Daemon |
Section |
Description / Paths / Notes / Stop and Start Commands / Debug |
Firewall Blade |
fwd
|
Description |
- Logging
- Spawning child processes (e.g., vpnd)
|
Path |
$FWDIR/bin/fwd %FWDIR%\bin\fwd |
Log file |
$FWDIR/log/fwd.elg %FWDIR%\log\fwd.elg |
Notes |
- "cpwd_admin list" command shows the process as "FWD".
- "top" / "ps" commands might also show "fw" process and/or "fw_full" process, which are just wrappers for the "fwd" process.
|
To Stop |
- Gateway mode:
[Expert@HostName]# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
or
[Expert@HostName]# cpstop
- VSX mode:
[Expert@HostName:0]# vsenv <VSID>
[Expert@HostName:<VSID>]# cpwd_admin stop -name FWD -ctx <VSID> -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit
or
[Expert@HostName:0]# cpstop
|
To Start |
- Gateway mode:
[Expert@HostName]# cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"
or
[Expert@HostName]# cpstart
- VSX mode:
[Expert@HostName:0]# vsenv <VSID>
[Expert@HostName:<VSID>]# cpwd_admin start -name FWD -ctx <VSID> -path "$FWDIR/bin/fwd" -command "fwd" -env inherit
or
[Expert@HostName:0]# cpstart
|
Debug |
Refer to sk86321
- Start debug:
fw debug fwd on TDERROR_ALL_ALL=5
fw debug fwd on OPSEC_DEBUG_LEVEL=3
- Replicate the issue
- Stop debug:
fw debug fwd off TDERROR_ALL_ALL=0
fw debug fwd off OPSEC_DEBUG_LEVEL=0
- Analyze:
$FWDIR/log/fwd.elg*
|
IPSec VPN Blade |
vpnd
|
Description |
- IKE (UDP/TCP)
- NAT-T
- Tunnel Test
- Reliable Datagram Protocol (RDP)
- Topology Update for SecureClient
- SSL Network Extender (SNX)
- SSL Network Extender (SNX) Portal
- Remote Access Client configuration
- Visitor Mode
- L2TP
|
Path |
$FWDIR/bin/vpn %FWDIR%\bin\vpn |
Log file |
$FWDIR/log/vpnd.elg %FWDIR%\log\vpnd.elg |
Notes |
This process is not monitored by Check Point WatchDog. |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk89940 |
Mobile Access Blade |
cvpnd
|
Description |
Back-end daemon of the Mobile Access Software Blade. |
Path |
$CVPNDIR/bin/cvpnd |
Log file |
$CVPNDIR/log/cvpnd.elg |
Configuration file |
$CVPNDIR/conf/cvpnd.C |
Notes |
"cpwd_admin list" command shows the process as "CVPND". |
To Stop |
[Expert@HostName]# cvpnstop |
To Start |
[Expert@HostName]# cvpnstart |
Debug |
"cvpnd_admin debug" - refer to sk104577, sk99053 |
dbwriter
|
Description |
Offload database commands from cvpnd (to prevent locks) and synchronize with other members. |
Path |
$CVPNDIR/bin/dbwriter |
Log file |
$CVPNDIR/log/dbwriter.elg |
Configuration file |
$CVPNDIR/conf/dbwriter.C |
Notes |
"cpwd_admin list" command shows the process as "DBWRITER". |
To Stop |
[Expert@HostName]# cvpnstop |
To Start |
[Expert@HostName]# cvpnstart |
cvpnproc
|
Description |
Offload blocking commands from cvpnd (to prevent locks). Example: sending DynamicID. |
Path |
$CVPNDIR/bin/cvpnproc |
Log file |
$CVPNDIR/log/cvpnproc.elg |
Configuration file |
$CVPNDIR/conf/cvpnproc.C |
Notes |
"cpwd_admin list" command shows the process as "CVPNPROC". |
To Stop |
[Expert@HostName]# cvpnstop |
To Start |
[Expert@HostName]# cvpnstart |
Debug |
Refer to sk104577
- Stop Mobile Access:
cvpnstop
- Verify that cvpnproc process is not running:
ps aux | grep cvpnproc
- If the cvpnproc process is still running, then kill it:
kill -KILL $(pidof cvpnproc)
- Start cvpnproc process under debug to run in background (by running these 2 commands):
export TDERROR_ALL_ALL=5
$CVPNDIR/bin/cvpnproc $CVPNDIR/log/cvpnproc.elg $CVPNDIR/conf/cvpnproc.C &
- Start Mobile Access:
cvpnstart
- Replicate the issue
- Stop debug:
unset TDERROR_ALL_ALL
- Stop Mobile Access:
cvpnstop
- Kill cvpnproc process:
kill -TERM $(pidof cvpnproc)
kill -KILL $(pidof cvpnproc)
- Start Mobile Access:
cvpnstart
- Analyze:
$CVPNDIR/log/cvpnproc.elg*
|
MoveFileServer
|
Description |
