Check Point Processes and Daemons

Support Center > Search Results > SecureKnowledge Details

Check Point Processes and Daemons

Technical Level

Solution ID	sk97638
Technical Level
Product	Quantum Security Gateways, Quantum Security Management
Version	R77.20 (EOL), R77.30 (EOL), R80 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP, R80.30 (EOL), R80.30SP, R80.40, R81, R81.10, R81.10.x, R81.20
OS	Gaia, Gaia Embedded
Platform / Model	All
Date Created	17-Dec-2013
Last Modified	25-Jan-2023

Solution

Table of Contents:

Gaia Processes and Daemons
Infrastructure Processes

Security Gateway Software Blades and Features

Firewall Blade
IPSec VPN Blade
Mobile Access Blade
Identity Awareness Blade
DLP Blade
Threat Emulation Blade
Threat Extraction Blade

Infinity Threat Prevention Blade
IPS Blade
URL Filtering Blade
Application Control Blade
Anti-Bot Blade
Anti-Virus Blade
Anti-Spam Blade

Monitoring Blade
HTTPS Inspection
HTTP/HTTPS Proxy
ClusterXL
SecureXL
CoreXL
VSX

Security Management Software Blades and Features

Network Policy Management Blade
Endpoint Policy Management Blade
Monitoring Blade
Provisioning Blade
SmartReporter Blade

SmartEvent Blade
Logging & Status Blade
Management Portal
SmartLog

Internal CA
Compliance Blade
SofaWare Management Server
OPSEC LEA

1800 / 1600 / 1500 / 1400 / 1200R / 1100 / 900 / 700 / 600 appliances
Endpoint Security Client
Additional Processes
Related solutions

Important - Unless stated otherwise, you must run the commands in the Expert mode.

Gaia Processes and Daemons

All Gaia processes and daemons run by default, other than snmpd and dhcpd.

Enter the string you are searching for in this table:

Daemon	Child daemon	Section	Information
pm	-	Description	Gaia OS Process Manager (/bin/pm). Controls other processes and daemons.
		Path	/bin/pm
		Log file	/var/log/messages
		To Stop	none
		To Start	none
	confd	Description	Database and configuration.
		Path	/bin/confd
		Important Note	Maintenance window is required to restart this daemon: When confd daemon is starting, by design, it restarts any currently running routed daemons (by sending a TERM signal). It is done to avoid possible issues in Gaia Clish (e.g., returning invalid results for routing-related commands like "`show route`"). Since routed daemon is responsible for all the routing in Gaia OS, short traffic outage will occur while routed daemon is being restarted. Since routed daemon is a Critical Device in Check Point cluster (since R76), cluster fail-over might occur while routed daemon is being restarted (refer to sk92878).
		Log file	/var/log/messages
		To Stop	tellpm process:confd
		To Start	tellpm process:confd t
	searchd	Description	Search indexing daemon.
		Log file	/var/log/messages
		Path	/bin/searchd
		To Stop	tellpm process:searchd
		To Start	tellpm process:searchd t
	clishd	Description	Gaia Clish CLI interface process - general information for all Clish sessions.
		Path	/bin/clishd
		Log file	/var/log/messages
		To Stop	tellpm process:clishd
		To Start	tellpm process:clishd t
	clish	Description	Gaia Clish CLI interface process - Clish process per session.
		Path	/bin/clish
		Log file	/var/log/messages
		To Stop	tellpm process:clish
		To Start	tellpm process:clish t
		Debug	Refer to sk106938
	routed	Description	Routing daemon.
		Path	/bin/routed
		Important Note	Maintenance window is required to restart this daemon: Since routed daemon is responsible for all the routing in Gaia OS, short traffic outage will occur while routed daemon is being restarted. Since routed daemon is a Critical Device in Check Point cluster (since R76), cluster fail-over might occur while routed daemon is being restarted (refer to sk92878).
		Log file	/var/log/routed.log /var/log/routed_messages
		Configuration file	/etc/routed.conf
		To Stop	tellpm process:routed
		To Start	tellpm process:routed t
		Debug	Refer to: sk84520 - How to debug OSPF and RouteD daemon on Gaia, sk101399 - How to debug BGP and RouteD daemon on Gaia, sk92598 - How to debug PIM and Multicast on Gaia
	httpd2	Description	Web server daemon (Gaia Portal).
		Path	/web/cpshared/web/Apache/2.2.0/bin/httpd2
		Log file	/var/log/httpd2_error_log /var/log/httpd2_access_log
		Configuration file	/web/conf/httpd2.conf
		To Stop	tellpm process:httpd2
		To Start	tellpm process:httpd2 t
		Debug	Refer to sk84561
	monitord	Description	Hardware monitoring daemon.
		Path	/bin/monitord
		Log file	/var/log/messages
		To Stop	tellpm process:monitord
		To Start	tellpm process:monitord t
	rconfd	Description	Provisioning daemon.
		Path	/bin/rconfd
		Log file	/var/log/messages
		To Stop	tellpm process:rconfd
		To Start	tellpm process:rconfd t
	cloningd	Description	Cloning Groups daemon.
		Path	/bin/cloningd
		Log file	/var/log/messages
		To Stop	tellpm process:cloningd
		To Start	tellpm process:cloningd t
	dhcpd	Description	DHCP server daemon.
		Path	/usr/sbin/dhcpd
		Log file	/var/log/messages
		Configuration file	/etc/dhcpd.conf
		To Stop	In Gaia Clish: set dhcp server disable In Gaia Portal: "Network Management" section - "DHCP Server" pane
		To Start	In Gaia Clish: set dhcp server enable In Gaia Portal: "Network Management" section - "DHCP Server" pane
	snmpd	Description	SNMP (Linux) daemon.
Path		/usr/sbin/snmpd
Log file		/var/log/messages
Configuration file		/etc/snmp/snmpd.conf
To Stop		In Gaia Clish: set snmp agent off In Gaia Portal:"System Management" section - "SNMP" pane
To Start		In Gaia Clish: set snmp agent on In Gaia Portal: "System Management" section - "SNMP" pane
Debug		Refer to sk56783
xpand	-	Description	Configuration daemon that processes and validates all user configuration requests, updates the system configuration database, and calls other utilities to carry out the request.
		Path	/bin/confd
		Log file	/var/log/messages
		To Stop	None
		To Start	None
sshd	-	Description	SSH daemon.
		Path	/usr/sbin/sshd
		Log file	/var/log/secure /var/log/auth/ /var/log/messages
		Configuration file	R80.40 Jumbo Hotfix Take 83 and higher versions: Back up and edit: `/etc/ssh/templates/sshd_config.templ` Run : `/bin/sshd_template_xlate < /config/active` In lower versions: /etc/ssh/sshd_config
		To Stop	service sshd stop
		To Start	service sshd start
		Debug	Edit the applicable "sshd_config" file (see above): Change the "LogLevel" line: from: #LogLevel INFO to: LogLevel DEBUG3 Save the changes in the file Load the updated configuration (in R80.40 Jumbo Hotfix Take 83 and higher versions): `/bin/sshd_template_xlate < /config/active` Start SSHD under debug to run in background (copy the PID): /usr/sbin/sshd -ddd 1>> /var/log/sshd.debug.txt 2>> /var/log/sshd.debug.txt & Replicate the issue (connect over SSH). Stop the SSHD: kill -TERM <PID> kill -KILL <PID> Revert the changes in the applicable "sshd_config" file Load the updated configuration (in R80.40 Jumbo Hotfix Take 83 and higher versions): `/bin/sshd_template_xlate < /config/active` Analyze: /var/log/sshd.debug.txt
syslogd	-	Description	Syslog (Linux) daemon.
		Path	/sbin/syslogd
		Log file	/var/log/messages /var/log/dmesg
		Configuration file	/etc/syslog.conf /var/run/syslog.conf
		To Stop	service syslog stop
		To Start	service syslog start
		Debug	Refer to sk108421
DAService	-	Description	Check Point Upgrade Service Engine (CPUSE) - former 'Gaia Software Updates' service (refer to sk92449).
		Path	$DADIR/bin/DAService
		Log file	/opt/CPInstLog/DeploymentAgent.log /opt/CPInstLog/DA_UI.log
		Notes	The "cpwd_admin list" command shows the process as "DASERVICE" (command is "$DADIR/bin/DAService_script" - this is a watchdog script that starts the $DADIR/bin/DAService, if it is not running).
		To Stop	$DADIR/bin/dastop dbget installer:stop
		To Start	$DADIR/bin/dastart dbget installer:start
		Debug	Refer to sk92449: Create the configuration file: touch $DADIR/bin/DAconf Add the following line (case-sensitive; spaces are not allowed): PING_TRACE=1 Save the changes Re-load the new configuration: DAClient conf As soon as possible: Replicate the issue Delete the $DADIR/bin/DAconf file Re-load the configuration with DAClient conf command Analyze: /opt/CPInstLog/DeploymentAgent.log
AutoUpdater	-	Description	AutoUpdater - responsible for automatic updates in: R80.40 and higher R80.30 Jumbo Take 71 (and higher) R80.20 Jumbo Take 117 (and higher) R80.10 Jumbo Take 245 (and higher)
		Path	$AUTOUPDATERDIR/latest/bin/AutoUpdater
		Log file	$AUTOUPDATERDIR/AutoUpdater.log
		To Stop	AutoUpdaterWDUnReg.sh ; autoupdatercli stop
		To Start	AutoUpdaterWDReg.sh
		Debug	autoupdatercli debug DEBUG

Note: Other Gaia OS daemons can be stopped in Expert mode, but it is not recommended.

