Which of the following is a component of the Context Management Infrastructure used to collect signatures in user space from multiple sources, such as Application Control and IPS, and compile them together into unified Pattern Matchers?
In some scenarios it is very helpful to use advanced Linux commands for troubleshooting purposes. Which command displays information about resource utilization for running processes and shows additional information for core utilization and memory?
Answer : A
The top command is a Linux command that displays information about resource utilization for running processes and shows additional information for core utilization and memory. The top command provides a dynamic real-time view of the system, showing the processes that are consuming the most CPU, memory, and other resources. The top command also shows the total number of processes, the system load average, the uptime, and the CPU usage by user, system, and idle. The top command can be customized by using various options and interactive commands to change the display, sort the processes, filter the output, and kill processes.
The other commands are incorrect because:
B . vmstat is a Linux command that displays information about the virtual memory, CPU, disk, and system activity. It does not show information about individual processes or core utilization.
C . cptop is a Check Point command that displays information about the firewall kernel activity, such as the number of connections, packets, drops, and rejects. It does not show information about other processes or memory usage.
D . mpstat is a Linux command that displays information about the CPU utilization by each processor or core. It does not show information about processes or memory usage.
The two procedures available for debugging in the firewall kernel are:
i. fw ctl zdebug
ii. fw ctl debug/kdebug
Choose the correct statement explaining the differences between the two.
Answer : D
The correct statement explaining the differences between the two procedures for debugging in the firewall kernel is D. (i) is used for general debugging, has a small buffer and is a quick way to set kernel debug flags to get an output via command line whereas (ii) is useful when there is a need for detailed debugging and requires additional steps to set the buffer and get an output via command line.
The command fw ctl zdebug is a shortcut command that sets the kernel debug flags to a predefined value and prints the debug output to the standard output. It is useful for general debugging of common issues, such as traffic drops, NAT, VPN, or clustering. It has a small buffer size and does not require additional steps to start or stop the debugging. However, it has some limitations: it cannot be used with SecureXL, it cannot filter the output by chain modules, and it cannot save the output to a file.
The command fw ctl debug is a command that allows the administrator to set the kernel debug flags to a custom value and specify the chain modules to debug. It is useful for detailed debugging of specific issues, such as policy installation, CoreXL, or Identity Awareness. It has a larger buffer size and can save the output to a file. However, it requires additional steps to start and stop the debugging, such as setting the buffer size, clearing the buffer, dumping the buffer, and resetting the debug flags.
The command fw ctl kdebug is a command that is used in conjunction with fw ctl debug to dump the kernel debug buffer to the standard output or to a file. It is part of the procedure (ii) for detailed debugging in the firewall kernel.
The other statements are not correct or relevant for explaining the differences between the two procedures for debugging in the firewall kernel. The command fw ctl zdebug can be used to debug more than just the access control policy, and the command fw ctl debug/kdebug can be used to debug more than just the unified policy. Both commands can be used on both the Security Gateway and the Security Management Server, depending on the issue to be debugged.
You receive reports from multiple users that they cannot browse. Upon further discovery, you identify that Identity Awareness cannot identify the users properly and apply the configured Access Roles.
What commands can you use to troubleshoot all identity collectors and identity providers from the command line?
Answer : A
To troubleshoot Identity Awareness issues related to user identification and Access Role application, you need to enable debugging for both Identity Collectors (IDC) and Identity Providers (IDP). The command pdp debug set IDC all IDP all on the gateway achieves this.
Here's why this is the correct answer and why the others are not:
A . on the gateway: pdp debug set IDC all IDP all: This correctly enables debugging for all Identity Collectors and Identity Providers, allowing you to see detailed logs and messages related to user identification and Access Role assignment. This helps pinpoint issues with user mapping, authentication, or authorization.
B . on the gateway: pdp debug set AD all and IDC all: This command only enables debugging for Active Directory (AD) as an Identity Provider and all Identity Collectors. It might miss issues related to other Identity Providers if they are in use.
C . on the management: pdp debug on IDC all: This command has two issues. First, it should be executed on the gateway, not the management server, as the gateway is responsible for user identification and policy enforcement. Second, it only enables debugging for Identity Collectors, not Identity Providers.
D . on the management: pdp debug set all: While this command might seem to enable debugging for everything, it's not specific enough for Identity Awareness troubleshooting. It might generate excessive logs unrelated to the issue and make it harder to find the relevant information.
Check Point Troubleshooting Reference:
Check Point Identity Awareness Administration Guide: This guide provides detailed information about Identity Awareness components, configuration, and troubleshooting.
Check Point sk113963: This article explains how to troubleshoot Identity Awareness issues using debug commands and logs.
Check Point R81.20 Security Administration Guide: This guide covers general troubleshooting and debugging techniques, including the use of pdp debug commands.
You need to monitor traffic pre-inbound and before the VPN module in a Security Gateway. How would you achieve this using fw monitor?
Answer : B
The fw monitor command is a powerful troubleshooting tool in Check Point Gateways that captures packets at various points in the processing chain. The question asks how to capture traffic pre-inbound (before inbound processing, i.e., at the "i" inspection point) and before the VPN module (before VPN decryption or processing).
The fw monitor syntax allows specifying inspection points using options like -pi (pre-inbound) and module names (e.g., -vpn for the VPN module). The correct syntax to capture traffic before a specific module is -pi -<module>, where the module name is prefixed with a minus sign to indicate "before" the module.
Option A: Incorrect. fw monitor -p all captures packets at all inspection points in the chain, which includes pre-inbound, post-inbound, pre-outbound, and post-outbound points, as well as points around all modules. This is too broad and does not specifically target pre-inbound and before the VPN module.
Option B: Correct. fw monitor -pi -vpn captures packets at the pre-inbound inspection point ("i") and before the VPN module (-vpn). The -pi specifies the pre-inbound point, and -vpn ensures the capture occurs before VPN processing (e.g., decryption).
Option C: Incorrect. fw monitor -pi +vpn would capture packets at the pre-inbound point but after the VPN module (+vpn indicates after the module), which contradicts the requirement to capture before the VPN module.
Option D: Incorrect. This option is a duplicate of Option C in the provided question, likely a typographical error. Even if corrected, +vpn is incorrect for the same reason as Option C.
The Check Point R81.20 Gaia Administration Guide explains the fw monitor command and its options, including how to specify inspection points and module positions. The CCTE R81.20 course includes hands-on labs for using fw monitor to troubleshoot packet flow, emphasizing precise inspection point selection.
For precise details, refer to:
Check Point R81.20 Gaia Administration Guide, section on "fw monitor" (available via Check Point Support Center).
CCTE R81.20 Courseware, which covers advanced packet capture techniques with fw monitor (available through authorized training partners).