Check Point Certified Security Expert (CCSE) R81.20 — Question 155

A user complains that some Internet resources are not available. The Administrator is having issues seeing if packets are being dropped at the firewall (not seeing drops in logs). What is the solution to troubleshoot the issue?

Answer options

• A. run “fw ctl zdebug drop” on the relevant gateway
• B. run “cpstop” on the relevant gateway and check the ping again
• C. run “fw unloadlocal” on the relevant gateway and check the ping again
• D. run “fw log” on the relevant gateway

Correct answer: A

Explanation

The correct answer is A, as running 'fw ctl zdebug drop' enables real-time monitoring of dropped packets at the firewall, allowing the Administrator to diagnose the issue effectively. Options B and C involve stopping services or unloading local policies, which are not necessary for troubleshooting packet drops. Option D merely checks existing logs, which the Administrator has already indicated are not showing drops.