Infrastructure Processes

Enter the string you are searching for in this table:

Daemon	Section	Information
cpwd	Description	WatchDog is a process that launches and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by Watchdog are cpd, fwd and fwm. Watchdog is controlled by the cpwd_admin utility. To learn how to start and stop various daemons, run cpwd_admin command.
	Path	$CPDIR/bin/cpwd %CPDIR%\bin\cpwd (R77.30 and lower)
	Log file	$CPDIR/log/cpwd.elg %CPDIR%\log\cpwd.elg (R77.30 and lower)
	To Stop	cpwd_admin kill or cpstop
	To Start	$CPDIR/bin/cpwd >& /dev/null or cpstart
	Debug	None
cpd	Description	Port 18191 - Generic process (add-ons container) for many Check Point services, such as installing and fetching policy, and online updates Port 18211 - SIC push certificate (from Internal CA)
	Path	$CPDIR/bin/cpd %CPDIR%\bin\cpd (R77.30 and lower)
	Log file	$CPDIR/log/cpd.elg %CPDIR%\log\cpd.elg (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "CPD"
	To Stop	Management Server / Security Gateway: cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop" or cpstop VSX Gateway: [Expert@HostName:0]# vsenv <VSID> [Expert@HostName:<VSID>]# cpwd_admin stop -name CPD -ctx <VSID> -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop" -env inherit or [Expert@HostName:0]# cpstop
	To Start	Management Server / Security Gateway: cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd" or cpstart VSX Gateway: [Expert@HostName:0]# vsenv <VSID> [Expert@HostName:<VSID>]# cpwd_admin start -name CPD -ctx <VSID> -path "$CPDIR/bin/cpd" -command "cpd" -env inherit or [Expert@HostName:0]# cpstart
	Debug	"cpd_admin debug" - refer to sk86320
fwd	Description	Logging Spawning child processes (e.g., vpnd)
	Path	$FWDIR/bin/fwd %FWDIR%\bin\fwd (R77.30 and lower)
	Log file	$FWDIR/log/fwd.elg %FWDIR%\log\fwd.elg (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "FWD". The "top" and "ps" commands might also show "fw" process and/or "fw_full" process, which are just wrappers for the "fwd" process.
	To Stop	Management Server / Security Gateway: cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd" or cpstop VSX Gateway: [Expert@HostName:0]# vsenv <VSID> [Expert@HostName:<VSID>]# cpwd_admin stop -name FWD -ctx <VSID> -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit or [Expert@HostName:0]# cpstop
	To Start	Management Server / Security Gateway: cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd" or cpstart VSX Gateway: [Expert@HostName:0]# vsenv <VSID> [Expert@HostName:<VSID>]# cpwd_admin start -name FWD -ctx <VSID> -path "$FWDIR/bin/fwd" -command "fwd" -env inherit or [Expert@HostName:0]# cpstart
	Debug	Refer to sk86321 Start debug: fw debug fwd on TDERROR_ALL_ALL=5 fw debug fwd on OPSEC_DEBUG_LEVEL=3 Replicate the issue Stop debug: fw debug fwd off TDERROR_ALL_ALL=0 fw debug fwd off OPSEC_DEBUG_LEVEL=0 Analyze: $FWDIR/log/fwd.elg*
cprid	Description	Check Point Remote Installation Daemon - distribution of packages from SmartUpdate to managed Gateways.
	Path	$CPDIR/bin/cprid %CPDIR%\bin\cprid (R77.30 and lower)
	Log file	$CPDIR/log/cprid.elg %CPDIR%\log\cprid.elg (R77.30 and lower)
	To Stop	$CPDIR/bin/cpridstop
	To Start	$CPDIR/bin/cpridstart
	Debug	Refer to sk41793
cprid_wd	Description	WatchDog for Check Point Remote Installation Daemon "cprid".
	Path	$CPDIR/bin/cprid_wd %CPDIR%\bin\cprid_wd (R77.30 and lower)
	Log file	$CPDIR/log/cprid_wd.elg
	To Stop	$CPDIR/bin/cpridstop
	To Start	$CPDIR/bin/cpridstart
	Debug	Standard CSH script debugging (csh -x -v $CPDIR/bin/cprid_wd)
kissd	Description	KISS - used for kernel memory management.
	Path	None - created by kernel code (drv_init)
	Log file	None
	To Stop	None
	To Start	None
	Debug	None

Security Gateway Software Blades and Features

Enter the string you are searching for in this table:

