Pass the Checkpoint CCTE 156-587 Questions and answers with CertsForce

 One possible solution to solve the issue of having a very large file that is difficult to open and analyze with standard text editors is to divide the debug information into smaller files. This can be done by using the fw ctl kdebug command with the -f, -o, -m, and -s options. The -f option means to write the debug output to a file instead of the screen. The -o option specifies the name of the output file. The -m option sets the maximum number of files to be created. The -s option sets the maximum size of each file in KB. For example, the command fw ctl kdebug -f -o debug -m 25 -s 1024 will create up to 25 files named debug.0, debug.1, …, debug.24, each with a maximum size of 1024KB. This way, the debug information can be split into more manageable chunks that can be opened and analyzed more easily with standard text editors.

When a Security Gateway performs a URL lookup and the URL is not found in the local caches, a request for online categorization is necessary. This process involves the Resource Advisor Daemon (RAD), which has components in both kernel space and user space.

Based on descriptions of the URL Filtering categorization process (often cited in CCTE R81.20 materials):

A client (internal component, potentially the URLF Kernel Client or a similar kernel module handling the traffic) initiates a URL lookup.

The URL is first checked against kernel caches.

If the URL is not found in the kernel cache (a cache miss), the RAD kernel component is notified.

The client component then typically sends an asynchronous request to the RAD kernel component.

The RAD Kernel Space component is then responsible for forwarding this request to the RAD User Space module.

The RAD User Space module handles the actual online categorization, often by querying the URLF Online Service (Check Point's cloud-based categorization service).

The result is then returned, and the kernel cache is updated.

The question asks where the sync-request (or a request requiring immediate online lookup) is forwarded from. In this flow, the RAD Kernel Space acts as the intermediary that forwards the request from the initial kernel-level lookup mechanism to the user-space RAD process for further handling.

Supporting Information (derived from CCTE R81.20 related materials/discussions):

The typical flow for URL categorization when an online lookup is needed involves these steps:

"The kernel cache notifies the RAD kernel of hits and misses."

"The client sends an a-sync request back to RAD if the URL was not found." (This request goes to the RAD Kernel Space).

"The a-sync request is forwarded to the RAD User space via the RAD kernel for online categorization."

This indicates that the RAD Kernel (RAD Kernel Space) is the component that forwards the request to the RAD User Space.

Therefore, if a sync-request (a request needing immediate online lookup) is required, it is forwarded from the RAD Kernel Space to the RAD User Space.

Reference Context (based on CCTE R81.20 materials and general Check Point URL Filtering architecture):

Discussions and explanations related to Check Point Certified Troubleshooting Expert (CCTE) R81.20 curriculum often detail this RAD architecture. For example, study materials might state: "RAD has a kernel module that looks up the kernel cache, notifies client about hits and misses and forwards a-sync requests to RAD user space module which is responsible for online categorization." The 1 "RAD kernel module" corresponds to the RAD Kernel Space, and it is this component that performs the forwarding action to the RAD User Space.(Exact page numbers like "CCTE R81.20, p338/339" have been referenced in public CCTE exam discussions pointing to this flow)

The cpwd_admin list command is used to display the status of processes monitored by the Check Point WatchDog Daemon (CPWD). The CPM (Check Point Management) process is a core process on the Security Management Server, responsible for management operations. However, on aSecurity Gateway, the CPM process is not typically present, as it is specific to management functions.

Option A: Correct. The output of cpwd_admin list differs between a Security Gateway and a Security Management Server. On a Security Gateway, processes like FWD, VPND, and PEP are monitored, but CPM is not present because it runs on the Management Server. Thus, CPM will not appear in the cpwd_admin list output on a Gateway.

Option B: Incorrect. While it’s true that CPM is not running on the Security Gateway, the reason it’s not listed is not because it “can’t be monitored” by CPWD. On a Management Server, CPM is indeed monitored by CPWD, but this question pertains to a Gateway.

Option C: Incorrect. CPM is automatically monitored by CPWD on systems where it runs (e.g., Management Server). There is no need to manually add it to WatchDog’s monitoring list.

Option D: Incorrect. CPM does not have its own separate monitoring system. On a Management Server, CPM is monitored by CPWD like other critical processes. The statement about “only lower processes” being monitored is inaccurate.

 The CpmiHostCkp table in the Postgres database contains the data for CPMI objects, such as gateways, clusters, and servers. The table column that should be selected to query for the object instance is the objid column, which is the primary key of the table and uniquely identifies each object. The objid column can be used to join with other tables that reference CPMI objects, such as CpmiClusterMember, CpmiCluster, and CpmiServer. The objid column can also be used to retrieve the object name, IP address, type, and other attributes from the CpmiHostCkp table itself. References:

Check Point Database Tool (GuiDBedit Tool) - Section: How to use the Check Point Database Tool (GuiDBedit Tool) - Subsection: How to view the data in the database

Check Point Certified Troubleshooting Expert (CCTE) - Exam Topics - Module 6: Advanced Management Server Troubleshooting

[Check Point R81 Database Schema] - Section: CPMI Tables - Subsection: CpmiHostCkp Table

CMI stands for Context Management Infrastructure, which is a component of the Access Control Policy that enables the Security Gateway to inspect traffic based on the context of the connection. Context includes information such as user identity, application, location, time, and device. CMI allows the Security Gateway to apply different security rules and actions based on the context of the traffic, and to dynamically update the context as it changes. CMI consists of three main elements: Unified Policy, Identity Awareness, and Content Awareness. 

The ADLOG function receives the AD log event information from the Domain Controllers. The ADLOG function is part of the Identity Awareness feature that enablesthe Security Gateway to identify users and machines in the network and enforce Access Control policy rules based on their identities. The ADLOG function uses the AD Query (ADQ) method to connect to the Active Directory Domain Controllers using WMI and subscribe to receive Security Event logs that are generated when users perform login. The ADLOG function then extracts the user and machine information that maps to an IP address from the event logs and sends it to the PEP function, which enforces the policy based on the identity information.