| Daemon |
Section |
Description / Paths / Notes / Stop and Start Commands / Debug |
| Firewall Blade |
|
fwd
|
Description |
- Logging
- Spawning child processes (e.g., vpnd)
|
| Path |
$FWDIR/bin/fwd
%FWDIR%\bin\fwd |
| Log file |
$FWDIR/log/fwd.elg
%FWDIR%\log\fwd.elg |
| Notes |
- "cpwd_admin list" command shows the process as "FWD".
- "top" / "ps" commands might also show "fw" process and/or "fw_full" process, which are just wrappers for the "fwd" process.
|
| To Stop |
-
Gateway mode:
[Expert@HostName]# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
or
[Expert@HostName]# cpstop
-
VSX mode:
[Expert@HostName:0]# vsenv <VSID>
[Expert@HostName:<VSID>]# cpwd_admin stop -name FWD -ctx <VSID> -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit
or
[Expert@HostName:0]# cpstop
|
| To Start |
-
Gateway mode:
[Expert@HostName]# cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"
or
[Expert@HostName]# cpstart
-
VSX mode:
[Expert@HostName:0]# vsenv <VSID>
[Expert@HostName:<VSID>]# cpwd_admin start -name FWD -ctx <VSID> -path "$FWDIR/bin/fwd" -command "fwd" -env inherit
or
[Expert@HostName:0]# cpstart
|
| Debug |
Refer to sk86321
- Start debug:
fw debug fwd on TDERROR_ALL_ALL=5
fw debug fwd on OPSEC_DEBUG_LEVEL=3
- Replicate the issue
- Stop debug:
fw debug fwd off TDERROR_ALL_ALL=0
fw debug fwd off OPSEC_DEBUG_LEVEL=0
- Analyze:
$FWDIR/log/fwd.elg*
|
| IPSec VPN Blade |
|
vpnd
|
Description |
- IKE (UDP/TCP)
- NAT-T
- Tunnel Test
- Reliable Datagram Protocol (RDP)
- Topology Update for SecureClient
- SSL Network Extender (SNX)
- SSL Network Extender (SNX) Portal
- Remote Access Client configuration
- Visitor Mode
- L2TP
|
| Path |
$FWDIR/bin/vpn
%FWDIR%\bin\vpn |
| Log file |
$FWDIR/log/vpnd.elg
%FWDIR%\log\vpnd.elg |
| Notes |
This process is not monitored by Check Point WatchDog. |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk89940 |
| Mobile Access Blade |
|
cvpnd
|
Description |
Back-end daemon of the Mobile Access Software Blade. |
| Path |
$CVPNDIR/bin/cvpnd |
| Log file |
$CVPNDIR/log/cvpnd.elg |
| Configuration file |
$CVPNDIR/conf/cvpnd.C |
| Notes |
"cpwd_admin list" command shows the process as "CVPND". |
| To Stop |
[Expert@HostName]# cvpnstop |
| To Start |
[Expert@HostName]# cvpnstart |
| Debug |
"cvpnd_admin debug" - refer to sk104577, sk99053 |
|
dbwriter
|
Description |
Offload database commands from cvpnd (to prevent locks) and synchronize with other members. |
| Path |
$CVPNDIR/bin/dbwriter |
| Log file |
$CVPNDIR/log/dbwriter.elg |
| Configuration file |
$CVPNDIR/conf/dbwriter.C |
| Notes |
"cpwd_admin list" command shows the process as "DBWRITER". |
| To Stop |
[Expert@HostName]# cvpnstop |
| To Start |
[Expert@HostName]# cvpnstart |
|
cvpnproc
|
Description |
Offload blocking commands from cvpnd (to prevent locks). Example: sending DynamicID. |
| Path |
$CVPNDIR/bin/cvpnproc |
| Log file |
$CVPNDIR/log/cvpnproc.elg |
| Configuration file |
$CVPNDIR/conf/cvpnproc.C |
| Notes |
"cpwd_admin list" command shows the process as "CVPNPROC". |
| To Stop |
[Expert@HostName]# cvpnstop |
| To Start |
[Expert@HostName]# cvpnstart |
| Debug |
Refer to sk104577
- Stop Mobile Access:
cvpnstop
- Verify that cvpnproc process is not running:
ps aux | grep cvpnproc
- If the cvpnproc process is still running, then kill it:
kill -KILL $(pidof cvpnproc)
- Start cvpnproc process under debug to run in background (by running these 2 commands):
export TDERROR_ALL_ALL=5
$CVPNDIR/bin/cvpnproc $CVPNDIR/log/cvpnproc.elg $CVPNDIR/conf/cvpnproc.C &
- Start Mobile Access:
cvpnstart
- Replicate the issue
- Stop debug:
unset TDERROR_ALL_ALL
- Stop Mobile Access:
cvpnstop
- Kill cvpnproc process:
kill -TERM $(pidof cvpnproc)
kill -KILL $(pidof cvpnproc)
- Start Mobile Access:
cvpnstart
- Analyze:
$CVPNDIR/log/cvpnproc.elg*
|
|
MoveFileServer
|
Description |