Move files between cluster members in order to perform database synchronization. |
Path |
$CVPNDIR/bin/MoveFileServer |
Log file |
$CVPNDIR/log/MFServer.log |
Configuration file |
$CVPNDIR/conf/mfserver.C |
Notes |
"cpwd_admin list" command shows the process as "MOVEFILESERVER", or as "MFSERVER" (from R77.30). |
To Stop |
[Expert@HostName]# cvpnstop |
To Start |
[Expert@HostName]# cvpnstart |
MoveFileDemuxer
|
Description |
Related to MoveFileServer process (moving files between cluster members in order to perform database synchronization). |
Path |
$CVPNDIR/bin/MoveFileDemuxer |
Log file |
$CVPNDIR/log/MFDemux.log |
Configuration file |
$CVPNDIR/conf/mfdemuxer.C |
Notes |
"cpwd_admin list" command shows the process as "MOVEFILEDEMUXER", or as "MFDEMUXER" (from R77.30). |
To Stop |
[Expert@HostName]# cvpnstop |
To Start |
[Expert@HostName]# cvpnstart |
Pinger
|
Description |
Reduce the number of httpd processes performing ActiveSync. |
Path |
$CVPNDIR/bin/Pinger |
Log file |
$CVPNDIR/log/Pinger.log |
Configuration file |
$CVPNDIR/conf/Pinger.C |
Notes |
"cpwd_admin list" command shows the process as "PINGER". |
To Stop |
[Expert@HostName]# cvpnstop |
To Start |
[Expert@HostName]# cvpnstart |
Debug |
Refer to sk104577
- Verify that Pinger process is running:
ps aux | grep Pinger
- Enable debug for relevant users:
PingerAdmin debug users <user1>,<user2>,<user3>
- Set the debug level:
PingerAdmin debug set TDERROR_ALL_Pinger=3
or
PingerAdmin debug set TDERROR_ALL_ALL=5
- Set the debug type:
PingerAdmin debug type All
- Delete all files from $CVPNDIR/log/trace_log/ directory:
Note: Do NOT delete the directory itself!
cd $CVPNDIR/log/trace_log/
rm -i *
- Enable trace log:
Warning: This might print passwords to local files!
PingerAdmin debug trace on
- Start debug:
PingerAdmin debug on
- Replicate the issue
- Stop debug:
PingerAdmin debug off
- Disable trace log:
PingerAdmin debug trace off
- Reset the debug:
PingerAdmin debug reset
- Analyze:
$CVPNDIR/log/Pinger.log*
|
CvpnUMD
|
Description |
Report SNMP connected users to AMON. |
Path |
$CVPNDIR/bin/CvpnUMD |
Log file |
$CVPNDIR/log/CvpnUMD.log |
Notes |
"cpwd_admin list" command shows the process as "CVPNUMD". |
To Stop |
[Expert@HostName]# cvpnstop |
To Start |
[Expert@HostName]# cvpnstart |
httpd
|
Description |
Front-end daemon of the Mobile Access Software Blade (multi-processes). |
Path |
$CPDIR/web/Apache/2.2.0/bin/httpd |
Log file |
$CVPNDIR/log/httpd.log |
Configuration file |
$CVPNDIR/conf/httpd.conf |
To Stop |
[Expert@HostName]# cvpnstop |
To Start |
[Expert@HostName]# cvpnstart |
Debug |
Refer to sk104577, sk99053 |
fwpushd
|
Description |
Mobile Access Push Notifications daemon that is controlled by "fwpush" command. It is a child of fwd daemon (from R77.10). |
Path |
$FWDIR/bin/fwpushd |
Log file |
$FWDIR/log/fwpushd.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
- Enable debug:
fwpush debug on
- Set the debug options:
fwpush debug set all all
- Check the debug state:
fwpush debug stat
- Replicate the issue
- Reset the debug options:
fwpush debug reset
- Disable debug:
fwpush debug off
- Check the debug state:
fwpush debug stat
- Analyze:
$FWDIR/log/fwpushd.elg*
|
postgres
|
Description |
PostgreSQL server. Used by Remote Access Session Visibility and Management Utility. |
Path |
$CPDIR/database/postgresql/bin/postgres |
Configuration file |
/var/log$FWDIR/datadir/postgres/sessions/postgresql.conf |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
su cp_postgres -c "$CPDIR/database/postgresql/bin/pg_ctl -D $RTDIR/events_db/data start"
Also refer to sk93970 |
Identity Awareness Blade |
pepd
|
Description |
Policy Enforcement Point daemon:
- Receiving identities via identity sharing
- Redirecting users to Captive Portal
|
Path |
$FWDIR/bin/pep |
Log file |
