critical issue and trigger a failover.

Option C: Incorrect. RouteD (Routing Daemon) is monitored as a PNOTE by ClusterXL. Routing issues, such as the failure of dynamic routing protocols, are critical for cluster operations, especially in environments with dynamic routing enabled.

Option D: Incorrect. VPND (VPN Daemon) is monitored as a PNOTE by ClusterXL. VPN functionality is critical in many deployments, and ClusterXL monitors VPND to ensure VPN tunnels remain operational.

The Application Database on a Check Point Security Gateway stores information about applications and categories used by the Application Control and URL Filtering blades. This database is maintained in specific files on the Gateway.

Option A: Incorrect. api_db.C and api_custom_db.C are not standard files related to the Application Database. These names may be confused with API-related configurations.

Option B: Incorrect. apcl_db.C and apd_custom_db.C are not recognized as Application Database files. These names do not align with Check Point’s file naming conventions.

Option C: Correct. The Application Database is stored in application_db.C (the main database) and application_custom_db.C (custom application definitions). These files are located in the $FWDIR/conf directory on the Security Gateway.

Option D: Incorrect. appi_db.C and appi_custom_db.C are close but incorrect. The correct prefix is application_, not appi_.

The correct statement explaining the differences between the two procedures for debugging in the firewall kernel is D. (i) is used for general debugging, has a small buffer and is a quick way to set kernel debug flags to get an output via command line whereas (ii) is useful when there is a need for detailed debugging and requires additional steps to set the buffer and get an output via command line.

The command fw ctl zdebug is a shortcut command that sets the kernel debug flags to a predefined value and prints the debug output to the standard output. It is useful for general debugging of common issues, such as traffic drops, NAT, VPN, or clustering. It has a small buffer size and does not require additional steps to start or stop the debugging. However, it has some limitations, such as it cannot be used with SecureXL, it cannot filter the output by chain modules, and it cannot save the output to a file12.

The command fw ctl debug is a command that allows the administrator to set the kernel debug flags to a custom value and specify the chain modules to debug. It is useful for detailed debugging of specific issues, such as policy installation, CoreXL, or Identity Awareness. It has a larger buffer size and can save the output to a file. However, it requires additional steps to start and stop thedebugging, such as setting the buffer size, clearing the buffer, dumping the buffer, and resetting the debug flags12.

The command fw ctl kdebug is a command that is used in conjunction with fw ctl debug to dump the kernel debug buffer to the standard output or to a file. It is part of the procedure (ii) for detailed debugging in the firewall kernel12.

The other statements are not correct or relevant for explaining the differences between the two procedures for debugging in the firewall kernel. The command fw ctl zdebug can be used to debug more than just the access control policy, and the command fw ctl debug/kdebug can be used to debug more than just the unified policy. Both commands can be used on both the Security Gateway and the Security Management Server, depending on the issue to be debugged12.

The STAT column in the output of the cpwd_admin list command shows the status of the monitored process. The possible values are E for established, meaning that the process is running, or T for terminated, meaning that the process is not running. The STAT column is useful for quickly checking if any critical process has crashed or failed to start. If the value is T, the process should be restarted and the reason for the termination should be investigated. The STAT column does not show the Watch Dog name, the number of times the process was started, or the monitoring method of the Watch Dog. 

The System Domain of the Postgres database is a special domain that contains the configuration data of the Security Management Server and the Log Servers. It includes information such as the trusted GUI clients, the administrators, the licenses, the global properties, and the audit logs. The System Domain is not accessible by the user and can only be modified by the Check Point processes. The user modified configurations, such as network objects, policies, and rules, are stored in the User Domain of the Postgres database. The saved queries for applications are stored in the Application Domain of the Postgres database. 

The Check Point process responsible for Mobile VPN connections, particularly those associated with the Mobile Access Software Blade (which includes SSL VPN and clientless access), is cvpnd (Connectra VPN Daemon).

Exact Extracts and Supporting Information:

Check Point CLI Reference Guide (for cvpnd_admin):

"cvpnd_admin. Description. Changes the behavior of the Mobile Access cvpnd process."

This command utility directly interacts with cvpnd for Mobile Access functionalities.  

Check Point Daemon Lists (e.g., from "tech :: stuff - Checkpoint Daemons and Processes Explained" or similar CCTE R81.20 documentation):

Under the "Mobile Access Blade" section, CVPND is typically listed as:"CVPND - Connectra VPN Daemon. Main daemon for the Mobile Access Software Blade."  

It's also often noted that the cpwd_admin list command (Check Point WatchDog) shows this process as "CVPND".  

Commands like cvpnstart and cvpnstop are used to manage this daemon.  

Exam Preparation Materials (e.g., ExamTopics for 156-586):

A question directly asking "Which process is responsible for Mobile VPN connections?" with options including cvpnd, vpnk, fwk, and vpnd, typically indicates cvpnd as the correct answer.

Explanation of other options:

B. fwk: This is a general suffix often related to firewall worker processes or kernel modules, not a specific high-level daemon for Mobile VPN.

C. vpnd: This is the main VPN daemon, primarily responsible for site-to-site IPsec VPNs and some traditional IPsec remote access clients. While it handles VPN functions, cvpnd is specialized for Mobile Access.  

D. vpnk: This refers to VPN kernel-level operations and modules (e.g., handling the actual encryption/decryption of traffic processed by IPsec SAs). It is not the user-space daemon that manages Mobile VPN sessions and policies.

Therefore, cvpnd is the specific process dedicated to managing Mobile VPN connections within the Check Point architecture.

Reference (based on official Check Point documentation naming and functionality):

Check Point R81.20 CLI Reference Guide (details for cvpnd_admin).

Check Point R81.20 Administration Guides (sections discussing Mobile Access architecture and daemons).

Commonly known Check Point process lists available in CCTE study materials.