The Check Point Certified Troubleshooting Expert - R81.20 (CCTE) (156-587)
Passing the Checkpoint CCTE exam gives the successful candidate a powerful array of professional and personal benefits. The first and foremost benefit is global recognition that validates your knowledge and skills, making possible your entry into any organization of your choice.
Why CertAchieve is Better than Standard 156-587 Dumps
In 2026, Checkpoint uses variable topologies. Basic dumps will fail you.
| Quality Standard | Generic Dump Sites | CertAchieve Premium Prep |
|---|---|---|
| Technical Explanation | None (Answer Key Only) | Step-by-Step Expert Rationales |
| Syllabus Coverage | Often Outdated (v1.0) | 2026 Updated (Latest Syllabus) |
| Scenario Mastery | Blind Memorization | Conceptual Logic & Troubleshooting |
| Instructor Access | No Post-Sale Support | 24/7 Professional Help |
Coverage of Official Checkpoint 156-587 Exam Domains
Our curriculum is meticulously mapped to the Checkpoint official blueprint.
Management Server Troubleshooting (15%)
Master the diagnostic techniques for Security Management Server failures. Troubleshoot database synchronization, SmartConsole connectivity issues, and debug management server process crashes (FWM, CPD, CPM).
Gateway & Kernel Debugging (20%)
Deep dive into the Check Point kernel architecture. Master the use of fw ctl debug and fw monitor to analyze packet flows, identify dropped packets at the kernel level, and troubleshoot performance bottlenecks.
Advanced VPN Troubleshooting (20%)
Expertise in resolving complex Site-to-Site and Client-to-Site (Mobile Access) VPN issues. Analyze IKE phase negotiations, tunnel establishment failures, and encryption/decryption issues using vpn debug and ikeview.
Identity Awareness & Access Control (15%)
Mastering the Policy Decision Point (PDP) and Policy Enforcement Point (PEP). Troubleshoot Identity Awareness sources like AD Query, Identity Collector, and Browser-Based Authentication using pdp debug commands.
User Mode Troubleshooting & Tools (15%)
Focus on troubleshooting user-space processes. Master the application of tools like cpview, top, and netstat to monitor system resources and identify hung processes or memory leaks in the Gaia OS.
Logs, Events & Threat Prevention (15%)
Advanced analysis of the log infrastructure. Troubleshoot log indexing, FWD process communication, and debug Threat Prevention blades (IPS, Anti-Bot, Antivirus) to resolve inspection failures or false positives.
Checkpoint 156-587 Exam Domains Q&A
Certified instructors verify every question for 100% accuracy, providing detailed, step-by-step explanations for each.
QUESTION DESCRIPTION:
Your users are having trouble opening a Web page and you need to troubleshoot it. You open SmartConsole, and you get the following message when you navigate to Logs and Monitor: "SmartLog is not active or Failed to parse results from server". What is the first thing you can try to resolve it?
Correct Answer & Rationale:
Answer: C
Explanation:
The error message “SmartLog is not active or Failed to parse results from server” indicates that there is a problem with the SmartLog server process, which is responsible for indexing and querying the logs. One possible cause of this problem is a corrupted log file or a mismatched IP address in the logging configuration files. Another possible cause is a communication failure between the SmartLog server and the CPM process or the SmartConsole client. To resolve this issue, the first thing to try is to restart the SmartLog server process by running the command smartlog_server restart on the Security Management Server or the Log Server. This command will stop the SmartLog server, clean the buffer, and start it again. This may fix the corrupted log file or the communication issue. If the problem persists, other steps may be needed, such as checking the network connectivity, the firewall rules, the logging configuration files, the CPM process, or the SmartConsole client.
QUESTION DESCRIPTION:
What is the Security Gateway directory where an administrator can find vpn debug log files generated during Site-to-Site VPN troubleshooting?
