156-587 Check Point Certified Troubleshooting Expert - R81.20 (CCTE) Questions and Answers

 One possible solution to solve the issue of having a very large file that is difficult to open and analyze with standard text editors is to divide the debug information into smaller files. This can be done by using the  fw ctl kdebug  command with the  -f ,  -o ,  -m , and  -s  options. The  -f  option means to write the debug output to a file instead of the screen. The  -o  option specifies the name of the output file. The  -m  option sets the maximum number of files to be created. The  -s  option sets the maximum size of each file in KB. For example, the command  fw ctl kdebug -f -o debug -m 25 -s 1024  will create up to 25 files named debug.0, debug.1, …, debug.24, each with a maximum size of 1024KB. This way, the debug information can be split into more manageable chunks that can be opened and analyzed more easily with standard text editors.

 The CPD process controls logging on the Security Management Server or the Log Server. It is responsible for receiving logs from the Security Gateways, storing them in the log files, and forwarding them to the SmartLog and SmartEvent servers. It also handles the communication with the SmartConsole clients and the CPM process. The CPD process runs on the Security Management Server or the Log Server as part of the Management High Availability module.

To see the list of processes monitored by the WatchDog process (CPWD), you use the cpwd_admin list command.

Option A (cpstat fw -f watchdog) : Shows firewall status and statistics for the "fw" context, not necessarily the list of monitored processes.

Option B (fw ctl get str watchdog) : Not a valid parameter for retrieving the list of monitored processes; “fw ctl” deals with kernel parameters.

Option C (cpwd_admin list) : Correct command that lists all processes monitored by CPWD, their status, and how many times they have been restarted.

Option D (ps -ef | grep watchd) : This will list any running process that matches the string “watchd” but will not specifically detail which processes are being monitored by CPWD.

Therefore, the best answer is cpwd_admin list .

Check Point Troubleshooting References

sk97638 : Explains Check Point WatchDog (CPWD) usage and the cpwd_admin utility.

R81.20 CLI Reference Guide : Describes common troubleshooting commands including cpwd_admin list.

Check Point Gaia Administration Guide : Provides instructions for monitoring system processes and verifying CPWD.

The correct Check Point command to display status and statistics information for various Check Point products and applications is cpstat. This command provides a dynamic real-time view of the system, showing the information such as the number of connections, packets, drops, CPU usage, memory usage, disk space, license status, and blade status. The cpstat command can be customized by using various options and flags to specify the product, the interval, the fields, and the format of the output. For example, to display the status and statistics of the firewall module every 5 seconds, the command would be:

cpstat fw -f all -i 5

The other commands are incorrect because:

A. CPview is a Check Point tool that displays information about the system performance, such as the CPU, memory, disk, network, and firewall. It does not show information about other products and applications, such as VPN, Identity Awareness, Anti-Virus, etc.

C. fwstat is not a valid command. The correct command is fw ctl pstat, which displays information about the firewall kernel, such as the number of connections, packets, drops, memory, and synchronization. It does not show information about other products and applications, such as VPN, Identity Awareness, Anti-Virus, etc.

D. CPstat is not a valid command. The correct command is cpstat, which is case-sensitive.

 The correct command to check the subscription status on the CLI of the gateway is  show license status . This command displays the current license information, such as the license type, expiration date, and subscription status for various blades, such as Anti-Bot, Anti-Virus, IPS, etc. The command also shows the contract status for each blade, such as valid, expired, or invalid. If John has renewed his NPTX license, but he gets an error that the contract for Anti-Bot expired, he can use this command to verify the contract status and the subscription status for the Anti-Bot blade.

The other commands are incorrect because:

A. fwm lie print is not a valid command. The correct command is  fwm lic print , which displays the license information on the Security Management Server, not on the gateway. This command does not show the subscription status or the contract status for the blades.

B. fw monitor license status is not a valid command. The correct command is  fw monitor , which is a tool for capturing network traffic on the gateway, not for checking the license status.

C. cpstat antimalware-f subscription status is not a valid command. The correct command is  cpstat antimalware -f subscription_status , which displays the subscription status for the Anti-Virus blade, not for the Anti-Bot blade. This command does not show the contract status for the blade.

