Support Center > Search Results > SecureKnowledge Details
Check Point Processes and Daemons Technical Level
Solution

 Table of Contents:

  • Gaia Processes and Daemons
  • Infrastructure Processes
  • Security Gateway Software Blades and Features
    • Firewall Blade
    • IPSec VPN Blade
    • Mobile Access Blade
    • Identity Awareness Blade
    • DLP Blade
    • Threat Emulation Blade
    • Threat Extraction Blade
    • Infinity Threat Prevention Blade
    • IPS Blade
    • URL Filtering Blade
    • Application Control Blade
    • Anti-Bot Blade
    • Anti-Virus Blade
    • Anti-Spam Blade
    • Monitoring Blade
    • HTTPS Inspection
    • HTTP/HTTPS Proxy
    • ClusterXL
    • Acceleration
    • CoreXL
  • Security Management Software Blades and Features
    • Network Policy Management Blade
    • Endpoint Policy Management Blade
    • Monitoring Blade
    • Provisioning Blade
    • SmartReporter Blade
    • SmartEvent Blade
    • Logging & Status Blade
    • Management Portal
    • SmartLog
    • Internal CA
    • Compliance Blade
    • SofaWare Management Server
    • OPSEC LEA
  • 600 / 700 / 900 / 1100 / 1200R / 1400 / 1500 appliances
  • Additional Processes
  • Related solutions

 

Gaia Processes and Daemons

All Gaia processes and daemons run by default, other than snmpd and dhcpd.

Enter the string you are searching for in this table:

Daemon Child daemon Section Description / Paths / Notes / Stop and Start Commands / Debug

pm

 - Description Gaia OS Process Manager (/bin/pm). Controls other processes and daemons.
Path /bin/pm
Log file /var/log/messages
To Stop none
To Start none

confd

 Description Database and configuration.
Path /bin/confd
Important Note

Maintenance window is required to restart this daemon:

  • When confd daemon is starting, by design, it restarts any currently running routed daemons (by sending a TERM signal). It is done to avoid possible issues in Gaia Clish (e.g., returning invalid results for routing-related commands like "show route").
  • Since routed daemon is responsible for all the routing in Gaia OS, short traffic outage will occur while routed daemon is being restarted.
  • Since routed daemon is a Critical Device in Check Point cluster (since R76), cluster fail-over might occur while routed daemon is being restarted (refer to sk92878).
Log file /var/log/messages
To Stop [Expert@HostName]# tellpm process:confd
To Start [Expert@HostName]# tellpm process:confd t

searchd

 Description Search indexing daemon.
Log file /var/log/messages
Path /bin/searchd
To Stop [Expert@HostName]# tellpm process:searchd
To Start [Expert@HostName]# tellpm process:searchd t

clishd

 Description Gaia Clish CLI interface process - general information for all Clish sessions.
Path /bin/clishd
Log file /var/log/messages
To Stop [Expert@HostName]# tellpm process:clishd
To Start [Expert@HostName]# tellpm process:clishd t

clish

 Description Gaia Clish CLI interface process - Clish process per session.
Path /bin/clish
Log file /var/log/messages
To Stop [Expert@HostName]# tellpm process:clish
To Start [Expert@HostName]# tellpm process:clish t
Debug Refer to sk106938

routed

 Description Routing daemon.
Path /bin/routed
Important Note

Maintenance window is required to restart this daemon:

  • Since routed daemon is responsible for all the routing in Gaia OS, short traffic outage will occur while routed daemon is being restarted.
  • Since routed daemon is a Critical Device in Check Point cluster (since R76), cluster fail-over might occur while routed daemon is being restarted (refer to sk92878).
Log file /var/log/routed.log
/var/log/routed_messages 
Configuration file /etc/routed.conf
To Stop [Expert@HostName]# tellpm process:routed
To Start [Expert@HostName]# tellpm process:routed t
Debug Refer to sk84520, sk101399, sk92598

httpd2

 Description Web server daemon (Gaia Portal).
Path /web/cpshared/web/Apache/2.2.0/bin/httpd2
Log file /var/log/httpd2_error_log
/var/log/httpd2_access_log
Configuration file /web/conf/httpd2.conf
To Stop [Expert@HostName]# tellpm process:httpd2
To Start [Expert@HostName]# tellpm process:httpd2 t
Debug Refer to sk84561

monitord

 Description Hardware monitoring daemon.
Path /bin/monitord
Log file /var/log/messages
To Stop [Expert@HostName]# tellpm process:monitord
To Start [Expert@HostName]# tellpm process:monitord t

rconfd

 Description Provisioning daemon.
Path /bin/rconfd
Log file /var/log/messages
To Stop [Expert@HostName]# tellpm process:rconfd
To Start [Expert@HostName]# tellpm process:rconfd t

cloningd

 Description Cloning Groups daemon.
Path /bin/cloningd
Log file /var/log/messages
To Stop [Expert@HostName]# tellpm process:cloningd
To Start [Expert@HostName]# tellpm process:cloningd t

dhcpd

 Description DHCP server daemon.
Path /usr/sbin/dhcpd
Log file /var/log/messages
Configuration file /etc/dhcpd.conf
To Stop HostName> set dhcp server disable
or
In Gaia Portal - "Network Management" section - "DHCP Server" pane
To Start HostName> set dhcp server enable
or
In Gaia Portal - "Network Management" section - "DHCP Server" pane

snmpd

 Description SNMP (Linux) daemon.
Path /usr/sbin/snmpd
Log file /var/log/messages
Configuration file /etc/snmp/snmpd.conf
To Stop HostName> set snmp agent off
or
In Gaia Portal - "System Management" section - "SNMP" pane
To Start HostName> set snmp agent on
or
In Gaia Portal - "System Management" section - "SNMP" pane
Debug Refer to sk56783

xpand

 - Description Configuration daemon that processes and validates all user configuration requests, updates the system configuration database, and calls other utilities to carry out the request.
Path /bin/confd
Log file /var/log/messages
To Stop none
To Start none

sshd

 - Description SSH daemon.
Path /usr/sbin/sshd
Log file /var/log/secure
/var/log/auth/
/var/log/messages
Configuration file /etc/ssh/sshd_config
To Stop [Expert@HostName]# service sshd stop
To Start [Expert@HostName]# service sshd start
Debug
  1. Edit the /etc/ssh/sshd_config file:
    1. Change the "LogLevel" line:
      from:
      #LogLevel INFO
      to:
      LogLevel DEBUG3
    2. Save the changes in this file
  2. Start SSHD under debug to run in background (copy the PID):
    /usr/sbin/sshd -ddd 1>> /var/log/sshd.debug.txt 2>> /var/log/sshd.debug.txt &
  3. Replicate the issue (connect over SSH).
  4. Stop the SSHD:
    kill -TERM <PID>
    kill -KILL <PID>
  5. Revert the /etc/ssh/sshd_config file
  6. Analyze the /var/log/sshd.debug.txt file

syslogd

 - Description Syslog (Linux) daemon.
Path /sbin/syslogd
Log file /var/log/messages
/var/log/dmesg
Configuration file /etc/syslog.conf
/var/run/syslog.conf
To Stop [Expert@HostName]# service syslog stop
To Start [Expert@HostName]# service syslog start
Debug Refer to sk108421

DAService

 - Description Check Point Upgrade Service Engine (CPUSE) - former 'Gaia Software Updates' service (refer to sk92449).
Path $DADIR/bin/DAService
Log file /opt/CPInstLog/DeploymentAgent.log
/opt/CPInstLog/DA_UI.log
Notes "cpwd_admin list" command shows the process as "DASERVICE"
(command is "$DADIR/bin/DAService_script" - this is a watchdog script that starts the $DADIR/bin/DAService if it is not running).
To Stop
  1. [Expert@HostName]# $DADIR/bin/dastop
  2. [Expert@HostName]# dbget installer:stop
To Start
  1. [Expert@HostName]# $DADIR/bin/dastart
  2. [Expert@HostName]# dbget installer:start
Debug

Refer to sk92449:

  1. Create the configuration file:
    touch $DADIR/bin/DAconf
  2. Add the following line (case-sensitive; spaces are not allowed):
    PING_TRACE=1
  3. Save the changes
  4. Re-load the new configuration:
    DAClient conf
  5. As soon as possible:
    1. Replicate the issue
    2. Delete the $DADIR/bin/DAconf file
    3. Re-load the configuration with DAClient conf command
  6. Analyze:
    /opt/CPInstLog/DeploymentAgent.log

Note: Other Gaia OS daemons can be stopped in Expert mode, but it is not recommended.