Move files between cluster members in order to perform database synchronization. |
| Path |
$CVPNDIR/bin/MoveFileServer |
| Log file |
$CVPNDIR/log/MFServer.log |
| Configuration file |
$CVPNDIR/conf/mfserver.C |
| Notes |
"cpwd_admin list" command shows the process as "MOVEFILESERVER", or as "MFSERVER" (in R77.30 and above). |
| To Stop |
[Expert@HostName]# cvpnstop |
| To Start |
[Expert@HostName]# cvpnstart |
|
MoveFileDemuxer
|
Description |
Related to MoveFileServer process (moving files between cluster members in order to perform database synchronization). |
| Path |
$CVPNDIR/bin/MoveFileDemuxer |
| Log file |
$CVPNDIR/log/MFDemux.log |
| Configuration file |
$CVPNDIR/conf/mfdemuxer.C |
| Notes |
"cpwd_admin list" command shows the process as "MOVEFILEDEMUXER", or as "MFDEMUXER" (in R77.30 and above). |
| To Stop |
[Expert@HostName]# cvpnstop |
| To Start |
[Expert@HostName]# cvpnstart |
|
Pinger
|
Description |
Reduce the number of httpd processes performing ActiveSync. |
| Path |
$CVPNDIR/bin/Pinger |
| Log file |
$CVPNDIR/log/Pinger.log |
| Configuration file |
$CVPNDIR/conf/Pinger.C |
| Notes |
"cpwd_admin list" command shows the process as "PINGER". |
| To Stop |
[Expert@HostName]# cvpnstop |
| To Start |
[Expert@HostName]# cvpnstart |
| Debug |
Refer to sk104577
- Verify that Pinger process is running:
ps aux | grep Pinger
- Enable debug for relevant users:
PingerAdmin debug users <user1>,<user2>,<user3>
- Set the debug level:
PingerAdmin debug set TDERROR_ALL_Pinger=3
or
PingerAdmin debug set TDERROR_ALL_ALL=5
- Set the debug type:
PingerAdmin debug type All
- Delete all files from $CVPNDIR/log/trace_log/ directory:
Note: Do NOT delete the directory itself!
cd $CVPNDIR/log/trace_log/
rm -i *
- Enable trace log:
Warning: This might print passwords to local files!
PingerAdmin debug trace on
- Start debug:
PingerAdmin debug on
- Replicate the issue
- Stop debug:
PingerAdmin debug off
- Disable trace log:
PingerAdmin debug trace off
- Reset the debug:
PingerAdmin debug reset
- Analyze:
$CVPNDIR/log/Pinger.log*
|
|
CvpnUMD
|
Description |
Report SNMP connected users to AMON. |
| Path |
$CVPNDIR/bin/CvpnUMD |
| Log file |
$CVPNDIR/log/CvpnUMD.log |
| Notes |
"cpwd_admin list" command shows the process as "CVPNUMD". |
| To Stop |
[Expert@HostName]# cvpnstop |
| To Start |
[Expert@HostName]# cvpnstart |
|
httpd
|
Description |
Front-end daemon of the Mobile Access Software Blade (multi-processes). |
| Path |
$CPDIR/web/Apache/2.2.0/bin/httpd |
| Log file |
$CVPNDIR/log/httpd.log |
| Configuration file |
$CVPNDIR/conf/httpd.conf |
| To Stop |
[Expert@HostName]# cvpnstop |
| To Start |
[Expert@HostName]# cvpnstart |
| Debug |
Refer to sk104577, sk99053 |
|
fwpushd
|
Description |
Mobile Access Push Notifications daemon that is controlled by "fwpush" command. It is a child of fwd daemon (R77.10 and above). |
| Path |
$FWDIR/bin/fwpushd |
| Log file |
$FWDIR/log/fwpushd.elg |
| To Stop |
[Expert@HostName]# cvpnstop |
| To Start |
[Expert@HostName]# cvpnstart |
| Debug |
- Enable debug:
fwpush debug on
- Set the debug options:
fwpush debug set all all
- Check the debug state:
fwpush debug stat
- Replicate the issue
- Reset the debug options:
fwpush debug reset
- Disable debug:
fwpush debug off
- Check the debug state:
fwpush debug stat
- Analyze:
$FWDIR/log/fwpushd.elg*
|
|
postgres
|
Description |
PostgreSQL server. Used by Remote Access Session Visibility and Management Utility. |
| Path |
$CPDIR/database/postgresql/bin/postgres
|
| Configuration file |
/var/log$FWDIR/datadir/postgres/sessions/postgresql.conf |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
"su cp_postgres -c "$CPDIR/database/postgresql/bin/pg_ctl -D $RTDIR/events_db/data start"; also refer to sk93970 |
| Identity Awareness Blade |
|
pepd
|
Description |
Policy Enforcement Point daemon:
- Receiving identities via identity sharing
