Wednesday, April 26, 2017

Gaia Processes and Daemons



All Gaia processes and daemons run by default, other than snmpd and dhcpd.
Columns: Daemon | Child daemon | Section | Description / Paths / Notes / Stop and Start Commands / Debug

Daemon: pm
Description: Gaia OS Process Manager (/bin/pm). Controls other processes and daemons.
Path: /bin/pm
Log file: /var/log/messages
To Stop: none
To Start: none

Child daemon: confd
Description: Database and configuration.
Path: /bin/confd
Log file: /var/log/messages
To Stop: [Expert@HostName]# tellpm process:confd
To Start: [Expert@HostName]# tellpm process:confd t

Child daemon: searchd
Description: Search indexing daemon.
Log file: /var/log/messages
Path: /bin/searchd
To Stop: [Expert@HostName]# tellpm process:searchd
To Start: [Expert@HostName]# tellpm process:searchd t

Child daemon: clishd
Description: Gaia Clish CLI interface process - general information for all Clish sessions.
Path: /bin/clishd
Log file: /var/log/messages
To Stop: [Expert@HostName]# tellpm process:clishd
To Start: [Expert@HostName]# tellpm process:clishd t

Child daemon: clish
Description: Gaia Clish CLI interface process - Clish process per session.
Path: /bin/clish
Log file: /var/log/messages
To Stop: [Expert@HostName]# tellpm process:clish
To Start: [Expert@HostName]# tellpm process:clish t
Debug: Refer to sk106938

Child daemon: routed
Description: Routing daemon.
Path: /bin/routed
Log file: /var/log/routed.log
/var/log/routed_messages
Configuration file: /etc/routed.conf
To Stop: [Expert@HostName]# tellpm process:routed
To Start: [Expert@HostName]# tellpm process:routed t
Debug: Refer to sk84520, sk101399, sk92598

Child daemon: httpd2
Description: Web server daemon (Gaia Portal).
Path: /web/cpshared/web/Apache/2.2.0/bin/httpd2
Log file: /var/log/httpd2_error_log
/var/log/httpd2_access_log
Configuration file: /web/conf/httpd2.conf
To Stop: [Expert@HostName]# tellpm process:httpd2
To Start: [Expert@HostName]# tellpm process:httpd2 t
Debug: Refer to sk84561

Child daemon: monitord
Description: Hardware monitoring daemon.
Path: /bin/monitord
Log file: /var/log/messages
To Stop: [Expert@HostName]# tellpm process:monitord
To Start: [Expert@HostName]# tellpm process:monitord t

Child daemon: rconfd
Description: Provisioning daemon.
Path: /bin/rconfd
Log file: /var/log/messages
To Stop: [Expert@HostName]# tellpm process:rconfd
To Start: [Expert@HostName]# tellpm process:rconfd t

Child daemon: cloningd
Description: Cloning Groups daemon.
Path: /bin/cloningd
Log file: /var/log/messages
To Stop: [Expert@HostName]# tellpm process:cloningd
To Start: [Expert@HostName]# tellpm process:cloningd t

Child daemon: dhcpd
Description: DHCP server daemon.
Path: /usr/sbin/dhcpd
Log file: /var/log/messages
Configuration file: /etc/dhcpd.conf
To Stop: HostName> set dhcp server disable
or
In Gaia Portal - "Network Management" section - "DHCP Server" pane
To Start: HostName> set dhcp server enable
or
In Gaia Portal - "Network Management" section - "DHCP Server" pane

Child daemon: snmpd
Description: SNMP (Linux) daemon.
Path: /usr/sbin/snmpd
Log file: /var/log/messages
Configuration file: /etc/snmp/snmpd.conf
To Stop: HostName> set snmp agent off
or
In Gaia Portal - "System Management" section - "SNMP" pane
To Start: HostName> set snmp agent on
or
In Gaia Portal - "System Management" section - "SNMP" pane
Debug: Refer to sk56783

Daemon: xpand
Description: Configuration daemon that processes and validates all user configuration requests, updates the system configuration database, and calls other utilities to carry out the request.
Path: /bin/confd
Log file: /var/log/messages
To Stop: none
To Start: none

Daemon: sshd
Description: SSH daemon.
Path: /usr/sbin/sshd
Log file: /var/log/secure
/var/log/auth/
/var/log/messages
Configuration file: /etc/ssh/sshd_config
To Stop: [Expert@HostName]# service sshd stop
To Start: [Expert@HostName]# service sshd start
Debug:
  1. Edit the /etc/ssh/sshd_config file:
    1. Change the "LogLevel" line:
      from:
      #LogLevel INFO
      to:
      LogLevel DEBUG3
    2. Save the changes in this file
  2. Start SSHD under debug to run in background (copy the PID):
    /usr/sbin/sshd -ddd 1>> /var/log/sshd.debug.txt 2>> /var/log/sshd.debug.txt &
  3. Replicate the issue (connect over SSH).
  4. Stop the SSHD:
    kill -TERM <PID>
    kill -KILL <PID>
  5. Revert the /etc/ssh/sshd_config file
  6. Analyze the /var/log/sshd.debug.txt file

Daemon: syslogd
Description: Syslog (Linux) daemon.
Path: /sbin/syslogd
Log file: /var/log/messages
/var/log/dmesg
Configuration file: /etc/syslog.conf
/var/run/syslog.conf
To Stop: [Expert@HostName]# service syslog stop
To Start: [Expert@HostName]# service syslog start
Debug: Refer to sk108421

Daemon: DAService
Description: Check Point Upgrade Service Engine (CPUSE) - former 'Gaia Software Updates' service (refer to sk92449).
Path: $DADIR/bin/DAService
Log file: /opt/CPInstLog/DeploymentAgent.log
/opt/CPInstLog/DA_UI.log
Notes: "cpwd_admin list" command shows the process as "DASERVICE"
(command is "$DADIR/bin/DAService_script" - this is a watchdog script that starts the $DADIR/bin/DAService if it is not running).
To Stop:
  1. [Expert@HostName]# $DADIR/bin/dastop
  2. [Expert@HostName]# dbget installer:stop
To Start:
  1. [Expert@HostName]# $DADIR/bin/dastart
  2. [Expert@HostName]# dbget installer:start
Debug: Refer to sk92449:
  1. Create the configuration file:
    touch $DADIR/bin/DAconf
  2. Add the following line (case-sensitive; spaces are not allowed):
    PING_TRACE=1
  3. Save the changes
  4. Re-load the new configuration:
    DAClient conf
  5. As soon as possible:
    1. Replicate the issue
    2. Delete the $DADIR/bin/DAconf file
    3. Re-load the configuration with DAClient conf command
  6. Analyze:
    /opt/CPInstLog/DeploymentAgent.log
Note: Other Gaia OS daemons can be stopped in Expert mode, but it is not recommended.
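
The sshd and DAService debug procedures above both end with a revert step (restore /etc/ssh/sshd_config, delete $DADIR/bin/DAconf). The following added example, which is not part of the original page or of Check Point's tooling, checks that those steps were actually carried out; the function names, the root-prefix argument and the /opt/da sample directory are assumptions.

```shell
#!/bin/sh
# Added example (not Check Point code). File paths are the ones listed in the
# sshd and DAService entries; the function names and the root-prefix argument
# are assumptions made so the check can run against a constructed tree.

# Print one line per finding. Returns 0 when clean, 1 when residue is found.
check_debug_residue() {
    root="${1:-}"                 # "" on a live system, a temp dir in tests
    dadir="${2:-${DADIR:-}}"      # DAService directory ($DADIR on Gaia)
    found=0

    cfg="$root/etc/ssh/sshd_config"
    if [ -f "$cfg" ]; then
        # sshd uses the first uncommented value of a keyword.
        level=$(awk 'tolower($1) == "loglevel" { print toupper($2); exit }' "$cfg")
        case "$level" in
            DEBUG*) echo "sshd_config: LogLevel $level not reverted"; found=1 ;;
        esac
    fi

    # Output file of the "sshd -ddd" run in step 2 of the sshd procedure.
    if [ -s "$root/var/log/sshd.debug.txt" ]; then
        echo "sshd debug output still on disk: /var/log/sshd.debug.txt"
        found=1
    fi

    # DAService procedure, step 5: the DAconf file must be deleted again.
    if [ -n "$dadir" ] && [ -f "$root$dadir/bin/DAconf" ]; then
        if grep -q '^PING_TRACE=1$' "$root$dadir/bin/DAconf"; then
            echo "DAconf: PING_TRACE=1 still set"
        else
            echo "DAconf: file still present"
        fi
        found=1
    fi
    return "$found"
}

# Build a constructed tree that mimics a box where nothing was reverted.
# /opt/da stands in for $DADIR and is a made-up location.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/ssh" "$t/var/log" "$t/opt/da/bin"
    printf '#LogLevel INFO\nLogLevel DEBUG3\n' > "$t/etc/ssh/sshd_config"
    echo "debug1: constructed sample line" > "$t/var/log/sshd.debug.txt"
    echo "PING_TRACE=1" > "$t/opt/da/bin/DAconf"
    echo "$t"
}

sample=$(make_sample_tree)
check_debug_residue "$sample" /opt/da || echo "=> residue found in sample tree"
rm -rf "$sample"
```

On a live gateway the function is called with no arguments, so that it reads the real /etc/ssh/sshd_config and the $DADIR of the Expert-mode environment.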

Infrastructure Processes

Columns: Daemon | Section | Description / Paths / Notes / Stop and Start Commands / Debug

Daemon: cpwd
Description: WatchDog is a process that launches and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail.
Among the processes monitored by Watchdog are cpd, fwd and fwm.
Watchdog is controlled by the cpwd_admin utility.
To learn how to start and stop various daemons, run the cpwd_admin command.
Path: $CPDIR/bin/cpwd
%CPDIR%\bin\cpwd
Log file: $CPDIR/log/cpwd.elg
%CPDIR%\log\cpwd.elg
To Stop: [Expert@HostName]# cpwd_admin stop_monitor
or
[Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpwd_admin start_monitor
or
[Expert@HostName]# cpstart
Debug: none

Daemon: cpd
Description:
  • Port 18191 - Generic process (add-ons container) for many Check Point services, such as installing and fetching policy, and online updates
  • Port 18211 - SIC push certificate (from Internal CA)
Path: $CPDIR/bin/cpd
%CPDIR%\bin\cpd
Log file: $CPDIR/log/cpd.elg
%CPDIR%\log\cpd.elg
Notes: "cpwd_admin list" command shows the process as "CPD".
To Stop:
  • MGMT / Gateway mode:
    [Expert@HostName]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
    or
    [Expert@HostName]# cpstop
  • VSX mode:
    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin stop -name CPD -ctx <VSID> -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop" -env inherit
    or
    [Expert@HostName:0]# cpstop
To Start:
  • MGMT / Gateway mode:
    [Expert@HostName]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
    or
    [Expert@HostName]# cpstart
  • VSX mode:
    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin start -name CPD -ctx <VSID> -path "$CPDIR/bin/cpd" -command "cpd" -env inherit
    or
    [Expert@HostName:0]# cpstart
Debug: "cpd_admin debug" - refer to sk86320

Daemon: fwd
Description:
  • Logging
  • Spawning child processes (e.g., vpnd)
Path: $FWDIR/bin/fwd
%FWDIR%\bin\fwd
Log file: $FWDIR/log/fwd.elg
%FWDIR%\log\fwd.elg
Notes:
  • "cpwd_admin list" command shows the process as "FWD".
  • "top" / "ps" commands might also show "fw" process and/or "fw_full" process, which are just wrappers for the "fwd" process.
To Stop:
  • MGMT / Gateway mode:
    [Expert@HostName]# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
    or
    [Expert@HostName]# cpstop
  • VSX mode:
    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin stop -name FWD -ctx <VSID> -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit
    or
    [Expert@HostName:0]# cpstop
To Start:
  • MGMT / Gateway mode:
    [Expert@HostName]# cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"
    or
    [Expert@HostName]# cpstart
  • VSX mode:
    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin start -name FWD -ctx <VSID> -path "$FWDIR/bin/fwd" -command "fwd" -env inherit
    or
    [Expert@HostName:0]# cpstart
Debug: Refer to sk86321
  1. Start debug:
    fw debug fwd on TDERROR_ALL_ALL=5
    fw debug fwd on OPSEC_DEBUG_LEVEL=3
  2. Replicate the issue
  3. Stop debug:
    fw debug fwd off TDERROR_ALL_ALL=0
    fw debug fwd off OPSEC_DEBUG_LEVEL=0
  4. Analyze:
    $FWDIR/log/fwd.elg*

Daemon: cprid
Description: Check Point Remote Installation Daemon - distribution of packages from SmartUpdate to managed Gateways.
Path: $CPDIR/bin/cprid
%CPDIR%\bin\cprid
Log file: $CPDIR/log/cprid.elg
%CPDIR%\log\cprid.elg
To Stop: [Expert@HostName]# $CPDIR/bin/cpridstop
To Start: [Expert@HostName]# $CPDIR/bin/cpridstart
Debug: Refer to sk41793

Daemon: cprid_wd
Description: WatchDog for Check Point Remote Installation Daemon "cprid".
Path: $CPDIR/bin/cprid_wd
%CPDIR%\bin\cprid_wd
Log file: $CPDIR/log/cprid_wd.elg
To Stop: [Expert@HostName]# $CPDIR/bin/cpridstop
To Start: [Expert@HostName]# $CPDIR/bin/cpridstart
Debug: Standard CSH script debugging (csh -x -v $CPDIR/bin/cprid_wd)

Security Gateway Software Blades and Features

Columns: Daemon | Section | Description / Paths / Notes / Stop and Start Commands / Debug

Firewall Blade

Daemon: fwd
Description:
  • Logging
  • Spawning child processes (e.g., vpnd)
Path: $FWDIR/bin/fwd
%FWDIR%\bin\fwd
Log file: $FWDIR/log/fwd.elg
%FWDIR%\log\fwd.elg
Notes:
  • "cpwd_admin list" command shows the process as "FWD".
  • "top" / "ps" commands might also show "fw" process and/or "fw_full" process, which are just wrappers for the "fwd" process.
To Stop:
  • Gateway mode:
    [Expert@HostName]# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
    or
    [Expert@HostName]# cpstop
  • VSX mode:
    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin stop -name FWD -ctx <VSID> -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit
    or
    [Expert@HostName:0]# cpstop
To Start:
  • Gateway mode:
    [Expert@HostName]# cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"
    or
    [Expert@HostName]# cpstart
  • VSX mode:
    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin start -name FWD -ctx <VSID> -path "$FWDIR/bin/fwd" -command "fwd" -env inherit
    or
    [Expert@HostName:0]# cpstart
Debug: Refer to sk86321
  1. Start debug:
    fw debug fwd on TDERROR_ALL_ALL=5
    fw debug fwd on OPSEC_DEBUG_LEVEL=3
  2. Replicate the issue
  3. Stop debug:
    fw debug fwd off TDERROR_ALL_ALL=0
    fw debug fwd off OPSEC_DEBUG_LEVEL=0
  4. Analyze:
    $FWDIR/log/fwd.elg*
IPSec VPN Blade

Daemon: vpnd
Description:
  • IKE (UDP/TCP)
  • NAT-T
  • Tunnel Test
  • Reliable Datagram Protocol (RDP)
  • Topology Update for SecureClient
  • SSL Network Extender (SNX)
  • SSL Network Extender (SNX) Portal
  • Remote Access Client configuration
  • Visitor Mode
  • L2TP
Path: $FWDIR/bin/vpn
%FWDIR%\bin\vpn
Log file: $FWDIR/log/vpnd.elg
%FWDIR%\log\vpnd.elg
Notes: This process is not monitored by Check Point WatchDog.
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk89940
Mobile Access Blade

Daemon: cvpnd
Description: Back-end daemon of the Mobile Access Software Blade.
Path: $CVPNDIR/bin/cvpnd
Log file: $CVPNDIR/log/cvpnd.elg
Configuration file: $CVPNDIR/conf/cvpnd.C
Notes: "cpwd_admin list" command shows the process as "CVPND".
To Stop: [Expert@HostName]# cvpnstop
To Start: [Expert@HostName]# cvpnstart
Debug: "cvpnd_admin debug" - refer to sk104577, sk99053

Daemon: dbwriter
Description: Offload database commands from cvpnd (to prevent locks) and synchronize with other members.
Path: $CVPNDIR/bin/dbwriter
Log file: $CVPNDIR/log/dbwriter.elg
Configuration file: $CVPNDIR/conf/dbwriter.C
Notes: "cpwd_admin list" command shows the process as "DBWRITER".
To Stop: [Expert@HostName]# cvpnstop
To Start: [Expert@HostName]# cvpnstart

Daemon: cvpnproc
Description: Offload blocking commands from cvpnd (to prevent locks). Example: sending DynamicID.
Path: $CVPNDIR/bin/cvpnproc
Log file: $CVPNDIR/log/cvpnproc.elg
Configuration file: $CVPNDIR/conf/cvpnproc.C
Notes: "cpwd_admin list" command shows the process as "CVPNPROC".
To Stop: [Expert@HostName]# cvpnstop
To Start: [Expert@HostName]# cvpnstart
Debug: Refer to sk104577
  1. Stop Mobile Access:
    cvpnstop
  2. Verify that cvpnproc process is not running:
    ps aux | grep cvpnproc
  3. If the cvpnproc process is still running, then kill it:
    kill -KILL $(pidof cvpnproc)
  4. Start cvpnproc process under debug to run in background (by running these 2 commands):
    export TDERROR_ALL_ALL=5
    $CVPNDIR/bin/cvpnproc $CVPNDIR/log/cvpnproc.elg $CVPNDIR/conf/cvpnproc.C &
  5. Start Mobile Access:
    cvpnstart
  6. Replicate the issue
  7. Stop debug:
    unset TDERROR_ALL_ALL
  8. Stop Mobile Access:
    cvpnstop
  9. Kill cvpnproc process:
    kill -TERM $(pidof cvpnproc)
    kill -KILL $(pidof cvpnproc)
  10. Start Mobile Access:
    cvpnstart
  11. Analyze:
    $CVPNDIR/log/cvpnproc.elg*

Daemon: MoveFileServer
Description: Move files between cluster members in order to perform database synchronization.
Path: $CVPNDIR/bin/MoveFileServer
Log file: $CVPNDIR/log/MFServer.log
Configuration file: $CVPNDIR/conf/mfserver.C
Notes: "cpwd_admin list" command shows the process as "MOVEFILESERVER", or as "MFSERVER" (in R77.30 and above).
To Stop: [Expert@HostName]# cvpnstop
To Start: [Expert@HostName]# cvpnstart

Daemon: MoveFileDemuxer
Description: Related to MoveFileServer process (moving files between cluster members in order to perform database synchronization).
Path: $CVPNDIR/bin/MoveFileDemuxer
Log file: $CVPNDIR/log/MFDemux.log
Configuration file: $CVPNDIR/conf/mfdemuxer.C
Notes: "cpwd_admin list" command shows the process as "MOVEFILEDEMUXER", or as "MFDEMUXER" (in R77.30 and above).
To Stop: [Expert@HostName]# cvpnstop
To Start: [Expert@HostName]# cvpnstart

Daemon: Pinger
Description: Reduce the number of httpd processes performing ActiveSync.
Path: $CVPNDIR/bin/Pinger
Log file: $CVPNDIR/log/Pinger.log
Configuration file: $CVPNDIR/conf/Pinger.C
Notes: "cpwd_admin list" command shows the process as "PINGER".
To Stop: [Expert@HostName]# cvpnstop
To Start: [Expert@HostName]# cvpnstart
Debug: Refer to sk104577
  1. Verify that Pinger process is running:
    ps aux | grep Pinger
  2. Enable debug for relevant users:
    PingerAdmin debug users <user1>,<user2>,<user3>
  3. Set the debug level:
    PingerAdmin debug set TDERROR_ALL_Pinger=3
    or
    PingerAdmin debug set TDERROR_ALL_ALL=5
  4. Set the debug type:
    PingerAdmin debug type All
  5. Delete all files from $CVPNDIR/log/trace_log/ directory:
    Note: Do NOT delete the directory itself!
    cd $CVPNDIR/log/trace_log/
    rm -i *
  6. Enable trace log:
    Warning: This might print passwords to local files!
    PingerAdmin debug trace on
  7. Start debug:
    PingerAdmin debug on
  8. Replicate the issue
  9. Stop debug:
    PingerAdmin debug off
  10. Disable trace log:
    PingerAdmin debug trace off
  11. Reset the debug:
    PingerAdmin debug reset
  12. Analyze:
    $CVPNDIR/log/Pinger.log*

Daemon: CvpnUMD
Description: Report SNMP connected users to AMON.
Path: $CVPNDIR/bin/CvpnUMD
Log file: $CVPNDIR/log/CvpnUMD.log
Notes: "cpwd_admin list" command shows the process as "CVPNUMD".
To Stop: [Expert@HostName]# cvpnstop
To Start: [Expert@HostName]# cvpnstart

Daemon: httpd
Description: Front-end daemon of the Mobile Access Software Blade (multi-processes).
Path: $CPDIR/web/Apache/2.2.0/bin/httpd
Log file: $CVPNDIR/log/httpd.log
Configuration file: $CVPNDIR/conf/httpd.conf
To Stop: [Expert@HostName]# cvpnstop
To Start: [Expert@HostName]# cvpnstart
Debug: Refer to sk104577, sk99053

Daemon: fwpushd
Description: Mobile Access Push Notifications daemon that is controlled by "fwpush" command. It is a child of fwd daemon (R77.10 and above).
Path: $FWDIR/bin/fwpushd
Log file: $FWDIR/log/fwpushd.elg
To Stop: [Expert@HostName]# cvpnstop
To Start: [Expert@HostName]# cvpnstart
Debug:
  1. Enable debug:
    fwpush debug on
  2. Set the debug options:
    fwpush debug set all all
  3. Check the debug state:
    fwpush debug stat
  4. Replicate the issue
  5. Reset the debug options:
    fwpush debug reset
  6. Disable debug:
    fwpush debug off
  7. Check the debug state:
    fwpush debug stat
  8. Analyze:
    $FWDIR/log/fwpushd.elg*

Daemon: postgres
Description: PostgreSQL server. Used by Remote Access Session Visibility and Management Utility.
Path: $CPDIR/database/postgresql/bin/postgres
Configuration file: /var/log$FWDIR/datadir/postgres/sessions/postgresql.conf
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: su cp_postgres -c "$CPDIR/database/postgresql/bin/pg_ctl -D $RTDIR/events_db/data start"; also refer to sk93970
Identity Awareness Blade

Daemon: pepd
Description: Policy Enforcement Point daemon:
  • Receiving identities via identity sharing
  • Redirecting users to Captive Portal
Path: $FWDIR/bin/pep
Log file: $FWDIR/log/pepd.elg
Notes: "cpwd_admin list" command shows the process as "PEPD".
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: "pep debug" - refer to Identity Awareness Administration Guide (R77)

Daemon: pdpd
Description: Policy Decision Point daemon:
  • Acquiring identities from identity sources
  • Sharing identities with other gateways
Path: $FWDIR/bin/pdpd
Log file: $FWDIR/log/pdpd.elg
Notes: "cpwd_admin list" command shows the process as "PDPD".
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: "pdp debug" - refer to Identity Awareness Administration Guide (R77)
DLP Blade

Daemon: fwdlp
Description: DLP core engine that performs the scanning / inspection.
Path: $FWDIR/bin/fwdlp
Log file: $FWDIR/log/fwdlp.elg
$DLPDIR/log/dlpe.log (refer to sk60387)
$DLPDIR/log/dlpe_msg.log (refer to sk73660)
$DLPDIR/log/dlpe_files_error.log
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk73660, sk60388:
  1. Start debug:
    fw debug fwdlp on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug fwdlp off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/fwdlp.elg*

Daemon: cp_file_convert
Description: Used to convert various file formats to simple textual format for scanning by the DLP engine.
Path: $FWDIR/bin/cp_file_convert
Log file: $FWDIR/log/cp_file_convertd.elg
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk73660:
  1. Start debug:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
  2. Replicate the issue
  3. Stop debug:
    fw debug cp_file_convert off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/cp_file_convertd.elg*

Daemon: dlp_fingerprint
Description: Used to identify the data according to a unique signature known as a fingerprint stored in your repository.
Path: $FWDIR/bin/dlp_fingerprint
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart

Daemon: cserver
Description: Check Server that either stops or processes the e-mail.
Path: $FWDIR/bin/cserver
Log file: $FWDIR/log/cserver.elg
Notes: "cpwd_admin list" command shows the process as "DLP_WS".
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk73660:
  1. Start debug:
    fw debug cserver on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug cserver off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/cserver.elg*

Daemon: dlpu
Description: Receives data from Check Point kernel.
Path: $FWDIR/bin/dlpu
Log file: $FWDIR/log/dlpu.elg
Notes: "cpwd_admin list" command shows the process as "DLPU_<N>".
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk73660:
  1. Start debug:
    fw debug dlpu on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug dlpu off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/dlpu.elg*

Daemon: fwucd
Description: UserCheck back-end daemon that sends approval / disapproval requests to user.
Path: $FWDIR/bin/fwucd
Log file: $FWDIR/log/fwucd.elg
Notes: "cpwd_admin list" command shows the process as "FWUCD".
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk73660, sk60388:
  1. Start debug:
    fw debug fwucd on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug fwucd off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/fwucd.elg*

Daemon: usrchkd
Description: Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
Path: $FWDIR/bin/usrchkd
Log file: $FWDIR/log/usrchkd.elg
Configuration file:
  • $FWDIR/conf/usrchkd.conf
  • $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  • $FWDIR/conf/fwauthd.conf
Notes:
  • This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  • This daemon is spawned by the FWD daemon
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
To Restart: [Expert@HostName]# killall usrchkd
Debug: Note: It might also be required to collect the relevant kernel debug.
  1. Start debug:
    usrchk debug set all all
  2. Verify:
    usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
    usrchk debug off
  5. Analyze:
    $FWDIR/log/usrchkd.elg*

Daemon: usrchk
Description: The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path: $FWDIR/bin/usrchk
Log file: $FWDIR/log/usrchk.elg

Threat Emulation Blade

Daemon: ted
Description: Threat Emulation daemon engine - responsible for emulating files and communication with the cloud.
Path: $FWDIR/teCurrentPack/temain
Log file: $FWDIR/log/ted.elg
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: "tecli debug" - refer to Threat Prevention Administration Guide (R76, R77)

Daemon: dlpu
Description: DLP process - receives data from Check Point kernel.
Path: $FWDIR/bin/dlpu
Log file: $FWDIR/log/dlpu.elg
Notes: "cpwd_admin list" command shows the process as "DLPU_<N>".
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk73660:
  1. Start debug:
    fw debug dlpu on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug dlpu off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/dlpu.elg*

Daemon: usrchkd
Description: Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
Path: $FWDIR/bin/usrchkd
Log file: $FWDIR/log/usrchkd.elg
Configuration file:
  • $FWDIR/conf/usrchkd.conf
  • $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  • $FWDIR/conf/fwauthd.conf
Notes:
  • This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  • This daemon is spawned by the FWD daemon
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
To Restart: [Expert@HostName]# killall usrchkd
Debug: Note: It might also be required to collect the relevant kernel debug.
  1. Start debug:
    usrchk debug set all all
  2. Verify:
    usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
    usrchk debug off
  5. Analyze:
    $FWDIR/log/usrchkd.elg*

Daemon: usrchk
Description: The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path: $FWDIR/bin/usrchk
Log file: $FWDIR/log/usrchk.elg

Threat Extraction Blade

Daemon: scrub
Description: Main CLI process for Threat Extraction.
Path: $FWDIR/bin/scrub
Log file: $FWDIR/log/scrubd.elg
/var/log/scrub/scrubd_messages
$CPDIR/log/scrub_plg.log
Configuration file: $FWDIR/conf/scrub_debug.conf
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug:
  1. Start Threat Extraction debug:
    scrub debug on
    scrub debug set all all
  2. Verify Threat Extraction debug is enabled:
    scrub debug stat
  3. Start debug of cp_file_convert daemon:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
  4. Replicate the issue
  5. Stop debug of cp_file_convert daemon:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
  6. Stop Threat Extraction debug:
    scrub debug off
    scrub debug reset
  7. Verify Threat Extraction debug is disabled:
    scrub debug stat
  8. Analyze:
    $FWDIR/log/scrubd.elg*
    /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg

Daemon: scrubd
Description: Main Threat Extraction daemon.
Path: $FWDIR/bin/scrubd
Log file: $FWDIR/log/scrubd.elg
/var/log/scrub/scrubd_messages
$CPDIR/log/scrub_plg.log
Configuration file: $FWDIR/conf/scrub_debug.conf
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug:
  1. Start Threat Extraction debug:
    scrub debug on
    scrub debug set all all
  2. Verify Threat Extraction debug is enabled:
    scrub debug stat
  3. Start debug of cp_file_convert daemon:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
  4. Replicate the issue
  5. Stop debug of cp_file_convert daemon:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
  6. Stop Threat Extraction debug:
    scrub debug off
    scrub debug reset
  7. Verify Threat Extraction debug is disabled:
    scrub debug stat
  8. Analyze:
    $FWDIR/log/scrubd.elg*
    /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg

Daemon: scrub_cp_file_convertd
Description: Used to convert various file formats to simple textual format for scanning by the DLP engine.
Path: $FWDIR/bin/cp_file_convert
Log file: /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg
$FWDIR/log/cp_file_convert_start.log
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug:
  1. Start debug:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
  2. Replicate the issue
  3. Stop debug:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
  4. Analyze:
    /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg*

Daemon: in.emaild.mta
Description: E-Mail Security Server that receives e-mails sent by user and sends them to their destinations.
Path: $FWDIR/bin/fwssd
Log file: $FWDIR/log/emaild.mta.elg
/var/log/scrub/in.emaild.mta_messages
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk60387:
  1. Start debug:
    fw debug in.emaild.mta on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.emaild.mta off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/emaild.mta.elg*

Daemon: usrchkd
Description: Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
Path: $FWDIR/bin/usrchkd
Log file: $FWDIR/log/usrchkd.elg
Configuration file:
  • $FWDIR/conf/usrchkd.conf
  • $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  • $FWDIR/conf/fwauthd.conf
Notes:
  • This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  • This daemon is spawned by the FWD daemon
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
To Restart: [Expert@HostName]# killall usrchkd
Debug: Note: It might also be required to collect the relevant kernel debug.
  1. Start debug:
    usrchk debug set all all
  2. Verify:
    usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
    usrchk debug off
  5. Analyze:
    $FWDIR/log/usrchkd.elg*

Daemon: usrchk
Description: The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path: $FWDIR/bin/usrchk
Log file: $FWDIR/log/usrchk.elg

IPS Blade

Daemon: in.geod
Description: Updates the IPS Geo Protection Database.
Path: $FWDIR/bin/fwssd
%FWDIR%\bin\fwssd
Log file: $FWDIR/log/geod.elg
%FWDIR%\log\geod.elg
To Stop: [Expert@HostName]# kill -KILL $(pidof in.geod)
To Start: After being killed, it will be restarted automatically
Debug: Refer to sk102329:
  1. Start debug:
    fw debug in.geod on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.geod off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/geod.elg*
URL Filtering Blade

Daemon: rad
Description: Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications.
Path: $FWDIR/bin/rad
Log file: $FWDIR/log/rad.elg
Configuration file:
  • $FWDIR/conf/rad_scheme.C
  • $FWDIR/conf/rad_settings.C
  • $FWDIR/database/rad_services.C
Notes: "cpwd_admin list" command shows the process as "RAD".
To Stop: [Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop
To Start: [Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart
Debug: Refer to sk92743:
  1. Start debug:
    rad_admin rad debug on all
  2. Replicate the issue.
  3. Stop debug:
    rad_admin rad debug off ALL
  4. Analyze:
    $FWDIR/log/rad.elg*

Daemon: usrchkd
Description: Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
Path: $FWDIR/bin/usrchkd
Log file: $FWDIR/log/usrchkd.elg
Configuration file:
  • $FWDIR/conf/usrchkd.conf
  • $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  • $FWDIR/conf/fwauthd.conf
Notes:
  • This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  • This daemon is spawned by the FWD daemon
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
To Restart: [Expert@HostName]# killall usrchkd
Debug: Note: It might also be required to collect the relevant kernel debug.
  1. Start debug:
    usrchk debug set all all
  2. Verify:
    usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
    usrchk debug off
  5. Analyze:
    $FWDIR/log/usrchkd.elg*

Daemon: usrchk
Description: The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path: $FWDIR/bin/usrchk
Log file: $FWDIR/log/usrchk.elg

Application Control Blade

Daemon: rad
Description: Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications.
Path: $FWDIR/bin/rad
Log file: $FWDIR/log/rad.elg
Configuration file:
  • $FWDIR/conf/rad_scheme.C
  • $FWDIR/conf/rad_settings.C
  • $FWDIR/database/rad_services.C
Notes: "cpwd_admin list" command shows the process as "RAD".
To Stop: [Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop
To Start: [Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart
Debug: Refer to sk92743:
  1. Start debug:
    rad_admin rad debug on all
  2. Replicate the issue.
  3. Stop debug:
    rad_admin rad debug off ALL
  4. Analyze:
    $FWDIR/log/rad.elg*
Anti-Bot Blade

Daemon: in.acapd
Description: Packet capturing daemon for SmartView Tracker logs.
Path: $FWDIR/bin/fwssd
Log file: $FWDIR/log/acapd.elg
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk108179:
  1. Start debug:
    fw debug in.acapd on TDERROR_ALL_ALL=5
  2. Reload the in.acapd daemon's configuration:
    kill -HUP $(pidof in.acapd)
  3. Replicate the issue
  4. Stop debug:
    fw debug in.acapd off TDERROR_ALL_ALL=0
  5. Analyze:
    $FWDIR/log/acapd.elg*

Daemon: rad
Description: Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database which identifies URLs as applications.
Path: $FWDIR/bin/rad
Log file: $FWDIR/log/rad.elg
Configuration file:
  • $FWDIR/conf/rad_scheme.C
  • $FWDIR/conf/rad_settings.C
  • $FWDIR/database/rad_services.C
Notes: "cpwd_admin list" command shows the process as "RAD".
To Stop: [Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop
To Start: [Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart
Debug: Refer to sk92264:
  1. Start debug:
    rad_admin rad debug on all
  2. Replicate the issue.
  3. Stop debug:
    rad_admin rad debug off ALL
  4. Analyze:
    $FWDIR/log/rad.elg*

Daemon: usrchkd
Description: Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
Path: $FWDIR/bin/usrchkd
Log file: $FWDIR/log/usrchkd.elg
Configuration file:
  • $FWDIR/conf/usrchkd.conf
  • $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  • $FWDIR/conf/fwauthd.conf
Notes:
  • This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  • This daemon is spawned by the FWD daemon
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
To Restart: [Expert@HostName]# killall usrchkd
Debug: Note: It might also be required to collect the relevant kernel debug.
  1. Start debug:
    usrchk debug set all all
  2. Verify:
    usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
    usrchk debug off
  5. Analyze:
    $FWDIR/log/usrchkd.elg*
usrchk
Description: The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path: $FWDIR/bin/usrchk
Log file: $FWDIR/log/usrchk.elg
Anti-Virus Blade
in.acapd
Description: Packet capturing daemon for SmartView Tracker logs.
Path: $FWDIR/bin/fwssd
Log file: $FWDIR/log/acapd.elg
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk108179:
  1. Start debug:
    fw debug in.acapd on TDERROR_ALL_ALL=5
  2. Reload the in.acapd daemon's configuration:
    kill -HUP $(pidof in.acapd)
  3. Replicate the issue
  4. Stop debug:
    fw debug in.acapd off TDERROR_ALL_ALL=0
  5. Analyze:
    $FWDIR/log/acapd.elg*
in.emaild.mta
Description: E-Mail Security Server that receives e-mails sent by user and sends them to their destinations.
Path: $FWDIR/bin/fwssd
Log file: $FWDIR/log/emaild.mta.elg
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk60387:
  1. Start debug:
    fw debug in.emaild.mta on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.emaild.mta off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/emaild.mta.elg*
in.emaild.smtp
Description: SMTP Security Server that receives e-mails sent by user and sends them to their destinations.
Path: $FWDIR/bin/fwssd
Log file: $FWDIR/log/emaild.smtp.elg
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk60387:
  1. Start debug:
    fw debug in.emaild.smtp on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.emaild.smtp off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/emaild.smtp.elg*
in.emaild.pop3
Description: POP3 Security Server that receives e-mails sent by user.
Path: $FWDIR/bin/fwssd
Log file: $FWDIR/log/emaild.pop3.elg
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug
  1. Start debug:
    fw debug in.emaild.pop3 on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.emaild.pop3 off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/emaild.pop3.elg*
dlpu
Description: DLP process - receives data from Check Point kernel.
Path: $FWDIR/bin/dlpu
Log file: $FWDIR/log/dlpu.elg
Notes: "cpwd_admin list" command shows the process as "DLPU_<N>".
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk73660:
  1. Start debug:
    fw debug dlpu on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug dlpu off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/dlpu.elg*
rad
Description: Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database which identifies URLs as applications.
Path: $FWDIR/bin/rad
Log file: $FWDIR/log/rad.elg
Configuration file
  • $FWDIR/conf/rad_scheme.C
  • $FWDIR/conf/rad_settings.C
  • $FWDIR/database/rad_services.C
Notes: "cpwd_admin list" command shows the process as "RAD".
To Stop: [Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop
To Start: [Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart
Debug: Refer to sk92264:
  1. Start debug:
    rad_admin rad debug on all
  2. Replicate the issue.
  3. Stop debug:
    rad_admin rad debug off ALL
  4. Analyze:
    $FWDIR/log/rad.elg*
usrchkd
Description: Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
Path: $FWDIR/bin/usrchkd
Log file: $FWDIR/log/usrchkd.elg
Configuration file
  • $FWDIR/conf/usrchkd.conf
  • $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  • $FWDIR/conf/fwauthd.conf
Notes
  • This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  • This daemon is spawned by the FWD daemon
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
To Restart: [Expert@HostName]# killall usrchkd
Debug: Note: It might also be required to collect the relevant kernel debug.
  1. Start debug:
    usrchk debug set all all
  2. Verify:
    usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
    usrchk debug off
  5. Analyze:
    $FWDIR/log/usrchkd.elg*
usrchk
Description: The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path: $FWDIR/bin/usrchk
Log file: $FWDIR/log/usrchk.elg
Anti-Spam Blade
in.emaild.smtp
Description: SMTP Security Server that receives e-mails sent by user and sends them to their destinations.
Path: $FWDIR/bin/fwssd
Log file: $FWDIR/log/emaild.smtp.elg
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk60387:
  1. Start debug:
    fw debug in.emaild.smtp on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.emaild.smtp off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/emaild.smtp.elg*
in.msd
Description: Mail Security Daemon that queries the Commtouch engine for reputation.
Path: $FWDIR/bin/fwssd
Log file: $FWDIR/log/msd.elg
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk92264:
  1. Start debug:
    fw debug in.msd on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.msd off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/msd.elg*
ctasd
Description: Commtouch Anti-Spam daemon.
Path: /opt/aspam_engine/ctipd/bin/ctasd
Configuration file: /opt/aspam_engine/ctasd/conf/ctasd.conf
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
ctipd
Description: Commtouch IP Reputation daemon.
Path: /opt/aspam_engine/ctipd/bin/ctipd
Configuration file: /opt/aspam_engine/ctipd/conf/ctipd.conf
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Monitoring Blade
rtmd
Description: Real Time traffic statistics.
Path: $FWDIR/bin/rtm
%FWDIR%\bin\rtm
Log file: $FWDIR/log/rtmd.elg
%FWDIR%\log\rtmd.elg
Notes: "cpwd_admin list" command shows the process as "RTMD".
To Stop: [Expert@HostName]# rtmstop
To Start: [Expert@HostName]# rtmstart
Debug: Refer to skI2821:
  1. Start debug:
    rtm debug on TDERROR_ALL_ALL=5
    rtm debug on OPSEC_DEBUG_LEVEL=3
  2. Replicate the issue
  3. Stop debug:
    rtm debug off TDERROR_ALL_ALL=0
    rtm debug off OPSEC_DEBUG_LEVEL=0
  4. Analyze:
    $FWDIR/log/rtmd.elg*
cpstat_monitor
Description: Process is responsible for collecting and sending information to SmartView Monitor.
Path: $FWDIR/bin/cpstat_monitor
%FWDIR%\bin\cpstat_monitor
Log file: $FWDIR/log/cpstat_monitor.elg
%FWDIR%\log\cpstat_monitor.elg
Notes
  • "cpwd_admin list" command shows the process as "CPSM".
  • By default, does not run in the context of Domain Management Servers.
  • By default, in MGMT HA runs only on "Active" Security Management Server.
To Stop: [Expert@HostName]# cpwd_admin stop -name CPSM
To Start: [Expert@HostName]# cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"
Debug: Refer to sk108177
HTTPS Inspection
wstlsd
Description: Handles SSL handshake for HTTPS Inspected connections.
Path: $CPDIR/bin/wstlsd
Log file: $FWDIR/log/wstlsd.elg
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk105559:
  1. Start debug:
    for PROC in $(pidof wstlsd) ; do fw debug $PROC on TDERROR_ALL_ALL=6 ; done
  2. Replicate the issue (it is very important to collect the relevant traffic using both TCPDump tool and the FW Monitor).
  3. Stop debug:
    for PROC in $(pidof wstlsd) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
  4. Analyze:
    $FWDIR/log/wstlsd.elg*
pkxld
Description: Performs asymmetric key operations for HTTPS Inspection (R77.30 and above)
Path: $CPDIR/bin/pkxld
Log file: none
Notes: Refer to sk104717
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: none
HTTP/HTTPS Proxy
wsdnsd
Description: DNS Resolver (in R77.30 and above) - activated when Security Gateway is configured as HTTP/HTTPS Proxy, and no next proxy is used. Process is started and stopped during policy installation.
Path: $FWDIR/bin/wsdnsd
%FWDIR%\bin\wsdnsd
Log file: $FWDIR/log/wsdnsd.elg
Notes: "cpwd_admin list" command shows the process as "WSDNSD"
To Stop: [Expert@HostName]# cpwd_admin stop -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "kill -SIGTERM $(pidof $FWDIR/bin/wsdnsd)"
To Start: [Expert@HostName]# cpwd_admin start -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "wsdnsd"
Debug: Refer to sk106443:
  1. Start debug:
    fw debug wsdnsd on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug wsdnsd off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/wsdnsd.elg*
Cluster
cphamcset
Description: Clustering daemon - responsible for opening sockets on the NICs in order to allow them to pass multicast traffic (CCP) to the machine.
Path: $FWDIR/bin/cphamcset
%FWDIR%\bin\cphamcset
Log file: $FWDIR/log/cphamcset.elg
%FWDIR%\log\cphamcset.elg
Notes
To Stop: [Expert@HostName]# cphastop
To Start: [Expert@HostName]# cphastart
Debug
  1. Stop clustering:
    cphastop
  2. Start under debug:
    cphamcset -d
  3. Stop Check Point services:
    cphastop
  4. Start clustering:
    cphastart
cphaprob
Description: Process that lists the state of cluster members, cluster interfaces and critical monitored components (pnotes).
Path: $FWDIR/bin/cphaprob
%FWDIR%\bin\cphaprob
Configuration file: $FWDIR/conf/cphaprob.conf
%FWDIR%\conf\cphaprob.conf
Notes: Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaprob' command.
To Stop: none
To Start: none
Debug: "cphaprob -D <command>" (e.g., "cphaprob -D state")
cphaconf
Description: Cluster configuration process - installs the cluster configuration into Check Point kernel on cluster members.
Path: $FWDIR/bin/cphaconf
%FWDIR%\bin\cphaconf
Log file: $FWDIR/log/cphaconf.elg
%FWDIR%\log\cphaconf.elg
Notes
  • Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaconf' command.
  • Log file exists only in R77.20 and above
To Stop: none
To Start: none
Debug: Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaconf' command - 'cphaconf debug_data'.
cphastart
Description: Starts the cluster and state synchronization.
Path: $FWDIR/bin/cphastart
%FWDIR%\bin\cphastart
Log file: $FWDIR/log/cphastart.elg
%FWDIR%\log\cphastart.elg
Notes
  • Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphastart' and 'cphastop' commands.
  • Log file exists only in R77.20 and above
To Stop: none
To Start: none
Debug: "cphastart -d" - refer to sk39842
cphastop
Description: Stops the cluster and state synchronization.
Path: $FWDIR/bin/cphastop
%FWDIR%\bin\cphastop
Notes: Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphastart' and 'cphastop' commands.
To Stop: none
To Start: none
Debug: Standard CSH script debugging (csh -x -v $FWDIR/bin/cphastop)

Security Management Software Blades and Features


Daemon | Section | Description / Paths / Notes / Stop and Start Commands / Debug
Network Policy Management Blade
fwm
Description: Communication between SmartConsole applications and Security Management Server.
Path: $FWDIR/bin/fwm
%FWDIR%\bin\fwm
Log file: $FWDIR/log/fwm.elg
%FWDIR%\log\fwm.elg
Notes: "cpwd_admin list" command shows the process as "FWM".
To Stop: [Expert@HostName]# cpwd_admin stop -name FWM -path "$FWDIR/bin/fwm" -command "fw kill fwm"
To Start: [Expert@HostName]# cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"
Debug
  • Security Management Server - refer to sk86186:
    1. Start debug:
      fw debug fwm on TDERROR_ALL_ALL=5
      fw debug fwm on OPSEC_DEBUG_LEVEL=3
    2. Replicate the issue
    3. Stop debug:
      fw debug fwm off TDERROR_ALL_ALL=0
      fw debug fwm off OPSEC_DEBUG_LEVEL=0
    4. Analyze:
      $FWDIR/log/fwm.elg*
  • Domain Management Server - refer to sk33207:
    1. Switch to the context of the relevant Domain Management Server:
      mdsenv <Domain_Name>
    2. Start debug:
      fw debug fwm on TDERROR_ALL_ALL=5
      fw debug fwm on OPSEC_DEBUG_LEVEL=3
    3. Replicate the issue
    4. Stop debug:
      fw debug fwm off TDERROR_ALL_ALL=0
      fw debug fwm off OPSEC_DEBUG_LEVEL=0
    5. Analyze:
      $FWDIR/log/fwm.elg*
  • Multi-Domain Security Management Server - refer to sk33208:
    1. Start debug:
      fw debug mds on TDERROR_ALL_ALL=5
      fw debug mds on OPSEC_DEBUG_LEVEL=3
    2. Replicate the issue
    3. Stop debug:
      fw debug mds off TDERROR_ALL_ALL=0
      fw debug mds off OPSEC_DEBUG_LEVEL=0
    4. Analyze:
      $MDS_TEMPLATE/log/mds.elg*
Endpoint Policy Management Blade
uepm
Description: Endpoint Management Server.
Path: $UEPMDIR/bin/uepm
%UEPMDIR%\bin\uepm
Log file: $UEPMDIR/logs/server_messages.log
%UEPMDIR%\logs\server_messages.log
To Stop: [Expert@HostName]# uepm_stop
To Start: [Expert@HostName]# uepm_start
Debug: "uepm debug"; also refer to sk92619
httpd
Description: Communication with Endpoint Clients.
Path: $UEPMDIR/apache22/bin/httpd
%UEPMDIR%\apache22\bin\httpd
To Stop: [Expert@HostName]# uepm_stop
To Start: [Expert@HostName]# uepm_start
Monitoring Blade
rtmd
Description: Real Time traffic statistics.
Path: $FWDIR/bin/rtm
%FWDIR%\bin\rtm
Log file: $FWDIR/log/rtmd.elg
%FWDIR%\log\rtmd.elg
Notes: "cpwd_admin list" command shows the process as "RTMD".
To Stop: [Expert@HostName]# rtmstop
To Start: [Expert@HostName]# rtmstart
Debug: Refer to skI2821:
  1. Start debug:
    rtm debug on TDERROR_ALL_ALL=5
    rtm debug on OPSEC_DEBUG_LEVEL=3
  2. Replicate the issue
  3. Stop debug:
    rtm debug off TDERROR_ALL_ALL=0
    rtm debug off OPSEC_DEBUG_LEVEL=0
  4. Analyze:
    $FWDIR/log/rtmd.elg*
cpstat_monitor
Description: Process is responsible for collecting and sending information to SmartView Monitor. By default, does not run in the context of Domain Management Servers.
Path: $FWDIR/bin/cpstat_monitor
%FWDIR%\bin\cpstat_monitor
Log file: $FWDIR/log/cpstat_monitor.elg
%FWDIR%\log\cpstat_monitor.elg
Notes: "cpwd_admin list" command shows the process as "CPSM".
To Stop: [Expert@HostName]# cpwd_admin stop -name CPSM
To Start: [Expert@HostName]# cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"
Debug: Refer to sk108177
Provisioning Blade
status_proxy
Description: Status collection of ROBO Gateways - SmartLSM / SmartProvisioning status proxy. This process runs only on Security Management Server / Domain Management Servers that are activated for Large Scale Management / SmartProvisioning.
Path: $FWDIR/bin/status_proxy
%FWDIR%\bin\status_proxy
Log file: $FWDIR/log/status_proxy.elg
%FWDIR%\log\status_proxy.elg
Notes: "cpwd_admin list" command shows the process as "STPR".
To Stop: [Expert@HostName]# cpwd_admin stop -name STPR
To Start: [Expert@HostName]# cpwd_admin start -name STPR -path "$FWDIR/bin/status_proxy" -command "status_proxy"
Debug: Refer to sk108182
SmartReporter Blade
SVRServer
Description: Controller for the SmartReporter product. Traffic is sent via SSL.
Path: $RTDIR/bin/SVRServer
%RTDIR%\bin\SVRServer
Log file: $RTDIR/log/SVRServer.log
%RTDIR%\log\SVRServer.log
Notes: "cpwd_admin list" command shows the process as "SVR".
To Stop: [Expert@HostName]# rmdstop
or
[Expert@HostName]# cpwd_admin stop -name SVR -path $RTDIR/bin/SVRServer -command "SVRServer kill SVRServer"
Also refer to sk105485.
To Start: [Expert@HostName]# rmdstart
or
[Expert@HostName]# cpwd_admin start -name SVR -path "$RTDIR/bin/SVRServer" -command "SVRServer"
Debug: Refer to sk93970
log_consolidator
Description: Log Consolidator for the SmartReporter product.
Path: $RTDIR/log_consolidator_engine/bin/log_consolidator
%RTDIR%\log_consolidator_engine\bin\log_consolidator
Log file: $RTDIR/log_consolidator_engine/log/<Log_Server_IP_Address>/lc_rt.log
%RTDIR%\log_consolidator_engine\log\<Log_Server_IP_Address>\lc_rt.log
Configuration file
  • $RTDIR/log_consolidator_engine/conf/lc_rt_default.conf
    %RTDIR%\log_consolidator_engine\conf\lc_rt_default.conf
  • $RTDIR/log_consolidator_engine/conf/<Log_Server_IP_Address>/lc_rt_default.conf
    %RTDIR%\log_consolidator_engine\conf\<Log_Server_IP_Address>\lc_rt_default.conf
Notes: "cpwd_admin list" command shows the process as "LC_<IP_Address_of_Log_Server>".
To Stop: [Expert@HostName]# rmdstop
or
[Expert@HostName]# evstop
or
[Expert@HostName]# log_consolidator -C -m stop -s <IP_Address_of_Log_Server> [-g <Domain_Name>]
[Expert@HostName]# log_consolidator -C -m exit -s <IP_Address_of_Log_Server> [-g <Domain_Name>]
To Start: [Expert@HostName]# rmdstart
or
[Expert@HostName]# evstart
or
[Expert@HostName]# log_consolidator -C -m start -s <IP_Address_of_Log_Server> [-g <Domain_Name>]
dbsync
Description: DBsync enables SmartReporter to synchronize data stored in different parts of the network. After SIC is established, DBsync connects to the management server to retrieve all the objects. After the initial synchronization, it gets updates whenever an object is saved. In distributed information systems DBsync provides one-way synchronization of data between the Security Management Server's object database and the SmartReporter computer, and supports configuration and administration of distributed systems.
Path: $RTDIR/bin/dbsync
%RTDIR%\bin\dbsync
Log file: $RTDIR/log/dbsync.elg
%RTDIR%\log\dbsync.elg
Notes: "cpwd_admin list" command shows the process as "DBSYNC".
To Stop: [Expert@HostName]# rmdstop
or
[Expert@HostName]# evstop
or
[Expert@HostName]# cpwd_admin stop -name DBSYNC
To Start: [Expert@HostName]# rmdstart
or
[Expert@HostName]# evstart
or
[Expert@HostName]# cpwd_admin start -name DBSYNC -path "$RTDIR/bin/dbsync" -command "dbsync"
Debug: Refer to sk93970
postgres
Description: PostgreSQL server.
Path: $CPDIR/database/postgresql/bin/postgres
%CPDIR%\database\postgresql\bin\postgres
Log file: $RTDIR/events_db/data/pg_log/postgresql-YYYY-MM-DD_HHMMSS.log
Configuration file: $RTDIR/events_db/data/postgresql.conf
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: su cp_postgres -c "$CPDIR/database/postgresql/bin/pg_ctl -D $RTDIR/events_db/data start"; also refer to sk93970
SmartEvent Blade
cpsead
Description: Responsible for Correlation Unit functionality.
Path: $RTDIR/bin/cpsead
%RTDIR%\bin\cpsead
Log file: $RTDIR/log/cpsead.elg
%RTDIR%\log\cpsead.elg
Notes: "cpwd_admin list" command shows the process as "CPSEAD".
To Stop: [Expert@HostName]# evstop
or
[Expert@HostName]# cpwd_admin stop -name CPSEAD
Also refer to sk105485.
To Start: [Expert@HostName]# evstart
or
[Expert@HostName]# cpwd_admin start -name CPSEAD -path "$RTDIR/bin/cpsead" -command "cpsead"
Debug: Refer to sk95153, sk105806, sk93970
cpsemd
Description: Responsible for logging into the SmartEvent GUI.
Path: $RTDIR/bin/cpsemd
%RTDIR%\bin\cpsemd
Log file: $RTDIR/log/cpsemd.elg
%RTDIR%\log\cpsemd.elg
Notes: "cpwd_admin list" command shows the process as "CPSEMD".
To Stop: [Expert@HostName]# evstop
or
[Expert@HostName]# cpwd_admin stop -name CPSEMD
To Start: [Expert@HostName]# evstart
or
[Expert@HostName]# cpwd_admin start -name CPSEMD -path "$RTDIR/bin/cpsemd" -command "cpsemd"
Debug: Refer to sk95153, sk105806, sk93970
dbsync
Description: DBsync enables SmartEvent to synchronize data stored in different parts of the network. In distributed information systems DBsync provides one-way synchronization of data between the Security Management Server's object database and the SmartEvent computer, and supports configuration and administration of distributed systems. DBsync initially connects to the Management Server, with which SIC is established. It retrieves all the objects and after the initial synchronization it gets updates whenever an object is saved.
Path: $RTDIR/bin/dbsync
%RTDIR%\bin\dbsync
Log file: $RTDIR/log/dbsync.elg
%RTDIR%\log\dbsync.elg
Notes: "cpwd_admin list" command shows the process as "DBSYNC".
To Stop: [Expert@HostName]# evstop
or
[Expert@HostName]# cpwd_admin stop -name DBSYNC
To Start: [Expert@HostName]# evstart
or
[Expert@HostName]# cpwd_admin start -name DBSYNC -path "$RTDIR/bin/dbsync" -command "dbsync"
Debug: Refer to sk93970
java_solr
Description: Starting in R80 (SmartEvent NGSE was integrated).
Jetty Server.
Events are stored in the SOLR database.
Path: $RTDIR/bin/java_solr
Log file: $RTDIR/log/solr.log
$RTDIR/log/solrRun.log
Notes: "cpwd_admin list" command shows the process as "SOLR".
Configuration file: $RTDIR/conf/jetty.xml
$RTDIR/conf/solr.log4j.properties
$RTDIR/conf/solrConnectionConfig.xml
$RTDIR/log_indexes/solr.xml
To Stop: [Expert@HostName]# evstop
To Start: [Expert@HostName]# evstart
Debug: Refer to sk105806.
SmartEventSetDebugLevel solr <debug_level>
$FWDIR/scripts/solr_debug.py {on | off}
LogCore
Description: Starting in R80 (SmartEvent NGSE was integrated).
Manages the queries it gets from the consumer processes, forwards them to SOLR database and returns the results. Also in charge of resolving and database maintenance (clean up old indexes to have space for the new ones).
Path: $RTDIR/bin/LogCore
Log file: $RTDIR/log/RFL.log
$RTDIR/log/rflRun.log
Notes: "cpwd_admin list" command shows the process as "RFL".
Configuration file: $RTDIR/conf/rfl.log4j.properties
$RTDIR/conf/rfl.log4j.properties.forUpgrade
$RTDIR/conf/rflConfig.xml
To Stop: [Expert@HostName]# evstop
To Start: [Expert@HostName]# evstart
Debug: Refer to sk105806.
SmartEventSetDebugLevel rfl <debug_level>
SmartView
Description: SmartEvent Web Application that allows you to connect to SmartEvent NGSE server (at https://<IP_Address_of_SmartEvent_Server>/smartview/) and see the event views and analysis directly from a Web Browser, without installing SmartConsole. The Web page comes with predefined views that you can customize.
Refer to sk105684.
Path: $RTDIR/bin/SmartView
Log file: $RTDIR/log/smartview.log
$RTDIR/log/SmartViewRun.log
$RTDIR/log/smartview-service.log
Notes: "cpwd_admin list" command shows the process as "SMARTVIEW".
Configuration file: $RTDIR/conf/smartview.log4j.properties
To Stop: [Expert@HostName]# evstop
To Start: [Expert@HostName]# evstart
Debug: Refer to sk105806.
SmartEventSetDebugLevel smartview <debug_level>
log_indexer
Description: Starting in R80 (SmartEvent NGSE was integrated).
Log indexer.
Path: $RTDIR/log_indexer/log_indexer
Log file: $RTDIR/log_indexer/log/log_indexer.elg
$RTDIR/log_indexer/log/log_indexerRun.log
Notes: "cpwd_admin list" command shows the process as "INDEXER".
Configuration file: $RTDIR/log_indexer/conf/log_indexer_settings.conf
$RTDIR/log_indexer/log_indexer_custom_settings.conf
To Stop: [Expert@HostName]# evstop
To Start: [Expert@HostName]# evstart
postgres
Description: PostgreSQL server.
Path: $CPDIR/database/postgresql/bin/postgres
%CPDIR%\database\postgresql\bin\postgres
Log file: $RTDIR/events_db/data/pg_log/postgresql-YYYY-MM-DD_HHMMSS.log
Configuration file: $RTDIR/events_db/data/postgresql.conf
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: su cp_postgres -c "$CPDIR/database/postgresql/bin/pg_ctl -D $RTDIR/events_db/data start"; also refer to sk93970
Logging & Status Blade
cplmd
Description: In order to get the data that should be presented in SmartView Tracker, FWM spawns a child process CPLMD, which reads the information from the log file and performs unification (if necessary). Upon receiving an answer from CPLMD, FWM transfers it to SmartView Tracker.
Path: $FWDIR/bin/cplmd
%FWDIR%\bin\cplmd
Log file: $FWDIR/log/cplmd.elg
%FWDIR%\log\cplmd.elg
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk86324:
  1. Start debug:
    fw debug cplmd on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug cplmd off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/cplmd.elg*
Management Portal
cpwmd
Description: Check Point Web Management Daemon - back-end for Management Portal / SmartPortal.
Path: $WEBDIR/bin/cpwmd
%WEBDIR%\bin\cpwmd
Log file: /opt/CPportal-<RXX>/portal/log/cpwmd.elg
C:\Program Files\CheckPoint\SmartPortal\<RXX>\SmartPortal\log\cpwmd.elg
Notes: "cpwd_admin list" command shows the process as "CPWMD".
To Stop: [Expert@HostName]# cpwd_admin stop -name CPWMD
To Start: [Expert@HostName]# cpwd_admin start -name CPWMD -path "$WEBDIR/bin/cpwmd" -command "cpwmd -D -app SmartPortal"
Debug: Refer to sk31023
cp_http_server
Description: HTTP Server for Management Portal (SmartPortal) and for OS WebUI.
Path: $WEBDIR/bin/cp_http_server
%WEBDIR%\bin\cp_http_server
Log file: Refer to sk31023, sk30634
Configuration file: $MPDIR/conf/cp_httpd_admin.conf
Notes: "cpwd_admin list" command shows the process as "CPHTTPD".
To Stop: [Expert@HostName]# cpwd_admin stop -name CPHTTPD
To Start: [Expert@HostName]# cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"
Debug: Refer to sk31023
SmartLog
smartlog_server
Description: SmartLog product.
Path: $SMARTLOGDIR/smartlog_server
Log file: $SMARTLOGDIR/log/smartlog_server.elg
Notes: "cpwd_admin list" command shows the process as "SMARTLOG_SERVER".
To Stop: [Expert@HostName]# smartlogstop
To Start: [Expert@HostName]# smartlogstart
Debug
  1. Stop SmartLog:
    smartlogstop
  2. Start SmartLog under debug:
    env TDERROR_ALL_ALL=5 $SMARTLOGDIR/smartlog_server 1>> /var/log/smartlog.debug 2>> /var/log/smartlog.debug
  3. Replicate the issue
  4. Stop debug - press CTRL+C.
  5. Start SmartLog normally:
    smartlogstart
Internal CA
cpca
Description: Check Point Internal Certificate Authority (ICA):
  • SIC certificate pulling
  • Certificate enrollment
  • CRL fetch
  • Admin WebUI
Path: $FWDIR/bin/cpca
%FWDIR%\bin\cpca
Log file: $FWDIR/log/cpca.elg
%FWDIR%\log\cpca.elg
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug: Refer to sk60338:
  1. Start debug:
    fw debug cpca on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug cpca off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/cpca.elg*
Compliance Blade
interpreter
Description: Process is responsible for Compliance Blade database scan.
Path: $FWDIR/bin/interpreter
%FWDIR%\bin\interpreter
Log file
  • R77 and above:
    $FWDIR/log/grc_interpreter.elg
    %FWDIR%\log\grc_interpreter.elg
  • R76:
    /opt/CPPIgrc-R76/bin/grc_interpreter.elg
  • R75.40/R75.45/R75.46/R75.47:
    /opt/CPPIgrc-R75.40/bin/grc_interpreter.elg
Configuration file: $FWDIR/conf/grc.conf (since R77)
%FWDIR%\conf\grc.conf (since R77)
Notes: This process is not monitored by Check Point WatchDog.
To Stop: [Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpstart
Debug
  • R77 and above:
    1. Stop Check Point service with "cpstop" command
    2. Either run "interpreter debug=1" command,
      or in configuration file "grc.conf", manually set the value of "debugMode" from "0" to "1"
    3. Start Check Point service with "cpstart" command
  • R75.40/R75.45/R75.46/R75.47/R76:
    1. Stop Check Point service with "cpstop" command
    2. In configuration file "grc.conf", manually set the value of "debugMode" from "0" to "1"
    3. Start Check Point service with "cpstart" command

In addition, refer to "interpreter -help" command and to sk92861
SofaWare Management Server (Service Center for centrally managed Edge devices)
sms
Description: Manages communication (status collection, logs collection, policy update, configuration update) with UTM-1 Edge Security Gateways. This process runs only on Security Management Server / Multi-Domain Security Management Servers that manage UTM-1 Edge devices.
Path: $FWDIR/bin/sms
%FWDIR%\bin\sms
Configuration file: $FWDIR/conf/sofaware/SWManagementServer.ini
%FWDIR%\conf\sofaware\SWManagementServer.ini
Notes: "cpwd_admin list" command shows the process as "VPN-1 Embedded Connector".
To Stop: [Expert@HostName]# smsstop
To Start: [Expert@HostName]# smsstart
Debug: Refer to sk60780
OPSEC LEA (Log Export API)
lea_session
Description: Responsible for OPSEC LEA session between the OPSEC LEA Client and the OPSEC LEA Server on Check Point Management Server / Log Server.
Spawned by the FWD daemon.
Path: $FWDIR/bin/lea_session
%FWDIR%\bin\lea_session
Configuration file: $FWDIR/conf/fwopsec.conf
%FWDIR%\conf\fwopsec.conf
Refer to "lea_server" lines
Log file: $FWDIR/log/lea_session.<PID>.elg
%FWDIR%\log\lea_session.<PID>.elg
Notes
  • "top" / "ps" commands show the process as "lea_session".
To Stop: [Expert@HostName]# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
or
[Expert@HostName]# cpstop
To Start: [Expert@HostName]# cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"
or
[Expert@HostName]# cpstart
Debug: Refer to sk86321:
  1. Start debug:
    fw debug fwd on TDERROR_ALL_ALL=5
    fw debug fwd on OPSEC_DEBUG_LEVEL=3
  2. Replicate the issue
  3. Stop debug:
    fw debug fwd off TDERROR_ALL_ALL=0
    fw debug fwd off OPSEC_DEBUG_LEVEL=0
  4. Analyze:
    $FWDIR/log/lea_session.<PID>.elg*

600 / 700 / 1100 / 1200R / 1400 appliances

Daemon | Section | Description / Paths / Notes / Stop and Start Commands / Debug
sfwd
Description: Main process:
  • Logging
  • Policy installation
  • VPN negotiation
  • Identity Awareness enforcement
  • UserCheck enforcement
  • etc.
Log file: $FWDIR/log/sfwd.elg
Also refer to $FWDIR/log/cpwd.elg
Notes
  • "cpwd_admin list" command shows the process as "SFWD".
  • "ps auxw" command shows the process as "fw sfwd".
To Stop: [Expert@HostName]# $FWDIR/bin/cpwd_admin stop -name SFWD
To Start: [Expert@HostName]# $FWDIR/bin/cpwd_admin start -name SFWD -path $FWDIR/bin/fw -command "fw sfwd"
Debug: Refer to sk86321
cposd
Description: SMB-specific daemon responsible for OS Networking operations.
Log file: $FWDIR/log/cposd.elg
Notes: "cpwd_admin list" command shows the process as "cposd".
To Stop: [Expert@HostName]# cpwd_admin stop -name cposd
To Start: [Expert@HostName]# cpwd_admin start -name cposd -path /pfrm2.0/bin/cposd -command "cposd"
rtdbd
Description: Real Time database daemon.
Configuration file: /pfrm2.0/etc/rtdbd.conf
Notes: "cpwd_admin list" command shows the process as "RTDB".
To Stop: [Expert@HostName]# $FWDIR/bin/cpwd_admin stop -name RTDB
To Start: [Expert@HostName]# $FWDIR/bin/cpwd_admin start -name RTDB -path /pfrm2.0/bin/rtdbd -command "rtdbd"
dropbear
Description: Lightweight SSH server on 1100 appliance.
Notes: "cpwd_admin list" command shows the process as "dropbear".
To Stop: none
To Start: none

Additional Processes

Daemon | Section | Description / Paths / Notes / Stop and Start Commands / Debug
mpdaemon
Description: On Security Gateway and Management Server.
Platform Portal / Multi Portal (https://<IP_Address>/).
Each portal has its own Apache server (which can have multiple processes).
The mpdaemon process is responsible for starting these web servers.
Path: $CPDIR/bin/mpdaemon
Log file: $CPDIR/log/mpdaemon.elg
$CPDIR/log/mpclient.elg
Configuration file: $CPDIR/log/mpdaemon.conf
Notes: "cpwd_admin list" command shows the process as "MPDAEMON".
To Stop: [Expert@HostName]# cpwd_admin stop -name MPDAEMON
or
[Expert@HostName]# mpclient stopall
To Start: [Expert@HostName]# cpwd_admin start -name MPDAEMON -path "$CPDIR/bin/mpdaemon" -command "mpdaemon $CPDIR/log/mpdaemon.elg $CPDIR/conf/mpdaemon.conf"
Debug: Refer to sk87920:
  1. Start debug:
    mpclient debug on
    mpclient debug set TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    mpclient debug set TDERROR_ALL_ALL=0
    mpclient debug off
avi_del_tmp_files
Description: On Security Gateway and Management Server.
Shell script (from $FWDIR/bin/) that periodically deletes various old temporary Anti-Virus files.
Path: $FWDIR/bin/avi_del_tmp_files
Log file: $FWDIR/log/avi_del_tmp_files.elg
Notes: "cpwd_admin list" command shows the process as "CI_CLEANUP".
To Stop: [Expert@HostName]# cpwd_admin stop -name CI_CLEANUP
To Start: [Expert@HostName]# cpwd_admin start -name CI_CLEANUP -path $FWDIR/bin/avi_del_tmp_files -command "avi_del_tmp_files"
Debug: Standard CSH script debugging (csh -x -v $FWDIR/bin/avi_del_tmp_files)
ci_http_server
Description: On Security Gateway.
HTTP Server for Content Inspection.
Path: $FWDIR/bin/ci_http_server
Log file: $FWDIR/log/cphttpd.elg
Configuration file: $FWDIR/conf/cihs.conf
Notes: "cpwd_admin list" command shows the process as "CIHS".
To Stop: [Expert@HostName]# cpwd_admin stop -name CIHS
To Start: [Expert@HostName]# cpwd_admin start -name CIHS -path $FWDIR/bin/ci_http_server -command "ci_http_server -j -f $FWDIR/conf/cihs.conf"
Debug
  1. Stop:
    cpwd_admin stop -name CIHS
  2. Start under debug (with "-v" flag):
    cpwd_admin start -name CIHS -path $FWDIR/bin/ci_http_server -command "ci_http_server -v -j -f $FWDIR/conf/cihs.conf"
  3. Replicate the issue
  4. Stop:
    cpwd_admin stop -name CIHS
  5. Start normally:
    cpwd_admin start -name CIHS -path $FWDIR/bin/ci_http_server -command "ci_http_server -j -f $FWDIR/conf/cihs.conf"
cp_http_server
Description: On Security Gateway and Management Server.
HTTP Server for OS WebUI and Management Portal (SmartPortal).
Path: $WEBDIR/bin/cp_http_server
Log file: $FWDIR/log/cphttpd.elg
Configuration file: $MPDIR/conf/cp_httpd_admin.conf
Notes: "cpwd_admin list" command shows the process as "CPHTTPD".
To Stop: [Expert@HostName]# cpwd_admin stop -name CPHTTPD
To Start: [Expert@HostName]# cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"
Debug:
  1. Stop:
    cpwd_admin stop -name CPHTTPD
  2. Start under debug (with "-v" flag):
    cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -v -f '$MPDIR/conf/cp_httpd_admin.conf'"
  3. Replicate the issue
  4. Stop:
    cpwd_admin stop -name CPHTTPD
  5. Start normally:
    cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"
cpviewd
Description: On Security Gateway and Management Server.
CPView Utility daemon (sk101878).
Path:
  • In R77.30 and above:
    $CPDIR/bin/cpviewd
  • In R77-R77.20:
    $FWDIR/bin/cpviewd
Configuration file: $CPDIR/conf/cpview_conf.xml
Notes: "cpwd_admin list" command shows the process as "CPVIEWD".
To Stop: [Expert@HostName]# cpwd_admin stop -name CPVIEWD
To Start:
  • In R77.30 and above:
    [Expert@HostName]# cpwd_admin start -name CPVIEWD -path "$CPDIR/bin/cpviewd" -command "cpviewd"
  • In R77-R77.20:
    [Expert@HostName]# cpwd_admin start -name CPVIEWD -path "$FWDIR/bin/cpviewd" -command "cpviewd"
Debug: Refer to sk101878
cpview_historyd
Description: On Security Gateway and Management Server.
CPView Utility History daemon (sk101878).
Path:
  • In R77.30 and above:
    $CPDIR/bin/cpview_historyd
  • In R77-R77.20:
    $FWDIR/bin/cpview_historyd
Log file: /var/log/CPView_history/CPViewDB.dat
Notes: "cpwd_admin list" command shows the process as "HISTORYD".
To Stop: [Expert@HostName]# cpview history off
To Start: [Expert@HostName]# cpview history on
cpsnmpd
Description: On Security Gateway and Management Server:
  • Listens on UDP port 260 and is capable of responding to SNMP queries for Check Point OIDs only (under OID .1.3.6.1.4.1.2620)
  • Accepts only SNMPv1
  • Supplied as a part of Check Point Suite ($CPDIR/bin/cpsnmpd)
To Stop: [Expert@HostName]# killall cpsnmpd
To Start: [Expert@HostName]# cpsnmpd -p 260
Debug: Refer to sk66384