 

Infrastructure Processes

Enter the string you are searching for in this table:

Daemon Section Description / Paths / Notes / Stop and Start Commands / Debug

cpwd

 Description WatchDog is a process that launches and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail.
Among the processes monitored by Watchdog are cpd, fwd and fwm.
Watchdog is controlled by the cpwd_admin utility.
To learn how to start and stop various daemons, run cpwd_admin command.
Path $CPDIR/bin/cpwd
%CPDIR%\bin\cpwd
Log file $CPDIR/log/cpwd.elg
%CPDIR%\log\cpwd.elg
To Stop [Expert@HostName]# cpwd_admin kill
or
[Expert@HostName]# cpstop
To Start [Expert@HostName]# $CPDIR/bin/cpwd >& /dev/null
or
[Expert@HostName]# cpstart
Debug none

cpd

 Description
  • Port 18191 - Generic process (add-ons container) for many Check Point services, such as installing and fetching policy, and online updates
  • Port 18211 - SIC push certificate (from Internal CA)
Path $CPDIR/bin/cpd
%CPDIR%\bin\cpd
Log file $CPDIR/log/cpd.elg
%CPDIR%\log\cpd.elg
Notes "cpwd_admin list" command shows the process as "CPD".
To Stop

  • MGMT / Gateway mode:

    [Expert@HostName]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
    or
    [Expert@HostName]# cpstop

  • VSX mode:

    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin stop -name CPD -ctx <VSID> -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop" -env inherit
    or
    [Expert@HostName:0]# cpstop
To Start

  • MGMT / Gateway mode:

    [Expert@HostName]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
    or
    [Expert@HostName]# cpstart

  • VSX mode:

    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin start -name CPD -ctx <VSID> -path "$CPDIR/bin/cpd" -command "cpd" -env inherit
    or
    [Expert@HostName:0]# cpstart
Debug "cpd_admin debug" - refer to sk86320

fwd

 Description
  • Logging
  • Spawning child processes (e.g., vpnd)
Path $FWDIR/bin/fwd
%FWDIR%\bin\fwd
Log file $FWDIR/log/fwd.elg
%FWDIR%\log\fwd.elg
Notes
  • "cpwd_admin list" command shows the process as "FWD".
  • "top" / "ps" commands might also show "fw" process and/or "fw_full" process, which are just wrappers for the "fwd" process.
To Stop

  • MGMT / Gateway mode:

    [Expert@HostName]# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
    or
    [Expert@HostName]# cpstop

  • VSX mode:

    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin stop -name FWD -ctx <VSID> -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit
    or
    [Expert@HostName:0]# cpstop
To Start

  • MGMT / Gateway mode:

    [Expert@HostName]# cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"
    or
    [Expert@HostName]# cpstart

  • VSX mode:

    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin start -name FWD -ctx <VSID> -path "$FWDIR/bin/fwd" -command "fwd" -env inherit
    or
    [Expert@HostName:0]# cpstart
Debug Refer to sk86321
  1. Start debug:
    fw debug fwd on TDERROR_ALL_ALL=5
    fw debug fwd on OPSEC_DEBUG_LEVEL=3
  2. Replicate the issue
  3. Stop debug:
    fw debug fwd off TDERROR_ALL_ALL=0
    fw debug fwd off OPSEC_DEBUG_LEVEL=0
  4. Analyze:
    $FWDIR/log/fwd.elg*

cprid

 Description Check Point Remote Installation Daemon - distribution of packages from SmartUpdate to managed Gateways.
Path $CPDIR/bin/cprid
%CPDIR%\bin\cprid
Log file $CPDIR/log/cprid.elg
%CPDIR%\log\cprid.elg
To Stop [Expert@HostName]# $CPDIR/bin/cpridstop
To Start [Expert@HostName]# $CPDIR/bin/cpridstart
Debug Refer to sk41793

cprid_wd

 Description WatchDog for Check Point Remote Installation Daemon "cprid".
Path $CPDIR/bin/cprid_wd
%CPDIR%\bin\cprid_wd
Log file $CPDIR/log/cprid_wd.elg
To Stop [Expert@HostName]# $CPDIR/bin/cpridstop
To Start [Expert@HostName]# $CPDIR/bin/cpridstart
Debug Standard CSH script debugging (csh -x -v $CPDIR/bin/cprid_wd)

kissd

 Description KISS – used for kernel memory management.
Path  None – created by kernel code (drv_init)
Log file N/A
To Stop N/A
To Start N/A
Debug N/A

 

Security Gateway Software Blades and Features

Note: In CoreXL environments, enabling debug for dlpu, fwdlp and cp_file_convert, using fw debug dlpu on TDERROR_ALL_ALL=5 may not work.

The error "user defined signal 1" (or similar) may be printed.

Use the following syntax.

To enable:
for PROC in $(pidof dlpu) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done

To disable:
for PROC in $(pidof dlpu) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done

In addition, in cp_file_convert the location of the log file changed to: /var/log/jail/$FWDIR/log/cp_file_convertd.elg* since R80.10.

 

Enter the string you are searching for in this table:

Daemon Section Description / Paths / Notes / Stop and Start Commands / Debug
Firewall Blade

fwd

 Description
  • Logging
  • Spawning child processes (e.g., vpnd)
Path $FWDIR/bin/fwd
%FWDIR%\bin\fwd
Log file $FWDIR/log/fwd.elg
%FWDIR%\log\fwd.elg
Notes
  • "cpwd_admin list" command shows the process as "FWD".
  • "top" / "ps" commands might also show "fw" process and/or "fw_full" process, which are just wrappers for the "fwd" process.
To Stop

  • Gateway mode:

    [Expert@HostName]# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
    or
    [Expert@HostName]# cpstop

  • VSX mode:

    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin stop -name FWD -ctx <VSID> -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit
    or
    [Expert@HostName:0]# cpstop
To Start

  • Gateway mode:

    [Expert@HostName]# cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"
    or
    [Expert@HostName]# cpstart

  • VSX mode:

    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin start -name FWD -ctx <VSID> -path "$FWDIR/bin/fwd" -command "fwd" -env inherit
    or
    [Expert@HostName:0]# cpstart
Debug Refer to sk86321
  1. Start debug:
    fw debug fwd on TDERROR_ALL_ALL=5
    fw debug fwd on OPSEC_DEBUG_LEVEL=3
  2. Replicate the issue
  3. Stop debug:
    fw debug fwd off TDERROR_ALL_ALL=0
    fw debug fwd off OPSEC_DEBUG_LEVEL=0
  4. Analyze:
    $FWDIR/log/fwd.elg*
IPSec VPN Blade

vpnd

 Description
  • IKE (UDP/TCP)
  • NAT-T
  • Tunnel Test
  • Reliable Datagram Protocol (RDP)
  • Topology Update for SecureClient
  • SSL Network Extender (SNX)
  • SSL Network Extender (SNX) Portal
  • Remote Access Client configuration
  • Visitor Mode
  • L2TP
Path $FWDIR/bin/vpn
%FWDIR%\bin\vpn
Log file $FWDIR/log/vpnd.elg
%FWDIR%\log\vpnd.elg
Notes This process is not monitored by Check Point WatchDog.
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug Refer to sk89940
Mobile Access Blade

cvpnd

 Description Back-end daemon of the Mobile Access Software Blade.
Path $CVPNDIR/bin/cvpnd
Log file $CVPNDIR/log/cvpnd.elg
Configuration file $CVPNDIR/conf/cvpnd.C
Notes "cpwd_admin list" command shows the process as "CVPND".
To Stop [Expert@HostName]# cvpnstop
To Start [Expert@HostName]# cvpnstart
Debug "cvpnd_admin debug" - refer to sk104577, sk99053

dbwriter

 Description Offload database commands from cvpnd (to prevent locks) and synchronize with other members.
Path $CVPNDIR/bin/dbwriter
Log file $CVPNDIR/log/dbwriter.elg
Configuration file $CVPNDIR/conf/dbwriter.C
Notes "cpwd_admin list" command shows the process as "DBWRITER".
To Stop [Expert@HostName]# cvpnstop
To Start [Expert@HostName]# cvpnstart

cvpnproc

 Description Offload blocking commands from cvpnd (to prevent locks). Example: sending DynamicID.
Path $CVPNDIR/bin/cvpnproc
Log file $CVPNDIR/log/cvpnproc.elg
Configuration file $CVPNDIR/conf/cvpnproc.C
Notes "cpwd_admin list" command shows the process as "CVPNPROC".
To Stop [Expert@HostName]# cvpnstop
To Start [Expert@HostName]# cvpnstart
Debug Refer to sk104577
  1. Stop Mobile Access:
    cvpnstop
  2. Verify that cvpnproc process is not running:
    ps aux | grep cvpnproc
  3. If the cvpnproc process is still running, then kill it:
    kill -KILL $(pidof cvpnproc)
  4. Start cvpnproc process under debug to run in background (by running these 2 commands):
    export TDERROR_ALL_ALL=5
    $CVPNDIR/bin/cvpnproc $CVPNDIR/log/cvpnproc.elg $CVPNDIR/conf/cvpnproc.C &
  5. Start Mobile Access:
    cvpnstart
  6. Replicate the issue
  7. Stop debug:
    unset TDERROR_ALL_ALL
  8. Stop Mobile Access:
    cvpnstop
  9. Kill cvpnproc process:
    kill -TERM $(pidof cvpnproc)
    kill -KILL $(pidof cvpnproc)
  10. Start Mobile Access:
    cvpnstart
  11. Analyze:
    $CVPNDIR/log/cvpnproc.elg*

MoveFileServer

 Description Move files between cluster members in order to perform database synchronization.
Path $CVPNDIR/bin/MoveFileServer
Log file $CVPNDIR/log/MFServer.log
Configuration file $CVPNDIR/conf/mfserver.C
Notes "cpwd_admin list" command shows the process as "MOVEFILESERVER", or as "MFSERVER" (from R77.30).
To Stop [Expert@HostName]# cvpnstop
To Start [Expert@HostName]# cvpnstart

MoveFileDemuxer

 Description Related to MoveFileServer process (moving files between cluster members in order to perform database synchronization).
Path $CVPNDIR/bin/MoveFileDemuxer
Log file $CVPNDIR/log/MFDemux.log
Configuration file $CVPNDIR/conf/mfdemuxer.C
Notes "cpwd_admin list" command shows the process as "MOVEFILEDEMUXER", or as "MFDEMUXER" (from R77.30).
To Stop [Expert@HostName]# cvpnstop
To Start [Expert@HostName]# cvpnstart

