The four main database domains are System, User, Global, and Log.  Each domain contains different types of data and serves different purposes 1 2 3 . The System domain contains the configuration data of the Security Management Server (SMS), such as the SMS name, IP address, licensing, and installed products. The User domain contains the configuration data of the security policy, such as the objects, rules, services, and VPN communities. The Global domain contains the configuration data of the global policy, such as the global objects, rules, and services.  The Log domain contains the log data of the security events, such as the source, destination, action, and time of each event 1 2 3 .  References :

1 : CCTE Courseware, Module 3: Management Database and Processes, Slide 4

2 : Check Point R81 Security Management Administration Guide, Chapter 2: Security Management Server, Page 14

3 : Check Point R81 Security Management Administration Guide, Chapter 2: Security Management Server, Page 15

In Check Point’s Security Management Architecture, SmartConsole is the graphical user interface used to manage the Security Management Server. The communication between SmartConsole and the Security Management Server relies on specific processes and ports, which are critical for troubleshooting connectivity issues.

The CPM (Check Point Management) process is the primary process on the Security Management Server responsible for handling management operations, including interactions with SmartConsole. The default port for this communication is 18190 (TCP), used for the SIC (Secure Internal Communication) and management GUI connections.

Option A : Correct. SmartConsole communicates with the Security Management Server using the CPM process over port 18190. This port is used for GUI client connections to the management server.

Option B : Incorrect. The FWM (Firewall Management) process is an older process used in earlier Check Point versions (pre-R80) for management tasks. In R81.20, CPM has largely replaced FWM for SmartConsole communications. Additionally, port 19009 is used for other purposes, such as the Check Point REST API, not SmartConsole.

Option C : Incorrect. While CPM is the correct process, port 19009 is not used for SmartConsole communication. Port 19009 is associated with the Check Point Management API (e.g., for mgmt_cli or REST API calls).

Option D : Incorrect. While CPM is involved, SmartConsole does not use both ports 19009 and 18191. Port 18191 is typically used for log server communications (e.g., SmartConsole to Log Server), not direct management server communication.

 = The RFL process is the Remote File Log process that is responsible for transferring logs from the Security Gateway to the Security Management Server 1 .  If the RFL process is with status T, it means that it is terminated and not running 2 . This could explain why the logs are not seen in the SMS.  To resolve this issue, one possible command to run is smartlog_server stop and smartlog_server restart 3 . This command will stop and restart the SmartLog server, which is the process that indexes and displays the logs in the SmartConsole. By restarting the SmartLog server, it may also restart the RFL process and resume the log transfer. Alternatively, one can also try to restart the RFL process directly by running cpwd_admin stop -name RFL and cpwd_admin start -name RFL.  References :  Check Point Processes and Daemons ,  sk97638 - Check Point Processes and Daemons ,  sk144192 - How to restart SmartLog server , [sk98348 - SmartLog / SmartView server functionality], [sk97638 - Check Point Processes and Daemons]

CMI stands for Context Management Infrastructure, which is a component of the Access Control Policy that enables the Security Gateway to inspect traffic based on the context of the connection. Context includes information such as user identity, application, location, time, and device. CMI allows the Security Gateway to apply different security rules and actions based on the context of the traffic, and to dynamically update the context as it changes. CMI consists of three main elements: Unified Policy, Identity Awareness, and Content Awareness. 

The ADLOG function receives the AD log event information from the Domain Controllers. The ADLOG function is part of the Identity Awareness feature that enables the Security Gateway to identify users and machines in the network and enforce Access Control policy rules based on their identities. The ADLOG function uses the AD Query (ADQ) method to connect to the Active Directory Domain Controllers using WMI and subscribe to receive Security Event logs that are generated when users perform login. The ADLOG function then extracts the user and machine information that maps to an IP address from the event logs and sends it to the PEP function, which enforces the policy based on the identity information.

When a Security Gateway performs a URL lookup and the URL is not found in the local caches, a request for online categorization is necessary. This process involves the Resource Advisor Daemon (RAD), which has components in both kernel space and user space.

Based on descriptions of the URL Filtering categorization process (often cited in CCTE R81.20 materials):

A client (internal component, potentially the URLF Kernel Client or a similar kernel module handling the traffic) initiates a URL lookup.

The URL is first checked against kernel caches.

If the URL is not found in the kernel cache (a cache miss), the RAD kernel component is notified.

The client component then typically sends an asynchronous request to the RAD kernel component.

The RAD Kernel Space component is then responsible for forwarding this request to the RAD User Space module.

The RAD User Space module handles the actual online categorization, often by querying the URLF Online Service (Check Point's cloud-based categorization service).

The result is then returned, and the kernel cache is updated.

The question asks where the sync-request (or a request requiring immediate online lookup) is forwarded from. In this flow, the RAD Kernel Space acts as the intermediary that forwards the request from the initial kernel-level lookup mechanism to the user-space RAD process for further handling.

Supporting Information (derived from CCTE R81.20 related materials/discussions):

The typical flow for URL categorization when an online lookup is needed involves these steps:

"The kernel cache notifies the RAD kernel of hits and misses."

"The client sends an a-sync request back to RAD if the URL was not found." (This request goes to the RAD Kernel Space).

"The a-sync request is forwarded to the RAD User space via the RAD kernel for online categorization."

This indicates that the RAD Kernel (RAD Kernel Space) is the component that forwards the request to the RAD User Space.

Therefore, if a sync-request (a request needing immediate online lookup) is required, it is forwarded from the RAD Kernel Space to the RAD User Space.

Reference Context (based on CCTE R81.20 materials and general Check Point URL Filtering architecture):

Discussions and explanations related to Check Point Certified Troubleshooting Expert (CCTE) R81.20 curriculum often detail this RAD architecture. For example, study materials might state: "RAD has a kernel module that looks up the kernel cache, notifies client about hits and misses and forwards a-sync requests to RAD user space module which is responsible for online categorization." The 1 "RAD kernel module" corresponds to the RAD Kernel Space, and it is this component that performs the forwarding action to the RAD User Space.(Exact page numbers like "CCTE R81.20, p338/339" have been referenced in public CCTE exam discussions pointing to this flow)