$FWDIR/log/pepd.elg |
Notes |
"cpwd_admin list" command shows the process as "PEPD". |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
"pep debug" - refer to Identity Awareness Administration Guide (R77) |
pdpd
|
Description |
Policy Decision Point daemon:
- Acquiring identities from identity sources
- Sharing identities with other gateways
|
Path |
$FWDIR/bin/pdpd |
Log file |
$FWDIR/log/pdpd.elg |
Notes |
"cpwd_admin list" command shows the process as "PDPD". |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
"pdp debug" - refer to Identity Awareness Administration Guide (R77) |
DLP Blade |
fwdlp
|
Description |
DLP core engine that performs the scanning / inspection. |
Path |
$FWDIR/bin/fwdlp |
Log file |
$FWDIR/log/fwdlp.elg
$DLPDIR/log/dlpe.log (refer to sk60387)
$DLPDIR/log/dlpe_msg.log (refer to sk73660)
$DLPDIR/log/dlpe_files_error.log |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk73660, sk60388:
- Start debug:
fw debug fwdlp on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug fwdlp off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/fwdlp.elg*
|
cp_file_convert
|
Description |
Used to convert various file formats to simple textual format for scanning by the DLP engine. |
Path |
$FWDIR/bin/cp_file_convert |
Log file |
$FWDIR/log/cp_file_convertd.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk73660:
- Start debug:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
- Replicate the issue
- Stop debug:
fw debug cp_file_convert off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/cp_file_convertd.elg*
|
dlp_fingerprint
|
Description |
Used to identify the data according to a unique signature known as a fingerprint stored in your repository. |
Path |
$FWDIR/bin/dlp_fingerprint |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
cserver
|
Description |
Check Server that either stops or processes the e-mail. |
Path |
$FWDIR/bin/cserver |
Log file |
$FWDIR/log/cserver.elg |
Notes |
"cpwd_admin list" command shows the process as "DLP_WS". |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk73660:
- Start debug:
fw debug cserver on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug cserver off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/cserver.elg*
|
dlpu
|
Description |
Receives data from Check Point kernel. |
Path |
$FWDIR/bin/dlpu |
Log file |
$FWDIR/log/dlpu.elg |
Notes |
"cpwd_admin list" command shows the process as "DLPU_<N>". |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk73660:
- Start debug:
fw debug dlpu on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug dlpu off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/dlpu.elg*
|
fwucd
|
Description |
UserCheck back-end daemon that sends approval / disapproval requests to user. |
Path |
$FWDIR/bin/fwucd |
Log file |
$FWDIR/log/fwucd.elg |
Notes |
"cpwd_admin list" command shows the process as "FWUCD". |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk73660, sk60388:
- Start debug:
fw debug fwucd on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug fwucd off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/fwucd.elg*
|
usrchkd
|
Description |
Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal. |
Path |
$FWDIR/bin/usrchkd |
Log file |
$FWDIR/log/usrchkd.elg |
Configuration file |
- $FWDIR/conf/usrchkd.conf
- $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
- $FWDIR/conf/fwauthd.conf
|
Notes |
- This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
- This daemon is spawned by the FWD daemon
|
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
To Restart |
[Expert@HostName]# killall usrchkd |
Debug |
Note: It might also be required to collect the relevant kernel debug.
- Start debug:
usrchk debug set all all
- Verify:
usrchk debug stat
- Replicate the issue.