Pinger

 Description Reduce the number of httpd processes performing ActiveSync.
Path $CVPNDIR/bin/Pinger
Log file $CVPNDIR/log/Pinger.log
Configuration file $CVPNDIR/conf/Pinger.C
Notes "cpwd_admin list" command shows the process as "PINGER".
To Stop [Expert@HostName]# cvpnstop
To Start [Expert@HostName]# cvpnstart
Debug Refer to sk104577
  1. Verify that Pinger process is running:
    ps aux | grep Pinger
  2. Enable debug for relevant users:
    PingerAdmin debug users <user1>,<user2>,<user3>
  3. Set the debug level:
    PingerAdmin debug set TDERROR_ALL_Pinger=3
    or
    PingerAdmin debug set TDERROR_ALL_ALL=5
  4. Set the debug type:
    PingerAdmin debug type All
  5. Delete all files from $CVPNDIR/log/trace_log/ directory:
    Note: Do NOT delete the directory itself!
    cd $CVPNDIR/log/trace_log/
    rm -i *
  6. Enable trace log:
    Warning: This might print passwords to local files!
    PingerAdmin debug trace on
  7. Start debug:
    PingerAdmin debug on
  8. Replicate the issue
  9. Stop debug:
    PingerAdmin debug off
  10. Disable trace log:
    PingerAdmin debug trace off
  11. Reset the debug:
    PingerAdmin debug reset
  12. Analyze:
    $CVPNDIR/log/Pinger.log*

CvpnUMD

 Description Report SNMP connected users to AMON.
Path $CVPNDIR/bin/CvpnUMD
Log file $CVPNDIR/log/CvpnUMD.log
Notes "cpwd_admin list" command shows the process as "CVPNUMD".
To Stop [Expert@HostName]# cvpnstop
To Start [Expert@HostName]# cvpnstart

httpd

 Description Front-end daemon of the Mobile Access Software Blade (multi-processes).
Path $CPDIR/web/Apache/2.2.0/bin/httpd
Log file $CVPNDIR/log/httpd.log
Configuration file $CVPNDIR/conf/httpd.conf
To Stop [Expert@HostName]# cvpnstop
To Start [Expert@HostName]# cvpnstart
Debug Refer to sk104577, sk99053

fwpushd

 Description Mobile Access Push Notifications daemon that is controlled by "fwpush" command. It is a child of fwd daemon (from R77.10).
Path $FWDIR/bin/fwpushd
Log file $FWDIR/log/fwpushd.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug
  1. Enable debug:
    fwpush debug on
  2. Set the debug options:
    fwpush debug set all all
  3. Check the debug state:
    fwpush debug stat
  4. Replicate the issue
  5. Reset the debug options:
    fwpush debug reset
  6. Disable debug:
    fwpush debug off
  7. Check the debug state:
    fwpush debug stat
  8. Analyze:
    $FWDIR/log/fwpushd.elg*

postgres

 Description PostgreSQL server. Used by Remote Access Session Visibility and Management Utility.
Path $CPDIR/database/postgresql/bin/postgres
Configuration file /var/log$FWDIR/datadir/postgres/sessions/postgresql.conf
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug "su cp_postgres -c "$CPDIR/database/postgresql/bin/pg_ctl -D $RTDIR/events_db/data start"; also refer to sk93970
Identity Awareness Blade

pepd

 Description

Policy Enforcement Point daemon:

  • Receiving identities via identity sharing
  • Redirecting users to Captive Portal
Path $FWDIR/bin/pep
Log file $FWDIR/log/pepd.elg
Notes "cpwd_admin list" command shows the process as "PEPD".
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug "pep debug" - refer to Identity Awareness Administration Guide (R77)

pdpd

 Description

Policy Decision Point daemon:

  • Acquiring identities from identity sources
  • Sharing identities with another gateways
Path $FWDIR/bin/pdpd
Log file $FWDIR/log/pdpd.elg
Notes "cpwd_admin list" command shows the process as "PDPD".
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug "pdp debug" - refer to Identity Awareness Administration Guide (R77)
DLP Blade

fwdlp

 Description DLP core engine that performs the scanning / inspection.
Path $FWDIR/bin/fwdlp
Log file $FWDIR/log/fwdlp.elg
$DLPDIR/log/dlpe.log (refer to sk60387)
$DLPDIR/log/dlpe_msg.log (refer to sk73660)
$DLPDIR/log/dlpe_files_error.log
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk73660, sk60388:

  1. Start debug:
    fw debug fwdlp on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug fwdlp off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/fwdlp.elg*

cp_file_convert

 Description Used to convert various file formats to simple textual format for scanning by the DLP engine.
Path $FWDIR/bin/cp_file_convert
Log file $FWDIR/log/cp_file_convertd.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk73660:

  1. Start debug:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
  2. Replicate the issue
  3. Stop debug:
    fw debug cp_file_convert off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/cp_file_convertd.elg*

dlp_fingerprint

 Description Used to identify the data according to a unique signature known as a fingerprint stored in your repository.
Path $FWDIR/bin/dlp_fingerprint
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart

cserver

 Description Check Server that either stops or processes the e-mail.
Path $FWDIR/bin/cserver
Log file $FWDIR/log/cserver.elg
Notes "cpwd_admin list" command shows the process as "DLP_WS".
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk73660:

  1. Start debug:
    fw debug cserver on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug cserver off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/cserver.elg*

dlpu

 Description Receives data from Check Point kernel.
Path $FWDIR/bin/dlpu
Log file $FWDIR/log/dlpu.elg
Notes "cpwd_admin list" command shows the process as "DLPU_<N>".
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk73660:

  1. Start debug:
    fw debug dlpu on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug dlpu off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/dlpu.elg*

fwucd

 Description UserCheck back-end daemon that sends approval / disapproval requests to user.
Path $FWDIR/bin/fwucd
Log file $FWDIR/log/fwucd.elg
Notes "cpwd_admin list" command shows the process as "FWUCD".
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk73660, sk60388:

  1. Start debug:
    fw debug fwucd on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug fwucd off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/fwucd.elg*

usrchkd

 Description Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
Path $FWDIR/bin/usrchkd
Log file $FWDIR/log/usrchkd.elg
Configuration file
  • $FWDIR/conf/usrchkd.conf
  • $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  • $FWDIR/conf/fwauthd.conf
Notes
  • This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  • This daemon is spawned by the FWD daemon
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
To Restart [Expert@HostName]# killall usrchkd
Debug

Note: It might also be required to collect the relevant kernel debug.

  1. Start debug:
    usrchk debug set all all
  2. Verify:
    usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
    usrchk debug off
  5. Analyze:
    $FWDIR/log/usrchkd.elg*

usrchk

 Description The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path $FWDIR/bin/usrchk
Log file $FWDIR/log/usrchk.elg
Threat Emulation Blade

ted

 Description Threat Emulation daemon engine - responsible for emulating files and communication with the cloud.
Path $FWDIR/teCurrentPack/temain
Log file $FWDIR/log/ted.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug "tecli debug" - refer to Threat Prevention Administration Guide (R76, R77)

dlpu

 Description DLP process - receives data from Check Point kernel.
Path $FWDIR/bin/dlpu
Log file $FWDIR/log/dlpu.elg
Notes "cpwd_admin list" command shows the process as "DLPU_<N>".
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk73660:

  1. Start debug:
    fw debug dlpu on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug dlpu off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/dlpu.elg*

usrchkd

 Description Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
Path $FWDIR/bin/usrchkd
Log file $FWDIR/log/usrchkd.elg
Configuration file
  • $FWDIR/conf/usrchkd.conf
  • $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  • $FWDIR/conf/fwauthd.conf
Notes
  • This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  • This daemon is spawned by the FWD daemon
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
To Restart [Expert@HostName]# killall usrchkd
Debug

Note: It might also be required to collect the relevant kernel debug.

  1. Start debug:
    usrchk debug set all all
  2. Verify:
    usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
    usrchk debug off
  5. Analyze:
    $FWDIR/log/usrchkd.elg*

usrchk

 Description The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path $FWDIR/bin/usrchk
Log file $FWDIR/log/usrchk.elg

scanengine_b

 Description Third party engine.
Path $FWDIR/teCurrentPack/scanengine_b
Log file $FWDIR/log/bdadvisor.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug None

scanengine_k

 Description Third party engine.
Path $FWDIR/teCurrentPack/scanengine_k
Log file $FWDIR/log/kavadvisor.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug None

scanengine_s

 Description Third party engine.
Path $FWDIR/teCurrentPack/scanengine_s
Log file $FWDIR/log/sopadvisor.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug None
Threat Extraction Blade

scrub

 Description Main CLI process for Threat Extraction.
Path $FWDIR/bin/scrub
Log file $FWDIR/log/scrubd.elg
/var/log/scrub/scrubd_messages
$CPDIR/log/scrub_plg.log
Configuration file $FWDIR/conf/scrub_debug.conf
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug
  1. Start Threat Extraction debug:
    scrub debug on
    scrub debug set all all
  2. Verify Threat Extraction debug is enabled:
    scrub debug stat
  3. Start debug of cp_file_convert daemon:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
  4. Replicate the issue
  5. Stop debug of cp_file_convert daemon:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
  6. Stop Threat Extraction debug:
    scrub debug off
    scrub debug reset
  7. Verify Threat Extraction debug is disabled:
    scrub debug stat
  8. Analyze:
    $FWDIR/log/scrubd.elg*
    /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg

scrubd

 Description Main Threat Extraction daemon.
Path $FWDIR/bin/scrubd
Log file $FWDIR/log/scrubd.elg
/var/log/scrub/scrubd_messages
$CPDIR/log/scrub_plg.log
Configuration file $FWDIR/conf/scrub_debug.conf
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug
  1. Start Threat Extraction debug:
    scrub debug on
    scrub debug set all all
  2. Verify Threat Extraction debug is enabled:
    scrub debug stat
  3. Start debug of cp_file_convert daemon:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
  4. Replicate the issue
  5. Stop debug of cp_file_convert daemon:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
  6. Stop Threat Extraction debug:
    scrub debug off
    scrub debug reset
  7. Verify Threat Extraction debug is disabled:
    scrub debug stat
  8. Analyze:
    $FWDIR/log/scrubd.elg*
    /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg

scrub_cp_file_convertd

 Description Used to convert various file formats to simple textual format for scanning by the DLP engine.
Path $FWDIR/bin/cp_file_convert
Log file /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg
$FWDIR/log/cp_file_convert_start.log
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug
  1. Start debug:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
  2. Replicate the issue
  3. Stop debug:
    for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
  4. Analyze:
    /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg*

in.emaild.mta

 Description E-Mail Security Server that receives e-mails sent by user and sends them to their destinations.
Path $FWDIR/bin/fwssd
Log file $FWDIR/log/emaild.mta.elg
/var/log/scrub/in.emaild.mta_messages
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk60387:

  1. Start debug:
    fw debug in.emaild.mta on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.emaild.mta off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/emaild.mta.elg*

usrchkd

 Description Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
Path $FWDIR/bin/usrchkd
Log file $FWDIR/log/usrchkd.elg
Configuration file
  • $FWDIR/conf/usrchkd.conf
  • $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  • $FWDIR/conf/fwauthd.conf
Notes
  • This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  • This daemon is spawned by the FWD daemon
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
To Restart [Expert@HostName]# killall usrchkd
Debug

Note: It might also be required to collect the relevant kernel debug.

