156-587 Check Point Certified Troubleshooting Expert - R81.20 (CCTE) Questions and Answers

The STAT column in the output of the cpwd_admin list command shows the status of the monitored process. The possible values are E for established, meaning that the process is running, or T for terminated, meaning that the process is not running. The STAT column is useful for quickly checking if any critical process has crashed or failed to start. If the value is T, the process should be restarted and the reason for the termination should be investigated. The STAT column does not show the Watch Dog name, the number of times the process was started, or the monitoring method of the Watch Dog. 

The Core Dump Manager (CDM) is a utility that helps manage core dump files on Check Point systems. Its main functions include:  

Limiting file size and number:CDM can be configured to limit the size of individual core dump files and the total amount of disk space used for core dumps. This prevents core dumps from filling up valuable disk space.  

Compression:CDM can compress core dump files to reduce their storage size. This is particularly helpful when dealing with large core dumps.  

Process filtering:CDM allows you to specify which processes should be allowed to generate core dumps. This can help prevent unnecessary core dumps from being created.  

Remote collection:CDM can be configured to send core dump files to a remote server for analysis. This is useful in environments where direct access to the system generating the core dump is limited.

By using CDM, you can effectively manage core dump files and ensure that they are not overwhelming your system's resources.

The Multi-portal Daemon (mpdaemon) is responsible for handling the clientless access connections in Mobile Access VPN. It listens on port 443 and redirects the traffic to the appropriate port of the process that handles the specific connection type, such as cvpnd for SSL Network Extender, MAD for Mobile Access Portal, or HID for HTTPS Inspection.The mpdaemon also performs authentication and authorization for the clientless access connections.References: Check Point Processes and Daemons1, Mobile Access Blade Administration Guide

1: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsol utiondetails=&solutionid=sk97638 : https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Mobile_Access_AdminGuide/html_frameset.htm

Usermode core files are generated when a user mode process crashes. They are located in the $CPDIR/var/log/dump/usermode directory on the Security Gateway or Security Management server. The core files can be used to analyze the cause of the crash and troubleshoot the issue. The core files are named according to the process name, date, and time of the crash. For example, cpd_2023_02_03_16_40_55.core is a core file for the cpd process that crashed on February 3, 2023 at 16:40:55

The System Domain of the Postgres database is a special domain that contains the configuration data of the Security Management Server and the Log Servers. It includes information such as the trusted GUI clients, the administrators, the licenses, the global properties, and the audit logs. The System Domain is not accessible by the user and can only be modified by the Check Point processes. The user modified configurations, such as network objects, policies, and rules, are stored in the User Domain of the Postgres database. The saved queries for applications are stored in the Application Domain of the Postgres database. 

The process responsible for log indexing and text searching is solr, which is a child process of cpm. The solr process is responsible for indexing the logs and providing the search engine for SmartLog and SmartConsole. The solr process is started by the cpm process and can be monitored by the command cpwd_admin list. The solr process uses the PostgreSQL database to store the indexed data and the Lucene library to perform the text search. The solr process can be affected by various factors, such as the size and number of log files, the hardware resources, the network connectivity, and the configuration settings. If the solr process is not running correctly, the administrator may experience issues with log indexing and text searching, such as slow performance, missing logs, or incorrect results. 

The correct directory where an administrator can find vpn debug log files generated during Site-to-Site VPN troubleshooting is $FWDIR/log/. This directory contains the following files related to vpn debug:

vpnd.elg: This file contains the high-level VPN debug information, such as the VPN tunnel establishment, deletion, and negotiation messages. It can be enabled by using thevpn debug oncommand on the Security Gateway CLI.

legacy_ike.elg: This file contains the low-level IKE debug information for IKEv1, such as the IKE packets, encryption, decryption, and authentication. It can be enabled by using thevpn debug ikeoncommand on the Security Gateway CLI.

legacy_ikev2.xml: This file contains the low-level IKE debug information for IKEv2, such as the IKE packets, encryption, decryption, and authentication. It can be enabled by using thevpn debug ikev2oncommand on the Security Gateway CLI.

These files can be viewed by using thevpn debug viewcommand on the Security Gateway CLI, or by using theIKEViewtool on the Security Management Server GUI.

References:

vpn debug - Check Point Software

IKE Debug on R81 and above - Check Point CheckMates

(CCTE) - Check Point Software