- Stop debug:
usrchk debug off
- Analyze:
$FWDIR/log/usrchkd.elg*
|
usrchk
|
Description |
The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly). |
Path |
$FWDIR/bin/usrchk |
Log file |
$FWDIR/log/usrchk.elg |
Threat Emulation Blade |
ted
|
Description |
Threat Emulation daemon engine - responsible for emulating files and communication with the cloud. |
Path |
$FWDIR/teCurrentPack/temain |
Log file |
$FWDIR/log/ted.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
"tecli debug" - refer to Threat Prevention Administration Guide (R76, R77) |
dlpu
|
Description |
DLP process - receives data from Check Point kernel. |
Path |
$FWDIR/bin/dlpu |
Log file |
$FWDIR/log/dlpu.elg |
Notes |
"cpwd_admin list" command shows the process as "DLPU_<N>". |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk73660:
- Start debug:
fw debug dlpu on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug dlpu off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/dlpu.elg*
|
usrchkd
|
Description |
Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal. |
Path |
$FWDIR/bin/usrchkd |
Log file |
$FWDIR/log/usrchkd.elg |
Configuration file |
- $FWDIR/conf/usrchkd.conf
- $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
- $FWDIR/conf/fwauthd.conf
|
Notes |
- This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
- This daemon is spawned by the FWD daemon
|
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
To Restart |
[Expert@HostName]# killall usrchkd |
Debug |
Note: It might also be required to collect the relevant kernel debug.
- Start debug:
usrchk debug set all all
- Verify:
usrchk debug stat
- Replicate the issue.
- Stop debug:
usrchk debug off
- Analyze:
$FWDIR/log/usrchkd.elg*
|
usrchk
|
Description |
The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly). |
Path |
$FWDIR/bin/usrchk |
Log file |
$FWDIR/log/usrchk.elg |
scanengine_b
|
Description |
Third party engine. |
Path |
$FWDIR/teCurrentPack/scanengine_b |
Log file |
$FWDIR/log/bdadvisor.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
None |
scanengine_k
|
Description |
Third party engine. |
Path |
$FWDIR/teCurrentPack/scanengine_k |
Log file |
$FWDIR/log/kavadvisor.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
None |
scanengine_s
|
Description |
Third party engine. |
Path |
$FWDIR/teCurrentPack/scanengine_s |
Log file |
$FWDIR/log/sopadvisor.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
None |
Threat Extraction Blade |
scrub
|
Description |
Main CLI process for Threat Extraction. |
Path |
$FWDIR/bin/scrub |
Log file |
$FWDIR/log/scrubd.elg
/var/log/scrub/scrubd_messages
$CPDIR/log/scrub_plg.log |
Configuration file |
$FWDIR/conf/scrub_debug.conf |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
- Start Threat Extraction debug:
scrub debug on
scrub debug set all all
- Verify Threat Extraction debug is enabled:
scrub debug stat
- Start debug of cp_file_convert daemon:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
- Replicate the issue
- Stop debug of cp_file_convert daemon:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
- Stop Threat Extraction debug:
scrub debug off
scrub debug reset
- Verify Threat Extraction debug is disabled:
scrub debug stat
- Analyze:
$FWDIR/log/scrubd.elg*
/var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg
|
scrubd
|
Description |
Main Threat Extraction daemon. |
Path |
$FWDIR/bin/scrubd |
Log file |
$FWDIR/log/scrubd.elg
/var/log/scrub/scrubd_messages
$CPDIR/log/scrub_plg.log |
Configuration file |
$FWDIR/conf/scrub_debug.conf |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
- Start Threat Extraction debug:
scrub debug on
scrub debug set all all
- Verify Threat Extraction debug is enabled:
scrub debug stat
- Start debug of cp_file_convert daemon:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
- Replicate the issue
- Stop debug of cp_file_convert daemon:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
- Stop Threat Extraction debug:
scrub debug off
scrub debug reset
- Verify Threat Extraction debug is disabled:
scrub debug stat
- Analyze:
$FWDIR/log/scrubd.elg*
/var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg
|
scrub_cp_file_convertd
|
Description |
Used to convert various file formats to simple textual format for scanning by the DLP engine. |
Path |
$FWDIR/bin/cp_file_convert |
Log file |
/var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg
$FWDIR/log/cp_file_convert_start.log |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
- Start debug:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done
- Replicate the issue
- Stop debug:
for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
- Analyze:
/var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg*
|
in.emaild.mta
|
Description |
E-Mail Security Server that receives e-mails sent by user and sends them to their destinations. |
Path |
$FWDIR/bin/fwssd |
Log file |
$FWDIR/log/emaild.mta.elg
/var/log/scrub/in.emaild.mta_messages |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk139892 - MTA Engine Debugging
|
usrchkd
|
Description |
Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal. |
Path |
$FWDIR/bin/usrchkd |
Log file |
$FWDIR/log/usrchkd.elg |
Configuration file |
- $FWDIR/conf/usrchkd.conf
- $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
- $FWDIR/conf/fwauthd.conf
|
Notes |
- This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
- This daemon is spawned by the FWD daemon
|
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
To Restart |
[Expert@HostName]# killall usrchkd |
Debug |
Note: It might also be required to collect the relevant kernel debug.