  1. Start debug:
    usrchk debug set all all
  2. Verify:
    usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
    usrchk debug off
  5. Analyze:
    $FWDIR/log/usrchkd.elg*

usrchk

 Description The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path $FWDIR/bin/usrchk
Log file $FWDIR/log/usrchk.elg
Infinity Threat Prevention Blade

tp_conf_service
(starting R80.40)

 Description Updatable configuration service for Threat Prevention blades, when using Infinity Threat Prevention.
Path $FWDIR/bin/tp_conf_service
Notes cpwd_admin list command shows the process as "TP_CONF_SERVICE"
Log file $FWDIR/log/tp_conf.log
To Stop cpstop
To Start cpstart
Configuration file $FWDIR/conf/tp_conf.json
Debug cpwd_admin stop -name TP_CONF_SERVICE

cpwd_admin start -name TP_CONF_SERVICE -path $FWDIR/bin/tp_conf_service -command "tp_conf_service --conf=tp_conf.json --log=info"

TPD
(starting R80.40)

 Description Threat Prevention Daemon - Communicate with kernel and deal with Usermode tasks.
Path $FWDIR/bin/tpd
Log file $FWDIR/log/tpd.elg
To Stop cpstop
To Start cpstart
Debug fw debug tpd on TDERROR_ALL_ALL=5
IPS Blade

in.geod

 Description Updates the IPS Geo Protection Database.
Path $FWDIR/bin/fwssd
%FWDIR%\bin\fwssd
Log file $FWDIR/log/geod.elg
%FWDIR%\log\geod.elg
To Stop [Expert@HostName]# kill -KILL $(pidof in.geod)
To Start After being killed, it will be restarted automatically
Debug

Refer to sk102329:

  1. Start debug:
    fw debug in.geod on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.geod off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/geod.elg*
URL Filtering Blade

rad

 Description Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications.
Path $FWDIR/bin/rad
Log file $FWDIR/log/rad.elg
Configuration file
  • $FWDIR/conf/rad_scheme.C
  • $FWDIR/conf/rad_settings.C
  • $FWDIR/database/rad_services.C
Notes "cpwd_admin list" command shows the process as "RAD".
To Stop [Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop
To Start [Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart
Debug

Refer to sk92743:

  1. Start debug:
    rad_admin rad debug on all
  2. Replicate the issue.
  3. Stop debug:
    rad_admin rad debug off ALL
  4. Analyze:
    $FWDIR/log/rad.elg*

usrchkd

 Description Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
Path $FWDIR/bin/usrchkd
Log file $FWDIR/log/usrchkd.elg
Configuration file
  • $FWDIR/conf/usrchkd.conf
  • $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  • $FWDIR/conf/fwauthd.conf
Notes
  • This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  • This daemon is spawned by the FWD daemon
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
To Restart [Expert@HostName]# killall usrchkd
Debug

Note: It might also be required to collect the relevant kernel debug.

  1. Start debug:
    usrchk debug set all all
  2. Verify:
    usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
    usrchk debug off
  5. Analyze:
    $FWDIR/log/usrchkd.elg*

usrchk

 Description The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path $FWDIR/bin/usrchk
Log file $FWDIR/log/usrchk.elg
Application Control Blade
rad Description Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications.
Path $FWDIR/bin/rad
Log file $FWDIR/log/rad.elg
Configuration file
  • $FWDIR/conf/rad_scheme.C
  • $FWDIR/conf/rad_settings.C
  • $FWDIR/database/rad_services.C
Notes "cpwd_admin list" command shows the process as "RAD".
To Stop [Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop
To Start [Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart
Debug

Refer to sk92743:

  1. Start debug:
    rad_admin rad debug on all
  2. Replicate the issue.
  3. Stop debug:
    rad_admin rad debug off ALL
  4. Analyze:
    $FWDIR/log/rad.elg*
Anti-Bot Blade

in.acapd

 Description Packet capturing daemon for SmartView Tracker logs.
Path $FWDIR/bin/fwssd
Log file $FWDIR/log/acapd.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk108179:

  1. Start debug:
    fw debug in.acapd on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.acapd off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/acapd.elg*

rad

 Description Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database which identifies URLs as applications.
Path $FWDIR/bin/rad
Log file $FWDIR/log/rad.elg
Configuration file
  • $FWDIR/conf/rad_scheme.C
  • $FWDIR/conf/rad_settings.C
  • $FWDIR/database/rad_services.C
Notes "cpwd_admin list" command shows the process as "RAD".
To Stop [Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop
To Start [Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart
Debug

Refer to sk92264:

  1. Start debug:
    rad_admin rad debug on all
  2. Replicate the issue.
  3. Stop debug:
    rad_admin rad debug off ALL
  4. Analyze:
    $FWDIR/log/rad.elg*

usrchkd

 Description Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
Path $FWDIR/bin/usrchkd
Log file $FWDIR/log/usrchkd.elg
Configuration file
  • $FWDIR/conf/usrchkd.conf
  • $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  • $FWDIR/conf/fwauthd.conf
Notes
  • This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  • This daemon is spawned by the FWD daemon
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
To Restart [Expert@HostName]# killall usrchkd
Debug

Note: It might also be required to collect the relevant kernel debug.

  1. Start debug:
    usrchk debug set all all
  2. Verify:
    usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
    usrchk debug off
  5. Analyze:
    $FWDIR/log/usrchkd.elg*

usrchk

 Description The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path $FWDIR/bin/usrchk
Log file $FWDIR/log/usrchk.elg
Anti-Virus Blade

in.acapd

 Description Packet capturing daemon for SmartView Tracker logs.
Path $FWDIR/bin/fwssd
Log file $FWDIR/log/acapd.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk108179:

  1. Start debug:
    fw debug in.acapd on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.acapd off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/acapd.elg*

in.emaild.mta

 Description E-Mail Security Server that receives e-mails sent by user and sends them to their destinations.
Path $FWDIR/bin/fwssd
Log file $FWDIR/log/emaild.mta.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk60387:

  1. Start debug:
    fw debug in.emaild.mta on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.emaild.mta off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/emaild.mta.elg*

in.emaild.smtp

 Description SMTP Security Server that receives e-mails sent by user and sends them to their destinations.
Path $FWDIR/bin/fwssd
Log file $FWDIR/log/emaild.smtp.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk60387:

  1. Start debug:
    fw debug in.emaild.smtp on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.emaild.smtp off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/emaild.smtp.elg*

in.emaild.pop3

 Description POP3 Security Server that receives e-mails sent by user.
Path $FWDIR/bin/fwssd
Log file $FWDIR/log/emaild.pop3.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug
  1. Start debug:
    fw debug in.emaild.pop3 on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.emaild.pop3 off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/emaild.pop3.elg*

dlpu

 Description DLP process - receives data from Check Point kernel.
Path $FWDIR/bin/dlpu
Log file $FWDIR/log/dlpu.elg
Notes "cpwd_admin list" command shows the process as "DLPU_<N>".
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk73660:

  1. Start debug:
    fw debug dlpu on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug dlpu off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/dlpu.elg*

rad

 Description Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database which identifies URLs as applications.
Path $FWDIR/bin/rad
Log file $FWDIR/log/rad.elg
Configuration file
  • $FWDIR/conf/rad_scheme.C
  • $FWDIR/conf/rad_settings.C
  • $FWDIR/database/rad_services.C
Note "cpwd_admin list" command shows the process as "RAD".
To Stop [Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop
To Start [Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart
Debug

Refer to sk92264:

  1. Start debug:
    rad_admin rad debug on all
  2. Replicate the issue.
  3. Stop debug:
    rad_admin rad debug off ALL
  4. Analyze:
    $FWDIR/log/rad.elg*

usrchkd

 Description Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
Path $FWDIR/bin/usrchkd
Log file $FWDIR/log/usrchkd.elg
Configuration file
  • $FWDIR/conf/usrchkd.conf
  • $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
  • $FWDIR/conf/fwauthd.conf
Notes
  • This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
  • This daemon is spawned by the FWD daemon
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
To Restart [Expert@HostName]# killall usrchkd
Debug

Note: It might also be required to collect the relevant kernel debug.