- Redirecting users to Captive Portal
|
| Path |
$FWDIR/bin/pep |
| Log file |
$FWDIR/log/pepd.elg |
| Notes |
"cpwd_admin list" command shows the process as "PEPD". |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
"pep debug" - refer to Identity Awareness Administration Guide (R77) |
|
pdpd
|
Description |
Policy Decision Point daemon:
- Acquiring identities from identity sources
- Sharing identities with another gateways
|
| Path |
$FWDIR/bin/pdpd |
| Log file |
$FWDIR/log/pdpd.elg |
| Notes |
"cpwd_admin list" command shows the process as "PDPD". |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
"pdp debug" - refer to Identity Awareness Administration Guide (R77) |
| DLP Blade |
|
fwdlp
|
Description |
DLP core engine that performs the scanning / inspection. |
| Path |
$FWDIR/bin/fwdlp |
| Log file |
$FWDIR/log/fwdlp.elg
$DLPDIR/log/dlpe.log (refer to sk60387)
$DLPDIR/log/dlpe_msg.log (refer to sk73660)
$DLPDIR/log/dlpe_files_error.log |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk73660, sk60388:
- Start debug:
fw debug fwdlp on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug fwdlp off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/fwdlp.elg*
|
|
cp_file_convert
|
Description |
Used to convert various file formats to simple textual format for scanning by the DLP engine. |
| Path |
$FWDIR/bin/cp_file_convert |
| Log file |
$FWDIR/log/cp_file_convertd.elg |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk73660:
- Start debug:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
- Replicate the issue
- Stop debug:
fw debug cp_file_convert off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/cp_file_convertd.elg*
|
|
dlp_fingerprint
|
Description |
Used to identify the data according to a unique signature known as a fingerprint stored in your repository. |
| Path |
$FWDIR/bin/dlp_fingerprint |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
|
cserver
|
Description |
Check Server that either stops or processes the e-mail. |
| Path |
$FWDIR/bin/cserver |
| Log file |
$FWDIR/log/cserver.elg |
| Notes |
"cpwd_admin list" command shows the process as "DLP_WS". |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk73660:
- Start debug:
fw debug cserver on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug cserver off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/cserver.elg*
|
|
dlpu
|
Description |
Receives data from Check Point kernel. |
| Path |
$FWDIR/bin/dlpu |
| Log file |
$FWDIR/log/dlpu.elg |
| Notes |
"cpwd_admin list" command shows the process as "DLPU_<N>". |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk73660:
- Start debug:
fw debug dlpu on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug dlpu off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/dlpu.elg*
|
|
fwucd
|
Description |
UserCheck back-end daemon that sends approval / disapproval requests to user. |
| Path |
$FWDIR/bin/fwucd |
| Log file |
$FWDIR/log/fwucd.elg |
| Notes |
"cpwd_admin list" command shows the process as "FWUCD". |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk73660, sk60388:
- Start debug:
fw debug fwucd on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug fwucd off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/fwucd.elg*
|
|
usrchkd
|
Description |
Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal. |
| Path |
$FWDIR/bin/usrchkd |
| Log file |
$FWDIR/log/usrchkd.elg |
| Configuration file |
- $FWDIR/conf/usrchkd.conf
- $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
- $FWDIR/conf/fwauthd.conf
|
| Notes |
- This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
- This daemon is spawned by the FWD daemon
|
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| To Restart |
[Expert@HostName]# killall usrchkd |
| Debug |
Note: It might also be required to collect the relevant kernel debug.