Daemon	Section	Information
Firewall Blade
fwd	Description	Logging Spawning child processes (e.g., vpnd)
	Path	$FWDIR/bin/fwd %FWDIR%\bin\fwd (R77.30 and lower)
	Log file	$FWDIR/log/fwd.elg %FWDIR%\log\fwd.elg (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "FWD". The "top" and "ps" commands might also show "fw" process and/or "fw_full" process, which are just wrappers for the "fwd" process.
	To Stop	Security Gateway: cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd" or cpstop VSX Gateway: [Expert@HostName:0]# vsenv <VSID> [Expert@HostName:<VSID>]# cpwd_admin stop -name FWD -ctx <VSID> -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit or [Expert@HostName:0]# cpstop
	To Start	Security Gateway: cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd" or cpstart VSX Gateway: [Expert@HostName:0]# vsenv <VSID> [Expert@HostName:<VSID>]# cpwd_admin start -name FWD -ctx <VSID> -path "$FWDIR/bin/fwd" -command "fwd" -env inherit or [Expert@HostName:0]# cpstart
	Debug	Refer to sk86321 Start debug: fw debug fwd on TDERROR_ALL_ALL=5 fw debug fwd on OPSEC_DEBUG_LEVEL=3 Replicate the issue Stop debug: fw debug fwd off TDERROR_ALL_ALL=0 fw debug fwd off OPSEC_DEBUG_LEVEL=0 Analyze: $FWDIR/log/fwd.elg*
IPSec VPN Blade
vpnd	Description	R81.10 and higher: The single vpnd daemon handles these VPN connections: All connections from non-IKE Remote Access clients (SSL Network Extender, Capsule VPN). Multi-Portal (SSL/TLS) traffic. R81 and lower: The single vpnd daemon handles these VPN connections: IKE (UDP/TCP) NAT-T Tunnel Test Reliable Datagram Protocol (RDP) Topology Update for SecureClient SSL Network Extender (SNX) SSL Network Extender (SNX) Portal Remote Access Client configuration Visitor Mode L2TP
	Path	On Gaia OS / SecurePlatform OS / IPSO OS: $FWDIR/bin/vpn R77.30 and lower on Windows OS: %FWDIR%\bin\vpn
	Log file	R81.20 and higher: $FWDIR/log/vpnd.elg* $FWDIR/log/vpnd.ikev1trace* $FWDIR/log/vpnd.ikev2trace* R81.10: $FWDIR/log/vpnd.elg* $FWDIR/log/legacy_ike.elg* $FWDIR/log/legacy_ikev2.xml* R81 and R80.40: $FWDIR/log/vpnd.elg* $FWDIR/log/ike.elg* $FWDIR/log/ikev2.xmll* R80.30 and lower: $FWDIR/log/vpnd.elg* $FWDIR/log/ike.elg* R77.30 and lower on Windows OS: %FWDIR%\log\vpnd.elg %FWDIR%\log\ike.elg
	Notes	This process is not monitored by Check Point WatchDog
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk89940
iked	Description	This process exists starting from the R81.10 version. R81.20 and higher: The multiple iked daemons (iked0, iked1, and so on) handle these VPN connections: All connections from IKE Remote Access clients (for example, Endpoint clients). All IKE Site-to-Site connections from peer Security Gateways, and Large Scale VPN (LSV) connections. All connections from SmartLSM ROBO gateways. All connections from Security Gateways with a Dynamically Assigned IP Address (DAIP). R81.10: The single iked daemon handles these VPN connections: All connections from IKE Remote Access clients (for example, Endpoint clients). All IKE Site-to-Site connections from peer Security Gateways, and Large Scale VPN (LSV) connections. All connections from SmartLSM ROBO gateways. All connections from Security Gateways with a Dynamically Assigned IP Address (DAIP).
	Path	$FWDIR/bin/ike
	Log file	R81.20 and higher: $FWDIR/log/iked.elg $FWDIR/log/iked.ikev1trace $FWDIR/log/iked.ikev2trace R81.10: $FWDIR/log/ike.elg* $FWDIR/log/iked.elg* $FWDIR/log/ikev2.xml*
	Notes	This process is not monitored by Check Point WatchDog
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk89940
cccd	Description	This process exists starting from the R81.10 version. The single cccd daemon is responsible for the Client Communication Channel (CCC) protocol, while: IKE for the same clients runs in the IKE daemons iked. The TLS layer of the CCC protocol for the same clients runs in the VPN daemon vpnd.
	Path	$FWDIR/bin/ccc
	Log file	$FWDIR/log/cccd.elg
	Notes	This process is not monitored by Check Point WatchDog
	To Stop	cpstop
	To Start	cpstart
	Debug	---
Mobile Access Blade
cvpnd	Description	Back-end daemon of the Mobile Access Software Blade.
	Path	$CVPNDIR/bin/cvpnd
	Log file	$CVPNDIR/log/cvpnd.elg
	Configuration file	$CVPNDIR/conf/cvpnd.C
	Notes	The "cpwd_admin list" command shows the process as "CVPND"
	To Stop	cvpnstop
	To Start	cvpnstart
	Debug	"cvpnd_admin debug" - refer to sk104577, sk99053
dbwriter	Description	Offloads database commands from cvpnd (to prevent locks) and synchronize with other members.
	Path	$CVPNDIR/bin/dbwriter
	Log file	$CVPNDIR/log/dbwriter.elg
	Configuration file	$CVPNDIR/conf/dbwriter.C
	Notes	The "cpwd_admin list" command shows the process as "DBWRITER"
	To Stop	cvpnstop
	To Start	cvpnstart
cvpnproc	Description	Offloads blocking commands from cvpnd (to prevent locks). Example: Sending DynamicID.
	Path	$CVPNDIR/bin/cvpnproc
	Log file	$CVPNDIR/log/cvpnproc.elg
	Configuration file	$CVPNDIR/conf/cvpnproc.C
	Notes	The "cpwd_admin list" command shows the process as "CVPNPROC"
	To Stop	cvpnstop
	To Start	cvpnstart
	Debug	Refer to sk104577 Stop Mobile Access: cvpnstop Verify that cvpnproc process is not running: ps aux \| grep cvpnproc If the cvpnproc process is still running, then kill it: kill -KILL $(pidof cvpnproc) Start cvpnproc process under debug to run in background (by running these 2 commands): export TDERROR_ALL_ALL=5 $CVPNDIR/bin/cvpnproc $CVPNDIR/log/cvpnproc.elg $CVPNDIR/conf/cvpnproc.C & Start Mobile Access: cvpnstart Replicate the issue Stop debug: unset TDERROR_ALL_ALL Stop Mobile Access: cvpnstop Kill cvpnproc process: kill -TERM $(pidof cvpnproc) kill -KILL $(pidof cvpnproc) Start Mobile Access: cvpnstart Analyze: $CVPNDIR/log/cvpnproc.elg*
MoveFileServer	Description	Move files between cluster members to perform database synchronization.
	Path	$CVPNDIR/bin/MoveFileServer
	Log file	$CVPNDIR/log/MFServer.log
	Configuration file	$CVPNDIR/conf/mfserver.C
	Notes	The "cpwd_admin list" command shows the process: In R77.30 and higher: as "MFSERVER" In R77.20 and lower: as "MOVEFILESERVER"
	To Stop	cvpnstop
	To Start	cvpnstart
MoveFileDemuxer	Description	Related to MoveFileServer process (moving files between cluster members to perform database synchronization).
	Path	$CVPNDIR/bin/MoveFileDemuxer
	Log file	$CVPNDIR/log/MFDemux.log
	Configuration file	$CVPNDIR/conf/mfdemuxer.C
	Notes	The "cpwd_admin list" command shows the process: In R77.30 and higher: as "MFDEMUXER" In R77.20 and lower: as "MOVEFILEDEMUXER"
	To Stop	cvpnstop
	To Start	cvpnstart
Pinger	Description	Reduces the number of httpd processes that perform ActiveSync.
	Path	$CVPNDIR/bin/Pinger
	Log file	$CVPNDIR/log/Pinger.log
	Configuration file	$CVPNDIR/conf/Pinger.C
	Notes	The "cpwd_admin list" command shows the process as "PINGER"
	To Stop	cvpnstop
	To Start	cvpnstart
	Debug	Refer to sk104577 Verify that Pinger process is running: ps aux \| grep Pinger Enable debug for relevant users: PingerAdmin debug users <user1>,<user2>,<user3> Set the debug level: PingerAdmin debug set TDERROR_ALL_Pinger=3 or PingerAdmin debug set TDERROR_ALL_ALL=5 Set the debug type: PingerAdmin debug type All Delete all files from $CVPNDIR/log/trace_log/ directory: Note: Do NOT delete the directory itself! cd $CVPNDIR/log/trace_log/ rm -i * Enable trace log: Warning: This might print passwords to local files! PingerAdmin debug trace on Start debug: PingerAdmin debug on Replicate the issue Stop debug: PingerAdmin debug off Disable trace log: PingerAdmin debug trace off Reset the debug: PingerAdmin debug reset Analyze: $CVPNDIR/log/Pinger.log*
CvpnUMD	Description	Reports SNMP connected users to AMON.
	Path	$CVPNDIR/bin/CvpnUMD
	Log file	$CVPNDIR/log/CvpnUMD.log
	Notes	The "cpwd_admin list" command shows the process as "CVPNUMD"
	To Stop	cvpnstop
	To Start	cvpnstart
httpd	Description	Front-end daemon of the Mobile Access Software Blade (multi-processes).
	Path	$CPDIR/web/Apache/2.2.0/bin/httpd
	Log file	$CVPNDIR/log/httpd.log
	Configuration file	$CVPNDIR/conf/httpd.conf
	To Stop	cvpnstop
	To Start	cvpnstart
	Debug	Refer to sk104577, sk99053
fwpushd	Description	Mobile Access Push Notifications daemon that is controlled by "fwpush" command. It is a child of the fwd daemon (in R77.10 and higher).
	Path	$FWDIR/bin/fwpushd
	Log file	$FWDIR/log/fwpushd.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	Enable debug: fwpush debug on Set the debug options: fwpush debug set all all Check the debug state: fwpush debug stat Replicate the issue Reset the debug options: fwpush debug reset Disable debug: fwpush debug off Check the debug state: fwpush debug stat Analyze: $FWDIR/log/fwpushd.elg*
postgres	Description	PostgreSQL server. Used by Remote Access Session Visibility and Management Utility.
	Path	$CPDIR/database/postgresql/bin/postgres
	Configuration file	/var/log$FWDIR/datadir/postgres/sessions/postgresql.conf
	To Stop	cpstop
	To Start	cpstart
	Debug	"su cp_postgres -c "$CPDIR/database/postgresql/bin/pg_ctl -D $RTDIR/events_db/data start" Also refer to sk93970
Identity Awareness Blade
pepd	Description	Policy Enforcement Point daemon: Receiving identities via identity sharing Redirecting users to Captive Portal
	Path	$FWDIR/bin/pep
	Log file	$FWDIR/log/pepd.elg
	Notes	The "cpwd_admin list" command shows the process as "PEPD"
	To Stop	cpstop
	To Start	cpstart
	Debug	"pep debug" - refer to the Identity Awareness Administration Guide for your version
pdpd	Description	Policy Decision Point daemon: Acquiring identities from identity sources Sharing identities with another gateways
	Path	$FWDIR/bin/pdpd
	Log file	$FWDIR/log/pdpd.elg
	Notes	The "cpwd_admin list" command shows the process as "PDPD"
	To Stop	cpstop
	To Start	cpstart
	Debug	"pdp debug" - refer to the Identity Awareness Administration Guide for your version
DLP Blade
fwdlp	Description	DLP core engine that performs the scanning / inspection.
	Path	$FWDIR/bin/fwdlp
	Log file	$FWDIR/log/fwdlp.elg $DLPDIR/log/dlpe.log (refer to sk60387) $DLPDIR/log/dlpe_msg.log (refer to sk73660) $DLPDIR/log/dlpe_files_error.log
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk73660, sk60388: Start debug: for PROC in $(pidof fwdlp) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done Replicate the issue Stop debug: for PROC in $(pidof fwdlp) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done Analyze: $FWDIR/log/fwdlp.elg*
cp_file_convert	Description	Used to convert various file formats to simple textual format for scanning by the DLP engine.
	Path	$FWDIR/bin/cp_file_convert
	Log file	$FWDIR/log/cp_file_convertd.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk73660: Start debug: for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done Replicate the issue Stop debug: fw debug cp_file_convert off TDERROR_ALL_ALL=0 Analyze: /var/log/jail/$FWDIR/log/cp_file_convertd.elg* $FWDIR/log/cp_file_convertd.elg*
dlp_fingerprint	Description	Used to identify the data according to a unique signature known as a fingerprint stored in your repository.
	Path	$FWDIR/bin/dlp_fingerprint
	To Stop	cpstop
	To Start	cpstart
cserver	Description	Check Server that either stops or processes the e-mail.
	Path	$FWDIR/bin/cserver
	Log file	$FWDIR/log/cserver.elg
	Notes	The "cpwd_admin list" command shows the process as "DLP_WS"
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk73660: Start debug: fw debug cserver on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug cserver off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/cserver.elg*
dlpu	Description	Receives data from the Check Point kernel.
	Path	$FWDIR/bin/dlpu
	Log file	$FWDIR/log/dlpu.elg
	Notes	The "cpwd_admin list" command shows the process as "DLPU_<N>"