Correct Answer & Rationale:
Answer: C
Explanation:
The correct directory where an administrator can find vpn debug log files generated during Site-to-Site VPN troubleshooting is $FWDIR/log/. This directory contains the following files related to vpn debug:
- vpnd.elg: This file contains the high-level VPN debug information, such as the VPN tunnel establishment, deletion, and negotiation messages. It can be enabled by using the vpn debug on command on the Security Gateway CLI.
- legacy_ike.elg: This file contains the low-level IKE debug information for IKEv1, such as the IKE packets, encryption, decryption, and authentication. It can be enabled by using the vpn debug ikeon command on the Security Gateway CLI.
- legacy_ikev2.xml: This file contains the low-level IKE debug information for IKEv2, such as the IKE packets, encryption, decryption, and authentication. It can be enabled by using the vpn debug ikev2on command on the Security Gateway CLI.
These files can be viewed by using the vpn debug view command on the Security Gateway CLI, or by using the IKEView tool on the Security Management Server GUI.
QUESTION DESCRIPTION:
When a user space process or program suddenly crashes, what type of file is created for analysis?
Correct Answer & Rationale:
Answer: A
Explanation:
When a user space process crashes unexpectedly, the operating system often creates a core dump file. This file is a snapshot of the process's memory at the time of the crash, including information such as:
- Program counter: This indicates where the program was executing when it crashed.
- Stack pointer: This shows the function call stack, which can help trace the sequence of events leading to the crash.
- Memory contents: This includes the values of variables and data structures used by the process.
- Register values: This shows the state of the processor registers at the time of the crash.
Core dump files can be analyzed using debuggers like GDB to understand the cause of the crash.
Why other options are incorrect:
B. kernel_memory_dump dbg: This refers to a kernel memory dump, which is generated when the operating system kernel itself crashes.
C. core analyzer: This is a tool used to analyze core dump files, not the file itself.
D. coredebug: This is not a standard term for any type of crash dump file.
Check Point Troubleshooting References:
Check Point's documentation mentions core dumps in the context of troubleshooting various processes, such as fwd (firewall) and cpd (Check Point daemon). You can find information on enabling core dumps and analyzing them in the Check Point administration guides and knowledge base articles.
QUESTION DESCRIPTION:
Which process is responsible for the generation of certificates?
Correct Answer & Rationale:
Answer: D
Explanation:
The cpca process is responsible for the generation of certificates on the Security Management Server or the Multi-Domain Security Management Server. It is the Check Point Internal Certificate Authority (ICA) that issues certificates for internal use, such as for VPN, HTTPS Inspection, SmartConsole, and Secure Internal Communication (SIC). The cpca process runs on the Security Management Server or the Multi-Domain Security Management Server as part of the Management High Availability module.
QUESTION DESCRIPTION:
Where do you enable log indexing on the SMS?
Correct Answer & Rationale:
Answer: C
Explanation:
Log indexing is a feature that enables faster and more efficient log searches in SmartLog and SmartEvent. To enable log indexing on the Security Management Server (SMS), you need to edit the SMS object in SmartConsole and go to the “Logs” tab. There you can configure the log indexing settings, such as the index location, the index size, the index frequency, and the index retention [1] [2] [3].
References:
[1] CCTE Courseware, Module 2: Advanced Logs and Monitoring, Slide 9
[2] Check Point R81 Logging and Monitoring Administration Guide, Chapter 2: Log Indexing, Page 17
[3] Check Point R81 Logging and Monitoring Administration Guide, Chapter 2: Log Indexing, Page 18
QUESTION DESCRIPTION:
In Mobile Access VPN, clientless access is done using a web browser. The primary communication path for these browser-based connections is a process that allows numerous processes to utilize port 443 and redirects traffic to a designated port of the respective process. Which daemon handles this?
Correct Answer & Rationale:
Answer: A
Explanation:
The Multi-portal Daemon (mpdaemon) is responsible for handling the clientless access connections in Mobile Access VPN. It listens on port 443 and redirects the traffic to the appropriate port of the process that handles the specific connection type, such as cvpnd for SSL Network Extender, MAD for Mobile Access Portal, or HID for HTTPS Inspection. The mpdaemon also performs authentication and authorization for the clientless access connections.