  1. Start debug:
    usrchk debug set all all
  2. Verify:
    usrchk debug stat
  3. Replicate the issue.
  4. Stop debug:
    usrchk debug off
  5. Analyze:
    $FWDIR/log/usrchkd.elg*

usrchk

 Description The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
Path $FWDIR/bin/usrchk
Log file $FWDIR/log/usrchk.elg
Anti-Spam Blade

in.emaild.smtp

 Description SMTP Security Server that receives e-mails sent by user and sends them to their destinations.
Path $FWDIR/bin/fwssd
Log file $FWDIR/log/emaild.smtp.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk60387:

  1. Start debug:
    fw debug in.emaild.smtp on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.emaild.smtp off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/emaild.smtp.elg*

in.msd

 Description Mail Security Daemon that queries the Commtouch engine for reputation.
Path $FWDIR/bin/fwssd
Log file $FWDIR/log/msd.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk92264:

  1. Start debug:
    fw debug in.msd on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug in.msd off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/msd.elg*

ctasd

 Description Commtouch Anti-Spam daemon.
Path /opt/aspam_engine/ctipd/bin/ctasd
Configuration file /opt/aspam_engine/ctasd/conf/ctasd.conf
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart

ctipd

 Description Commtouch IP Reputation daemon.
Path /opt/aspam_engine/ctipd/bin/ctipd
Configuration file /opt/aspam_engine/ctipd/conf/ctipd.conf
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Monitoring Blade

rtmd

 Description Real Time traffic statistics.
Path $FWDIR/bin/rtm
%FWDIR%\bin\rtm
Log file $FWDIR/log/rtmd.elg
%FWDIR%\log\rtmd.elg
Notes "cpwd_admin list" command shows the process as "RTMD".
To Stop [Expert@HostName]# rtmstop
To Start [Expert@HostName]# rtmstart
Debug

Refer to skI2821:

  1. Start debug:
    rtm debug on TDERROR_ALL_ALL=5
    rtm debug on OPSEC_DEBUG_LEVEL=3
  2. Replicate the issue
  3. Stop debug:
    rtm debug off TDERROR_ALL_ALL=0
    rtm debug off OPSEC_DEBUG_LEVEL=0
  4. Analyze:
    $FWDIR/log/rtmd.elg*

cpstat_monitor

 Description Process is responsible for collecting and sending information to SmartView Monitor.
Path $FWDIR/bin/cpstat_monitor
%FWDIR%\bin\cpstat_monitor
Log file $FWDIR/log/cpstat_monitor.elg
%FWDIR%\log\cpstat_monitor.elg
Notes
  • "cpwd_admin list" command shows the process as "CPSM".
  • By default, does not run in the context of Domain Management Servers.
  • By default, in MGMT HA runs only on "Active" Security Management Server.
To Stop [Expert@HostName]# cpwd_admin stop -name CPSM
To Start [Expert@HostName]# cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"
Debug Refer to sk108177
HTTPS Inspection

wstlsd

 Description Handles SSL handshake for HTTPS Inspected connections.
Path $CPDIR/bin/wstlsd
Log file $FWDIR/log/wstlsd.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk105559:

  1. Start debug:
    for PROC in $(pidof wstlsd) ; do fw debug $PROC on TDERROR_ALL_ALL=6 ; done
  2. Replicate the issue (it is very important to collect the relevant traffic using both TCPDump tool and the FW Monitor).
  3. Stop debug:
    for PROC in $(pidof wstlsd) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
  4. Analyze:
    $FWDIR/log/wstlsd.elg*

pkxld

 Description Performs asymmetric key operations for HTTPS Inspection (from R77.30)
Path $CPDIR/bin/pkxld
Log file none
Notes Refer to sk104717
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug none
HTTP/HTTPS Proxy

wsdnsd

 Description DNS Resolver (from R77.30) - activated when Security Gateway is configured as HTTP/HTTPS Proxy, and no next proxy is used. Process is started and stopped during policy installation.
Path $FWDIR/bin/wsdnsd
%FWDIR%\bin\wsdnsd
Log file $FWDIR/log/wsdnsd.elg
Notes "cpwd_admin list" command shows the process as "WSDNSD"
To Stop [Expert@HostName]# cpwd_admin stop -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "kill -SIGTERM $(pidof $FWDIR/bin/wsdnsd)"
To Start [Expert@HostName]# cpwd_admin start -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "wsdnsd"
Debug

Refer to sk106443:

  1. Start debug:
    fw debug wsdnsd on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug wsdnsd off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/wsdnsd.elg*
Cluster

cphamcset

 Description Clustering daemon - responsible for opening sockets on the NICs in order to allow them to pass multicast traffic (CCP) to the machine.
Path $FWDIR/bin/cphamcset
%FWDIR%\bin\cphamcset
Log file $FWDIR/log/cphamcset.elg
%FWDIR%\log\cphamcset.elg
Notes
To Stop [Expert@HostName]# cphastop
To Start [Expert@HostName]# cphastart
Debug
  1. Stop clustering:
    cphastop
  2. Start under debug:
    cphamcset -d
  3. Stop Check Point services:
    cphastop
  4. Start clustering:
    cphastart

cphaprob

 Description Process that lists the state of cluster members, cluster interfaces and critical monitored components (pnotes).
Path $FWDIR/bin/cphaprob
%FWDIR%\bin\cphaprob
Configuration file $FWDIR/conf/cphaprob.conf
%FWDIR%\conf\cphaprob.conf
Notes Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaprob' command.
To Stop none
To Start none
Debug "cphaprob -D <command>" (e.g., "cphaprob -D state")

cphaconf

 Description Cluster configuration process - installs the cluster configuration into Check Point kernel on cluster members.
Path $FWDIR/bin/cphaconf
%FWDIR%\bin\cphaconf
Log file $FWDIR/log/cphaconf.elg
%FWDIR%\log\cphaconf.elg
Notes
  • Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaconf' command.
  • Log file exist only from R77.20
To Stop none
To Start none
Debug Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaconf' command - 'cphaconf debug_data'.

cphastart

 Description Starts the cluster and state synchronization.
Path $FWDIR/bin/cphastart
%FWDIR%\bin\cphastart
Log file $FWDIR/log/cphastart.elg
%FWDIR%\log\cphastart.elg
Notes
  • Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphastart' and 'cphastop' commands.
  • Log file exist only from R77.20
To Stop none
To Start none
Debug "cphastart -d" - refer to sk39842

cphastop

 Description Stops the cluster and state synchronization.
Path $FWDIR/bin/cphastop
%FWDIR%\bin\cphastop
Notes Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphastart' and 'cphastop' commands.
To Stop none
To Start none
Debug Standard CSH script debugging (csh -x -v $FWDIR/bin/cphastop)
Acceleration

sxl_statd

 Description Allow acquiring statistics information from Host ppak 
Path  $FWDIR/bin/sxl_statd
Log File N/A
To Stop cpwd_admin stop -name SXL_STATD
To Start Run on boot
Debug Cpwd_admin start -name SXL_STATD -path $FWDIR/bin/sxl_statd -command sxl_statd
CoreXL

dsd
(starting R80.40)

 Description Dynamic Balancing (Formerly: Dynamic Split)- responsible for dynamically adjusting CoreXL for optimized CPU resources allocation, based on continuous monitoring of system resources
Path $FWDIR/bin/dsd
Log File $FWIDR/log/dsd.elg
To Stop dynamic_split –o disable
To Start dynamic_split –o enable (requires reboot, on by default in R81)
Debug None

 

Security Management Software Blades and Features

Enter the string you are searching for in this table:

Daemon Section Description / Paths / Notes / Stop and Start Commands / Debug
Network Policy Management Blade

cpm

 Description

From Security Management Server R80:

  • Serves requests from SmartConsole
  • Responsible for writing all information to the PostgreSQL and SOLR databases
Path $FWDIR/scripts/cpm.sh
Log file $FWDIR/log/cpm.elg
Notes "cpwd_admin list" command shows the process as "CPM".
To Stop

[Expert@HostName]# cpstop

In addition, on R8x, you can use the ngm_stop.sh script (refer to sk111772):
  • $FWDIR/scripts/ngm_stop.sh
    (refer to $FWDIR/log/ngm_stop.elg)
  • $MDS_TEMPLATE/scripts/ngm_stop.sh
    (refer to $MDS_TEMPLATE/log/ngm_stop.elg)
To Start

[Expert@HostName]# cpstart

In addition, on R8x, you can use the ngm_start.sh script (refer to sk111772):
  • $FWDIR/scripts/ngm_start.sh
    (refer to $FWDIR/log/ngm_start.elg)
  • $MDS_TEMPLATE/scripts/ngm_start.sh
    (refer to $MDS_TEMPLATE/log/ngm_start.elg)
Debug Refer to sk115557

fwm

 Description Communication between SmartConsole applications and Security Management Server.
Path $FWDIR/bin/fwm
%FWDIR%\bin\fwm
Log file $FWDIR/log/fwm.elg
%FWDIR%\log\fwm.elg
Notes "cpwd_admin list" command shows the process as "FWM".
To Stop

[Expert@HostName]# cpwd_admin stop -name FWM -path "$FWDIR/bin/fwm" -command "fw kill fwm"

In addition, on R8x, you can use the ngm_stop.sh script (refer to sk111772):
  • $FWDIR/scripts/ngm_stop.sh
    (refer to $FWDIR/log/ngm_stop.elg)
  • $MDS_TEMPLATE/scripts/ngm_stop.sh
    (refer to $MDS_TEMPLATE/log/ngm_stop.elg)
To Start

[Expert@HostName]# cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"

In addition, on R8x, you can use the ngm_start.sh script (refer to sk111772):
  • $FWDIR/scripts/ngm_start.sh
    (refer to $FWDIR/log/ngm_start.elg)
  • $MDS_TEMPLATE/scripts/ngm_start.sh
    (refer to $MDS_TEMPLATE/log/ngm_start.elg)
Debug