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk73660: Start debug: for PROC in $(pidof dlpu) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done Replicate the issue Stop debug: for PROC in $(pidof dlpu) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done Analyze: $FWDIR/log/dlpu.elg*
fwucd	Description	UserCheck back-end daemon that sends approval / disapproval requests to user.
	Path	$FWDIR/bin/fwucd
	Log file	$FWDIR/log/fwucd.elg
	Notes	The "cpwd_admin list" command shows the process as "FWUCD"
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk73660, sk60388: Start debug: fw debug fwucd on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug fwucd off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/fwucd.elg*
usrchkd	Description	Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
	Path	$FWDIR/bin/usrchkd
	Log file	$FWDIR/log/usrchkd.elg
	Configuration file	$FWDIR/conf/usrchkd.conf $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf $FWDIR/conf/fwauthd.conf
	Notes	This daemon is not monitored by Check Point WatchDog ("cpwd_admin list") This daemon is spawned by the FWD daemon
	To Stop	cpstop
	To Start	cpstart
	To Restart	killall usrchkd
	Debug	Note: It might also be required to collect the relevant kernel debug. Start debug: usrchk debug set all all Verify: usrchk debug stat Replicate the issue. Stop debug: usrchk debug off Analyze: $FWDIR/log/usrchkd.elg*
usrchk	Description	The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
	Path	$FWDIR/bin/usrchk
	Log file	$FWDIR/log/usrchk.elg
Threat Emulation Blade
ted	Description	Threat Emulation daemon engine - responsible for emulating files and communication with the cloud.
	Path	$FWDIR/teCurrentPack/temain
	Log file	$FWDIR/log/ted.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	"tecli debug" - refer to the Threat Prevention Administration Guide for your version
dlpu	Description	DLP process - receives data from Check Point kernel.
	Path	$FWDIR/bin/dlpu
	Log file	$FWDIR/log/dlpu.elg
	Notes	The "cpwd_admin list" command shows the process as "DLPU_<N>"
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk73660: Start debug: fw debug dlpu on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug dlpu off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/dlpu.elg*
usrchkd	Description	Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
	Path	$FWDIR/bin/usrchkd
	Log file	$FWDIR/log/usrchkd.elg
	Configuration file	$FWDIR/conf/usrchkd.conf $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf $FWDIR/conf/fwauthd.conf
	Notes	This daemon is not monitored by Check Point WatchDog ("cpwd_admin list") This daemon is spawned by the FWD daemon
	To Stop	cpstop
	To Start	cpstart
	To Restart	killall usrchkd
	Debug	Note: It might also be required to collect the relevant kernel debug. Start debug: usrchk debug set all all Verify: usrchk debug stat Replicate the issue. Stop debug: usrchk debug off Analyze: $FWDIR/log/usrchkd.elg*
usrchk	Description	The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
	Path	$FWDIR/bin/usrchk
	Log file	$FWDIR/log/usrchk.elg
scanengine_b	Description	Third-party engine.
	Path	$FWDIR/teCurrentPack/scanengine_b
	Log file	$FWDIR/log/bdadvisor.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	None
scanengine_k	Description	Third-party engine.
	Path	$FWDIR/teCurrentPack/scanengine_k
	Log file	$FWDIR/log/kavadvisor.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	None
scanengine_s	Description	Third-party engine.
	Path	$FWDIR/teCurrentPack/scanengine_s
	Log file	$FWDIR/log/sopadvisor.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	None
Threat Extraction Blade
scrub	Description	Main CLI process for Threat Extraction.
	Path	$FWDIR/bin/scrub
	Log file	$FWDIR/log/scrubd.elg /var/log/scrub/scrubd_messages $CPDIR/log/scrub_plg.log
	Configuration file	$FWDIR/conf/scrub_debug.conf
	To Stop	cpstop
	To Start	cpstart
	Debug	Start Threat Extraction debug: scrub debug on scrub debug set all all Verify Threat Extraction debug is enabled: scrub debug stat Start debug of cp_file_convert daemon: for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done Replicate the issue Stop debug of cp_file_convert daemon: for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done Stop Threat Extraction debug: scrub debug off scrub debug reset Verify Threat Extraction debug is disabled: scrub debug stat Analyze: $FWDIR/log/scrubd.elg* /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg
scrubd	Description	Main Threat Extraction daemon.
	Path	$FWDIR/bin/scrubd
	Log file	$FWDIR/log/scrubd.elg /var/log/scrub/scrubd_messages $CPDIR/log/scrub_plg.log
	Configuration file	$FWDIR/conf/scrub_debug.conf
	To Stop	cpstop
	To Start	cpstart
	Debug	Start Threat Extraction debug: scrub debug on scrub debug set all all Verify Threat Extraction debug is enabled: scrub debug stat Start debug of cp_file_convert daemon: for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done Replicate the issue Stop debug of cp_file_convert daemon: for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done Stop Threat Extraction debug: scrub debug off scrub debug reset Verify Threat Extraction debug is disabled: scrub debug stat Analyze: $FWDIR/log/scrubd.elg* /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg
scrub_cp_file_convertd	Description	Used to convert various file formats to simple textual format for scanning by the DLP engine.
	Path	$FWDIR/bin/cp_file_convert
	Log file	/var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg $FWDIR/log/cp_file_convert_start.log
	To Stop	cpstop
	To Start	cpstart
	Debug	Start debug: for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC on TDERROR_ALL_ALL=5 ; done Replicate the issue Stop debug: for PROC in $(pgrep cp_file_convert) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done Analyze: /var/log/jail/$FWDIR/log/scrub_cp_file_convertd.elg*
in.emaild.mta	Description	E-Mail Security Server that receives e-mails sent by user and sends them to their destinations.
	Path	$FWDIR/bin/fwssd
	Log file	$FWDIR/log/emaild.mta.elg /var/log/scrub/in.emaild.mta_messages
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk139892 - MTA Engine Debugging
usrchkd	Description	Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
	Path	$FWDIR/bin/usrchkd
	Log file	$FWDIR/log/usrchkd.elg
	Configuration file	$FWDIR/conf/usrchkd.conf $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf $FWDIR/conf/fwauthd.conf
	Notes	This daemon is not monitored by Check Point WatchDog ("cpwd_admin list") This daemon is spawned by the FWD daemon
	To Stop	cpstop
	To Start	cpstart
	To Restart	killall usrchkd
	Debug	Note: It might also be required to collect the relevant kernel debug. Start debug: usrchk debug set all all Verify: usrchk debug stat Replicate the issue. Stop debug: usrchk debug off Analyze: $FWDIR/log/usrchkd.elg*
usrchk	Description	The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
	Path	$FWDIR/bin/usrchk
	Log file	$FWDIR/log/usrchk.elg
Infinity Threat Prevention Blade
tp_conf_service	Description	Updatable configuration service for Threat Prevention Software Blades (R80.40 and higher).
	Path	$FWDIR/bin/tp_conf_service
	Notes	The cpwd_admin list command shows the process as "TP_CONF_SERVICE"
	Log file	$FWDIR/log/tp_conf.log
	To Stop	cpstop
	To Start	cpstart
	Configuration file	$FWDIR/conf/tp_conf.json
	Debug	cpwd_admin stop -name TP_CONF_SERVICE cpwd_admin start -name TP_CONF_SERVICE -path $FWDIR/bin/tp_conf_service -command "tp_conf_service --conf=tp_conf.json --log=info"
tpd	Description	Threat Prevention Daemon - communicates with the kernel and deals with User Space tasks (R80.40 and higher).
	Path	$FWDIR/bin/tpd
	Log file	$FWDIR/log/tpd.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	Start debug: fw debug tpd on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug tpd off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/tpd.elg*
IPS Blade
in.geod	Description	Updates the IPS Geo Protection Database.
	Path	$FWDIR/bin/fwssd
	Log file	$FWDIR/log/geod.elg
	To Stop	kill -KILL $(pidof in.geod)
	To Start	After being killed, it will be restarted automatically
	Debug	Refer to sk102329: Start debug: fw debug in.geod on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug in.geod off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/geod.elg*
URL Filtering Blade
rad	Description	Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications.
	Path	$FWDIR/bin/rad
	Log file	$FWDIR/log/rad.elg
	Configuration file	$FWDIR/conf/rad_scheme.C $FWDIR/conf/rad_settings.C $FWDIR/database/rad_services.C
	Notes	The "cpwd_admin list" command shows the process as "RAD"
	To Stop	rad_admin stop or cpstop
	To Start	rad_admin start or cpstart
	Debug	Refer to sk92743: Start debug: rad_admin rad debug on all Replicate the issue. Stop debug: rad_admin rad debug off ALL Analyze: $FWDIR/log/rad.elg*
usrchkd	Description	Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
	Path	$FWDIR/bin/usrchkd
	Log file	$FWDIR/log/usrchkd.elg
	Configuration file	$FWDIR/conf/usrchkd.conf $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf $FWDIR/conf/fwauthd.conf
	Notes	This daemon is not monitored by Check Point WatchDog ("cpwd_admin list") This daemon is spawned by the FWD daemon
	To Stop	cpstop
	To Start	cpstart
	To Restart	killall usrchkd
	Debug	Note: It might also be required to collect the relevant kernel debug. Start debug: usrchk debug set all all Verify: usrchk debug stat Replicate the issue. Stop debug: usrchk debug off Analyze: $FWDIR/log/usrchkd.elg*
usrchk	Description	The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
	Path	$FWDIR/bin/usrchk
	Log file	$FWDIR/log/usrchk.elg
Application Control Blade
rad	Description	Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications.
	Path	$FWDIR/bin/rad
	Log file	$FWDIR/log/rad.elg
	Configuration file	$FWDIR/conf/rad_scheme.C $FWDIR/conf/rad_settings.C $FWDIR/database/rad_services.C
	Notes	The "cpwd_admin list" command shows the process as "RAD"
	To Stop	rad_admin stop or cpstop
	To Start	rad_admin start or cpstart
	Debug	Refer to sk92743: Start debug: rad_admin rad debug on all Replicate the issue. Stop debug: rad_admin rad debug off ALL Analyze: $FWDIR/log/rad.elg*
Anti-Bot Blade
in.acapd	Description	Packet capturing daemon for SmartView Tracker logs.
	Path	$FWDIR/bin/fwssd
	Log file	$FWDIR/log/acapd.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk108179: Start debug: fw debug in.acapd on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug in.acapd off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/acapd.elg*
rad	Description	Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications.
	Path	$FWDIR/bin/rad
	Log file	$FWDIR/log/rad.elg
	Configuration file	$FWDIR/conf/rad_scheme.C $FWDIR/conf/rad_settings.C $FWDIR/database/rad_services.C
	Notes	The "cpwd_admin list" command shows the process as "RAD"
	To Stop	rad_admin stop or cpstop
	To Start	rad_admin start or cpstart
	Debug	Refer to sk92264: Start debug: rad_admin rad debug on all Replicate the issue. Stop debug: rad_admin rad debug off ALL Analyze: $FWDIR/log/rad.elg*
usrchkd	Description	Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
	Path	$FWDIR/bin/usrchkd
	Log file	$FWDIR/log/usrchkd.elg
	Configuration file	$FWDIR/conf/usrchkd.conf $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf $FWDIR/conf/fwauthd.conf
	Notes	This daemon is not monitored by Check Point WatchDog ("cpwd_admin list") This daemon is spawned by the FWD daemon
	To Stop	cpstop
	To Start	cpstart
	To Restart	killall usrchkd
	Debug	Note: It might also be required to collect the relevant kernel debug. Start debug: usrchk debug set all all Verify: usrchk debug stat Replicate the issue. Stop debug: usrchk debug off Analyze: $FWDIR/log/usrchkd.elg*
