Check Point Certified Security Master - Topic 2 - Chain Modules

In this second article, I'll solve the questions of the second topic of the CCSM certification: Chain Modules!

Those questions are available in the CCSM Study Guide.

ENJOY!


What does the IP Options Strip represent in the fw chain output?

The IP Options Strip removes the IP options from the packet header before the packet is passed to the other kernel functions.


How would you explain the fw ctl chain command?

fw ctl chain shows all active chains in the Security Gateway, as shown below:

Source 0 - sk98799 - Kernel Debug
Further Reading - CP R76 Gaia WebAdmin - Very good documentation about fw ctl


What command shows which firewall chain modules are active on a gateway?

According to the same sk98799 - Kernel Debug above:

To see all active chains in the Security Gateway, run: fw ctl chain

Further Reading - CP R76 Gaia WebAdmin - Very good documentation about fw ctl


Why should fw debug commands always be followed by an "off" parameter after capturing troubleshooting data?

Because if the debug is not turned off, the system will keep generating debug output. This can crash the system due to high CPU load or disk consumption.

You can see the right procedure to fully debug the kernel in sk98799.


What flag option(s) must be used to dump the complete table in friendly format, assuming the connections in the table are more than 100?

fw tab can help us here, as in sk65133:

The usage of fw tab is:

The flag -f is explained above.
The flag -u means an unlimited number of entries (without it, the output is limited to 100 entries). You can use -m to set the maximum number of entries instead.

So, the right answer to this question is:

fw tab -t connections -f -u

Source: sk65133 - Connections Table Format


Which directory contains the URL Filtering engine update info?

The directory is: $FWDIR/appi/update

If you want to check the update status, take a look at the $FWDIR/appi/update/Version file:

Source 0: sk112249 - Best Practices - Application Control - Ensuring the Gateway Receives Online Updates


What table is used to contain the URLF cache values for URL Filtering in the Cloud in R75 and above?

sk90422 - How to modify URL Filtering cache size? explains how to change the cache size.

So, the table is: urlf_cache_table


What command would you issue in order to show all the chains through which traffic passed?

fw monitor -e "accept;" -p all

Source: sk30583 - What is FW Monitor?


Which commands will properly set the debug level to maximum and then run a policy install in debug mode for the policy Standard on gateway A-GW from an R77 Gaia Management Server?

As in sk112824:

First, to increase the debug level, you can do:
export TDERROR_ALL_ALL=5

and then, install the policy Standard on Gateway A-GW:

fwm -d load Standard A-GW

You can do it in a single line:

export TDERROR_ALL_ALL=5; fwm -d load Standard A-GW

Don't forget to disable the debug mode with:

unset TDERROR_ALL_ALL

Also unset any other variables you used for the debug, for example:
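A small wrapper for the enable/run/disable sequence above, so the debug variable is always cleared afterwards even when the command fails. This is an added example, not from the study guide or from Check Point; debug_run and debug_is_off are hypothetical helper names, and the real call would be debug_run fwm -d load Standard A-GW on the management server.

```shell
#!/bin/sh
# Added example: run one command with TDERROR_ALL_ALL=5 and turn the debug
# off again no matter how the command ends. Assumes a shell on a Check Point
# management server when used for real; the stand-in command below only
# shows that the wrapped command sees the debug level.

debug_run() {
    # usage: debug_run <command> [args...]
    # Returns the exit status of the wrapped command.
    export TDERROR_ALL_ALL=5
    # Safety net: if we are interrupted mid-run, still unset the variable.
    trap 'unset TDERROR_ALL_ALL' INT TERM
    "$@"
    status=$?
    # Debug off, regardless of success or failure.
    unset TDERROR_ALL_ALL
    trap - INT TERM
    return $status
}

# Succeeds (exit 0) only when the debug variable is no longer set.
debug_is_off() {
    [ -z "${TDERROR_ALL_ALL:-}" ]
}

# Constructed stand-in for: debug_run fwm -d load Standard A-GW
# The child shell prints the debug level it was started with.
seen=$(debug_run sh -c 'echo "$TDERROR_ALL_ALL"')
echo "debug level seen by the wrapped command: $seen"
debug_is_off && echo "debug is off again"
```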

Further Reading:
sk98799 - Kernel Debug

sk112824 - Policy installation failed with "Internal error occurred during the verification process" status message

sk97638 - Check Point Processes and Daemons

How To Troubleshoot Policy Installation Issues


Which commands obtain information about the mis-configuration issues that point to the rule base?

You must start the debug of FWM.

Use the procedures detailed in sk86186.

Source: sk86186 - How to debug FWM daemon


Which command would help you understand which chain is causing a problem on the Security Gateway?

fw monitor -e "accept;" -p all

Source: sk30583 - What is FW Monitor?


Which process should you debug when SmartDashboard authentication is rejected?

fwm is responsible for the communication between SmartConsole applications and the Security Management Server.

Source: sk97638 - Check Point Processes and Daemons


Where are fwm debug logs written?

$FWDIR/log/fwm.elg

Source: sk86186 - How to debug FWM daemon


That's all for today!
Thank you so much for reading!

See you in the third topic! :)

Vinny

Vinicius Neves

vinicius@sqlinjection.com.br

Brasil