  • Security Management Server - refer to sk86186:

    1. Start debug:
      fw debug fwm on TDERROR_ALL_ALL=5
      fw debug fwm on OPSEC_DEBUG_LEVEL=3
    2. Replicate the issue
    3. Stop debug:
      fw debug fwm off TDERROR_ALL_ALL=0
      fw debug fwm off OPSEC_DEBUG_LEVEL=0
    4. Analyze:
      $FWDIR/log/fwm.elg*

  • Domain Management Server - refer to sk33207:

    1. Switch to the context of the relevant Domain Management Server:
      mdsenv <Domain_Name>
    2. Start debug:
      fw debug fwm on TDERROR_ALL_ALL=5
      fw debug fwm on OPSEC_DEBUG_LEVEL=3
    3. Replicate the issue
    4. Stop debug:
      fw debug fwm off TDERROR_ALL_ALL=0
      fw debug fwm off OPSEC_DEBUG_LEVEL=0
    5. Analyze:
      $FWDIR/log/fwm.elg*

  • Multi-Domain Security Management Server - refer to sk33208:

    1. Start debug:
      fw debug mds on TDERROR_ALL_ALL=5
      fw debug mds on OPSEC_DEBUG_LEVEL=3
    2. Replicate the issue
    3. Stop debug:
      fw debug mds off TDERROR_ALL_ALL=0
      fw debug mds off OPSEC_DEBUG_LEVEL=0
    4. Analyze:
      $MDS_TEMPLATE/log/mds.elg*
Endpoint Policy Management Blade

uepm

 Description Endpoint Management Server.
Path $UEPMDIR/bin/uepm
%UEPMDIR%\bin\uepm
Log file $UEPMDIR/logs/server_messages.log
%UEPMDIR%\logs\server_messages.log
To Stop [Expert@HostName]# uepm_stop
To Start [Expert@HostName]# uepm_start
Debug "uepm debug"; also refer to sk92619

httpd

 Description Communication with Endpoint Clients.
Path $UEPMDIR/apache22/bin/httpd
%UEPMDIR%\apache22\bin\httpd
To Stop [Expert@HostName]# uepm_stop
To Start [Expert@HostName]# uepm_start
Monitoring Blade

rtmd

 Description Real Time traffic statistics.
Path $FWDIR/bin/rtm
%FWDIR%\bin\rtm
Log file $FWDIR/log/rtmd.elg
%FWDIR%\log\rtmd.elg
Notes "cpwd_admin list" command shows the process as "RTMD".
To Stop [Expert@HostName]# rtmstop
To Start [Expert@HostName]# rtmstart
Debug Refer to skI2821
  1. Start debug:
    rtm debug on TDERROR_ALL_ALL=5
    rtm debug on OPSEC_DEBUG_LEVEL=3
  2. Replicate the issue
  3. Stop debug:
    rtm debug off TDERROR_ALL_ALL=0
    rtm debug off OPSEC_DEBUG_LEVEL=0
  4. Analyze:
    $FWDIR/log/rtmd.elg*

cpstat_monitor

 Description Process is responsible for collecting and sending information to SmartView Monitor. By default, does not run in the context of Domain Management Servers.
Path $FWDIR/bin/cpstat_monitor
%FWDIR%\bin\cpstat_monitor
Log file $FWDIR/log/cpstat_monitor.elg
%FWDIR%\log\cpstat_monitor.elg
Notes "cpwd_admin list" command shows the process as "CPSM".
To Stop [Expert@HostName]# cpwd_admin stop -name CPSM
To Start [Expert@HostName]# cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"
Debug Refer to sk108177
Provisioning Blade

status_proxy

 Description Status collection of ROBO Gateways - SmartLSM / SmartProvisioning status proxy. This process runs only on Security Management Server / Domain Management Servers that are activated for Large Scale Management / SmartProvisioning.
Path $FWDIR/bin/status_proxy
%FWDIR%\bin\status_proxy
Log file $FWDIR/log/status_proxy.elg
%FWDIR%\log\status_proxy.elg
Notes "cpwd_admin list" command shows the process as "STPR".
To Stop [Expert@HostName]# cpwd_admin stop -name STPR
To Start [Expert@HostName]# cpwd_admin start -name STPR -path "$FWDIR/bin/status_proxy" -command "status_proxy"
Debug Refer to sk108182
SmartReporter Blade

SVRServer

 Description Controller for the SmartReporter product. Traffic is sent via SSL.
Path $RTDIR/bin/SVRServer
%RTDIR%\bin\SVRServer
Log file $RTDIR/log/SVRServer.log
%RTDIR%\log\SVRServer.log
Notes "cpwd_admin list" command shows the process as "SVR".
To Stop [Expert@HostName]# rmdstop
or
[Expert@HostName]# cpwd_admin stop -name SVR -path $RTDIR/bin/SVRServer -command "SVRServer kill SVRServer"
Also refer to sk105485.
To Start [Expert@HostName]# rmdstart
or
[Expert@HostName]# cpwd_admin start -name SVR -path "$RTDIR/bin/SVRServer" -command "SVRServer"
Debug Refer to sk93970

log_consolidator

 Description Log Consolidator for the SmartReporter product.
Path $RTDIR/log_consolidator_engine/bin/log_consolidator
%RTDIR%\log_consolidator_engine\bin\log_consolidator
Log file $RTDIR/log_consolidator_engine/log/<Log_Server_IP_Address>/lc_rt.log
%RTDIR%\log_consolidator_engine\log\<Log_Server_IP_Address>\lc_rt.log
Configuration file
  • $RTDIR/log_consolidator_engine/conf/lc_rt_default.conf
    %RTDIR%\log_consolidator_engine\conf\lc_rt_default.conf
  • $RTDIR/log_consolidator_engine/conf/<Log_Server_IP_Address>/lc_rt_default.conf
    %RTDIR%\log_consolidator_engine\conf\<Log_Server_IP_Address>\lc_rt_default.conf
Notes "cpwd_admin list" command shows the process as "LC_<IP_Address _of_Log_Server>".
To Stop [Expert@HostName]# rmdstop
or
[Expert@HostName]# evstop
or
[Expert@HostName]# log_consolidator -C -m stop -s <IP_Address _of_Log_Server> [-g <Domain_Name>]
[Expert@HostName]# log_consolidator -C -m exit -s <IP_Address _of_Log_Server> [-g <Domain_Name>]
To Start [Expert@HostName]# rmdstart
or
[Expert@HostName]# evstart
or
[Expert@HostName]# log_consolidator -C -m start -s <IP_Address _of_Log_Server> [-g <Domain_Name>]

dbsync

 Description DBsync enables SmartReporter to synchronize data stored in different parts of the network. After SIC is established, DBsync connects to the management server to retrieve all the objects. After the initial synchronization, it gets updates whenever an object is saved. In distributed information systems DBsync provides one-way synchronization of data between the Security Management Servers object database and the SmartReporter computer, and supports configuration and administration of distributed systems.
Path $RTDIR/bin/dbsync
%RTDIR%\bin\dbsync
Log file $RTDIR/log/dbsync.elg
%RTDIR%\log\dbsync.elg
Notes "cpwd_admin list" command shows the process as "DBSYNC".
To Stop [Expert@HostName]# rmdstop
or
[Expert@HostName]# evstop
or
[Expert@HostName]# cpwd_admin stop -name DBSYNC
To Start [Expert@HostName]# rmdstart
or
[Expert@HostName]# evstart
or
[Expert@HostName]# cpwd_admin start -name DBSYNC -path "$RTDIR/bin/dbsync" -command "dbsync"
Debug Refer to sk93970

postgres

 Description PostgreSQL server.
Path $CPDIR/database/postgresql/bin/postgres
%CPDIR%\database\postgresql\bin\postgres
Log file $RTDIR/events_db/data/pg_log/postgresql-YYY-MM-DD_HHMMSS.log
Configuration file $RTDIR/events_db/data/postgresql.conf
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug "su cp_postgres -c "$CPDIR/database/postgresql/bin/pg_ctl -D $RTDIR/events_db/data start"; also refer to sk93970
SmartEvent Blade

cpsead

 Description Responsible for Correlation Unit functionality.
Path $RTDIR/bin/cpsead
%RTDIR%\bin\cpsead
Log file $RTDIR/log/cpsead.elg
%RTDIR%\log\cpsead.elg
Notes "cpwd_admin list" command shows the process as "CPSEAD".
To Stop [Expert@HostName]# evstop
or
[Expert@HostName]# cpwd_admin stop -name CPSEAD
Also refer to sk105485.
To Start [Expert@HostName]# evstart
or
[Expert@HostName]# cpwd_admin start -name CPSEAD -path "$RTDIR/bin/cpsead" -command "cpsead"
Debug Refer to sk95153, sk105806, sk93970

cpsemd

 Description Responsible for logging into the SmartEvent GUI.
Path $RTDIR/bin/cpsemd
%RTDIR%\bin\cpsemd
Log file $RTDIR/log/cpsemd.elg
%RTDIR%\log\cpsemd.elg
Notes "cpwd_admin list" command shows the process as "CPSEMD".
To Stop [Expert@HostName]# evstop
or
[Expert@HostName]# cpwd_admin stop -name CPSEMD
To Start [Expert@HostName]# evstart
or
[Expert@HostName]# cpwd_admin start -name CPSEMD -path "$RTDIR/bin/cpsemd" -command "cpsemd"
Debug Refer to sk95153, sk105806, sk93970

dbsync

 Description DBsync enables SmartEvent to synchronize data stored in different parts of the network. In distributed information systems DBsync provides one-way synchronization of data between the Security Management Servers object database and the SmartEvent computer, and supports configuration and administration of distributed systems. DBsync initially connects to the Management Server, with which SIC is established. It retrieves all the objects and after the initial synchronization it gets updates whenever an object is saved.
Path $RTDIR/bin/dbsync
%RTDIR%\bin\dbsync
Log file $RTDIR/log/dbsync.elg
%RTDIR%\log\dbsync.elg
Notes "cpwd_admin list" command shows the process as "DBSYNC".
To Stop [Expert@HostName]# evstop
or
[Expert@HostName]# cpwd_admin stop -name DBSYNC
To Start [Expert@HostName]# evstart
or
[Expert@HostName]# cpwd_admin start -name DBSYNC -path "$RTDIR/bin/dbsync" -command "dbsync"
Debug Refer to sk93970

java_solr

 Description

Starting in R80 (SmartEvent NGSE was integrated).