usrchk	Description	The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
	Path	$FWDIR/bin/usrchk
	Log file	$FWDIR/log/usrchk.elg
Anti-Virus Blade
in.acapd	Description	Packet capturing daemon for SmartView Tracker logs.
	Path	$FWDIR/bin/fwssd
	Log file	$FWDIR/log/acapd.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk108179: Start debug: fw debug in.acapd on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug in.acapd off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/acapd.elg*
in.emaild.mta	Description	E-Mail Security Server that receives e-mails sent by user and sends them to their destinations.
	Path	$FWDIR/bin/fwssd
	Log file	$FWDIR/log/emaild.mta.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk60387: Start debug: fw debug in.emaild.mta on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug in.emaild.mta off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/emaild.mta.elg*
in.emaild.smtp	Description	SMTP Security Server that receives e-mails sent by user and sends them to their destinations.
	Path	$FWDIR/bin/fwssd
	Log file	$FWDIR/log/emaild.smtp.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk60387: Start debug: fw debug in.emaild.smtp on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug in.emaild.smtp off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/emaild.smtp.elg*
in.emaild.pop3	Description	POP3 Security Server that receives e-mails sent by user.
	Path	$FWDIR/bin/fwssd
	Log file	$FWDIR/log/emaild.pop3.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	Start debug: fw debug in.emaild.pop3 on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug in.emaild.pop3 off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/emaild.pop3.elg*
dlpu	Description	DLP process - receives data from Check Point kernel.
	Path	$FWDIR/bin/dlpu
	Log file	$FWDIR/log/dlpu.elg
	Notes	The "cpwd_admin list" command shows the process as "DLPU_<N>"
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk73660: Start debug: fw debug dlpu on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug dlpu off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/dlpu.elg*
rad	Description	Resource Advisor - responsible for the detection of Social Network widgets. The detection is done via an online Application Control database, which identifies URLs as applications.
	Path	$FWDIR/bin/rad
	Log file	$FWDIR/log/rad.elg
	Configuration file	$FWDIR/conf/rad_scheme.C $FWDIR/conf/rad_settings.C $FWDIR/database/rad_services.C
	Note	The "cpwd_admin list" command shows the process as "RAD"
	To Stop	rad_admin stop or cpstop
	To Start	rad_admin start or cpstart
	Debug	Refer to sk92264: Start debug: rad_admin rad debug on all Replicate the issue. Stop debug: rad_admin rad debug off ALL Analyze: $FWDIR/log/rad.elg*
usrchkd	Description	Main UserCheck daemon, which deals with UserCheck requests (from CLI / from the user) that are sent from the UserCheck Web Portal.
	Path	$FWDIR/bin/usrchkd
	Log file	$FWDIR/log/usrchkd.elg
	Configuration file	$FWDIR/conf/usrchkd.conf $FWDIR/orig/UCPortal/fwdir_conf/usrchkd.conf $FWDIR/conf/fwauthd.conf
	Notes	This daemon is not monitored by Check Point WatchDog ("cpwd_admin list") This daemon is spawned by the FWD daemon
	To Stop	cpstop
	To Start	cpstart
	To Restart	killall usrchkd
	Debug	Note: It might also be required to collect the relevant kernel debug. Start debug: usrchk debug set all all Verify: usrchk debug stat Replicate the issue. Stop debug: usrchk debug off Analyze: $FWDIR/log/usrchkd.elg*
usrchk	Description	The CLI client for the UserCheck daemon USRCHKD (this process runs only when it is called explicitly).
	Path	$FWDIR/bin/usrchk
	Log file	$FWDIR/log/usrchk.elg
Anti-Spam Blade
in.emaild.smtp	Description	SMTP Security Server that receives e-mails sent by user and sends them to their destinations.
	Path	$FWDIR/bin/fwssd
	Log file	$FWDIR/log/emaild.smtp.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk60387: Start debug: fw debug in.emaild.smtp on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug in.emaild.smtp off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/emaild.smtp.elg*
in.msd	Description	Mail Security Daemon that queries the Commtouch engine for reputation.
	Path	$FWDIR/bin/fwssd
	Log file	$FWDIR/log/msd.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk92264: Start debug: fw debug in.msd on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug in.msd off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/msd.elg*
ctasd	Description	Commtouch Anti-Spam daemon.
	Path	/opt/aspam_engine/ctipd/bin/ctasd
	Configuration file	/opt/aspam_engine/ctasd/conf/ctasd.conf
	To Stop	cpstop
	To Start	pstart
ctipd	Description	Commtouch IP Reputation daemon.
	Path	/opt/aspam_engine/ctipd/bin/ctipd
	Log file	None
	Configuration file	/opt/aspam_engine/ctipd/conf/ctipd.conf
	To Stop	cpstop
	To Start	cpstart
	Debug	None
Monitoring Blade
rtmd	Description	Real Time traffic statistics.
	Path	$FWDIR/bin/rtm %FWDIR%\bin\rtm (R77.30 and lower)
	Log file	$FWDIR/log/rtmd.elg %FWDIR%\log\rtmd.elg (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "RTMD"
	To Stop	rtmstop
	To Start	rtmstart
	Debug	Refer to skI2821: Start debug: rtm debug on TDERROR_ALL_ALL=5 rtm debug on OPSEC_DEBUG_LEVEL=3 Replicate the issue Stop debug: rtm debug off TDERROR_ALL_ALL=0 rtm debug off OPSEC_DEBUG_LEVEL=0 Analyze: $FWDIR/log/rtmd.elg*
cpstat_monitor	Description	Process is responsible for collecting and sending information to SmartView Monitor.
	Path	$FWDIR/bin/cpstat_monitor %FWDIR%\bin\cpstat_monitor (R77.30 and lower)
	Log file	$FWDIR/log/cpstat_monitor.elg %FWDIR%\log\cpstat_monitor.elg (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "CPSM". By default, does not run in the context of Domain Management Servers. By default, in MGMT HA runs only on "Active" Security Management Server.
	To Stop	cpwd_admin stop -name CPSM
	To Start	cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"
	Debug	Refer to sk108177
HTTPS Inspection
wstlsd	Description	Handles SSL handshake for HTTPS Inspected connections.
	Path	$CPDIR/bin/wstlsd
	Log file	$FWDIR/log/wstlsd.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk105559: Start debug: for PROC in $(pidof wstlsd) ; do fw debug $PROC on TDERROR_ALL_ALL=6 ; done Replicate the issue (it is very important to collect the relevant traffic using both TCPDump tool and the FW Monitor). Stop debug: for PROC in $(pidof wstlsd) ; do fw debug $PROC off TDERROR_ALL_ALL=0 ; done Analyze: $FWDIR/log/wstlsd.elg*
pkxld	Description	Performs asymmetric key operations for HTTPS Inspection (R77.30 and higher)
	Path	$CPDIR/bin/pkxld
	Log file	none
	Notes	Refer to sk104717
	To Stop	cpstop
	To Start	cpstart
	Debug	None
HTTP/HTTPS Proxy
wsdnsd	Description	DNS Resolver (in R77.30 and higher) - activated when Security Gateway is configured as HTTP/HTTPS Proxy, and no next proxy is used. The process is started and stopped during policy installation.
	Path	$FWDIR/bin/wsdnsd %FWDIR%\bin\wsdnsd (R77.30 only)
	Log file	$FWDIR/log/wsdnsd.elg %FWDIR%\log\wsdnsd.elg (R77.30 only)
	Notes	The "cpwd_admin list" command shows the process as "WSDNSD"
	To Stop	cpwd_admin stop -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "kill -SIGTERM $(pidof $FWDIR/bin/wsdnsd)"
	To Start	cpwd_admin start -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "wsdnsd"
	Debug	Refer to sk106443: Start debug: fw debug wsdnsd on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug wsdnsd off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/wsdnsd.elg*
Cluster
cphamcset	Description	Clustering daemon - responsible for opening sockets on the NICs to allow them to pass multicast traffic (CCP) to the machine.
	Path	$FWDIR/bin/cphamcset %FWDIR%\bin\cphamcset (R77.30 and lower)
	Log file	$FWDIR/log/cphamcset.elg %FWDIR%\log\cphamcset.elg (R77.30 and lower)
	Notes	Refer to ATRG: ClusterXL R6x and R7x. Log file exists only in R77.20 and higher
	To Stop	cphastop
	To Start	cphastart
	Debug	Stop clustering: cphastop Start under debug: cphamcset -d Stop Check Point services: cphastop Start clustering: cphastart
cphaprob	Description	Process that lists the state of cluster members, cluster interfaces and Critical Devices (Pnotes).
	Path	$FWDIR/bin/cphaprob %FWDIR%\bin\cphaprob (R77.30 and lower)
	Configuration file	$FWDIR/conf/cphaprob.conf %FWDIR%\conf\cphaprob.conf (R77.30 and lower)
	Notes	Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaprob' command.
	To Stop	None
	To Start	None
	Debug	"cphaprob -D <command>" (e.g., "cphaprob -D state")
cphaconf	Description	Cluster configuration process - installs the cluster configuration into Check Point kernel on cluster members.
	Path	$FWDIR/bin/cphaconf %FWDIR%\bin\cphaconf (R77.30 and lower)
	Log file	$FWDIR/log/cphaconf.elg %FWDIR%\log\cphaconf.elg (R77.30 and lower)
	Notes	Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaconf' command. Log file exists only in R77.20 and higher
	To Stop	None
	To Start	None
	Debug	Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphaconf' command - 'cphaconf debug_data'.
cphastart	Description	Starts the cluster and state synchronization.
	Path	$FWDIR/bin/cphastart %FWDIR%\bin\cphastart (R77.30 and lower)
	Log file	$FWDIR/log/cphastart.elg %FWDIR%\log\cphastart.elg (R77.30 and lower)
	Notes	Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphastart' and 'cphastop' commands. Log file exists only in R77.20 and higher
	To Stop	None
	To Start	None
	Debug	"cphastart -d" - refer to sk39842
cphastop	Description	Stops the cluster and state synchronization.
	Path	$FWDIR/bin/cphastop %FWDIR%\bin\cphastop (R77.30 and lower)
	Notes	Refer to ATRG: ClusterXL R6x and R7x - Chapter "ClusterXL Monitoring and Troubleshooting" - 'cphastart' and 'cphastop' commands.
	To Stop	None
	To Start	None
	Debug	Standard CSH script debugging (csh -x -v $FWDIR/bin/cphastop)
cxld	Description	Runs the cluster Full Sync (R81 and higher).
	Path	$FWDIR/bin/cxld
	Log file	$FWDIR/log/cxld.elg
	To Stop	cpstop
	To Start	cpstart
	Debug	Runs with debug by default
SecureXL
sxl_statd	Description	Daemon that collects statistics information from the SecureXL on the Host appliance (R80.20 and higher).
	Path	$FWDIR/bin/sxl_statd
	Log File	None
	Notes	The "cpwd_admin list" command shows the process as "SXL_STATD"
	To Stop	cpwd_admin stop -name SXL_STATD
	To Start	cpwd_admin start -name SXL_STATD -path "$FWDIR/bin/sxl_statd" -command "sxl_statd"
	Debug	None
CoreXL
dsd	Description	Dynamic Balancing (initially called "Dynamic Split") - responsible for dynamically adjusting CoreXL for optimized CPU resources allocation, based on continuous monitoring of system resources (R80.40 and higher)
	Path	$FWDIR/bin/dsd
	Log File	$FWIDR/log/dsd.elg
	Notes	The "cpwd_admin list" command shows the process as "SDAEMON". See the Performance Tuning Administration Guide for your version.
	To Stop	dynamic_split -o disable
	To Start	dynamic_split -o enable reboot In R81 and higher, this feature is enabled by default
	Debug	None
VSX
CPUS_USGS	Description	Special task in the Check Point WatchDog on a Scalable Platform Security Group in the VSX mode (Maestro and Chassis) in R81 and higher. This task runs a Python script that collects the Resource Control data (CPU and Memory utilization) from each Virtual System and sends it to the "asg perf" tool.
	Path	/usr/scripts/get_cpus_usages/get_cpus_usages
	Log File	/var/log/cpus_usages.log /tmp/cpus_usages.txt
	To See the Current Status	service get_cpus_usages status
	To Stop	service get_cpus_usages stop
	To Start	service get_cpus_usages start
	To Restart	service get_cpus_usages restart
	Debug	Standard Python script debugging

