Free 156-585 Sample Questions — Check Point Certified Troubleshooting Expert

The two procedures available for debugging in the firewall kernel are: i. fw ctl zdebug ii. fw ctl debug/kdebug Choose the correct statement explaining the difference in the two.

• A. (i) Is used for general debugging, has a small buffer and is a quick way to set kernel debug flags to get an output via command line whereas (ii) is useful when there is a need for detailed debugging and requires additional steps to set the buffer and get an output via command line
• B. (i) is used to debug the access control policy only, however (ii) can be used to debug a unified policy
• C. (i) is used to debug only issues related to dropping traffic, however (ii) can be used for any firewall issue including NATing, clustering etc
• D. (i) is used on a Security Gateway, whereas (ii) is used on a Security Management Server

The customer is using Check Point appliances that were configured long ago by third-party administrators. Current policy includes different enabled IPS protections and Bypass Under Load function. Bypass Under Load is configured to disable IPS inspections of CPU and Memory usage is higher than 80%. The Customer reports that IPS protections are not working at all regardless of CPU and Memory usage. What is the possible reason of such behavior?

• A. The kernel parameter ids_assume_stress is set to 0
• B. The kernel parameter ids_assume_stress is set to 1
• C. The kernel parameter ids_tolerance_no_stress is set to 10
• D. The kernel parameter ids_tolerance_stress is set to 10

For TCP connections, when a packet arrives at the Firewall Kernel out of sequence or fragmented, which layer of IPS corrects this to allow for proper inspection?

• A. Passive Streaming Library
• B. Protections
• C. Protocol Parsers
• D. Context Management

Rules within the Threat Prevention policy use the Malware database and network objects. Which directory is used for the Malware database?

• A. $FWDIR/conf/install_manager_tmp/ANTIMALWARE/conf/
• B. $CPDIR/conf/install_manager_tmp/ANTIMALWARE/conf/
• C. $FWDIR/conf/install_firewall_tmp/ANTIMALWARE/conf/
• D. $FWDIR/log/install_manager_tmp/ANTlMALWARE/log/

If IPS protections that prevent SecureXL from accelerating traffic, such as Network Quota, Fingerprint Scrambling, TTL Masking etc, have to be used, what is recommended practice to enhance the performance of the gateway?

• A. Use the IPS exception mechanism
• B. Disable all such protections
• C. Disable SecureXL and use CoreXL
• D. Upgrade the hardware to include more Cores and Memory

When a User Mode process suddenly crashes, it may create a core dump file. Which of the following information is available in the core dump and may be used to identify the root cause of the crash? i. Program Counter ii. Stack Pointer iii. Memory management information iv. Other Processor and OS flags / information

• A. i, ii, iii and iv
• B. i and ii only
• C. iii and iv only
• D. Only iii

If the cpsemd process of SmartEvent has crashed or is having trouble to coming up, then it usually indicates that _______________.

• A. Postgres database is down
• B. Cpd daemon is unable to connect to the log server
• C. The SmartEvent core on the Solr indexer has been deleted
• D. The logged in administrator does not have permissions to run SmartEvent

Where do Protocol parsers register themselves for IPS?

• A. Passive Streaming Library
• B. Other handlers register to Protocol parser
• C. Protections database
• D. Context Management Infrastructure

VPN issues may result from misconfiguration, communication failure, or incompatible default configurations between peers. Which basic command syntax needs to be used for troubleshooting Site-to-Site VPN issues?

• A. vpn debug truncon
• B. fw debug truncon
• C. cp debug truncon
• D. vpn truncon debug

What are the maximum kernel debug buffer sizes, depending on the version?

• A. 8MB or 32MB
• B. 8GB or 64GB
• C. 4MB or 8MB
• D. 32MB or 64MB

What is the best way to resolve an issue caused by a frozen process?

• A. Reboot the machine
• B. Restart the process
• C. Kill the process
• D. Power off the machine

When a User process or program suddenly crashes, a core dump is often used to examine the problem. Which command is used to enable the core-dumping via GAIA clish?

• A. set core-dump enable
• B. set core-dump per_process
• C. set user-dump enable
• D. set core-dump total

To check the current status of hyper-threading, which command would you execute in expert mode?

• A. cat /proc/hypert_status
• B. cat /proc/smt_status
• C. cat /proc/hypert_stat
• D. cat /proc/smt_stat

Your users have some issues connecting Mobile Access VPN to the gateway. How can you debug the tunnel establishment?

• A. in the file $CVPNDIR/conf/httpd.conf change the line loglevel .. To LogLevel debug and run cvpnrestart
• B. run vpn debug truncon
• C. run fw ctl zdebug -m sslvpn all
• D. in the file $VPNDIR/conf/httpd.conf the line Loglevel .. To LogLevel debug and run vpn restart

You are trying to establish a VPN tunnel between two Security Gateways but fail. What initial steps will you make to troubleshoot the issue?

• A. capture traffic on both tunnel members and collect debug of IKE and VPND daemon
• B. capture traffic on both tunnel members and collect kernel debug for fw module with vm, crypt, conn and drop flags, then collect debug of IKE and VPND daemon
• C. collect debug of IKE and VPND daemon and collect kernel debug for fw module with vm, crypt, conn and drop flags
• D. capture traffic on both tunnel members and collect kernel debug for fw module with vm, crypt, conn and drop flags

You are running R80.XX on an open server and you see a high CPU utilization on your 12 CPU cores. You now want to enable Hyperthreading to get more cores to gain some performance. What is the correct way to achieve this?

• A. Hyperthreading is not supported on open servers, on Check Point Appliances
• B. Just turn on HAT in the bios of the server and boot it
• C. Just turn on HAT in the bios of the server and after it was booted enable it in cpconfig
• D. in clish run set HAT on

You need to run a kernel debug over a longer period of time as the problem occurs only once or twice a week. Therefore, you need to add a timestamp to the kernel debug and write the output to a file but you can’t afford to fill up all the remaining disk space and you only have 10 GB free for saving the debugs. What is the correct syntax for this?

• A. fw ctl kdebug -T -f -m 10 -s 1000000 -o debugfilename
• B. fw ctl kdebug -T -f -m 10 -s 1000000 > debugfilename
• C. fw ctl kdebug -T -m 10 -s 1000000 -o debugfilename
• D. fw ctl debug -T -f -m 10 -s 1000000 -o debugfilename

Which of the following daemons is used for Threat Extraction?

• A. scrubd
• B. extractd
• C. tex
• D. tedex

How does the URL Filtering Categorization occur in the kernel? 1. RAD provides the status of the search to the client. 2. The a-sync request is forwarded to the RAD User space via the RAD kernel for online categorization. 3. The online detection service responds with categories and the kernel cache is updated. 4. The kernel cache notifies the RAD kernel of hits and misses. 5. URL lookup initiated by the client. 6. URL lookup occurs in the kernel cache. 7. The client sends an a-sync request back to RAD If the URL was not found.

• A. 5, 6, 7, 1, 3, 2, 4
• B. 5, 6, 2, 4, 1, 7, 3
• C. 5, 6, 4, 1, 7, 2, 3
• D. 5, 6, 3, 1, 2, 4, 7

What is the main SecureXL database for tracking acceleration status of traffic?

• A. cphwd_db
• B. cphwd_tmp1
• C. cphwd_dev_conn_table
• D. cphwd_dev_identity_table