- Start debug:
usrchk debug set all all
- Verify:
usrchk debug stat
- Replicate the issue.
- Stop debug:
usrchk debug off
- Analyze:
$FWDIR/log/usrchkd.elg*
|
usrchk
|
Description |
The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly). |
Path |
$FWDIR/bin/usrchk |
Log file |
$FWDIR/log/usrchk.elg |
Infinity Threat Prevention Blade |
tp_conf_service (starting R80.40)
|
Description |
Updatable configuration service for Threat Prevention blades, when using Infinity Threat Prevention. |
Path |
$FWDIR/bin/tp_conf_service |
Notes |
cpwd_admin list command shows the process as "TP_CONF_SERVICE" |
Log file |
$FWDIR/log/tp_conf.log |
To Stop |
cpstop |
To Start |
cpstart |
Configuration file |
$FWDIR/conf/tp_conf.json |
Debug |
cpwd_admin stop -name TP_CONF_SERVICE
cpwd_admin start -name TP_CONF_SERVICE -path $FWDIR/bin/tp_conf_service -command "tp_conf_service --conf=tp_conf.json --log=info" |
TPD (starting R80.40)
|
Description |
Threat Prevention Daemon - communicates with the kernel and handles user-mode tasks. |
Path |
$FWDIR/bin/tpd |
Log file |
$FWDIR/log/tpd.elg |
To Stop |
cpstop |
To Start |
cpstart |
Debug |
fw debug tpd on TDERROR_ALL_ALL=5 |
IPS Blade |
in.geod
|
Description |
Updates the IPS Geo Protection Database. |
Path |
$FWDIR/bin/fwssd %FWDIR%\bin\fwssd |
Log file |
$FWDIR/log/geod.elg %FWDIR%\log\geod.elg |
To Stop |
[Expert@HostName]# kill -KILL $(pidof in.geod) |
To Start |
After being killed, it will be restarted automatically |
Debug |
Refer to sk102329:
- Start debug:
fw debug in.geod on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.geod off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/geod.elg*
|
URL Filtering Blade |
rad
|
Description |
Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications. |
Path |
$FWDIR/bin/rad |
Log file |
$FWDIR/log/rad.elg |
Configuration file |
- $FWDIR/conf/rad_scheme.C
- $FWDIR/conf/rad_settings.C
- $FWDIR/database/rad_services.C
|
Notes |
"cpwd_admin list" command shows the process as "RAD". |
To Stop |
[Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart |
Debug |
Refer to sk92743:
- Start debug:
rad_admin rad debug on all
- Replicate the issue.
- Stop debug:
rad_admin rad debug off ALL
- Analyze:
$FWDIR/log/rad.elg*
|
usrchkd
|
Description |
Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal. |
Path |
$FWDIR/bin/usrchkd |
Log file |
$FWDIR/log/usrchkd.elg |
Configuration file |
- $FWDIR/conf/usrchkd.conf
- $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
- $FWDIR/conf/fwauthd.conf
|
Notes |
- This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
- This daemon is spawned by the FWD daemon
|
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
To Restart |
[Expert@HostName]# killall usrchkd |
Debug |
Note: It might also be required to collect the relevant kernel debug.
- Start debug:
usrchk debug set all all
- Verify:
usrchk debug stat
- Replicate the issue.
- Stop debug:
usrchk debug off
- Analyze:
$FWDIR/log/usrchkd.elg*
|
usrchk
|
Description |
The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly). |
Path |
$FWDIR/bin/usrchk |
Log file |
$FWDIR/log/usrchk.elg |
Application Control Blade |
rad |
Description |
Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications. |
Path |
$FWDIR/bin/rad |
Log file |
$FWDIR/log/rad.elg |
Configuration file |
- $FWDIR/conf/rad_scheme.C
- $FWDIR/conf/rad_settings.C
- $FWDIR/database/rad_services.C
|
Notes |
"cpwd_admin list" command shows the process as "RAD". |
To Stop |
[Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart |
Debug |
Refer to sk92743:
- Start debug:
rad_admin rad debug on all
- Replicate the issue.