- Start debug:
usrchk debug set all all
- Verify:
usrchk debug stat
- Replicate the issue.
- Stop debug:
usrchk debug off
- Analyze:
$FWDIR/log/usrchkd.elg*
|
|
usrchk
|
Description |
The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly). |
| Path |
$FWDIR/bin/usrchk |
| Log file |
$FWDIR/log/usrchk.elg |
| Threat Emulation Blade |
|
ted
|
Description |
Threat Emulation daemon engine - responsible for emulating files and communication with the cloud. |
| Path |
$FWDIR/teCurrentPack/temain |
| Log file |
$FWDIR/log/ted.elg |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
"tecli debug" - refer to Threat Prevention Administration Guide (R76, R77) |
|
dlpu
|
Description |
DLP process - receives data from Check Point kernel. |
| Path |
$FWDIR/bin/dlpu |
| Log file |
$FWDIR/log/dlpu.elg |
| Notes |
"cpwd_admin list" command shows the process as "DLPU_<N>". |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk73660:
- Start debug:
fw debug dlpu on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug dlpu off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/dlpu.elg*
|
|
usrchkd
|
Description |
Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal. |
| Path |
$FWDIR/bin/usrchkd |
| Log file |
$FWDIR/log/usrchkd.elg |
| Configuration file |
- $FWDIR/conf/usrchkd.conf
- $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
- $FWDIR/conf/fwauthd.conf
|
| Notes |
- This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
- This daemon is spawned by the FWD daemon
|
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| To Restart |
[Expert@HostName]# killall usrchkd |
| Debug |
Note: It might also be required to collect the relevant kernel debug.
- Start debug:
usrchk debug set all all
- Verify:
usrchk debug stat
- Replicate the issue.
- Stop debug:
usrchk debug off
- Analyze:
$FWDIR/log/usrchkd.elg*
|
|
usrchk
|
Description |
The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly). |
| Path |
$FWDIR/bin/usrchk |
| Log file |
$FWDIR/log/usrchk.elg |
|
scanengine_b
|
Description |
Third party engine.
|
| Path |
$FWDIR/teCurrentPack/scanengine_b
|
| Log file |
$FWDIR/log/bdadvisor.elg
|
| To Stop |
[Expert@HostName]# cpstop
|
| To Start |
[Expert@HostName]# cpstart
|
| Debug |
None |
|
scanengine_k
|
Description |
Third party engine.
|
| Path |
$FWDIR/teCurrentPack/scanengine_k
|
| Log file |
$FWDIR/log/kavadvisor.elg
|
| To Stop |
[Expert@HostName]# cpstop
|
| To Start |
[Expert@HostName]# cpstart
|
| Debug |
None
|
|
scanengine_s
|
Description |
Third party engine.
|
| Path |
$FWDIR/teCurrentPack/scanengine_s
|
| Log file |
$FWDIR/log/sopadvisor.elg
|
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
None |
| Threat Extraction Blade |
|
scrub
|
Description |
Main CLI process for Threat Extraction. |
| Path |
$FWDIR/bin/scrub |
| Log file |
$FWDIR/log/scrubd.elg
/var/log/scrub/scrubd_messages
$CPDIR/log/scrub_plg.log |
| Configuration file |
$FWDIR/conf/scrub_debug.conf |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
- Start Threat Extraction debug:
scrub debug on
scrub debug set all all
- Verify Threat Extraction debug is enabled:
scrub debug stat
- Start debug of cp_file_convert daemon:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
- Replicate the issue
- Stop debug of cp_file_convert daemon:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
- Stop Threat Extraction debug:
scrub debug off
scrub debug reset
- Verify Threat Extraction debug is disabled:
scrub debug stat
- Analyze:
$FWDIR/log/scrubd.elg*
/var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg
|
|
scrubd
|
Description |
Main Threat Extraction daemon. |
| Path |
$FWDIR/bin/scrubd |
| Log file |
$FWDIR/log/scrubd.elg
/var/log/scrub/scrubd_messages
$CPDIR/log/scrub_plg.log |
| Configuration file |
$FWDIR/conf/scrub_debug.conf |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
- Start Threat Extraction debug:
scrub debug on
scrub debug set all all
- Verify Threat Extraction debug is enabled:
scrub debug stat
- Start debug of cp_file_convert daemon:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
- Replicate the issue
- Stop debug of cp_file_convert daemon:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
- Stop Threat Extraction debug:
scrub debug off
scrub debug reset
- Verify Threat Extraction debug is disabled:
scrub debug stat
- Analyze:
$FWDIR/log/scrubd.elg*
/var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg
|
|
scrub_cp_file_convertd