Jetty Server.

Events are stored in the SOLR database.
Path $RTDIR/bin/java_solr
Log file $RTDIR/log/solr.log
$RTDIR/log/solrRun.log
Notes "cpwd_admin list" command shows the process as "SOLR".
Configuration file $RTDIR/conf/jetty.xml
$RTDIR/conf/solr.log4j.properties
$RTDIR/conf/solrConnectionConfig.xml
  • In R80: $RTDIR/log_indexes/solr.xml
  • From R80.10: $RTDIR/rfl_server/solr/solr.xml
To Stop [Expert@HostName]# evstop
To Start [Expert@HostName]# evstart
Debug

Refer to sk105806.

SmartEventSetDebugLevel solr <debug_level>

$FWDIR/scripts/solr_debug.py {on | off}

LogCore

 Description

Starting in R80 (SmartEvent NGSE was integrated).

Manages the queries it gets from the consumer processes, forwards them to SOLR database and returns the results. Also in charge of resolving and database maintenance (clean up old indexes to have space for the new ones).
Path $RTDIR/bin/LogCore
Log file $RTDIR/log/RFL.log
$RTDIR/log/rflRun.log
Notes "cpwd_admin list" command shows the process as "RFL".
Configuration file $RTDIR/conf/rfl.log4j.properties
$RTDIR/conf/rfl.log4j.properties.forUpgrade
$RTDIR/conf/rflConfig.xml
To Stop [Expert@HostName]# evstop
To Start [Expert@HostName]# evstart
Debug

Refer to sk105806.

SmartEventSetDebugLevel rfl <debug_level>

SmartView

 Description

SmartEvent Web Application that allows you to connect to SmartEvent NGSE server (at https://<IP_Address_of_SmartEvent_Server>/smartview/) and see the event views and analysis directly from a Web Browser, without installing SmartConsole. The Web page comes with predefined views that you can customize.

Refer to sk105684.
Path $RTDIR/bin/SmartView
Log file $RTDIR/log/smartview.log
$RTDIR/log/SmartViewRun.log
$RTDIR/log/smartview-service.log
Notes "cpwd_admin list" command shows the process as "SMARTVIEW".
Configuration file $RTDIR/conf/smartview.log4j.properties
To Stop [Expert@HostName]# evstop
To Start [Expert@HostName]# evstart
Debug

Refer to sk105806.

SmartEventSetDebugLevel smartview <debug_level>

log_indexer

 Description

Starting in R80 (SmartEvent NGSE was integrated).

Log indexer.
Path $RTDIR/log_indexer/log_indexer
Log file $RTDIR/log_indexer/log/log_indexer.elg
$RTDIR/log_indexer/log/log_indexerRun.log
Notes "cpwd_admin list" command shows the process as "INDEXER".
Configuration file $RTDIR/log_indexer/conf/log_indexer_settings.conf
$RTDIR/log_indexer/log_indexer_custom_settings.conf
To Stop

[Expert@HostName]# evstop

Note: In MDS, evstop stops log_indexer for all levels (MDS and CMAs) and evstart starts log_indexer ONLY for MDS. To start it for CMAs we need to perform: mdsstart.
To Start [Expert@HostName]# evstart

postgres

 Description PostgreSQL server.
Path $CPDIR/database/postgresql/bin/postgres
%CPDIR%\database\postgresql\bin\postgres
Log file $RTDIR/events_db/data/pg_log/postgresql-YYY-MM-DD_HHMMSS.log
Configuration file $RTDIR/events_db/data/postgresql.conf
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug "su cp_postgres -c "$CPDIR/database/postgresql/bin/pg_ctl -D $RTDIR/events_db/data start"; also refer to sk93970
Logging & Status Blade

cplmd

 Description In order to get the data that should be presented in SmartView Tracker, FWM spawns a child process CPLMD, which reads the information from the log file and performs unification (if necessary). Upon receiving an answer from CPLMD, FWM transfers it to SmartView Tracker.
Path $FWDIR/bin/cplmd
%FWDIR%\bin\cplmd
Log file $FWDIR/log/cplmd.elg
%FWDIR%\log\cplmd.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk86324:

  1. Start debug:
    fw debug cplmd on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug cplmd off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/cplmd.elg*
Management Portal

cpwmd

 Description Check Point Web Management Daemon - back-end for Management Portal / SmartPortal.
Path $WEBDIR/bin/cpwmd
%WEBDIR%\bin\cpwmd
Log file /opt/CPportal-<RXX>/portal/log/cpwmd.elg
C:\Program Files\CheckPoint\SmartPortal\<RXX>\SmartPortal\log\cpwmd.elg
Notes "cpwd_admin list" command shows the process as "CPWMD".
To Stop [Expert@HostName]# cpwd_admin stop -name CPWMD
To Start [Expert@HostName]# cpwd_admin start -name CPWMD -path "$WEBDIR/bin/cpwmd" -command "cpwmd -D -app SmartPortal"
Debug Refer to sk31023

cp_http_server

 Description HTTP Server for Management Portal (SmartPortal) and for OS WebUI.
Path $WEBDIR/bin/cp_http_server
%WEBDIR%\bin\cp_http_server
Log file Refer to sk31023; sk30634
Configuration file $MPDIR/conf/cp_httpd_admin.conf
Notes "cpwd_admin list" command shows the process as "CPHTTPD".
To Stop [Expert@HostName]# cpwd_admin stop -name CPHTTPD
To Start [Expert@HostName]# pwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"
Debug Refer to sk31023
SmartLog

smartlog_server

 Description SmartLog product.
Path $SMARTLOGDIR/smartlog_server
Log file $SMARTLOGDIR/log/smartlog_server.elg
Notes "cpwd_admin list" command shows the process as "SMARTLOG_SERVER".
To Stop [Expert@HostName]# smartlogstop
To Start [Expert@HostName]# smartlogstart
Debug
  1. Stop SmartLog:
    smartlogstop
  2. Start SmartLog under debug:
    env TDERROR_ALL_ALL=5 $SMARTLOGDIR/smartlog_server 1>> /var/log/smartlog.debug 2>> /var/log/smartlog.debug
  3. Replicate the issue
  4. Stop debug - press CTRL+C.
  5. Start SmartLog normally:
    smartlogstart
Internal CA

cpca

 Description

Check Point Internal Certificate Authority (ICA):

  • SIC certificate pulling
  • Certificate enrollment
  • CRL fetch
  • Admin WebUI

Note: By default, in MGMT HA, it runs only on "Active" Security Management Server. On the "Backup" Security Management Server, the "cpstat mg" command will show "SmartCenter CA is not running".
Path $FWDIR/bin/cpca
%FWDIR%\bin\cpca
Log file $FWDIR/log/cpca.elg
%FWDIR%\log\cpca.elg
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug

Refer to sk60338:

  1. Start debug:
    fw debug cpca on TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    fw debug cpca off TDERROR_ALL_ALL=0
  4. Analyze:
    $FWDIR/log/cpca.elg*
Compliance Blade

interpreter

 Description Process is responsible for Compliance Blade database scan.
Path $FWDIR/bin/interpreter
%FWDIR%\bin\interpreter
Log file
  • From R77:
    $FWDIR/log/grc_interpreter.elg
    %FWDIR%\log\grc_interpreter.elg

  • R76:
    /opt/CPPIgrc-R76/bin/grc_interpreter.elg

  • R75.40/R75.45/R75.46/R75.47:
    /opt/CPPIgrc-R75.40/bin/grc_interpreter.elg
Configuration file $FWDIR/conf/grc.conf (since R77)
%FWDIR%\conf\grc.conf (since R77)
Notes This process is not monitored by Check Point WatchDog.
To Stop [Expert@HostName]# cpstop
To Start [Expert@HostName]# cpstart
Debug
  • From R77:
    1. Stop Check Point service with "cpstop" command
    2. Either run "interpreter debug=1" command,
      or in configuration file "grc.conf", manually set the value of "debugMode" from "0" to "1"
    3. Start Check Point service with "cpstart" command
  • R75.40/R75.45/R75.46/R75.47/R76:
    1. Stop Check Point service with "cpstop" command
    2. In configuration file "grc.conf", manually set the value of "debugMode" from "0" to "1"
    3. Start Check Point service with "cpstart" command