- Stop debug:
rad_admin rad debug off ALL
- Analyze:
$FWDIR/log/rad.elg*
|
Anti-Bot Blade |
in.acapd
|
Description |
Packet capturing daemon for SmartView Tracker logs. |
Path |
$FWDIR/bin/fwssd |
Log file |
$FWDIR/log/acapd.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk108179:
- Start debug:
fw debug in.acapd on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.acapd off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/acapd.elg*
|
rad
|
Description |
Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database which identifies URLs as applications. |
Path |
$FWDIR/bin/rad |
Log file |
$FWDIR/log/rad.elg |
Configuration file |
- $FWDIR/conf/rad_scheme.C
- $FWDIR/conf/rad_settings.C
- $FWDIR/database/rad_services.C
|
Notes |
"cpwd_admin list" command shows the process as "RAD". |
To Stop |
[Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart |
Debug |
Refer to sk92264:
- Start debug:
rad_admin rad debug on all
- Replicate the issue.
- Stop debug:
rad_admin rad debug off ALL
- Analyze:
$FWDIR/log/rad.elg*
|
usrchkd
|
Description |
Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal. |
Path |
$FWDIR/bin/usrchkd |
Log file |
$FWDIR/log/usrchkd.elg |
Configuration file |
- $FWDIR/conf/usrchkd.conf
- $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
- $FWDIR/conf/fwauthd.conf
|
Notes |
- This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
- This daemon is spawned by the FWD daemon
|
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
To Restart |
[Expert@HostName]# killall usrchkd |
Debug |
Note: It might also be required to collect the relevant kernel debug.
- Start debug:
usrchk debug set all all
- Verify:
usrchk debug stat
- Replicate the issue.
- Stop debug:
usrchk debug off
- Analyze:
$FWDIR/log/usrchkd.elg*
|
usrchk
|
Description |
The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly). |
Path |
$FWDIR/bin/usrchk |
Log file |
$FWDIR/log/usrchk.elg |
Anti-Virus Blade |
in.acapd
|
Description |
Packet capturing daemon for SmartView Tracker logs. |
Path |
$FWDIR/bin/fwssd |
Log file |
$FWDIR/log/acapd.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk108179:
- Start debug:
fw debug in.acapd on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.acapd off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/acapd.elg*
|
in.emaild.mta
|
Description |
E-Mail Security Server that receives e-mails sent by user and sends them to their destinations. |
Path |
$FWDIR/bin/fwssd |
Log file |
$FWDIR/log/emaild.mta.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk60387:
- Start debug:
fw debug in.emaild.mta on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.emaild.mta off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/emaild.mta.elg*
|
in.emaild.smtp
|
Description |
SMTP Security Server that receives e-mails sent by user and sends them to their destinations. |
Path |
$FWDIR/bin/fwssd |
Log file |
$FWDIR/log/emaild.smtp.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk60387:
- Start debug:
fw debug in.emaild.smtp on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.emaild.smtp off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/emaild.smtp.elg*
|
in.emaild.pop3
|
Description |
POP3 Security Server that receives e-mails sent by user. |
Path |
$FWDIR/bin/fwssd |
Log file |
$FWDIR/log/emaild.pop3.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
- Start debug:
fw debug in.emaild.pop3 on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.emaild.pop3 off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/emaild.pop3.elg*
|
dlpu
|
Description |
DLP process - receives data from Check Point kernel. |
Path |
$FWDIR/bin/dlpu |
Log file |
$FWDIR/log/dlpu.elg |
Notes |
"cpwd_admin list" command shows the process as "DLPU_<N>". |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk73660:
- Start debug:
fw debug dlpu on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug dlpu off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/dlpu.elg*
|
rad
|
Description |
Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database which identifies URLs as applications. |
Path |
$FWDIR/bin/rad |
Log file |
$FWDIR/log/rad.elg |
Configuration file |
- $FWDIR/conf/rad_scheme.C
- $FWDIR/conf/rad_settings.C
- $FWDIR/database/rad_services.C
|
Note |
"cpwd_admin list" command shows the process as "RAD". |
To Stop |
[Expert@HostName]# rad_admin stop
or
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# rad_admin start
or
[Expert@HostName]# cpstart |
Debug |
Refer to sk92264:
- Start debug:
rad_admin rad debug on all
- Replicate the issue.