|
Description |
Used to convert various file formats to simple textual format for scanning by the DLP engine. |
| Path |
$FWDIR/bin/cp_file_convert |
| Log file |
/var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg
$FWDIR/log/cp_file_convert_start.log |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
- Start debug:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
- Replicate the issue
- Stop debug:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
- Analyze:
/var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg*
|
|
in.emaild.mta
|
Description |
E-Mail Security Server that receives e-mails sent by user and sends them to their destinations. |
| Path |
$FWDIR/bin/fwssd |
| Log file |
$FWDIR/log/emaild.mta.elg
/var/log/scrub/in.emaild.mta_messages |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk60387:
- Start debug:
fw debug in.emaild.mta on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.emaild.mta off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/emaild.mta.elg*
|
|
usrchkd
|
Description |
Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal. |
| Path |
$FWDIR/bin/usrchkd |
| Log file |
$FWDIR/log/usrchkd.elg |
| Configuration file |
- $FWDIR/conf/usrchkd.conf
- $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
- $FWDIR/conf/fwauthd.conf
|
| Notes |
- This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
- This daemon is spawned by the FWD daemon
|
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| To Restart |
[Expert@HostName]# killall usrchkd |
| Debug |
Note: It might also be required to collect the relevant kernel debug.
- Start debug:
usrchk debug set all all
- Verify:
usrchk debug stat
- Replicate the issue.
- Stop debug:
usrchk debug off
- Analyze:
$FWDIR/log/usrchkd.elg*
|
|
usrchk
|
Description |
The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly). |
| Path |
$FWDIR/bin/usrchk |
| Log file |
$FWDIR/log/usrchk.elg |
| IPS Blade |
|
in.geod
|
Description |
Updates the IPS Geo Protection Database. |
| Path |
$FWDIR/bin/fwssd
%FWDIR%\bin\fwssd |
| Log file |
$FWDIR/log/geod.elg
%FWDIR%\log\geod.elg |
| To Stop |
[Expert@HostName]# kill -KILL $(pidof in.geod) |
| To Start |
After being killed, it will be restarted automatically |
| Debug |
Refer to sk102329:
- Start debug:
fw debug in.geod on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.geod off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/geod.elg*
|
| URL Filtering Blade |
|
rad
|
Description |
Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications. |
| Path |
$FWDIR/bin/rad |
| Log file |
$FWDIR/log/rad.elg |
| Configuration file |
- $FWDIR/conf/rad_scheme.C
- $FWDIR/conf/rad_settings.C
- $FWDIR/database/rad_services.C
|
| Notes |
"cpwd_admin list" command shows the process as "RAD". |
| To Stop |
[Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart |
| Debug |
Refer to sk92743:
- Start debug:
rad_admin rad debug on all
- Replicate the issue.
- Stop debug:
rad_admin rad debug off ALL
- Analyze:
$FWDIR/log/rad.elg*
|
|
usrchkd
|
Description |
Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal. |
| Path |
$FWDIR/bin/usrchkd |
| Log file |
$FWDIR/log/usrchkd.elg |
| Configuration file |
- $FWDIR/conf/usrchkd.conf
- $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
- $FWDIR/conf/fwauthd.conf
|
| Notes |
- This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
- This daemon is spawned by the FWD daemon
|
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| To Restart |
[Expert@HostName]# killall usrchkd |
| Debug |
Note: It might also be required to collect the relevant kernel debug.
- Start debug:
usrchk debug set all all
- Verify:
usrchk debug stat
- Replicate the issue.
- Stop debug:
usrchk debug off
- Analyze:
$FWDIR/log/usrchkd.elg*
|
|
usrchk
|
Description |
The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly). |
| Path |
$FWDIR/bin/usrchk |
| Log file |
$FWDIR/log/usrchk.elg |
| Application Control Blade |
| rad |
Description |
Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications. |
| Path |
$FWDIR/bin/rad |
| Log file |
$FWDIR/log/rad.elg |
| Configuration file |
- $FWDIR/conf/rad_scheme.C
- $FWDIR/conf/rad_settings.C
- $FWDIR/database/rad_services.C
|
| Notes |
"cpwd_admin list" command shows the process as "RAD". |
| To Stop |
[Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart |
| Debug |
Refer to sk92743:
- Start debug:
rad_admin rad debug on all
- Replicate the issue.