The input that is suitable for debugging HTTPS inspection issues is  fw debug tls on TDERROR_ALL_ALL=5 . This input will enable the TLS debug mode and set the debug level to 5, which is the highest level of verbosity. The  fw debug  command is used to control the debug features of the firewall modules, such as TLS, CPTLS, HTTP, etc. The  tls  option will enable the debug mode for the TLS module, which is responsible for handling the HTTPS inspection feature. The  TDERROR_ALL_ALL  environment variable will set the debug level to 5, which will generate the most detailed and comprehensive debug output.  The debug output will be written to the  $FWDIR/log/tls.elg  file, which can be collected and analyzed with the TLSView tool 1  to see the details of the HTTPS inspection process, such as certificate validation, SSL/TLS negotiation, encryption/decryption, etc. The other options are incorrect because:

fw ctl debug -m fw + conn drop cptls  will enable the kernel debug mode for the firewall module, with the flags  conn ,  drop , and  cptls . The kernel debug mode will generate the  kdebug.txt  file in the  $FWDIR/log  directory, which contains information about the firewall traffic processing in the kernel.  The kernel debug mode is useful for troubleshooting issues related to policy, NAT, routing, and inspection, but not for issues related to HTTPS inspection, which is handled by the TLS module in the user space 2 .

vpn debug cptls on  will enable the IKE debug mode for the CPTLS module, which is a component of the VPN module. The IKE debug mode will generate the  ike.elg  and  ikev2.xmll  files in the  $FWDIR/log  directory, which contain information about the IKE negotiation, authentication, and key exchange between the VPN peers.  The CPTLS module is responsible for handling the SSL/TLS encryption/decryption for the VPN traffic, but not for the HTTPS inspection traffic 3 .

fw diag debug tls enable  is not a valid command and will not enable the TLS debug mode. The  fw diag  command is used to control the diagnostic features of the firewall, such as packet capture, core dump, etc. The  debug  option is not a valid option for the  fw diag  command, and the  tls  option is not a valid option for the  debug  option.  References :

How to use the TLSView tool

How to debug the Firewall kernel (fw) module

How to debug VPN issues on Quantum Spark (SMB) Appliances

[fw diag - Check Point CLI Reference Card]

The System Domain of the Postgres database is a special domain that contains the configuration data of the Security Management Server and the Log Servers. It includes information such as the trusted GUI clients, the administrators, the licenses, the global properties, and the audit logs. The System Domain is not accessible by the user and can only be modified by the Check Point processes. The user modified configurations, such as network objects, policies, and rules, are stored in the User Domain of the Postgres database. The saved queries for applications are stored in the Application Domain of the Postgres database. 

The Core Dump Manager (CDM) is a utility that helps manage core dump files on Check Point systems. Its main functions include:  

Limiting file size and number: CDM can be configured to limit the size of individual core dump files and the total amount of disk space used for core dumps. This prevents core dumps from filling up valuable disk space.  

Compression: CDM can compress core dump files to reduce their storage size. This is particularly helpful when dealing with large core dumps.  

Process filtering: CDM allows you to specify which processes should be allowed to generate core dumps. This can help prevent unnecessary core dumps from being created.  

Remote collection: CDM can be configured to send core dump files to a remote server for analysis. This is useful in environments where direct access to the system generating the core dump is limited.

By using CDM, you can effectively manage core dump files and ensure that they are not overwhelming your system's resources.

The cpwd_admin list command is used to display the status of processes monitored by the Check Point WatchDog Daemon (CPWD). The CPM (Check Point Management) process is a core process on the Security Management Server, responsible for management operations. However, on a Security Gateway , the CPM process is not typically present, as it is specific to management functions.

Option A : Correct. The output of cpwd_admin list differs between a Security Gateway and a Security Management Server. On a Security Gateway, processes like FWD, VPND, and PEP are monitored, but CPM is not present because it runs on the Management Server. Thus, CPM will not appear in the cpwd_admin list output on a Gateway.

Option B : Incorrect. While it’s true that CPM is not running on the Security Gateway, the reason it’s not listed is not because it “can’t be monitored” by CPWD. On a Management Server, CPM is indeed monitored by CPWD, but this question pertains to a Gateway.

Option C : Incorrect. CPM is automatically monitored by CPWD on systems where it runs (e.g., Management Server). There is no need to manually add it to WatchDog’s monitoring list.

Option D : Incorrect. CPM does not have its own separate monitoring system. On a Management Server, CPM is monitored by CPWD like other critical processes. The statement about “only lower processes” being monitored is inaccurate.

The Application Database on a Check Point Security Gateway stores information about applications and categories used by the Application Control and URL Filtering blades. This database is maintained in specific files on the Gateway.

Option A : Incorrect. api_db.C and api_custom_db.C are not standard files related to the Application Database. These names may be confused with API-related configurations.