Security Management Software Blades and Features

Enter the string you are searching for in this table:

Daemon	Section	Information
Network Policy Management Blade
cpm	Description	From Security Management Server R80: Serves requests from SmartConsole Responsible for writing all information to the PostgreSQL and SOLR databases
	Path	$FWDIR/scripts/cpm.sh
	Log file	$FWDIR/log/cpm.elg
	Notes	The "cpwd_admin list" command shows the process as "CPM"
	To Stop	cpstop In addition, you can use the ngm_stop.sh script (refer to sk111772): $FWDIR/scripts/ngm_stop.sh (refer to $FWDIR/log/ngm_stop.elg) $MDS_TEMPLATE/scripts/ngm_stop.sh (refer to $MDS_TEMPLATE/log/ngm_stop.elg)
	To Start	cpstart In addition, you can use the ngm_start.sh script (refer to sk111772): $FWDIR/scripts/ngm_start.sh (refer to $FWDIR/log/ngm_start.elg) $MDS_TEMPLATE/scripts/ngm_start.sh (refer to $MDS_TEMPLATE/log/ngm_start.elg)
	Debug	Refer to sk115557
fwm	Description	Communication between SmartConsole applications and Security Management Server.
	Path	$FWDIR/bin/fwm %FWDIR%\bin\fwm (R77.30 and lower)
	Log file	$FWDIR/log/fwm.elg %FWDIR%\log\fwm.elg (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "FWM"
	To Stop	cpwd_admin stop -name FWM -path "$FWDIR/bin/fwm" -command "fw kill fwm" In addition, in R80 and higher, you can use the ngm_stop.sh script (refer to sk111772): $FWDIR/scripts/ngm_stop.sh (refer to $FWDIR/log/ngm_stop.elg) $MDS_TEMPLATE/scripts/ngm_stop.sh (refer to $MDS_TEMPLATE/log/ngm_stop.elg)
	To Start	cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm" In addition, in R80 and higher, you can use the ngm_start.sh script (refer to sk111772): $FWDIR/scripts/ngm_start.sh (refer to $FWDIR/log/ngm_start.elg) $MDS_TEMPLATE/scripts/ngm_start.sh (refer to $MDS_TEMPLATE/log/ngm_start.elg)
	Debug	Security Management Server - refer to sk86186: Start debug: fw debug fwm on TDERROR_ALL_ALL=5 fw debug fwm on OPSEC_DEBUG_LEVEL=3 Replicate the issue Stop debug: fw debug fwm off TDERROR_ALL_ALL=0 fw debug fwm off OPSEC_DEBUG_LEVEL=0 Analyze: $FWDIR/log/fwm.elg* Domain Management Server - refer to sk33207: Switch to the context of the relevant Domain Management Server: mdsenv <Domain_Name> Start debug: fw debug fwm on TDERROR_ALL_ALL=5 fw debug fwm on OPSEC_DEBUG_LEVEL=3 Replicate the issue Stop debug: fw debug fwm off TDERROR_ALL_ALL=0 fw debug fwm off OPSEC_DEBUG_LEVEL=0 Analyze: $FWDIR/log/fwm.elg* Multi-Domain Security Management Server - refer to sk33208: Start debug: fw debug mds on TDERROR_ALL_ALL=5 fw debug mds on OPSEC_DEBUG_LEVEL=3 Replicate the issue Stop debug: fw debug mds off TDERROR_ALL_ALL=0 fw debug mds off OPSEC_DEBUG_LEVEL=0 Analyze: $MDS_TEMPLATE/log/mds.elg*
Endpoint Policy Management Blade
uepm	Description	Endpoint Management Server.
	Path	$UEPMDIR/bin/uepm %UEPMDIR%\bin\uepm (R77.30 and lower)
	Log file	$UEPMDIR/logs/server_messages.log %UEPMDIR%\logs\server_messages.log (R77.30 and lower)
	To Stop	uepm_stop
	To Start	uepm_start
	Debug	uepm debug Also refer to sk92619
httpd	Description	Communication with Endpoint Clients.
	Path	$UEPMDIR/apache22/bin/httpd %UEPMDIR%\apache22\bin\httpd (R77.30 and lower)
	To Stop	uepm_stop
	To Start	uepm_start
Monitoring Blade
rtmd	Description	Real Time traffic statistics.
	Path	$FWDIR/bin/rtm %FWDIR%\bin\rtm (R77.30 and lower)
	Log file	$FWDIR/log/rtmd.elg %FWDIR%\log\rtmd.elg (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "RTMD"
	To Stop	rtmstop
	To Start	rtmstart
	Debug	Refer to skI2821 Start debug: rtm debug on TDERROR_ALL_ALL=5 rtm debug on OPSEC_DEBUG_LEVEL=3 Replicate the issue Stop debug: rtm debug off TDERROR_ALL_ALL=0 rtm debug off OPSEC_DEBUG_LEVEL=0 Analyze: $FWDIR/log/rtmd.elg*
cpstat_monitor	Description	Responsible for collecting and sending information to SmartView Monitor. By default, does not run in the context of Domain Management Servers.
	Path	$FWDIR/bin/cpstat_monitor %FWDIR%\bin\cpstat_monitor (R77.30 and lower)
	Log file	$FWDIR/log/cpstat_monitor.elg %FWDIR%\log\cpstat_monitor.elg (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "CPSM"
	To Stop	cpwd_admin stop -name CPSM
	To Start	cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"
	Debug	Refer to sk108177
Provisioning Blade
status_proxy	Description	Status collection of ROBO Gateways - SmartLSM / SmartProvisioning status proxy. This process runs only on Security Management Server / Domain Management Servers that are activated for Large Scale Management / SmartProvisioning.
	Path	$FWDIR/bin/status_proxy %FWDIR%\bin\status_proxy (R77.30 and lower)
	Log file	$FWDIR/log/status_proxy.elg %FWDIR%\log\status_proxy.elg (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "STPR"
	To Stop	cpwd_admin stop -name STPR
	To Start	cpwd_admin start -name STPR -path "$FWDIR/bin/status_proxy" -command "status_proxy"
	Debug	Refer to sk108182
SmartReporter Blade
SVRServer	Description	Controller for the SmartReporter product. Traffic is sent over SSL.
	Path	$RTDIR/bin/SVRServer %RTDIR%\bin\SVRServer (R77.30 and lower)
	Log file	$RTDIR/log/SVRServer.log %RTDIR%\log\SVRServer.log (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "SVR"
	To Stop	rmdstop or cpwd_admin stop -name SVR -path $RTDIR/bin/SVRServer -command "SVRServer kill SVRServer" Also refer to sk105485
	To Start	rmdstart or cpwd_admin start -name SVR -path "$RTDIR/bin/SVRServer" -command "SVRServer"
	Debug	Refer to sk93970
log_consolidator	Description	Log Consolidator for the SmartReporter product.
	Path	$RTDIR/log_consolidator_engine/bin/log_consolidator %RTDIR%\log_consolidator_engine\bin\log_consolidator (R77.30 and lower)
	Log file	$RTDIR/log_consolidator_engine/log/<Log_Server_IP_Address>/lc_rt.log %RTDIR%\log_consolidator_engine\log\<Log_Server_IP_Address>\lc_rt.log (R77.30 and lower)
	Configuration file	$RTDIR/log_consolidator_engine/conf/lc_rt_default.conf %RTDIR%\log_consolidator_engine\conf\lc_rt_default.conf (R77.30 and lower) $RTDIR/log_consolidator_engine/conf/<Log_Server_IP_Address>/lc_rt_default.conf %RTDIR%\log_consolidator_engine\conf\<Log_Server_IP_Address>\lc_rt_default.conf (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "LC_<IP_Address _of_Log_Server>"
	To Stop	rmdstop or evstop or log_consolidator -C -m stop -s <IP_Address _of_Log_Server> [-g <Domain_Name>] and then log_consolidator -C -m exit -s <IP_Address _of_Log_Server> [-g <Domain_Name>]
	To Start	rmdstart or evstart or log_consolidator -C -m start -s <IP_Address _of_Log_Server> [-g <Domain_Name>]
dbsync	Description	DBsync enables SmartReporter to synchronize data stored in different parts of the network. After SIC is established, DBsync connects to the management server to retrieve all the objects. After the initial synchronization, it gets updates whenever an object is saved. In distributed information systems, DBsync provides one-way synchronization of data between the Security Management Servers object database and the SmartReporter computer, and supports configuration and administration of distributed systems.
	Path	$RTDIR/bin/dbsync %RTDIR%\bin\dbsync (R77.30 and lower)
	Log file	In R80 and higher: $FWDIR/log/dbsync.elg R77.30 and lower: $RTDIR/log/dbsync.elg %RTDIR%\log\dbsync.elg
	Notes	The "cpwd_admin list" command shows the process as "DBSYNC"
	To Stop	In R80 and higher: Runs part of CPM In R77.30 and lower: rmdstop or evstop or cpwd_admin stop -name DBSYNC
	To Start	In R80 and higher: Runs part of CPM In R77.30 and lower: rmdstart or evstart or cpwd_admin start -name DBSYNC -path "$RTDIR/bin/dbsync" -command "dbsync"
	Debug	Refer to sk93970
postgres	Description	PostgreSQL server.
	Path	$CPDIR/database/postgresql/bin/postgres %CPDIR%\database\postgresql\bin\postgres (R77.30 and lower)
	Log file	$RTDIR/events_db/data/pg_log/postgresql-YYY-MM-DD_HHMMSS.log
	Configuration file	$RTDIR/events_db/data/postgresql.conf
	To Stop	cpstop
	To Start	cpstart
	Debug	"su cp_postgres -c "$CPDIR/database/postgresql/bin/pg_ctl -D $RTDIR/events_db/data start" Also refer to sk93970
SmartEvent Blade
cpsead	Description	Responsible for Correlation Unit functionality.
	Path	$RTDIR/bin/cpsead %RTDIR%\bin\cpsead (R77.30 and lower)
	Log file	$RTDIR/log/cpsead.elg %RTDIR%\log\cpsead.elg (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "CPSEAD"
	To Stop	evstop or cpwd_admin stop -name CPSEAD Also refer to sk105485
	To Start	evstart or cpwd_admin start -name CPSEAD -path "$RTDIR/bin/cpsead" -command "cpsead"
	Debug	Refer to sk95153, sk105806, sk93970
cpsemd	Description	Responsible for logging into the SmartEvent GUI.
	Path	$RTDIR/bin/cpsemd %RTDIR%\bin\cpsemd (R77.30 and lower)
	Log file	$RTDIR/log/cpsemd.elg %RTDIR%\log\cpsemd.elg (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "CPSEMD"
	To Stop	evstop or cpwd_admin stop -name CPSEMD
	To Start	evstart or cpwd_admin start -name CPSEMD -path "$RTDIR/bin/cpsemd" -command "cpsemd"
	Debug	Refer to sk95153, sk105806, sk93970
dbsync	Description	DBsync enables SmartEvent to synchronize data stored in different parts of the network. In distributed information systems, DBsync provides one-way synchronization of data between the Security Management Server's object database and the SmartEvent computer, and supports configuration and administration of distributed systems. DBsync initially connects to the Management Server, with which SIC is established. It retrieves all the objects and after the initial synchronization it gets updates whenever an object is saved.