- Stop debug:
rad_admin rad debug off ALL
- Analyze:
$FWDIR/log/rad.elg*
|
| Anti-Bot Blade |
|
in.acapd
|
Description |
Packet capturing daemon for SmartView Tracker logs. |
| Path |
$FWDIR/bin/fwssd |
| Log file |
$FWDIR/log/acapd.elg |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk108179:
- Start debug:
fw debug in.acapd on TDERROR_ALL_ALL=5
- Reload the in.acapd daemon's configuration:
kill -HUP $(pidof in.acapd)
- Replicate the issue
- Stop debug:
fw debug in.acapd off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/acapd.elg*
|
|
rad
|
Description |
Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database which identifies URLs as applications. |
| Path |
$FWDIR/bin/rad |
| Log file |
$FWDIR/log/rad.elg |
| Configuration file |
- $FWDIR/conf/rad_scheme.C
- $FWDIR/conf/rad_settings.C
- $FWDIR/database/rad_services.C
|
| Notes |
"cpwd_admin list" command shows the process as "RAD". |
| To Stop |
[Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart |
| Debug |
Refer to sk92264:
- Start debug:
rad_admin rad debug on all
- Replicate the issue.
- Stop debug:
rad_admin rad debug off ALL
- Analyze:
$FWDIR/log/rad.elg*
|
|
usrchkd
|
Description |
Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal. |
| Path |
$FWDIR/bin/usrchkd |
| Log file |
$FWDIR/log/usrchkd.elg |
| Configuration file |
- $FWDIR/conf/usrchkd.conf
- $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
- $FWDIR/conf/fwauthd.conf
|
| Notes |
- This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
- This daemon is spawned by the FWD daemon
|
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| To Restart |
[Expert@HostName]# killall usrchkd |
| Debug |
Note: It might also be required to collect the relevant kernel debug.
- Start debug:
usrchk debug set all all
- Verify:
usrchk debug stat
- Replicate the issue.
- Stop debug:
usrchk debug off
- Analyze:
$FWDIR/log/usrchkd.elg*
|
|
usrchk
|
Description |
The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly). |
| Path |
$FWDIR/bin/usrchk |
| Log file |
$FWDIR/log/usrchk.elg |
| Anti-Virus Blade |
|
in.acapd
|
Description |
Packet capturing daemon for SmartView Tracker logs. |
| Path |
$FWDIR/bin/fwssd |
| Log file |
$FWDIR/log/acapd.elg |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk108179:
- Start debug:
fw debug in.acapd on TDERROR_ALL_ALL=5
- Reload the in.acapd daemon's configuration:
kill -HUP $(pidof in.acapd)
- Replicate the issue
- Stop debug:
fw debug in.acapd off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/acapd.elg*
|
|
in.emaild.mta
|
Description |
E-Mail Security Server that receives e-mails sent by user and sends them to their destinations. |
| Path |
$FWDIR/bin/fwssd |
| Log file |
$FWDIR/log/emaild.mta.elg |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk60387:
- Start debug:
fw debug in.emaild.mta on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.emaild.mta off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/emaild.mta.elg*
|
|
in.emaild.smtp
|
Description |
SMTP Security Server that receives e-mails sent by user and sends them to their destinations. |
| Path |
$FWDIR/bin/fwssd |
| Log file |
$FWDIR/log/emaild.smtp.elg |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk60387:
- Start debug:
fw debug in.emaild.smtp on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.emaild.smtp off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/emaild.smtp.elg*
|
|
in.emaild.pop3
|
Description |
POP3 Security Server that receives e-mails sent by user. |
| Path |
$FWDIR/bin/fwssd |
| Log file |
$FWDIR/log/emaild.pop3.elg |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
- Start debug:
fw debug in.emaild.pop3 on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.emaild.pop3 off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/emaild.pop3.elg*
|
|
dlpu
|
Description |
DLP process - receives data from Check Point kernel. |
| Path |
$FWDIR/bin/dlpu |
| Log file |
$FWDIR/log/dlpu.elg |
| Notes |
"cpwd_admin list" command shows the process as "DLPU_<N>". |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk73660:
- Start debug:
fw debug dlpu on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug dlpu off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/dlpu.elg*
|
|
rad
|
Description |
Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database which identifies URLs as applications.
|
| Path |
$FWDIR/bin/rad |
| Log file |
$FWDIR/log/rad.elg |
| Configuration file |
- $FWDIR/conf/rad_scheme.C
- $FWDIR/conf/rad_settings.C
- $FWDIR/database/rad_services.C
|
| Note |
"cpwd_admin list" command shows the process as "RAD". |
| To Stop |
[Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart |
| Debug |
Refer to sk92264:
- Start debug:
rad_admin rad debug on all
- Replicate the issue.
