Check Point Certified Troubleshooting Expert - R81.20 (CCTE)
Exam code: Checkpoint 156-587, Version: Demo [Total Questions: 10]
Web: https://www.certsout.com/156-587-test.html

Question #:1
SmartEvent utilizes the Log Server, Correlation Unit and SmartEvent Server to aggregate logs and identify security events. The three main processes that govern these SmartEvent components are:
A. cpcu, cplog, cpse
B. eventiasv, eventiarp, eventiacu
C. cpsemd, cpsead, and DBSync
D. fwd, secu, sesrv
Answer: C
Explanation
SmartEvent is Check Point's security event management solution. The Log Server receives logs from the gateways, the Correlation Unit reads those logs and matches them against the Event Policy, and the SmartEvent Server stores the resulting events and serves them to SmartConsole. The user-space daemons behind these components are:
cpsemd: the SmartEvent Server daemon. It manages the events database and answers SmartEvent queries, views and reports from SmartConsole.
cpsead: the Correlation Unit daemon. It reads logs from the Log Server, runs the correlation (Event Policy) rules over them and generates events, which it forwards to the SmartEvent Server.
DBSync: synchronizes object data from the Security Management Server (network objects, rule names and similar) into the SmartEvent database, so that events and the Event Policy can refer to them.
Option B lists names that are not Check Point daemons, and options A and D mix a real process name (fwd) with non-existent ones. The quickest check on a SmartEvent machine is cpwd_admin list, where CPSEMD and CPSEAD should appear in state E (executing) with a low restart count.
References:
1. SmartEvent R81.10 Administration Guide: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_AdminGuide/html_frameset.htm
2. SmartEvent R81.10 Administration Guide, SmartEvent Components: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_AdminGuide/Content/Topics-SmartEvent/SmartEvent-Components.htm
3. sk97638, Check Point Processes and Daemons: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk97638

Question #:2
What is the kernel process for Content Awareness that collects the data from the contexts received from the CMI and decides if the file is matched by a data type?
A. cntawmod
B. cntmgr
C. dlpda
D. dlpu
Answer: A
Explanation
cntawmod is the Content Awareness kernel module. It receives the contexts that the CMI (Context Management Infrastructure) extracts from the inspected connection, such as the file type, the extracted content and the direction of transfer, and decides whether the file matches a data type used in the Access Control policy. cntmgr is the Content Awareness user-space process, not a kernel component, and dlpda and dlpu are user-space daemons of the Data Loss Prevention blade.

Question #:3
What does CMI stand for in relation to the Access Control Policy?
A. Context Manipulation Interface
B. Context Management Infrastructure
C. Content Management Interface
D. Content Matching Infrastructure
Answer: B
Explanation
CMI stands for Context Management Infrastructure. It is the inspection infrastructure in the Security Gateway kernel that loads the parsers and protections of the Software Blades (Application Control, URL Filtering, Content Awareness, IPS and others) and extracts contexts from the traffic: the application, the URL, the file type, the user identity and similar attributes of a connection. Those contexts are handed to the Unified Policy rule base, which can then match a single Access Control rule on all of them at once and re-match as more context becomes available during the connection. In sk120964 (ATRG: Unified Policy) the blades that supply this classification data are called classifiers and are described as "CMI_LOADER applications". CMI is therefore not a rule base of its own but the mechanism through which context reaches the rule base; the "Manipulation", "Content Management" and "Content Matching" expansions are distractors.

Question #:4
In some scenarios it is very helpful to use advanced Linux commands for troubleshooting purposes. Which command displays information about resource utilization for running processes and shows additional information for core utilization and memory?
A. top
B. vmstat
C. cptop
D. mpstat
Answer: A
Explanation
top gives a dynamic, real-time view of the system: the processes consuming the most CPU and memory, the total number of tasks, the load average, the uptime, and CPU time split into user, system, idle, I/O wait and the other states. Pressing 1 inside top expands the CPU summary to one line per core, which on a gateway shows whether a single fw_worker or SND core is saturated while the others sit idle. top can be customized with command-line options and interactive keys to change the display, sort or filter the process list and signal processes; top -b -n 1 produces one non-interactive snapshot that can be captured to a file.
The other commands are incorrect because:
B. vmstat reports virtual memory, paging, block I/O, interrupts, context switches and aggregate CPU activity. It does not show individual processes or per-core utilization.
C. cptop is not a documented Gaia or Linux utility and serves as a distractor here; the Check Point tool that gives a real-time overview of CPU, memory, connections and blade activity is cpview, and kernel-level statistics come from fw ctl pstat. Neither lists processes the way top does.
D. mpstat reports CPU utilization per processor or core (mpstat -P ALL). It does not show processes or memory usage.
References: top(1), vmstat(8) and mpstat(1) Linux manual pages.

Question #:5
When debugging is enabled on the firewall kernel module using the 'fw ctl debug' command with the required options, many debug messages are provided by the kernel that help the administrator to identify issues. Which of the following is true about these debug messages generated by the kernel module?
A. Messages are written to the /etc/dmesg file
B. Messages are written to a buffer and collected using 'fw ctl kdebug'
C. Messages are written to $FWDIR
D. Messages are written to the console and also to the /var/log/messages file
Answer: B
Explanation
fw ctl debug writes nothing to disk by itself. The kernel places the debug messages in a ring buffer in kernel memory, whose size is set with fw ctl debug -buf <size in KB> and which must be allocated before the module flags are set; fw ctl kdebug reads that buffer from user space, and fw ctl kdebug -T -f > /var/log/debug.txt drains it continuously, with timestamps, into a file of your choosing. A buffer that is too small is overwritten before it is read, so missing messages usually mean a larger -buf value is needed. fw ctl zdebug is a shortcut that does the same with a fixed 1024 KB buffer for a single set of flags. Kernel debugging adds noticeable CPU load, so finish with fw ctl debug 0, which clears all flags and releases the buffer.

Question #:6
You were asked by the security team to debug Mobile Access VPN. What processes will you debug?
A. HTTPD and CVPND
B. IKED
C. VPND and IKED
D. SNX daemon
Answer: A
Explanation
Mobile Access (the SSL VPN portal) is served by the Apache-based httpd together with the Mobile Access daemon cvpnd (controlled with cvpnd_admin), so those are the processes to debug. vpnd and iked implement IPsec VPN (IKE negotiation and tunnel management) and are the right targets for site-to-site or Remote Access IPsec problems, not for portal issues. SNX (SSL Network Extender) is the client delivered through the portal; its gateway side is handled by cvpnd, so there is no separate SNX daemon to debug.

Question #:7
Which of these packet processing components stores Rule Base matching state-related information?
A. Classifiers
B. Manager
C. Handlers
D. Observers
Answer: C
Explanation
Check Point's Unified Policy architecture, described in sk120964 (ATRG: Unified Policy, relevant for R81.20), separates the packet processing components as follows:
Connection/Transaction: the logical entity that "saves rulebase matching state and classification objects (CLOBs)".
Manager: the "mediator between other components. Responsible for the whole rulebase execution process. Creates connection/transactions, as required. Sends logs."
Classifiers: "CMI_LOADER applications" (Network, Identity, Application Control and so on) that produce the CLOBs used in matching.
Observers: "an Observer is a unit collecting CLOBs for classification refinement."
Handlers are the components that take a connection or transaction through policy enforcement; the per-connection matching state, kept in the Connection/Transaction object that the Manager creates, is held and updated by them as new CLOBs arrive and rule base matching resumes. The Manager only orchestrates, and Classifiers and Observers only supply and refine classification data, so of the four options Handlers are the packet processing components that store Rule Base matching state, which is also the answer CCTE preparation material gives for this question.
Reference: Check Point Support Center sk120964, ATRG: Unified Policy (last modified 2024-12-29).

Question #:8
What is NOT monitored as a PNOTE by ClusterXL?
A. TED
B. Policy
C. RouteD
D. VPND
Answer: A
Explanation
ClusterXL is Check Point's high availability and load sharing solution. A PNOTE (Problem Notification) is a named critical device that each cluster member monitors; when a device reports a problem, the member's state changes (for example from Active to Down) and, in High Availability mode, the other member takes over. The built-in and registered devices are listed by cphaprob -l list (or cphaprob list), and the member states by cphaprob state.
Option A: Correct. TED (the Threat Emulation daemon) belongs to the Threat Emulation blade, which submits files for sandboxing; it is not registered as a ClusterXL critical device, so its failure does not by itself cause a failover.
Option B: Incorrect. Policy is a registered PNOTE. It reports a problem while the member has no security policy loaded, for instance during policy installation or after fw unloadlocal, so that traffic is not handled by a member that is running without its policy.
Option C: Incorrect. routed (the Gaia routing daemon) is a registered PNOTE. When dynamic routing is in use, loss of the routing daemon means the member can no longer maintain its routes, so ClusterXL treats it as a failure condition.
Option D: Incorrect. VPND (the VPN daemon) is a registered PNOTE, because the VPN tunnels terminated on the cluster depend on it staying up.
The Check Point R81.20 ClusterXL Administration Guide lists the critical devices that ClusterXL monitors as PNOTEs, including policy installation, routing (routed) and VPN (VPND).
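The PNOTE check described above, as an added example that is not part of the original exam material and not Check Point's own code: a small parser for the output of cphaprob -l list that reports every device whose state is not OK. The sample text is constructed in the shape of that command's output (one device deliberately set to "problem") and is not captured from a real cluster; the cphaprob register/report/unregister lines in the trailing comment are the documented way to add a custom PNOTE.

```shell
#!/bin/sh
# Added example, not Check Point code: detect ClusterXL PNOTEs in "problem"
# state from the output of "cphaprob -l list".

# Constructed sample in the shape of "cphaprob -l list" output (not captured
# from a real cluster); the routed device has been set to "problem".
SAMPLE_CPHAPROB_LIST='Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 3721.4 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 3719.2 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: problem
Time since last report: 12.7 sec

Device Name: VPND
Registration number: 3
Timeout: none
Current state: OK
Time since last report: 3718.9 sec'

# pnote_problems: read cphaprob -l list text on stdin and print one line per
# device whose state is not OK, as "<device>=<state>". Returns 1 if any found.
pnote_problems() {
    awk '
        /^Device Name:/   { sub(/^Device Name:[ \t]*/, ""); dev = $0 }
        /^Current state:/ {
            sub(/^Current state:[ \t]*/, "")
            if ($0 != "OK") { printf "%s=%s\n", dev, $0; bad++ }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# pnote_problem_count: number of non-OK devices in the text passed as $1.
pnote_problem_count() {
    printf '%s\n' "$1" | pnote_problems | wc -l | tr -d ' '
}

# Stand-alone run on the constructed sample.
if printf '%s\n' "$SAMPLE_CPHAPROB_LIST" | pnote_problems; then
    echo "all PNOTEs OK"
else
    echo "at least one PNOTE is in problem state; this member will not stay Active"
fi

# On a cluster member, pipe the live command instead:
#   cphaprob -l list | pnote_problems
# A custom health check can register its own PNOTE and flip it; reporting
# "problem" on the Active member triggers a failover:
#   cphaprob -d MyCheck -t 0 -s ok register
#   cphaprob -d MyCheck -s problem report
#   cphaprob -d MyCheck unregister
```

The parser keys on the "Device Name:" and "Current state:" labels only, so it works for both the built-in and the registered device sections; anything other than OK (problem, init) is reported.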
The CCTE R81.20 course covers ClusterXL troubleshooting, including PNOTEs and their role in failover decisions. TED is part of Check Point's Threat Prevention suite but is not listed as a PNOTE in the ClusterXL documentation. For details, refer to the Check Point R81.20 ClusterXL Administration Guide, section "Problem Notification (PNOTE)" (available via the Check Point Support Center), and the CCTE R81.20 courseware modules on ClusterXL monitoring and troubleshooting (available through authorized training partners).

Question #:9
Captive Portal, PDP and PEP run in what space?
A. User
B. CPM
C. FWD
D. Kernel
Answer: A
Explanation
Identity Awareness runs its components as user-space processes on the gateway: pdpd (the PDP, Policy Decision Point, which acquires identities from AD Query, Identity Collector, Captive Portal logins and the other identity sources) and pepd (the PEP, Policy Enforcement Point, which receives identities from a PDP and enforces the identity-based rules). The Captive Portal itself is a web portal served by the gateway's httpd-based portal infrastructure, also in user space. The kernel only consumes the identity tables these processes maintain; CPM and FWD are daemons in their own right, not execution spaces.

Question #:10
An administrator receives reports about issues with log indexing and text searching on an existing Management Server. In trying to find a solution she wants to check if the process responsible for this feature is running correctly. What is true about the related process?
A. cpd needs to be restarted manually to show in the list
B. fwm manages this database after initialization of the ICA
C. solr is a child process of cpm
D. fwssd crashes can affect it and therefore it does not show in the list
Answer: C
Explanation
The process responsible for log indexing and text searching is solr, which is a child process of cpm. solr indexes the logs received by the Management Server (or a dedicated Log Server) and provides the search engine behind the Logs view in SmartConsole and SmartLog; it is built on the Apache Lucene library and keeps its own index files, whereas PostgreSQL is the database cpm uses for the management objects. Because cpm starts solr, a cpm that is down or still initializing means no indexing at all, and an unhealthy solr shows up as slow searches, missing recent logs or incomplete results. Check with cpwd_admin list that CPM is in state E with a low restart count, confirm that solr is running as a child of cpm with ps -ef | grep solr, and keep in mind that indexing load grows with the number and size of log files and depends on the hardware resources, network connectivity and configuration of the server.
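The kernel debug workflow from Question 5, as an added example that is not part of the original exam material and not Check Point's own code. fw_kernel_debug wraps the documented sequence (fw ctl debug 0, fw ctl debug -buf, fw ctl debug -m ... +, fw ctl kdebug -T -f, fw ctl debug 0) and only does anything where the fw binary exists; the summarizer below it counts the drop messages such a session produces. The sample lines are constructed in the shape of fw ctl zdebug + drop / fw ctl kdebug drop output and are not captured from a real gateway.

```shell
#!/bin/sh
# Added example, not Check Point code: the kernel debug workflow behind
# "fw ctl debug" / "fw ctl kdebug" (Question 5), plus a summary of the drop
# messages such a session collects.

# fw_kernel_debug OUTFILE MODULE "FLAGS" [SECONDS]
# Runs a timed kernel debug session on a Security Gateway and drains the
# kernel debug buffer into OUTFILE. Skipped (status 2) where fw is absent.
fw_kernel_debug() {
    out="$1"; module="$2"; flags="$3"; seconds="${4:-30}"
    command -v fw >/dev/null 2>&1 || { echo "fw not in PATH; not a gateway" >&2; return 2; }
    fw ctl debug 0                        # clear any previous flags and buffer
    fw ctl debug -buf 32000               # allocate the kernel ring buffer (KB) first
    fw ctl debug -m "$module" + $flags    # e.g. module fw, flags "conn drop"
    fw ctl kdebug -T -f > "$out" &        # user-space reader with timestamps
    reader=$!
    sleep "$seconds"                      # reproduce the problem meanwhile
    kill "$reader" 2>/dev/null
    fw ctl debug 0                        # always switch debug off afterwards
}
# Usage on a gateway: fw_kernel_debug /var/log/debug.txt fw "conn drop" 30

# Constructed sample in the shape of "fw ctl zdebug + drop" / "fw ctl kdebug"
# drop lines (not captured from a real gateway).
SAMPLE_KDEBUG='@;4711;21Jun2024 10:15:01.000101;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=6 192.0.2.10:51234 -> 198.51.100.20:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
@;4712;21Jun2024 10:15:01.000412;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 192.0.2.11:40001 -> 198.51.100.21:53 dropped by fw_antispoof_log_drop Reason: Address spoofing;
@;4713;21Jun2024 10:15:01.000977;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=6 192.0.2.10:51235 -> 198.51.100.20:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
@;4714;21Jun2024 10:15:02.113004;[cpu_2];[fw4_2];fw_log_drop_ex: Packet proto=6 192.0.2.12:51900 -> 198.51.100.22:22 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 3;
@;4715;21Jun2024 10:15:02.118332;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 192.0.2.11:40002 -> 198.51.100.21:53 dropped by fw_antispoof_log_drop Reason: Address spoofing;
@;4716;21Jun2024 10:15:02.204871;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=6 192.0.2.10:51236 -> 198.51.100.20:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;'

# drop_summary: read debug output on stdin and count drops per reason and
# dropping function, most frequent first: "<count><TAB><reason> (<function>)".
drop_summary() {
    awk '
        match($0, /dropped by [^ ]+ Reason: /) {
            fn = substr($0, RSTART + 11, RLENGTH - 11)   # "<function> Reason: "
            sub(/ Reason: $/, "", fn)
            reason = substr($0, RSTART + RLENGTH)       # text after "Reason: "
            sub(/;[ \t]*$/, "", reason)
            n[reason " (" fn ")"]++
        }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' | sort -rn
}

# drop_top_reason TEXT: the most frequent "<reason> (<function>)" in TEXT.
drop_top_reason() { printf '%s\n' "$1" | drop_summary | head -n 1 | cut -f2; }

# drop_count TEXT: total number of drop messages in TEXT.
drop_count() { printf '%s\n' "$1" | drop_summary | awk -F'\t' '{ s += $1 } END { print s + 0 }'; }

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_KDEBUG" | drop_summary
```

The buffer is allocated before the module flags are set and cleared unconditionally at the end, which is the part of the procedure most often skipped when debugging by hand; the summary groups by reason and dropping function so that a flood of "Rulebase drop - rule N" lines points at the rule and the inspection stage in one glance.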