References: Check Point Processes and Daemons [1], Mobile Access Blade Administration Guide [2]
[1] https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk97638
[2] https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Mobile_Access_AdminGuide/html_frameset.htm
QUESTION DESCRIPTION:
You run a free-command on a gateway and notice that the Swap column is not zero. Choose the best answer.
Correct Answer & Rationale:
Answer: A
Explanation:
When the free command on a Linux-based system (like a Check Point Gaia gateway) shows a non-zero value in the "Swap" column, it indicates that the system has utilized its swap space. Swap space is a portion of the hard disk designated to act as virtual RAM when the physical RAM is fully utilized.
The most direct and accurate explanation for swap usage is that the system's demand for Random Access Memory (RAM) exceeded the available physical RAM, forcing the operating system to move some less frequently used memory pages from RAM to the swap space on the disk. This frees up physical RAM for more active processes.
Let's analyze the options:
A. Utilization of ram is high and swap file had to be used: This is the correct and fundamental reason. Swap is used precisely because RAM utilization reached a point where the system needed more memory than was physically available.
B. Swap file is used regularly because RAM memory is reserved for management traffic: While Check Point gateways handle management traffic, operating systems do not typically use swap "regularly" due to a fixed reservation of RAM for such traffic in a way that would routinely force swapping under normal conditions. If management traffic is excessively high and consumes too much RAM, it would fall under the general case of high RAM utilization.
C. Swap memory is used for heavy connections when RAM memory is full: This describes a common cause for high RAM utilization on a firewall. Heavy connections can consume significant memory resources. When this consumption leads to RAM exhaustion, swap will indeed be used. However, option A is a more general and direct explanation of why swap is used, regardless of the specific cause of high RAM utilization. Option C is a specific scenario leading to the condition described in A.
D. Its ole Swap is used to increase performance: This statement is incorrect. Swapping to disk is significantly slower than accessing RAM. Therefore, swap usage generally indicates a performance bottleneck (or potential for one) rather than a performance enhancement. While virtual memory (which includes swap) allows a system to run more or larger applications than its physical RAM would normally allow, the act of swapping itself is detrimental to performance.
Conclusion: The best answer is A because it directly and accurately describes the immediate reason for swap usage: high RAM utilization necessitating the use of the swap file. Option C, while plausible as a cause of high RAM utilization, is a specific instance, whereas A is the overarching reason swap comes into play.
Reference (General Linux/System Administration Principles and supported by CCTE exam preparation materials): This understanding is based on fundamental principles of how operating systems manage memory and swap space. Check Point CCTE R81.20 exam preparation materials also affirm this understanding for similar questions. For instance, a question identical to this one appearing in CCTE exam preparation resources typically points to option A as the correct answer.
QUESTION DESCRIPTION:
You run cpwd_admin list on a Security Gateway and notice that the CPM process is not listed. Select the best answer.
Correct Answer & Rationale:
Answer: A
Explanation:
The cpwd_admin list command is used to display the status of processes monitored by the Check Point WatchDog Daemon (CPWD). The CPM (Check Point Management) process is a core process on the Security Management Server, responsible for management operations. However, on a Security Gateway, the CPM process is not typically present, as it is specific to management functions.
- Option A: Correct. The output of cpwd_admin list differs between a Security Gateway and a Security Management Server. On a Security Gateway, processes like FWD, VPND, and PEP are monitored, but CPM is not present because it runs on the Management Server. Thus, CPM will not appear in the cpwd_admin list output on a Gateway.
- Option B: Incorrect. While it’s true that CPM is not running on the Security Gateway, the reason it’s not listed is not because it “can’t be monitored” by CPWD. On a Management Server, CPM is indeed monitored by CPWD, but this question pertains to a Gateway.