- Stop debug:
rad_admin rad debug off ALL
- Analyze:
$FWDIR/log/rad.elg*
|
|
usrchkd
|
Description |
Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal. |
| Path |
$FWDIR/bin/usrchkd |
| Log file |
$FWDIR/log/usrchkd.elg |
| Configuration file |
- $FWDIR/conf/usrchkd.conf
- $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
- $FWDIR/conf/fwauthd.conf
|
| Notes |
- This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
- This daemon is spawned by the FWD daemon
|
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| To Restart |
[Expert@HostName]# killall usrchkd |
| Debug |
Note: It might also be required to collect the relevant kernel debug.
- Start debug:
usrchk debug set all all
- Verify:
usrchk debug stat
- Replicate the issue.
- Stop debug:
usrchk debug off
- Analyze:
$FWDIR/log/usrchkd.elg*
|
|
usrchk
|
Description |
The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly). |
| Path |
$FWDIR/bin/usrchk |
| Log file |
$FWDIR/log/usrchk.elg |
| Anti-Spam Blade |
|
in.emaild.smtp
|
Description |
SMTP Security Server that receives e-mails sent by user and sends them to their destinations. |
| Path |
$FWDIR/bin/fwssd |
| Log file |
$FWDIR/log/emaild.smtp.elg |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk60387:
- Start debug:
fw debug in.emaild.smtp on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.emaild.smtp off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/emaild.smtp.elg*
|
|
in.msd
|
Description |
Mail Security Daemon that queries the Commtouch engine for reputation. |
| Path |
$FWDIR/bin/fwssd |
| Log file |
$FWDIR/log/msd.elg |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk92264:
- Start debug:
fw debug in.msd on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.msd off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/msd.elg*
|
|
ctasd
|
Description |
Commtouch Anti-Spam daemon. |
| Path |
/opt/aspam_engine/ctipd/bin/ctasd |
| Configuration file |
/opt/aspam_engine/ctasd/conf/ctasd.conf |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
|
ctipd
|
Description |
Commtouch IP Reputation daemon. |
| Path |
/opt/aspam_engine/ctipd/bin/ctipd |
| Configuration file |
/opt/aspam_engine/ctipd/conf/ctipd.conf |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Monitoring Blade |
|
rtmd
|
Description |
Real Time traffic statistics. |
| Path |
$FWDIR/bin/rtm
%FWDIR%\bin\rtm |
| Log file |
$FWDIR/log/rtmd.elg
%FWDIR%\log\rtmd.elg |
| Notes |
"cpwd_admin list" command shows the process as "RTMD". |
| To Stop |
[Expert@HostName]# rtmstop |
| To Start |
[Expert@HostName]# rtmstart |
| Debug |
Refer to skI2821:
- Start debug:
rtm debug on TDERROR_ALL_ALL=5
rtm debug on OPSEC_DEBUG_LEVEL=3
- Replicate the issue
- Stop debug:
rtm debug off TDERROR_ALL_ALL=0
rtm debug off OPSEC_DEBUG_LEVEL=0
- Analyze:
$FWDIR/log/rtmd.elg*
|
|
cpstat_monitor
|
Description |
Process is responsible for collecting and sending information to SmartView Monitor. |
| Path |
$FWDIR/bin/cpstat_monitor
%FWDIR%\bin\cpstat_monitor |
| Log file |
$FWDIR/log/cpstat_monitor.elg
%FWDIR%\log\cpstat_monitor.elg |
| Notes |
- "cpwd_admin list" command shows the process as "CPSM".
- By default, does not run in the context of Domain Management Servers.
- By default, in MGMT HA runs only on "Active" Security Management Server.
|
| To Stop |
[Expert@HostName]# cpwd_admin stop -name CPSM |
| To Start |
[Expert@HostName]# cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor" |
| Debug |
Refer to sk108177 |
| HTTPS Inspection |
|
wstlsd
|
Description |
Handles SSL handshake for HTTPS Inspected connections. |
| Path |
$CPDIR/bin/wstlsd |
| Log file |
$FWDIR/log/wstlsd.elg |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
Refer to sk105559:
- Start debug:
for PROC in $(pidof wstlsd) ; do fw debug $PROC on TDERROR_ALL_ALL=6 ; done
- Replicate the issue (it is very important to collect the relevant traffic using both TCPDump tool and the FW Monitor).