	Path	$RTDIR/bin/dbsync %RTDIR%\bin\dbsync (R77.30 and lower)
	Log file	$RTDIR/log/dbsync.elg %RTDIR%\log\dbsync.elg (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "DBSYNC"
	To Stop	evstop or cpwd_admin stop -name DBSYNC
	To Start	evstart or cpwd_admin start -name DBSYNC -path "$RTDIR/bin/dbsync" -command "dbsync"
	Debug	Refer to sk93970
java_solr	Description	Starting in R80 (SmartEvent NGSE was integrated). Jetty Server. Events are stored in the SOLR database.
	Path	$RTDIR/bin/java_solr
	Log file	$RTDIR/log/solr.log $RTDIR/log/solrRun.log
	Notes	The "cpwd_admin list" command shows the process as "SOLR"
	Configuration file	$RTDIR/rfl_server/solr/solr.xml (R80.10 and higher) $RTDIR/conf/jetty.xml (R80 and higher) $RTDIR/conf/solr.log4j.properties (R80 and higher) $RTDIR/conf/solrConnectionConfig.xml (R80 and higher) $RTDIR/log_indexes/solr.xml (R80 and higher)
	To Stop	evstop
	To Start	evstart
	Debug	Refer to sk105806. SmartEventSetDebugLevel solr <Debug_Level> $FWDIR/scripts/solr_debug.py {on \| off}
LogCore	Description	Starting in R80 (SmartEvent NGSE was integrated). Manages the queries it gets from the consumer processes, forwards them to SOLR database and returns the results. Also in charge of resolving and database maintenance (clean up old indexes to have space for the new ones).
	Path	$RTDIR/bin/LogCore
	Log file	$RTDIR/log/RFL.log $RTDIR/log/rflRun.log
	Notes	The "cpwd_admin list" command shows the process as "RFL"
	Configuration file	$RTDIR/conf/rfl.log4j.properties $RTDIR/conf/rfl.log4j.properties.forUpgrade $RTDIR/conf/rflConfig.xml
	To Stop	evstop
	To Start	evstart
	Debug	Refer to sk105806. SmartEventSetDebugLevel rfl <Debug_Level>
SmartView	Description	SmartEvent Web Application that allows you to connect to SmartEvent NGSE server (at https://<IP_Address_of_SmartEvent_Server>/smartview/) and see the event views and analysis directly from a Web Browser, without installing SmartConsole. The Web page comes with predefined views that you can customize. Refer to sk105684.
	Path	$RTDIR/bin/SmartView
	Log file	$RTDIR/log/smartview.log $RTDIR/log/SmartViewRun.log $RTDIR/log/smartview-service.log
	Notes	The "cpwd_admin list" command shows the process as "SMARTVIEW"
	Configuration file	$RTDIR/conf/smartview.log4j.properties
	To Stop	evstop
	To Start	evstart
	Debug	Refer to sk105806. SmartEventSetDebugLevel smartview <Debug_Level>
log_indexer	Description	Starting in R80 (SmartEvent NGSE was integrated). Log indexer.
	Path	$RTDIR/log_indexer/log_indexer
	Log file	$RTDIR/log_indexer/log/log_indexer.elg $RTDIR/log_indexer/log/log_indexerRun.log
	Notes	The "cpwd_admin list" command shows the process as "INDEXER"
	Configuration file	$RTDIR/log_indexer/conf/log_indexer_settings.conf $RTDIR/log_indexer/log_indexer_custom_settings.conf
	To Stop	evstop Important - On a Multi-Domain Server, the evstop command stops the log_indexer process for all levels (MDS and Domains)
	To Start	On a Security Management Server: evstart On a Multi-Domain Server - for MDS context only: evstart On a Multi-Domain Server - for MDS context and Domain contexts: mdsstart
postgres	Description	PostgreSQL server.
	Path	$CPDIR/database/postgresql/bin/postgres %CPDIR%\database\postgresql\bin\postgres (R77.30 and lower)
	Log file	$RTDIR/events_db/data/pg_log/postgresql-YYY-MM-DD_HHMMSS.log
	Configuration file	$RTDIR/events_db/data/postgresql.conf
	To Stop	cpstop
	To Start	cpstart
	Debug	"su cp_postgres -c "$CPDIR/database/postgresql/bin/pg_ctl -D $RTDIR/events_db/data start" Also refer to sk93970
Logging & Status Blade
cplmd	Description	To get the data that should be presented in SmartView Tracker, the FWM spawns a child process CPLMD, which reads the information from the log file and performs unification (if necessary). Upon receiving an answer from CPLMD, FWM transfers it to SmartView Tracker.
	Path	$FWDIR/bin/cplmd %FWDIR%\bin\cplmd (R77.30 and lower)
	Log file	$FWDIR/log/cplmd.elg %FWDIR%\log\cplmd.elg (R77.30 and lower)
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk86324: Start debug: fw debug cplmd on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug cplmd off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/cplmd.elg*
Management Portal
cpwmd	Description	Check Point Web Management Daemon - back-end for Management Portal / SmartPortal.
	Path	$WEBDIR/bin/cpwmd %WEBDIR%\bin\cpwmd (R77.30 and lower)
	Log file	/opt/CPportal-<RXX>/portal/log/cpwmd.elg C:\Program Files\CheckPoint\SmartPortal\<RXX>\SmartPortal\log\cpwmd.elg
	Notes	The "cpwd_admin list" command shows the process as "CPWMD"
	To Stop	cpwd_admin stop -name CPWMD
	To Start	cpwd_admin start -name CPWMD -path "$WEBDIR/bin/cpwmd" -command "cpwmd -D -app SmartPortal"
	Debug	Refer to sk31023
cp_http_server	Description	HTTP Server for Management Portal (SmartPortal) and for OS WebUI.
	Path	$WEBDIR/bin/cp_http_server %WEBDIR%\bin\cp_http_server (R77.30 and lower)
	Log file	Refer to sk31023; sk30634
	Configuration file	$MPDIR/conf/cp_httpd_admin.conf
	Notes	The "cpwd_admin list" command shows the process as "CPHTTPD"
	To Stop	cpwd_admin stop -name CPHTTPD
	To Start	cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"
	Debug	Refer to sk31023
SmartLog
smartlog_server	Description	SmartLog product.
	Path	$SMARTLOGDIR/smartlog_server
	Log file	$SMARTLOGDIR/log/smartlog_server.elg
	Notes	The "cpwd_admin list" command shows the process as "SMARTLOG_SERVER"
	To Stop	smartlogstop
	To Start	smartlogstart
	Debug	Stop SmartLog: smartlogstop Start SmartLog under debug: env TDERROR_ALL_ALL=5 $SMARTLOGDIR/smartlog_server 1>> /var/log/smartlog.debug 2>> /var/log/smartlog.debug Replicate the issue Stop debug - press CTRL+C. Start SmartLog normally: smartlogstart
Internal CA
cpca	Description	Check Point Internal Certificate Authority (ICA): SIC certificate pulling Certificate enrollment CRL fetch Admin WebUI Note: By default, in MGMT HA, it runs only on "Active" Security Management Server. On the "Backup" Security Management Server, the "`cpstat mg`" command will show "`SmartCenter CA is not running`".
	Path	$FWDIR/bin/cpca %FWDIR%\bin\cpca (R77.30 and lower)
	Log file	$FWDIR/log/cpca.elg %FWDIR%\log\cpca.elg (R77.30 and lower)
	To Stop	cpstop
	To Start	cpstart
	Debug	Refer to sk60338: Start debug: fw debug cpca on TDERROR_ALL_ALL=5 Replicate the issue Stop debug: fw debug cpca off TDERROR_ALL_ALL=0 Analyze: $FWDIR/log/cpca.elg*
Compliance Blade
interpreter	Description	Process is responsible for Compliance Blade database scan.
	Path	$FWDIR/bin/interpreter %FWDIR%\bin\interpreter (R77.30 and lower)
	Log file	In R77 and higher: $FWDIR/log/grc_interpreter.elg %FWDIR%\log\grc_interpreter.elg In R76: /opt/CPPIgrc-R76/bin/grc_interpreter.elg In R75.40/R75.45/R75.46/R75.47: /opt/CPPIgrc-R75.40/bin/grc_interpreter.elg
	Configuration file	$FWDIR/conf/grc.conf (R77 and higher) %FWDIR%\conf\grc.conf (R77.X)
	Notes	This process is not monitored by Check Point WatchDog.
	To Stop	cpstop
	To Start	cpstart
	Debug	In R77 and higher: Stop Check Point service with "cpstop" command Either run "interpreter debug=1" command, or in configuration file "grc.conf", manually set the value of "debugMode" from "0" to "1" Start Check Point service with "cpstart" command In R75.4x, R76: Stop Check Point service with "cpstop" command In configuration file "grc.conf", manually set the value of "debugMode" from "0" to "1" Start Check Point service with "cpstart" command In addition, refer to the "interpreter -help" command and to sk92861
SofaWare Management Server (Service Center for centrally managed Edge devices)
sms	Description	Manages communication (status collection, logs collection, policy update, configuration update) with UTM-1 Edge Security Gateways. This process runs only on Security Management Server / Multi-Domain Security Management Servers that manage UTM-1 Edge devices.
	Path	$FWDIR/bin/sms %FWDIR%\bin\sms (R77.30 and lower)
	Configuration file	$FWDIR/conf/sofaware/SWManagementServer.ini %FWDIR%\conf\sofaware\SWManagementServer.ini (R77.30 and lower)
	Notes	The "cpwd_admin list" command shows the process as "VPN-1 Embedded Connector"
	To Stop	smsstop
	To Start	smsstart
	Debug	Refer to sk60780
OPSEC LEA (Log Export API)
lea_session	Description	Responsible for OPSEC LEA session between the OPSEC LEA Client and the OPSEC LEA Server on Check Point Management Server / Log Server. Spawned by the FWD daemon.
	Path	$FWDIR/bin/lea_session %FWDIR%\bin\lea_session (R77.30 and lower)
	Configuration file	$FWDIR/conf/fwopsec.conf %FWDIR%\conf\fwopsec.conf (R77.30 and lower) Refer to "`lea_server`" lines
	Log file	$FWDIR/log/lea_session.<PID>.elg %FWDIR%\log\lea_session.<PID>.elg (R77.30 and lower)
	Notes	The "top" and "ps" commands show the process as "lea_session"
	To Stop	cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd" or cpstop
	To Start	cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd" or cpstart
	Debug	Refer to sk86321 Start debug: fw debug fwd on TDERROR_ALL_ALL=5 fw debug fwd on OPSEC_DEBUG_LEVEL=3 Replicate the issue Stop debug: fw debug fwd off TDERROR_ALL_ALL=0 fw debug fwd off OPSEC_DEBUG_LEVEL=0 Analyze: $FWDIR/log/lea_session.<PID>.elg*

