Hello again everyone!
I’ve been checking the questions online to have an idea of what awaits me in the CCTE exam, and came across this question:
What is the difference in debugging a S2S or C2S (using Check Point VPN Client) VPN?
A. there is no difference
B. the C2S VPN uses a different VPN daemon and there a second VPN debug
C. the C2S VPN can not be debugged as it uses different protocols for the key exchange
D. the C2S client uses Browser based SSL vpn and can’t be debugged
Now, I’ve done many VPN debugs for our customers, including mobile-based ones. And every time, we did a vpn debug on the gateway, PLUS, we collected debugs from the clients.
This question appears to be from CCTE for an old version, but I still wanted to make sure. In my (limited) experience there is (almost) no difference in terms of debug procedures on the gateways.
Maybe people who have experience with older versions can shed some light here.
Thanks!
The additional info “using Check Point VPN Client” may be a hint.
The desktop client uses IKE/ESP like a regular S2S VPN, but can fall back to Visitor mode, which uses the https port by default for clients in restricted networks. However, this mechanism is quite old and predates the Mobile Access Blade.
With Mobile Access / SSLVPN I’d probably also do debugging via cvpnd_admin debug commands. But the question says it’s about the Check Point VPN Client.
So I’d go for A.
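Added example, not part of the thread: a small POSIX shell wrapper for the gateway-side debug steps of the two daemons discussed above (vpnd for S2S and C2S, including Visitor mode; cvpnd for Mobile Access / SSL VPN). The command names (`vpn debug trunc/off/ikeoff`, `cvpnd_admin debug set TDERROR_ALL_ALL=5`, `cvpnd_admin debug off`) and the `$FWDIR`/`$CVPNDIR` log locations are assumptions taken from general Check Point practice, not from this thread; check them against the CLI reference for your release before relying on them. Client-side logs for C2S are collected separately on the endpoint, as the first post says.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed, not from the thread:
# the Check Point commands and log paths below. Run in the expert shell on the
# gateway, where $FWDIR and $CVPNDIR are set.

# Map the VPN kind to the daemon that handles it on the gateway:
#   s2s / c2s : vpnd  (IKE + ESP, also Visitor mode over the https port)
#   mab       : cvpnd (Mobile Access Blade / SSL VPN portal)
vpn_daemon() {
    case "$1" in
        s2s|c2s) echo vpnd ;;
        mab)     echo cvpnd ;;
        *)       return 1 ;;
    esac
}

# Debug log files written by each daemon (assumed locations).
debug_log_files() {
    case "$(vpn_daemon "$1")" in
        vpnd)  echo "$FWDIR/log/vpnd.elg $FWDIR/log/ike.elg" ;;
        cvpnd) echo "$CVPNDIR/log/cvpnd.elg" ;;
        *)     return 1 ;;
    esac
}

debug_start() {
    case "$(vpn_daemon "$1")" in
        vpnd)
            # Assumed: truncates vpnd.elg and ike.elg, then enables vpnd and IKE debug.
            vpn debug trunc
            ;;
        cvpnd)
            # Assumed: raises cvpnd verbosity; output goes to cvpnd.elg.
            cvpnd_admin debug set TDERROR_ALL_ALL=5
            ;;
        *) echo "usage: $0 {start|stop|collect} {s2s|c2s|mab}" >&2; return 2 ;;
    esac
}

debug_stop() {
    case "$(vpn_daemon "$1")" in
        vpnd)  vpn debug off; vpn debug ikeoff ;;
        cvpnd) cvpnd_admin debug off ;;
        *)     return 2 ;;
    esac
}

# Bundle the relevant .elg files; the archive name carries the VPN kind so that
# S2S/C2S (vpnd) and Mobile Access (cvpnd) captures are not mixed up later.
collect_debug() {
    files=$(debug_log_files "$1") || return 2
    archive="/var/log/vpn_debug_$1_$(date +%Y%m%d%H%M).tgz"
    # shellcheck disable=SC2086  # word-splitting of $files is intended
    tar czf "$archive" $files && echo "$archive"
}

# Only act when called with arguments, so the file can also be sourced.
case "${1:-}" in
    start)   debug_start "$2" ;;
    stop)    debug_stop "$2" ;;
    collect) collect_debug "$2" ;;
esac
```

Typical use is `./vpndbg.sh start c2s`, reproduce the client connection, `./vpndbg.sh stop c2s`, then `./vpndbg.sh collect c2s`; for a Mobile Access portal problem the kind is `mab`, which selects cvpnd and its own log file instead.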
I believe the answer is B.
From my understanding there is a second daemon for client VPN separate from the S2S one, so while the debug procedure is the same, they want to be clear that the logs for both resources are in different places.
I could also be wrong; we only use the tiny Spark devices, and managing those is quite different from the regular Quantum devices.
Check Point and their way of formulating questions… The answer to the majority of the questions is actually ‘it depends’. But I guess I will have to trust my instincts and go for A as well.
It IS different on Spark appliances. You have sfwd there, which is different from regular gateways. But I still wanna clarify: do you also have other daemons running, like vpnd or cvpnd?