- Stop debug:
for PROC in $(pidof wstlsd) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
- Analyze:
$FWDIR/log/wstlsd.elg*
|
|
pkxld
|
Description |
Performs asymmetric key operations for HTTPS Inspection (R77.30 and above) |
| Path |
$CPDIR/bin/pkxld |
| Log file |
none |
| Notes |
Refer to sk104717 |
| To Stop |
[Expert@HostName]# cpstop |
| To Start |
[Expert@HostName]# cpstart |
| Debug |
none |
| HTTP/HTTPS Proxy |
|
wsdnsd
|
Description |
DNS Resolver (in R77.30 and above) - activated when Security Gateway is configured as HTTP/HTTPS Proxy, and no next proxy is used. Process is started and stopped during policy installation. |
| Path |
$FWDIR/bin/wsdnsd
%FWDIR%\bin\wsdnsd |
| Log file |
$FWDIR/log/wsdnsd.elg |
| Notes |
"cpwd_admin list" command shows the process as "WSDNSD" |
| To Stop |
[Expert@HostName]# cpwd_admin stop -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "kill -SIGTERM $(pidof $FWDIR/bin/wsdnsd)" |
| To Start |
[Expert@HostName]# cpwd_admin start -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "wsdnsd" |
| Debug |
Refer to sk106443:
- Start debug:
fw debug wsdnsd on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug wsdnsd off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/wsdnsd.elg*
|
| Cluster |
|
cphamcset
|
Description |
Clustering daemon - responsible for opening sockets on the NICs in order to allow them to pass multicast traffic (CCP) to the machine. |
| Path |
$FWDIR/bin/cphamcset
%FWDIR%\bin\cphamcset |
| Log file |
$FWDIR/log/cphamcset.elg
%FWDIR%\log\cphamcset.elg |
| Notes |
|
| To Stop |
[Expert@HostName]# cphastop |
| To Start |
[Expert@HostName]# cphastart |
| Debug |
- Stop clustering:
cphastop
- Start under debug:
cphamcset -d
- Stop Check Point services:
cphastop
- Start clustering:
cphastart
|
|
cphaprob
|
Description |
Process that lists the state of cluster members, cluster interfaces and critical monitored components (pnotes). |
| Path |
$FWDIR/bin/cphaprob
%FWDIR%\bin\cphaprob |
| Configuration file |
$FWDIR/conf/cphaprob.conf
%FWDIR%\conf\cphaprob.conf |
| Notes |
Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaprob' command. |
| To Stop |
none |
| To Start |
none |
| Debug |
"cphaprob -D <command>" (e.g., "cphaprob -D state") |
|
cphaconf
|
Description |
Cluster configuration process - installs the cluster configuration into Check Point kernel on cluster members. |
| Path |
$FWDIR/bin/cphaconf
%FWDIR%\bin\cphaconf |
| Log file |
$FWDIR/log/cphaconf.elg
%FWDIR%\log\cphaconf.elg |
| Notes |
- Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaconf' command.
- Log file exist only in R77.20 and above
|
| To Stop |
none |
| To Start |
none |
| Debug |
Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaconf' command - 'cphaconf debug_data'. |
|
cphastart
|
Description |
Starts the cluster and state synchronization. |
| Path |
$FWDIR/bin/cphastart
%FWDIR%\bin\cphastart |
| Log file |
$FWDIR/log/cphastart.elg
%FWDIR%\log\cphastart.elg |
| Notes |
- Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphastart' and 'cphastop' commands.
- Log file exist only in R77.20 and above
|
| To Stop |
none |
| To Start |
none |
| Debug |
"cphastart -d" - refer to sk39842 |
|
cphastop
|
Description |
Stops the cluster and state synchronization. |
| Path |
$FWDIR/bin/cphastop
%FWDIR%\bin\cphastop |
| Notes |
Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphastart' and 'cphastop' commands. |
| To Stop |
none |
| To Start |
none |
| Debug |
Standard CSH script debugging (csh -x -v $FWDIR/bin/cphastop) |
| Acceleration |
|
sxl_statd
|
Description |
Allow acquiring statistics information from Host ppak and Falcon cards. |
| Path |
$FWDIR/bin/sxl_statd |
Log File
|
N/A |
| To Stop |
cpwd_admin stop -name SXL_STATD
|
| To Start |
Run on boot |
| Debug |
Cpwd_admin start -name SXL_STATD -path $FWDIR/bin/sxl_statd -command sxl_statd
|