- Option C: Incorrect. CPM is automatically monitored by CPWD on systems where it runs (e.g., Management Server). There is no need to manually add it to WatchDog’s monitoring list.
- Option D: Incorrect. CPM does not have its own separate monitoring system. On a Management Server, CPM is monitored by CPWD like other critical processes. The statement about “only lower processes” being monitored is inaccurate.
QUESTION DESCRIPTION:
In some scenarios it is very helpful to use advanced Linux commands for troubleshooting purposes. Which command displays information about resource utilization for running processes and shows additional information for core utilization and memory?
Correct Answer & Rationale:
Answer: A
Explanation:
The top command is a Linux command that displays information about resource utilization for running processes and shows additional information for core utilization and memory. The top command provides a dynamic real-time view of the system, showing the processes that are consuming the most CPU, memory, and other resources. The top command also shows the total number of processes, the system load average, the uptime, and the CPU usage by user, system, and idle. The top command can be customized by using various options and interactive commands to change the display, sort the processes, filter the output, and kill processes.
The other commands are incorrect because:
B. vmstat is a Linux command that displays information about the virtual memory, CPU, disk, and system activity. It does not show information about individual processes or core utilization.
C. cptop is a Check Point command that displays information about the firewall kernel activity, such as the number of connections, packets, drops, and rejects. It does not show information about other processes or memory usage.
D. mpstat is a Linux command that displays information about the CPU utilization by each processor or core. It does not show information about processes or memory usage.
QUESTION DESCRIPTION:
John has renewed his NPTX License but he gets an error (contract for Anti-Bot expired). He wants to check the subscription status on the CLI of the gateway, what command can he use for this?
Correct Answer & Rationale:
Answer: D
Explanation:
The correct command to check the subscription status on the CLI of the gateway is show license status. This command displays the current license information, such as the license type, expiration date, and subscription status for various blades, such as Anti-Bot, Anti-Virus, IPS, etc. The command also shows the contract status for each blade, such as valid, expired, or invalid. If John has renewed his NPTX license, but he gets an error that the contract for Anti-Bot expired, he can use this command to verify the contract status and the subscription status for the Anti-Bot blade.
The other commands are incorrect because:
A. fwm lie print is not a valid command. The correct command is fwm lic print, which displays the license information on the Security Management Server, not on the gateway. This command does not show the subscription status or the contract status for the blades.
B. fw monitor license status is not a valid command. The correct command is fw monitor, which is a tool for capturing network traffic on the gateway, not for checking the license status.
C. cpstat antimalware-f subscription status is not a valid command. The correct command is cpstat antimalware -f subscription_status, which displays the subscription status for the Anti-Virus blade, not for the Anti-Bot blade. This command does not show the contract status for the blade.
A Stepping Stone for Enhanced Career Opportunities
Having the CCTE certification on your profile significantly enhances your credibility and marketability in all corners of the world. The best part is that your formal recognition pays you in terms of tangible career advancement. It helps you perform your desired job roles accompanied by a substantial increase in your regular income. Beyond the resume, your expertise gives you the confidence to act as a dependable professional who solves real-world business challenges.
Your success in the Checkpoint 156-587 certification exam makes you visible and relevant in the fast-evolving tech landscape. It proves to be a lifelong investment in your career that gives you not only a competitive advantage over your non-certified peers but also makes you eligible for further relevant exams in your domain.
What You Need to Ace Checkpoint Exam 156-587
Achieving success in the 156-587 Checkpoint exam requires a blend of clear understanding of all the exam topics, practical skills, and practice of the actual format. There's no room for cramming information, memorizing facts or depending on a few significant exam topics. It means your readiness for the exam requires you to develop a comprehensive grasp of the syllabus that includes theoretical as well as practical command.