- Stop debug:
rad_admin rad debug off ALL
- Analyze:
$FWDIR/log/rad.elg*
|
usrchkd
|
Description |
Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal. |
Path |
$FWDIR/bin/usrchkd |
Log file |
$FWDIR/log/usrchkd.elg |
Configuration file |
- $FWDIR/conf/usrchkd.conf
- $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf
- $FWDIR/conf/fwauthd.conf
|
Notes |
- This daemon is not monitored by Check Point WatchDog ("cpwd_admin list")
- This daemon is spawned by the FWD daemon
|
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
To Restart |
[Expert@HostName]# killall usrchkd |
Debug |
Note: It might also be required to collect the relevant kernel debug.
- Start debug:
usrchk debug set all all
- Verify:
usrchk debug stat
- Replicate the issue.
- Stop debug:
usrchk debug off
- Analyze:
$FWDIR/log/usrchkd.elg*
|
usrchk
|
Description |
The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly). |
Path |
$FWDIR/bin/usrchk |
Log file |
$FWDIR/log/usrchk.elg |
Anti-Spam Blade |
in.emaild.smtp
|
Description |
SMTP Security Server that receives e-mails sent by user and sends them to their destinations. |
Path |
$FWDIR/bin/fwssd |
Log file |
$FWDIR/log/emaild.smtp.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk60387:
- Start debug:
fw debug in.emaild.smtp on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.emaild.smtp off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/emaild.smtp.elg*
|
in.msd
|
Description |
Mail Security Daemon that queries the Commtouch engine for reputation. |
Path |
$FWDIR/bin/fwssd |
Log file |
$FWDIR/log/msd.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk92264:
- Start debug:
fw debug in.msd on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug in.msd off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/msd.elg*
|
ctasd
|
Description |
Commtouch Anti-Spam daemon. |
Path |
/opt/aspam_engine/ctipd/bin/ctasd |
Configuration file |
/opt/aspam_engine/ctasd/conf/ctasd.conf |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
ctipd
|
Description |
Commtouch IP Reputation daemon. |
Path |
/opt/aspam_engine/ctipd/bin/ctipd |
Configuration file |
/opt/aspam_engine/ctipd/conf/ctipd.conf |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Monitoring Blade |
rtmd
|
Description |
Real Time traffic statistics. |
Path |
$FWDIR/bin/rtm %FWDIR%\bin\rtm |
Log file |
$FWDIR/log/rtmd.elg %FWDIR%\log\rtmd.elg |
Notes |
"cpwd_admin list" command shows the process as "RTMD". |
To Stop |
[Expert@HostName]# rtmstop |
To Start |
[Expert@HostName]# rtmstart |
Debug |
Refer to skI2821:
- Start debug:
rtm debug on TDERROR_ALL_ALL=5
rtm debug on OPSEC_DEBUG_LEVEL=3
- Replicate the issue
- Stop debug:
rtm debug off TDERROR_ALL_ALL=0
rtm debug off OPSEC_DEBUG_LEVEL=0
- Analyze:
$FWDIR/log/rtmd.elg*
|
cpstat_monitor
|
Description |
Process is responsible for collecting and sending information to SmartView Monitor. |
Path |
$FWDIR/bin/cpstat_monitor %FWDIR%\bin\cpstat_monitor |
Log file |
$FWDIR/log/cpstat_monitor.elg %FWDIR%\log\cpstat_monitor.elg |
Notes |
- "cpwd_admin list" command shows the process as "CPSM".
- By default, does not run in the context of Domain Management Servers.
- By default, in MGMT HA runs only on "Active" Security Management Server.
|
To Stop |
[Expert@HostName]# cpwd_admin stop -name CPSM |
To Start |
[Expert@HostName]# cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor" |
Debug |
Refer to sk108177 |
HTTPS Inspection |
wstlsd
|
Description |
Handles SSL handshake for HTTPS Inspected connections. |
Path |
$CPDIR/bin/wstlsd |
Log file |
$FWDIR/log/wstlsd.elg |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
Refer to sk105559:
- Start debug:
for PROC in $(pidof wstlsd) ; do fw debug $PROC on TDERROR_ALL_ALL=6 ; done
- Replicate the issue (it is very important to collect the relevant traffic using both TCPDump tool and the FW Monitor).
