156-587 Check Point Certified Troubleshooting Expert - R81.20 (CCTE) Question and Answers

CMI stands for Context Management Infrastructure, which is a component of the Access Control Policy that enables the Security Gateway to inspect traffic based on the context of the connection. Context includes information such as user identity, application, location, time, and device. CMI allows the Security Gateway to apply different security rules and actions based on the context of the traffic, and to dynamically update the context as it changes. CMI consists of three main elements: Unified Policy, Identity Awareness, and Content Awareness. 

The STAT column in the output of the cpwd_admin list command shows the status of the monitored process. The possible values are E for established, meaning that the process is running, or T for terminated, meaning that the process is not running. The STAT column is useful for quickly checking if any critical process has crashed or failed to start. If the value is T, the process should be restarted and the reason for the termination should be investigated. The STAT column does not show the Watch Dog name, the number of times the process was started, or the monitoring method of the Watch Dog. 

CPWD (Check Point WatchDog)is the process that monitors, terminates (if necessary), and restarts critical Check Point processes (e.g., FWD, FWM, CPM) when they stop responding or crash.

CPM(Check Point Management process) is a process on the Management Server responsible for the web-based SmartConsole connections, policy installations, etc.

FWD(Firewall Daemon) handles logging and communication functions in the Security Gateway.

FWM(FireWall Management) is an older reference to the management process on the Management Server for older versions.

Therefore, the best answer isCPWD.

Check Point Troubleshooting References

sk97638: Check Point WatchDog (CPWD) process explanation and commands.

R81.20 Administration Guide– Section on CoreXL, Daemons, and CPWD usage.

sk105217: Best Practices – Explains system processes, how to monitor them, and how CPWD is utilized.

If you have modified kernel parameters (infwkern.conf, for example) and the gateway starts dropping traffic or behaving abnormally after a reboot, the best practice is to restore the original or a known-good configuration from backup. Then, reboot again so that the gateway loads the last known stable settings.

Option A(fw ctl set int fw1_kernel_all_disable=1) is not a standard or documented method for “undoing” all kernel tweaks.

Option B(Restore fwkem.conf from backup and reboot the gateway) is the correct and straightforward approach.

Option C(fw unloadlocal) removes the local policy but does not revert custom kernel parameters that have already been loaded at boot.

Option D(Remove all kernel parameters from fwkem.conf and reboot) might help in some cases, but you risk losing other beneficial or necessary parameters if there were legitimate custom settings. Restoring from a known-good backup is safer and more precise.

Hence, the best answer:“Restore fwkem.conf from backup and reboot the gateway.”

Check Point Troubleshooting References

sk98339– Working with fwkern.conf (kernel parameters) in Gaia OS.

sk92739– Advanced System Tuning in Gaia OS.

Check Point Gaia Administration Guide– Section on kernel parameters and system tuning.

Check Point CLI Reference Guide– Explanation of using fw ctl, fw unloadlocal, and relevant troubleshooting commands.

When troubleshootingcrasheson a Security Gateway (or any Linux-based system), the file type that is typically generated and used for in-depth analysis is acore dump.

A core dump captures the memory state of a process at the time it crashed and is critical for root-cause analysis.

Other options:

A. tcpdump: A packet capture file, not a crash-related file.

C. fw monitor: A Check Point packet capture tool, but not for crash debugging.

D. CPMIL dump: Not a common or standard crash dump reference in Check Point.

When a process isfrozen(hung or unresponsive), the typical method to resolve it is tokill the process. On Check Point, you can use cpwd_admin kill -name or a standard Linux kill -9 command if necessary. You then allowCPWD(the Check Point watchdog) to restart it, or manually restart it if needed.

Other options:

A. Power off the machine: This is too drastic and not recommended just for a single frozen process.

B. Restart the process: While this sounds viable, you typicallymust killthe frozen process first, then let WatchDog or an admin restart it.

C. Reboot the machine: Similar to powering off—too disruptive for just one stuck process.

Hence, the most direct and standard approach:“Kill the process.”

Check Point Troubleshooting References

sk97638– Explanation of CPWD (Check Point WatchDog) and how to manage processes.

sk43807– How to gracefully stop or kill a Check Point process.

Check Point CLI Reference Guide– Details on using cpwd_admin commands to kill or restart processes.

To see the list of processes monitored by the WatchDog process (CPWD), you use thecpwd_admin listcommand.

Option A (cpstat fw -f watchdog): Shows firewall status and statistics for the "fw" context, not necessarily the list of monitored processes.

Option B (fw ctl get str watchdog): Not a valid parameter for retrieving the list of monitored processes; “fw ctl” deals with kernel parameters.

Option C (cpwd_admin list): Correct command that lists all processes monitored by CPWD, their status, and how many times they have been restarted.

Option D (ps -ef | grep watchd): This will list any running process that matches the string “watchd” but will not specifically detail which processes are being monitored by CPWD.

Therefore, the best answer iscpwd_admin list.

Check Point Troubleshooting References

sk97638: Explains Check Point WatchDog (CPWD) usage and the cpwd_admin utility.

R81.20 CLI Reference Guide: Describes common troubleshooting commands including cpwd_admin list.

Check Point Gaia Administration Guide: Provides instructions for monitoring system processes and verifying CPWD.

Usermode core files are generated when a user mode process crashes. They are located in the $CPDIR/var/log/dump/usermode directory on the Security Gateway or Security Management server. The core files can be used to analyze the cause of the crash and troubleshoot the issue. The core files are named according to the process name, date, and time of the crash. For example, cpd_2023_02_03_16_40_55.core is a core file for the cpd process that crashed on February 3, 2023 at 16:40:55