156-587 Exam Dumps : Check Point Certified Troubleshooting Expert - R81.20 (CCTE)

The ADLOG function receives the AD log event information from the Domain Controllers. The ADLOG function is part of the Identity Awareness feature that enablesthe Security Gateway to identify users and machines in the network and enforce Access Control policy rules based on their identities. The ADLOG function uses the AD Query (ADQ) method to connect to the Active Directory Domain Controllers using WMI and subscribe to receive Security Event logs that are generated when users perform login. The ADLOG function then extracts the user and machine information that maps to an IP address from the event logs and sends it to the PEP function, which enforces the policy based on the identity information.

 = The RFL process is the Remote File Log process that is responsible for transferring logs from the Security Gateway to the Security Management Server1. If the RFL process is with status T, it means that it is terminated and not running2. This could explain why the logs are not seen in the SMS. To resolve this issue, one possible command to run is smartlog_server stop and smartlog_server restart3. This command will stop and restart the SmartLog server, which is the process that indexes and displays the logs in the SmartConsole. By restarting the SmartLog server, it may also restart the RFL process and resume the log transfer. Alternatively, one can also try to restart the RFL process directly by running cpwd_admin stop -name RFL and cpwd_admin start -name RFL. References: Check Point Processes and Daemons, sk97638 - Check Point Processes and Daemons, sk144192 - How to restart SmartLog server, [sk98348 - SmartLog / SmartView server functionality], [sk97638 - Check Point Processes and Daemons]