The CpmiHostCkp table in the Postgres database contains the data for CPMI objects, such as gateways, clusters, and servers. The table column that should be selected to query for the object instance is the objid column, which is the primary key of the table and uniquely identifies each object. The objid column can be used to join with other tables that reference CPMI objects, such as CpmiClusterMember, CpmiCluster, and CpmiServer. The objid column can also be used to retrieve the object name, IP address, type, and other attributes from the CpmiHostCkp table itself. References:

Check Point Database Tool (GuiDBedit Tool) - Section: How to use the Check Point Database Tool (GuiDBedit Tool) - Subsection: How to view the data in the database

Check Point Certified Troubleshooting Expert (CCTE) - Exam Topics - Module 6: Advanced Management Server Troubleshooting

[Check Point R81 Database Schema] - Section: CPMI Tables - Subsection: CpmiHostCkp Table

The process responsible for log indexing and text searching is solr, which is a child process of cpm. The solr process is responsible for indexing the logs and providing the search engine for SmartLog and SmartConsole. The solr process is started by the cpm process and can be monitored by the command cpwd_admin list. The solr process uses the PostgreSQL database to store the indexed data and the Lucene library to perform the text search. The solr process can be affected by various factors, such as the size and number of log files, the hardware resources, the network connectivity, and the configuration settings. If the solr process is not running correctly, the administrator may experience issues with log indexing and text searching, such as slow performance, missing logs, or incorrect results. 

When a process isfrozen(hung or unresponsive), the typical method to resolve it is tokill the process. On Check Point, you can use cpwd_admin kill -name or a standard Linux kill -9 command if necessary. You then allowCPWD(the Check Point watchdog) to restart it, or manually restart it if needed.

Other options:

A. Power off the machine: This is too drastic and not recommended just for a single frozen process.

B. Restart the process: While this sounds viable, you typicallymust killthe frozen process first, then let WatchDog or an admin restart it.

C. Reboot the machine: Similar to powering off—too disruptive for just one stuck process.

Hence, the most direct and standard approach:“Kill the process.”

Check Point Troubleshooting References

sk97638– Explanation of CPWD (Check Point WatchDog) and how to manage processes.

sk43807– How to gracefully stop or kill a Check Point process.

Check Point CLI Reference Guide– Details on using cpwd_admin commands to kill or restart processes.

SmartEvent is a unified security event management and analysis solution that collects and analyzes data from multiple sources to identify and respond to security threats. SmartEvent consists of three main components: Log Server, Correlation Unit, and SmartEvent Server1. The three main processes that govern these SmartEvent components are:

eventiasv: This process is responsible for indexing the logs received from the Log Server and storing them in the SmartEvent database. It also performs log consolidation and compression to optimize the disk space usage2.

eventiarp: This process is responsible for running the predefined and custom correlation rules on the indexed logs and generating security events based on the rule criteria. It also sends notifications and triggers automatic responses for the security events3.

eventiacu: This process is responsible for providing the web-based user interface for SmartEvent, which allows the administrators to view, analyze, and manage the security events. It also provides the SmartEvent API for external integration4. References: Check Point Processes and Daemons5, SmartEvent Administration Guide1

1: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_AdminGuide/html_frameset.htm  2: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_AdminGuide/Content/Topics-SmartEvent/SmartEvent-Components.htm#_Toc64167467  3: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_AdminGuide/Content/Topics-SmartEvent/SmartEvent-Components.htm#_Toc64167468  4: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SmartEvent_AdminGuide/Content/Topics-SmartEvent/SmartEvent-Components.htm#_Toc64167469  5: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails= &solutionid=sk97638

CMI stands for Context Management Infrastructure, which is a component of the Access Control Policy that enables the Security Gateway to inspect traffic based on the context of the connection. Context includes information such as user identity, application, location, time, and device. CMI allows the Security Gateway to apply different security rules and actions based on the context of the traffic, and to dynamically update the context as it changes. CMI consists of three main elements: Unified Policy, Identity Awareness, and Content Awareness.