156-587 Check Point Certified Troubleshooting Expert - R81.20 (CCTE) Questions and Answers

When troubleshootingcrasheson a Security Gateway (or any Linux-based system), the file type that is typically generated and used for in-depth analysis is acore dump.

A core dump captures the memory state of a process at the time it crashed and is critical for root-cause analysis.

Other options:

A. tcpdump: A packet capture file, not a crash-related file.

C. fw monitor: A Check Point packet capture tool, but not for crash debugging.

D. CPMIL dump: Not a common or standard crash dump reference in Check Point.

The Resource Advisor (RAD) service on the Security Gateways is responsible for online categorization of URLs and resources for Application Control and Threat Prevention blades. RAD has two components: a kernel module and a user space module. The kernel module looks up the kernel cache for URLs and resources, notifies the client about hits and misses, and forwards asynchronous requests to the user space module. The user space module handles the communication with the Check Point online web service and updates the kernel cache with the results. RAD can operate in three modes: hold, background, and custom, depending on the configuration of the blades and the policy. References:

Check Point Processes and Daemons - Section: Security Gateway Software Blades and Features - Subsection: URL Filtering Blade

Solved: Re: RAD’s high utilization - Post by @PhoneBoy

Check Point Certified Troubleshooting Expert (CCTE) - Exam Topics - Module 5: Advanced Access Control

CPWD (Check Point WatchDog)is the process that monitors, terminates (if necessary), and restarts critical Check Point processes (e.g., FWD, FWM, CPM) when they stop responding or crash.

CPM(Check Point Management process) is a process on the Management Server responsible for the web-based SmartConsole connections, policy installations, etc.

FWD(Firewall Daemon) handles logging and communication functions in the Security Gateway.

FWM(FireWall Management) is an older reference to the management process on the Management Server for older versions.

Therefore, the best answer isCPWD.

Check Point Troubleshooting References

sk97638: Check Point WatchDog (CPWD) process explanation and commands.

R81.20 Administration Guide– Section on CoreXL, Daemons, and CPWD usage.

sk105217: Best Practices – Explains system processes, how to monitor them, and how CPWD is utilized.

When a user space process crashes unexpectedly, the operating system often creates acore dumpfile. This file is a snapshot of the process's memory at the time of the crash, including information such as:

Program counter:This indicates where the program was executing when it crashed.

Stack pointer:This shows the function call stack, which can help trace the sequence of events leading to the crash.

Memory contents:This includes the values of variables and data structures used by the process.

Register values:This shows the state of the processor registers at the time of the crash.

Core dump files can be analyzed using debuggers like GDB to understand the cause of the crash.

Why other options are incorrect:

B. kernel_memory_dump dbg:This refers to a kernel memory dump, which is generated when the operating system kernel itself crashes.

C. core analyzer:This is a tool used to analyze core dump files, not the file itself.

D. coredebug:This is not a standard term for any type of crash dump file.

Check Point Troubleshooting References:

Check Point's documentation mentions core dumps in the context of troubleshooting various processes, such as fwd (firewall) and cpd (Check Point daemon). You can find information on enabling core dumps and analyzing them in the Check Point administration guides and knowledge base articles.

 The CpmiHostCkp table in the Postgres database contains the data for CPMI objects, such as gateways, clusters, and servers. The table column that should be selected to query for the object instance is the objid column, which is the primary key of the table and uniquely identifies each object. The objid column can be used to join with other tables that reference CPMI objects, such as CpmiClusterMember, CpmiCluster, and CpmiServer. The objid column can also be used to retrieve the object name, IP address, type, and other attributes from the CpmiHostCkp table itself. References:

Check Point Database Tool (GuiDBedit Tool) - Section: How to use the Check Point Database Tool (GuiDBedit Tool) - Subsection: How to view the data in the database

Check Point Certified Troubleshooting Expert (CCTE) - Exam Topics - Module 6: Advanced Management Server Troubleshooting

[Check Point R81 Database Schema] - Section: CPMI Tables - Subsection: CpmiHostCkp Table