Checkpoint 156-587 - Check Point Certified Troubleshooting Expert - R81.20 (CCTE)

A core dump file is essentially a snapshot of the process's memory at the time of the crash. This snapshot includes crucial information that can help diagnose the cause of the crash. Here's why all the options are relevant:

i. Program Counter:This register stores the address of the next instruction the CPU was supposed to execute. It pinpoints exactly where in the code the crash occurred.

ii. Stack Pointer:This register points to the top of the call stack, which shows the sequence of function calls that led to the crash. This helps trace the program's execution flow before the crash.

iii. Memory management information:This includes details about the process's memory allocations, which can reveal issues like memory leaks or invalid memory access attempts.

iv. Other Processor and OS flags/information:This encompasses various registers and system information that provide context about the state of the processor and operating system at the time of the crash.

By analyzing this information within the core dump, you can often identify the root cause of the crash, such as a segmentation fault, null pointer dereference, or stack overflow.

Check Point Troubleshooting References:

While core dumps are a general concept in operating systems, Check Point's documentation touches upon them in the context of troubleshooting specific processes like fwd (firewall) or cpd (Check Point daemon). The fw ctl zdebug command, for example, can be used to trigger a core dump of the fwd process for debugging purposes.

The Application Database on a Check Point Security Gateway stores information about applications and categories used by the Application Control and URL Filtering blades. This database is maintained in specific files on the Gateway.

Option A: Incorrect. api_db.C and api_custom_db.C are not standard files related to the Application Database. These names may be confused with API-related configurations.

Option B: Incorrect. apcl_db.C and apd_custom_db.C are not recognized as Application Database files. These names do not align with Check Point’s file naming conventions.

Option C: Correct. The Application Database is stored in application_db.C (the main database) and application_custom_db.C (custom application definitions). These files are located in the $FWDIR/conf directory on the Security Gateway.

Option D: Incorrect. appi_db.C and appi_custom_db.C are close but incorrect. The correct prefix is application_, not appi_.

When a process isfrozen(hung or unresponsive), the typical method to resolve it is tokill the process. On Check Point, you can use cpwd_admin kill -name or a standard Linux kill -9 command if necessary. You then allowCPWD(the Check Point watchdog) to restart it, or manually restart it if needed.

Other options:

A. Power off the machine: This is too drastic and not recommended just for a single frozen process.

B. Restart the process: While this sounds viable, you typicallymust killthe frozen process first, then let WatchDog or an admin restart it.

C. Reboot the machine: Similar to powering off—too disruptive for just one stuck process.

Hence, the most direct and standard approach:

“Kill the process.”

Check Point Troubleshooting References

sk97638– Explanation of CPWD (Check Point WatchDog) and how to manage processes.

sk43807– How to gracefully stop or kill a Check Point process.

Check Point CLI Reference Guide– Details on using cpwd_admin commands to kill or restart processes.

The process responsible for log indexing and text searching is solr, which is a child process of cpm. The solr process is responsible for indexing the logs and providing the search engine for SmartLog and SmartConsole. The solr process is started by the cpm process and can be monitored by the command cpwd_admin list. The solr process uses the PostgreSQL database to store the indexed data and the Lucene library to perform the text search. The solr process can be affected by various factors, such as the size and number of log files, the hardware resources, the network connectivity, and the configuration settings. If the solr process is not running correctly, the administrator may experience issues with log indexing and text searching, such as slow performance, missing logs, or incorrect results. 

 = The RFL process is the Remote File Log process that is responsible for transferring logs from the Security Gateway to the Security Management Server1. If the RFL process is with status T, it means that it is terminated and not running2. This could explain why the logs are not seen in the SMS. To resolve this issue, one possible command to run is smartlog_server stop and smartlog_server restart3. This command will stop and restart the SmartLog server, which is the process that indexes and displays the logs in the SmartConsole. By restarting the SmartLog server, it may also restart the RFL process and resume the log transfer. Alternatively, one can also try to restart the RFL process directly by running cpwd_admin stop -name RFL and cpwd_admin start -name RFL. References: Check Point Processes and Daemons, sk97638 - Check Point Processes and Daemons, sk144192 - How to restart SmartLog server, [sk98348 - SmartLog / SmartView server functionality], [sk97638 - Check Point Processes and Daemons]

The doctor-log script is a tool that provides information about the logging system and helps to identify and troubleshoot common issues. The script runs automatically every night and generates a report that contains the following information:

Current and daily average logging rates: This shows how many logs are being generated and received by the log server per second. It can help to monitor the logging performance and identify any spikes or drops in the logging rate.

Indexing status: This shows the status of the log indexing process, which enables faster and more efficient log searches. It can help to identify any issues with the indexing system, such as delays, failures, or errors.

Size: This shows the size of the log files and the disk space used by the logging system. It can help to manage the disk space and plan for log rotation and backup.

The doctor-log script also provides some troubleshooting tips and repair options for common logging issues, such as corrupted log files, missing log indexes, or low disk space. The script can be run manually or scheduled to run at a specific time. The script output can be viewed in the SmartConsole or in the log server file system.