In addition, refer to "interpreter -help" command and to sk92861
SofaWare Management Server (Service Center for centrally managed Edge devices)

sms

 Description Manages communication (status collection, logs collection, policy update, configuration update) with UTM-1 Edge Security Gateways. This process runs only on Security Management Server / Multi-Domain Security Management Servers that manage UTM-1 Edge devices.
Path $FWDIR/bin/sms
%FWDIR%\bin\sms
Configuration file $FWDIR/conf/sofaware/SWManagementServer.ini
%FWDIR%\conf\sofaware\SWManagementServer.ini
Notes "cpwd_admin list" command shows the process as "VPN-1 Embedded Connector".
To Stop [Expert@HostName]# smsstop
To Start [Expert@HostName]# smsstart
Debug Refer to sk60780
OPSEC LEA (Log Export API)

lea_session

 Description Responsible for OPSEC LEA session between the OPSEC LEA Client and the OPSEC LEA Server on Check Point Management Server / Log Server.
Spawned by the FWD daemon.
Path $FWDIR/bin/lea_session
%FWDIR%\bin\lea_session
Configuration file $FWDIR/conf/fwopsec.conf
%FWDIR%\conf\fwopsec.conf
Refer to "lea_server" lines
Log file $FWDIR/log/lea_session.<PID>.elg
%FWDIR%\log\lea_session.<PID>.elg
Notes
  • "top" / "ps" commands shows the process as "lea_session".
To Stop [Expert@HostName]# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
or
[Expert@HostName]# cpstop
To Start [Expert@HostName]# cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"
or
[Expert@HostName]# cpstart
Debug Refer to sk86321
  1. Start debug:
    fw debug fwd on TDERROR_ALL_ALL=5
    fw debug fwd on OPSEC_DEBUG_LEVEL=3
  2. Replicate the issue
  3. Stop debug:
    fw debug fwd off TDERROR_ALL_ALL=0
    fw debug fwd off OPSEC_DEBUG_LEVEL=0
  4. Analyze:
    $FWDIR/log/lea_session.<PID>.elg*

 

600 / 700 / 900 / 1100 / 1200R / 1400 / 1500 appliances

Enter the string you are searching for in this table:

Daemon Section Description / Paths / Notes / Stop and Start Commands / Debug

sfwd

 Description

Main process:

  • Logging
  • Policy installation
  • VPN negotiation
  • Identity Awareness enforcement
  • UserCheck enforcement
  • etc.
Log file $FWDIR/log/sfwd.elg
Also refer to $FWDIR/log/cpwd.elg
Notes
  • "cpwd_admin list" command shows the process as "SFWD".
  • "ps auxw" command shows the process as "fw sfwd".
To Stop [Expert@HostName]# $FWDIR/bin/cpwd_admin stop -name SFWD
To Start [Expert@HostName]# $FWDIR/bin/cpwd_admin start -name SFWD -path $FWDIR/bin/fw -command "fw sfwd"
Debug Refer to sk86321

cposd

 Description SMB-specific daemon responsible for OS Networking operations.
Log file $FWDIR/log/cposd.elg
Notes "cpwd_admin list" command shows the process as "cposd".
To Stop [Expert@HostName]# cpwd_admin stop -name cposd
To Start [Expert@HostName]# cpwd_admin start -name cposd -path /pfrm2.0/bin/cposd -command "cposd"

rtdbd

 Description Real Time database daemon.
Configuration file /pfrm2.0/etc/rtdbd.conf
Notes "cpwd_admin list" command shows the process as "RTDB".
To Stop [Expert@HostName]# $FWDIR/bin/cpwd_admin stop -name RTDB
To Start [Expert@HostName]# $FWDIR/bin/cpwd_admin start -name RTDB -path /pfrm2.0/bin/rtdbd -command "rtdbd"

dropbear

 Description Lightweight SSH server on 1100 appliance.
Notes "cpwd_admin list" command shows the process as "dropbear".
To Stop none
To Start none

 

Additional Processes

Enter the string you are searching for in this table:

Daemon Section Description / Paths / Notes / Stop and Start Commands / Debug

mpdaemon

 Description On Security Gateway and Management Server.
Platform Portal / Multi Portal (https://<IP_Address>/).
Each portal has his own Apache server (which can have multiple processes).
mpdaemon process is responsible for starting these web servers.
Path $CPDIR/bin/mpdaemon
Log file $CPDIR/log/mpdaemon.elg
$CPDIR/log/mpclient.elg
Configuration file $CPDIR/conf/mpdaemon.conf
Notes "cpwd_admin list" command shows the process as "MPDAEMON".
To Stop [Expert@HostName]# cpwd_admin stop -name MPDAEMON
or
[Expert@HostName]# mpclient stopall
To Start [Expert@HostName]# cpwd_admin start -name MPDAEMON -path "$CPDIR/bin/mpdaemon" -command "mpdaemon $CPDIR/log/mpdaemon.elg $CPDIR/conf/mpdaemon.conf"
Debug

Refer to sk87920:

  1. Start debug:
    mpclient debug on
    mpclient debug set TDERROR_ALL_ALL=5
  2. Replicate the issue
  3. Stop debug:
    mpclient debug set TDERROR_ALL_ALL=0
    mpclient debug off

avi_del_tmp_files

 Description On Security Gateway and Management Server.
Shell script (from $FWDIR/bin/) that periodically deletes various old temporary Anti-Virus files.
Path $FWDIR/bin/avi_del_tmp_files
Log file $FWDIR/log/avi_del_tmp_files.elg
Notes "cpwd_admin list" command shows the process as "CI_CLEANUP".
To Stop [Expert@HostName]# cpwd_admin stop -name CI_CLEANUP
To Start [Expert@HostName]# cpwd_admin start -name CI_CLEANUP -path $FWDIR/bin/avi_del_tmp_files -command "avi_del_tmp_files"
Debug Standard CSH script debugging (csh -x -v $FWDIR/bin/avi_del_tmp_files)

ci_http_server

 Description On Security Gateway.
HTTP Server for Content Inspection.
Path $FWDIR/bin/ci_http_server
Log file $FWDIR/log/cphttpd.elg
Configuration file $FWDIR/conf/cihs.conf
Notes "cpwd_admin list" command shows the process as "CIHS".
To Stop [Expert@HostName]# cpwd_admin stop -name CIHS
To Start [Expert@HostName]# cpwd_admin start -name CIHS -path $FWDIR/bin/ci_http_server -command "ci_http_server -j -f $FWDIR/conf/cihs.conf"
Debug
  1. Stop:
    cpwd_admin stop -name CIHS
  2. Start under debug (with "-v" flag):
    cpwd_admin start -name CIHS -path $FWDIR/bin/ci_http_server -command "ci_http_server -v -j -f $FWDIR/conf/cihs.conf"
  3. Replicate the issue
  4. Stop:
    cpwd_admin stop -name CIHS
  5. Start normally:
    cpwd_admin start -name CIHS -path $FWDIR/bin/ci_http_server -command "ci_http_server -j -f $FWDIR/conf/cihs.conf"

cp_http_server

 Description On Security Gateway and Management Server.
HTTP Server for OS WebUI and Management Portal (SmartPortal).
Path $WEBDIR/bin/cp_http_server
Log file $FWDIR/log/cphttpd.elg
Configuration file $MPDIR/conf/cp_httpd_admin.conf
Notes "cpwd_admin list" command shows the process as "CPHTTPD".
To Stop [Expert@HostName]# cpwd_admin stop -name CPHTTPD
To Start [Expert@HostName]# cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"
Debug
  1. Stop:
    cpwd_admin stop -name CPHTTPD
  2. Start under debug (with "-v" flag):
    cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -v -f '$MPDIR/conf/cp_httpd_admin.conf'"
  3. Replicate the issue
  4. Stop:
    cpwd_admin stop -name CPHTTPD
  5. Start normally:
    cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"

cpviewd

 Description On Security Gateway and Management Server.
CPView Utility daemon (sk101878).
Path
  • From R77.30:
    $CPDIR/bin/cpviewd
  • In R77-R77.20:
    $FWDIR/bin/cpviewd
Configuration file $CPDIR/conf/cpview_conf.xml
Notes "cpwd_admin list" command shows the process as "CPVIEWD".
To Stop [Expert@HostName]# cpwd_admin stop -name CPVIEWD
To Start
  • From R77.30:
    [Expert@HostName]# cpwd_admin start -name CPVIEWD -path "$CPDIR/bin/cpviewd" -command "cpviewd"

  • In R77-R77.20:
    [Expert@HostName]# cpwd_admin start -name CPVIEWD -path "$FWDIR/bin/cpviewd" -command "cpviewd"
Debug Refer to sk101878

cpview_historyd

 Description On Security Gateway and Management Server.
CPView Utility History daemon (sk101878).
Path
  • From R77.30:
    $CPDIR/bin/cpview_historyd
  • In R77-R77.20:
    $FWDIR/bin/cpview_historyd
Log file /var/log/CPView_history/CPViewDB.dat
Notes "cpwd_admin list" command shows the process as "HISTORYD".
To Stop [Expert@HostName]# cpview history off
To Start [Expert@HostName]# cpview history on

cpsnmpd

 Description

On Security Gateway and Management Server:

  • Listens on UDP port 260 and is capable of responding to SNMP queries for Check Point OIDs only (under OID .1.3.6.1.4.1.2620)
  • Accepts only SNMPv1
  • Supplied as a part of Check Point Suite ($CPDIR/bin/cpsnmpd)
To Stop [Expert@HostName]# killall cpsnmpd
To Start [Expert@HostName]# cpsnmpd -p 260
Debug Refer to sk66384

lpd

 Description Log Parser Daemon – Search predefined patterns in log files
Path $DIAGDIR/bin/lpd
Log file $FWDIR/log/lpd.elg
Configuration file $DIAGDIR/signatures/sdb.dat
Notes "cpwd_admin list" command shows the process as "LPD" 
To Stop [Expert@HostName]# cpwd_admin stop -name LPD
To Start [Expert@HostName]# cpwd_admin start -name LPD -path "$DIAGDIR/bin/lpd" -command "lpd"
Debug
  • Start debug: fw debug lpd on TDERROR_ALL_ALL=5
  • Stop debug: fw debug lpd off TDERROR_ALL_ALL=0

     

    Give us Feedback
    Please rate this document
    [1=Worst,5=Best]
    Comment