- Stop debug:
for PROC in $(pidof wstlsd) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done
- Analyze:
$FWDIR/log/wstlsd.elg*
|
pkxld
|
Description |
Performs asymmetric key operations for HTTPS Inspection (from R77.30) |
Path |
$CPDIR/bin/pkxld |
Log file |
none |
Notes |
Refer to sk104717 |
To Stop |
[Expert@HostName]# cpstop |
To Start |
[Expert@HostName]# cpstart |
Debug |
none |
HTTP/HTTPS Proxy |
wsdnsd
|
Description |
DNS Resolver (from R77.30) - activated when Security Gateway is configured as HTTP/HTTPS Proxy, and no next proxy is used. Process is started and stopped during policy installation. |
Path |
$FWDIR/bin/wsdnsd %FWDIR%\bin\wsdnsd |
Log file |
$FWDIR/log/wsdnsd.elg |
Notes |
"cpwd_admin list" command shows the process as "WSDNSD" |
To Stop |
[Expert@HostName]# cpwd_admin stop -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "kill -SIGTERM $(pidof $FWDIR/bin/wsdnsd)" |
To Start |
[Expert@HostName]# cpwd_admin start -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "wsdnsd" |
Debug |
Refer to sk106443:
- Start debug:
fw debug wsdnsd on TDERROR_ALL_ALL=5
- Replicate the issue
- Stop debug:
fw debug wsdnsd off TDERROR_ALL_ALL=0
- Analyze:
$FWDIR/log/wsdnsd.elg*
|
Cluster |
cphamcset
|
Description |
Clustering daemon - responsible for opening sockets on the NICs in order to allow them to pass multicast traffic (CCP) to the machine. |
Path |
$FWDIR/bin/cphamcset %FWDIR%\bin\cphamcset |
Log file |
$FWDIR/log/cphamcset.elg %FWDIR%\log\cphamcset.elg |
Notes |
|
To Stop |
[Expert@HostName]# cphastop |
To Start |
[Expert@HostName]# cphastart |
Debug |
- Stop clustering:
cphastop
- Start under debug:
cphamcset -d
- Stop Check Point services:
cphastop
- Start clustering:
cphastart
|
cphaprob
|
Description |
Process that lists the state of cluster members, cluster interfaces and critical monitored components (pnotes). |
Path |
$FWDIR/bin/cphaprob %FWDIR%\bin\cphaprob |
Configuration file |
$FWDIR/conf/cphaprob.conf %FWDIR%\conf\cphaprob.conf |
Notes |
Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaprob' command. |
To Stop |
none |
To Start |
none |
Debug |
"cphaprob -D <command>" (e.g., "cphaprob -D state") |
cphaconf
|
Description |
Cluster configuration process - installs the cluster configuration into Check Point kernel on cluster members. |
Path |
$FWDIR/bin/cphaconf %FWDIR%\bin\cphaconf |
Log file |
$FWDIR/log/cphaconf.elg %FWDIR%\log\cphaconf.elg |
Notes |
- Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaconf' command.
- Log file exists only from R77.20
|
To Stop |
none |
To Start |
none |
Debug |
Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaconf' command - 'cphaconf debug_data'. |
cphastart
|
Description |
Starts the cluster and state synchronization. |
Path |
$FWDIR/bin/cphastart %FWDIR%\bin\cphastart |
Log file |
$FWDIR/log/cphastart.elg %FWDIR%\log\cphastart.elg |
Notes |
- Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphastart' and 'cphastop' commands.
- Log file exists only from R77.20
|
To Stop |
none |
To Start |
none |
Debug |
"cphastart -d" - refer to sk39842 |
cphastop
|
Description |
Stops the cluster and state synchronization. |
Path |
$FWDIR/bin/cphastop %FWDIR%\bin\cphastop |
Notes |
Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphastart' and 'cphastop' commands. |
To Stop |
none |
To Start |
none |
Debug |
Standard CSH script debugging (csh -x -v $FWDIR/bin/cphastop) |
Acceleration |
sxl_statd
|
Description |
Allows acquiring statistics information from Host ppak |
Path |
$FWDIR/bin/sxl_statd |
Log File |
N/A |
To Stop |
cpwd_admin stop -name SXL_STATD |
To Start |
Run on boot |
Debug |
cpwd_admin start -name SXL_STATD -path $FWDIR/bin/sxl_statd -command sxl_statd |
CoreXL |
dsd (starting R80.40)
|
Description |
Dynamic Balancing (formerly: Dynamic Split) - responsible for dynamically adjusting CoreXL for optimized CPU resource allocation, based on continuous monitoring of system resources |
Path |
$FWDIR/bin/dsd |
Log File |
$FWDIR/log/dsd.elg |
To Stop |
dynamic_split -o disable |
To Start |
dynamic_split -o enable (requires reboot, on by default in R81) |
Debug |
None |