156-587 Exam Dumps - Check Point Certified Troubleshooting Expert - R81.20 (CCTE)

When a process isfrozen(hung or unresponsive), the typical method to resolve it is tokill the process. On Check Point, you can use cpwd_admin kill -name or a standard Linux kill -9 command if necessary. You then allowCPWD(the Check Point watchdog) to restart it, or manually restart it if needed.

Other options:

A. Power off the machine: This is too drastic and not recommended just for a single frozen process.

B. Restart the process: While this sounds viable, you typicallymust killthe frozen process first, then let WatchDog or an admin restart it.

C. Reboot the machine: Similar to powering off—too disruptive for just one stuck process.

Hence, the most direct and standard approach:

“Kill the process.”

Check Point Troubleshooting References

sk97638– Explanation of CPWD (Check Point WatchDog) and how to manage processes.

sk43807– How to gracefully stop or kill a Check Point process.

Check Point CLI Reference Guide– Details on using cpwd_admin commands to kill or restart processes.

The cpca process is responsible for the generation of certificates on the Security Management Server or the Multi-Domain Security Management Server. It is the Check Point Internal Certificate Authority (ICA) that issues certificates for internal use, such as for VPN, HTTPS Inspection, SmartConsole, and Secure Internal Communication (SIC). The cpca process runs on the Security Management Server or the Multi-Domain Security Management Server as part of the Management High Availability module.

The kernel component associated with Content Awareness and data collection from contexts (often provided by the Context Management Infrastructure - CMI) is dlpda.  

According to the Check Point R81.20 Quantum Security Gateway Administration Guide, within the listing of kernel modules, dlpda is described as follows:

Exact Extract:

Module "dlpda" (Data Loss Prevention - Download Agent for Content Awareness)

The dlpda module functions as a "Download Agent for Content Awareness." This role involves collecting data necessary for the Content Awareness blade to inspect and understand the content of traffic. The Content Awareness blade works in conjunction with the Context Management Infrastructure (CMI), which provides the initial context about the traffic. The dlpda component then uses these contexts to gather the relevant data for deeper inspection and to determine if the content matches any defined data types or policies. While the guide lists it as a "Module," exam questions in the CCTE context often refer to such components involved in kernel operations as "kernel processes." The function described clearly aligns with collecting data for Content Awareness.  

Options analysis:

A. PDP (Policy Decision Point): This process is primarily associated with Identity Awareness for making access decisions based on user identity, not directly for Content Awareness data collection from CMI contexts.

B. cpemd (Check Point Endpoint Management Daemon): This daemon is related to endpoint security management and does not fit the role of a kernel process for gateway-level Content Awareness data collection.

D. CMI (Context Management Infrastructure): CMI is an infrastructure that provides contexts to various blades, including Content Awareness. It is the source of the contexts, not the kernel process that collects data based on those contexts.

Therefore, dlpda is the kernel component specifically tasked with collecting data for Content Awareness.

The correct statement explaining the differences between the two procedures for debugging in the firewall kernel is D. (i) is used for general debugging, has a small buffer and is a quick way to set kernel debug flags to get an output via command line whereas (ii) is useful when there is a need for detailed debugging and requires additional steps to set the buffer and get an output via command line.

The command fw ctl zdebug is a shortcut command that sets the kernel debug flags to a predefined value and prints the debug output to the standard output. It is useful for general debugging of common issues, such as traffic drops, NAT, VPN, or clustering. It has a small buffer size and does not require additional steps to start or stop the debugging. However, it has some limitations, such as it cannot be used with SecureXL, it cannot filter the output by chain modules, and it cannot save the output to a file12.

The command fw ctl debug is a command that allows the administrator to set the kernel debug flags to a custom value and specify the chain modules to debug. It is useful for detailed debugging of specific issues, such as policy installation, CoreXL, or Identity Awareness. It has a larger buffer size and can save the output to a file. However, it requires additional steps to start and stop thedebugging, such as setting the buffer size, clearing the buffer, dumping the buffer, and resetting the debug flags12.

The command fw ctl kdebug is a command that is used in conjunction with fw ctl debug to dump the kernel debug buffer to the standard output or to a file. It is part of the procedure (ii) for detailed debugging in the firewall kernel12.

The other statements are not correct or relevant for explaining the differences between the two procedures for debugging in the firewall kernel. The command fw ctl zdebug can be used to debug more than just the access control policy, and the command fw ctl debug/kdebug can be used to debug more than just the unified policy. Both commands can be used on both the Security Gateway and the Security Management Server, depending on the issue to be debugged12.

The cpwd_admin list command is used to display the status of processes monitored by the Check Point WatchDog Daemon (CPWD). The CPM (Check Point Management) process is a core process on the Security Management Server, responsible for management operations. However, on aSecurity Gateway, the CPM process is not typically present, as it is specific to management functions.

Option A: Correct. The output of cpwd_admin list differs between a Security Gateway and a Security Management Server. On a Security Gateway, processes like FWD, VPND, and PEP are monitored, but CPM is not present because it runs on the Management Server. Thus, CPM will not appear in the cpwd_admin list output on a Gateway.

Option B: Incorrect. While it’s true that CPM is not running on the Security Gateway, the reason it’s not listed is not because it “can’t be monitored” by CPWD. On a Management Server, CPM is indeed monitored by CPWD, but this question pertains to a Gateway.

Option C: Incorrect. CPM is automatically monitored by CPWD on systems where it runs (e.g., Management Server). There is no need to manually add it to WatchDog’s monitoring list.

Option D: Incorrect. CPM does not have its own separate monitoring system. On a Management Server, CPM is monitored by CPWD like other critical processes. The statement about “only lower processes” being monitored is inaccurate.