Here is a comprehensive strategy layout to secure peak performance in 156-587 certification exam:
- Develop a rock-solid theoretical clarity of the exam topics
- Begin with easier and more familiar topics of the exam syllabus
- Make sure of your command of the fundamental concepts
- Focus your attention on understanding why that matters
- Ensure hands-on practice as the exam tests your ability to apply knowledge
- Develop a study routine managing time because it can be a major time-sink if you are slow
- Find a comprehensive and streamlined study resource for your help
Ensuring Outstanding Results in Exam 156-587!
Against the backdrop of the above prep strategy for the 156-587 Checkpoint exam, your primary need is to find a comprehensive study resource. It could otherwise be a daunting task to achieve exam success. The most important factor that must be kept in mind is to rely on one particular resource instead of depending on multiple sources. It should be an all-inclusive resource that ensures conceptual explanations, hands-on practical exercises, and realistic assessment tools.
Certachieve: A Reliable All-inclusive Study Resource
Certachieve offers multiple study tools to do thorough and rewarding 156-587 exam prep. Here's an overview of Certachieve's toolkit:
Checkpoint 156-587 PDF Study Guide
This premium guide contains a number of Checkpoint 156-587 exam questions and answers that give you a full coverage of the exam syllabus in easy language. The information provided efficiently guides the candidate's focus to the most critical topics. The supportive explanations and examples build both the knowledge and the practical confidence of the exam candidates required to confidently pass the exam. The demo of Checkpoint 156-587 study guide pdf free download is also available to examine the contents and quality of the study material.
Checkpoint 156-587 Practice Exams
Practicing the exam 156-587 questions is one of the essential requirements of your exam preparation. To help you with this important task, Certachieve introduces Checkpoint 156-587 Testing Engine to simulate multiple real exam-like tests. They are of enormous value for developing your grasp and understanding your strengths and weaknesses in exam preparation and make up deficiencies in time.
These comprehensive materials are engineered to streamline your preparation process, providing a direct and efficient path to mastering the exam's requirements.
Checkpoint 156-587 exam dumps
These realistic dumps include the most significant questions that may be the part of your upcoming exam. Learning 156-587 exam dumps can increase not only your chances of success but can also award you an outstanding score.
Checkpoint 156-587 CCTE FAQ
There is only a formal set of prerequisites to take the 156-587 Checkpoint exam. It is up to the Checkpoint organization to introduce changes in the basic eligibility criteria to take the exam. Generally, your thorough theoretical knowledge and hands-on practice of the syllabus topics make you eligible to opt for the exam.
It requires a comprehensive study plan that includes exam preparation from an authentic, reliable and exam-oriented study resource. It should provide you with Checkpoint 156-587 exam questions focusing on mastering core topics. This resource should also have extensive hands-on practice using the Checkpoint 156-587 Testing Engine.
Finally, it should also introduce you to the expected questions with the help of Checkpoint 156-587 exam dumps to enhance your readiness for the exam.
Like any other Checkpoint Certification exam, the CCTE is tough and challenging. In particular, its extensive syllabus makes it hard to do 156-587 exam prep. The actual exam requires the candidates to develop in-depth knowledge of all syllabus content along with practical knowledge. The only solution to pass the exam on the first try is to ensure diligent study and lab practice prior to taking the exam.
The 156-587 Checkpoint exam usually comprises 100 to 120 questions. However, the number of questions may vary. The reason is the format of the exam that may include unscored and experimental questions sometimes. Mostly, the actual exam consists of various question formats, including multiple-choice, simulations, and drag-and-drop.
It actually depends on one's personal keenness and absorption level. However, usually people take three to six weeks to thoroughly complete the Checkpoint 156-587 exam prep subject to their prior experience and the engagement with study. The prime factor is the observation of consistency in studies and this factor may reduce the total time duration.
Yes. Checkpoint has transitioned to v1.1, which places more weight on Network Automation, Security Fundamentals, and AI integration. Our 2026 bank reflects these specific updates.
Standard dumps rely on pattern recognition. If Checkpoint changes a single IP address in a topology, memorized answers fail. Our rationales teach you the logic so you can solve the problem regardless of the phrasing.
