Exam 156-587 topic 1 question 27 discussion

Actual exam question from Checkpoint's 156-587
Question #: 27
Topic #: 1

In Check Point’s Packet Processing Infrastructure, what is the role of Observers?

  • A. Observers attach object IDs to traffic
  • B. They store Rule Base matching state related information
  • C. Observers monitor the state of Check Point gateways and report it to the security manager
  • D. Observers decide whether or not to publish a CLOB to the Security Policy
Suggested Answer: D

Comments

Abrieg
1 week, 6 days ago
Selected Answer: A
In Check Point's packet processing infrastructure, Observers are responsible for attaching object IDs to traffic and storing Rule Base matching state information. They also monitor the state of Check Point gateways and report this information to the security manager. Furthermore, Observers determine whether to publish a CLOB (Check Point Large Object) to the Security Policy based on the observed state of the traffic and its associated connection.
upvoted 1 times
...
keikei1228
3 weeks, 5 days ago
Selected Answer: D
Observers are responsible for refining and classifying CLOBs, which are then used to enhance the accuracy of the Security Policy. They play a key role in the Publisher-Observer system by deciding whether or not to publish a CLOB to the Security Policy.
upvoted 1 times
...
keikei1228
1 month, 1 week ago
Selected Answer: B
The correct answer is: B. They store Rule Base matching state related information

Explanation: In Check Point’s Unified Policy (UP) infrastructure, Observers are components that collect and store classification objects (CLOBs) for further classification refinement. They are responsible for maintaining the state of rule base matching and classification objects during a connection or transaction. Observers do not attach object IDs to traffic (that's the role of Classifiers), nor do they monitor gateway health or decide on publishing CLOBs to the policy.

Reference: "Observers CLOBS are distributed to a Publisher-Observer system (via the Manager). The Transaction is a Publisher. The Observer is a unit collecting CLOBs for classification refinement (e.g: CLOB dependency)." — ATRG: Unified Policy (sk120964)
upvoted 1 times
...
eww_cybr
1 month, 3 weeks ago
Selected Answer: D
Observer

The Observer decides if enough information is known to publish a CLOB to the security policy. CLOBs are observed in the context of their transaction and the connection that the transaction belongs to. The Observer may request more CLOBs for a dedicated packet from the Classifier or decides that it has sufficient information about the packet to execute the rule base on the CLOB, e.g. if a file type is needed for Content Awareness and the gateway hasn’t yet received the S2C response containing the file. Executing the rule base on a CLOB is called “publishing a CLOB”. The Observer may wait to receive more CLOBs that belong to the same transaction before publishing the CLOBs.
upvoted 1 times
...
Secentity
1 month, 3 weeks ago
Selected Answer: D
CCTE R81.20, p318: Observers decide whether to publish a CLOB to the rulebase. More CLOBs can be requested from the Classifier if the Observer needs additional information for a particular packet. The Observer publishes the CLOB and subsequent packets to the rulebase.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other