Option B : Incorrect. apcl_db.C and apd_custom_db.C are not recognized as Application Database files. These names do not align with Check Point’s file naming conventions.

Option C : Correct. The Application Database is stored in application_db.C (the main database) and application_custom_db.C (custom application definitions). These files are located in the $FWDIR/conf directory on the Security Gateway.

Option D : Incorrect. appi_db.C and appi_custom_db.C are close but incorrect. The correct prefix is application_, not appi_.

To troubleshoot Identity Awareness issues related to user identification and Access Role application, you need to enable debugging for both Identity Collectors (IDC) and Identity Providers (IDP). The command pdp debug set IDC all IDP all on the gateway achieves this.

Here's why this is the correct answer and why the others are not:

A. on the gateway: pdp debug set IDC all IDP all: This correctly enables debugging for all Identity Collectors and Identity Providers, allowing you to see detailed logs and messages related to user identification and Access Role assignment. This helps pinpoint issues with user mapping, authentication, or authorization.

B. on the gateway: pdp debug set AD all and IDC all: This command only enables debugging for Active Directory (AD) as an Identity Provider and all Identity Collectors. It might miss issues related to other Identity Providers if they are in use.

C. on the management: pdp debug on IDC all: This command has two issues. First, it should be executed on the gateway, not the management server, as the gateway is responsible for user identification and policy enforcement. Second, it only enables debugging for Identity Collectors, not Identity Providers.

D. on the management: pdp debug set all: While this command might seem to enable debugging for everything, it's not specific enough for Identity Awareness troubleshooting. It might generate excessive logs unrelated to the issue and make it harder to find the relevant information.

Check Point Troubleshooting References:

Check Point Identity Awareness Administration Guide: This guide provides detailed information about Identity Awareness components, configuration, and troubleshooting.

Check Point sk113963: This article explains how to troubleshoot Identity Awareness issues using debug commands and logs.

Check Point R81.20 Security Administration Guide: This guide covers general troubleshooting and debugging techniques, including the use of pdp debug commands.

 The top command is a Linux command that displays information about resource utilization for running processes and shows additional information for core utilization and memory. The top command provides a dynamic real-time view of the system, showing the processes that are consuming the most CPU, memory, and other resources. The top command also shows the total number of processes, the system load average, the uptime, and the CPU usage by user, system, and idle. The top command can be customized by using various options and interactive commands to change the display, sort the processes, filter the output, and kill processes.

The other commands are incorrect because:

B. vmstat is a Linux command that displays information about the virtual memory, CPU, disk, and system activity. It does not show information about individual processes or core utilization.

C. cptop is a Check Point command that displays information about the firewall kernel activity, such as the number of connections, packets, drops, and rejects. It does not show information about other processes or memory usage.

D. mpstat is a Linux command that displays information about the CPU utilization by each processor or core. It does not show information about processes or memory usage.

IKE view is the most efficient way to read an IKEv2 debug.  IKE view is a graphical user interface tool that enables you to analyze the IKEv2 debugs generated by the Security Gateway 1 . It can parse the debug files and display the information in a structured and readable format.  It can also filter the debug messages based on various criteria, such as IP address, encryption domain, or IKEv2 state 1 .  IKE view can help you to troubleshoot the IKEv2 issues and identify the root cause of the problems 1 .  References :  IKEView: VPN Debugging Tool - Check Point Software

 Log indexing is a feature that enables faster and more efficient log searches in SmartLog and SmartEvent. To enable log indexing on the Security Management Server (SMS), you need to edit the SMS object in SmartConsole and go to the “Logs” tab.  There you can configure the log indexing settings, such as the index location, the index size, the index frequency, and the index retention 1 2 3 .  References :

1 : CCTE Courseware, Module 2: Advanced Logs and Monitoring, Slide 9

2 : Check Point R81 Logging and Monitoring Administration Guide, Chapter 2: Log Indexing, Page 17

3 : Check Point R81 Logging and Monitoring Administration Guide, Chapter 2: Log Indexing, Page 18

The STAT column in the output of the cpwd_admin list command shows the status of the monitored process. The possible values are E for established, meaning that the process is running, or T for terminated, meaning that the process is not running. The STAT column is useful for quickly checking if any critical process has crashed or failed to start. If the value is T, the process should be restarted and the reason for the termination should be investigated. The STAT column does not show the Watch Dog name, the number of times the process was started, or the monitoring method of the Watch Dog.