1800 / 1600 / 1500 / 1400 / 1200R / 1100 / 900 / 700 / 600 appliances

Enter the string you are searching for in this table:

Daemon	Section	Information
sfwd	Description	Main process: Logging Policy installation VPN negotiation Identity Awareness enforcement UserCheck enforcement etc.
	Log file	$FWDIR/log/sfwd.elg Also refer to $FWDIR/log/cpwd.elg
	Notes	The "cpwd_admin list" command shows the process as "SFWD". The "ps auxw" command shows the process as "fw sfwd".
	To Stop	$FWDIR/bin/cpwd_admin stop -name SFWD
	To Start	$FWDIR/bin/cpwd_admin start -name SFWD -path $FWDIR/bin/fw -command "fw sfwd"
	Debug	Refer to sk86321
cposd	Description	SMB-specific daemon responsible for OS Networking operations.
	Log file	$FWDIR/log/cposd.elg
	Notes	The "cpwd_admin list" command shows the process as "cposd".
	To Stop	cpwd_admin stop -name cposd
	To Start	cpwd_admin start -name cposd -path /pfrm2.0/bin/cposd -command "cposd"
rtdbd	Description	Real Time database daemon.
	Configuration file	/pfrm2.0/etc/rtdbd.conf
	Notes	The "cpwd_admin list" command shows the process as "RTDB"
	To Stop	$FWDIR/bin/cpwd_admin stop -name RTDB
	To Start	$FWDIR/bin/cpwd_admin start -name RTDB -path /pfrm2.0/bin/rtdbd -command "rtdbd"
dropbear	Description	LightWeight SSH server. This process does not exist starting from the R80.20.60 and R81.10 versions. This process does not exist on 900, 700, and 600 models.
	Notes	The "cpwd_admin list" command shows the process as "dropbear"
	To Stop	None
	To Start	None

Endpoint Security Client

Enter the string you are searching for in this table:

Daemon	Section	Information
cpda.exe	Check Point Client connection service (Device Agent) - Check Point Endpoint Agent	Roles: Communication with Harmony Endpoint Server - HTTPS Heart Beat & Sync Endpoint Authentication Software Deployment Managing Client State EMON (Reporting) Data Files & Drivers Download Policy Download
IDAFServerHostService.exe	Check Point Device Auxiliary Framework Host	Roles: Communication with Harmony Endpoint Security Blades and with Device Agent Policy Storage (persistent) Provider Info Store EMON (Reporting), Harmony Endpoint Client state status and SYNC Harmony Endpoint Security Logs Store (persistent) and Logs from each Harmony Endpoint Security Blade
EPWD.exe	Check Point Endpoint Client Watchdog service	Used to keep Harmony Endpoint Security Blades, services and processes running.
Imguardsvc64.exe	Check Point Capsule Docs Client Service	Enables the Check Point Capsule Docs Client. If this service is stopped, Check Point Capsule Docs protected content will be unavailable.
Imdci.exe	Check Point Capsule Docs DCI Process
FDE_srv.exe	Check Point Full Disk Encryption	Responsible for boot protection, Preboot Authentication and providing strong encryption to ensure that only authorized users can access data stored on the machine/device.
TESvc.exe	Check Point Endpoint Threat Emulation Check Point Harmony Agent Threat Emulation (32 bit)	Check Point Endpoint Threat Emulation silently protects your computer from potential malware. Monitors file creations on the system, scans each file and emulates it if needed.
vsmon.exe	Check Point Endpoint Security Network Protection	Protects your network and your computer from unauthorized network access.
Compliance.exe	Check Point Endpoint Security Compliance	Checks conformance of the computer to the security policies.
epab_svc.exe	Check Point Endpoint Security Anti-Bot service	Detects bot-infected machines and prevents bot damages by blocking bot C&C communications.
NEM_svc.exe	Check Point Endpoint Security Bitlocker Management	Our Bitlocker Management service uses APIs provided by Microsoft Windows to control and to manage Bitlocker.
RemediationService.exe	Check Point Endpoint Security Remediation service	Responsible for remediation of files. In practice, we quarantine a file (quarantine means creating a backup and then deleting the file) or deleting of malicious processes.
EFRService.exe	Check Point Endpoint Security Forensics service	Used to constantly monitoring the system operation and gathers the information in to a dedicated database. When triggered, the EFRService is analyzing the collected data and generating a report.
cptrayUI.exe	Check Point Endpoint Security Client UI Service	Responsible for all the UI aspects. Everything visual/graphical you can see in the Harmony Endpoint Client.
cptrayLogic.exe	Check Point Endpoint Security Client UI Service	Responsible for all Logic/Status data. Everything as far a textual and dynamic updates.
disknet.exe	Check Point ESME Client Check Point Endpoint Security MEPP Service	Main Media Encryption & Port Protection (MEPP) Service
ServiceRequest.exe		Helps support the MEPP Blade/Application
Unlock.exe		Used for the Access to Business Data.exe. This is the Explorer Utility used with MEPP
TracSrvWrapper.exe	Check Point Endpoint Connect - Check Point Endpoint Security VPN Service	Main Remote Access/VPN Blade Service
TrGui.exe		Remote Access/VPN Blade UI Service
TracCAPI.exe		Provides access to users certificate storage for authentication. VPN service runs under SYSTEM account and can't access personal certificates of users. The TracSrvWrapper.exe service launches TracCAPI.exe under the user's account, and TracCAPI.exe reads the user's certificates.
VPN_ProxyServer.exe		Simulates a HTTP Server which hosts a PAC File in order to handle and use Proxy. Starting with Windows 10, PAC files cannot be accessed through a file:// protocol. Only http:// is allowed.

Additional Processes

Enter the string you are searching for in this table:

Daemon	Section	Information
mpdaemon	Description	On Security Gateway and Management Server. Platform Portal / Multi Portal (https://<IP_Address>/). Each portal has its Apache server (which can have multiple processes). The mpdaemon process is responsible for starting these web servers.
	Path	$CPDIR/bin/mpdaemon
	Log file	$CPDIR/log/mpdaemon.elg $CPDIR/log/mpclient.elg
	Configuration file	$CPDIR/conf/mpdaemon.conf
	Notes	The "cpwd_admin list" command shows the process as "MPDAEMON".
	To Stop	cpwd_admin stop -name MPDAEMON or mpclient stopall
	To Start	cpwd_admin start -name MPDAEMON -path "$CPDIR/bin/mpdaemon" -command "mpdaemon $CPDIR/log/mpdaemon.elg $CPDIR/conf/mpdaemon.conf"
	Debug	Refer to sk87920: Start debug: mpclient debug on mpclient debug set TDERROR_ALL_ALL=5 Replicate the issue Stop debug: mpclient debug set TDERROR_ALL_ALL=0 mpclient debug off
CloudGuard Controller	Description	CloudGuard Controller (Management Server)
	Path	$VSECDIR
	Log file	$MDS_FWDIR/log/cloud_proxy.elg
	Configuration file	$MDS_FWDIR/conf/vsec.conf
	Notes	The "cpwd_admin list" command shows the process as "CLOUDGUARD"
	To Stop	To stop temporarily: vsec stop To stop permanently: vsec off
	To Start	To start after ‘vsec stop’: vsec start To start after ‘vsec off': vsec on
	Debug	Refer to sk115657
avi_del_tmp_files	Description	Shell script (from $FWDIR/bin/) that periodically deletes various old temporary Anti-Virus files on Security Gateway and Management Server.
	Path	$FWDIR/bin/avi_del_tmp_files
	Log file	$FWDIR/log/avi_del_tmp_files.elg
	Notes	The "cpwd_admin list" command shows the process as "CI_CLEANUP".
	To Stop	cpwd_admin stop -name CI_CLEANUP
	To Start	cpwd_admin start -name CI_CLEANUP -path $FWDIR/bin/avi_del_tmp_files -command "avi_del_tmp_files"
	Debug	Standard CSH script debugging (csh -x -v $FWDIR/bin/avi_del_tmp_files)
ci_http_server	Description	HTTP Server for Content Inspection on a Security Gateway.
	Path	$FWDIR/bin/ci_http_server
	Log file	$FWDIR/log/cphttpd.elg
	Configuration file	$FWDIR/conf/cihs.conf
	Notes	The "cpwd_admin list" command shows the process as "CIHS"
	To Stop	cpwd_admin stop -name CIHS
	To Start	cpwd_admin start -name CIHS -path $FWDIR/bin/ci_http_server -command "ci_http_server -j -f $FWDIR/conf/cihs.conf"
	Debug	Stop: cpwd_admin stop -name CIHS Start under debug (with "-v" flag): cpwd_admin start -name CIHS -path $FWDIR/bin/ci_http_server -command "ci_http_server -v -j -f $FWDIR/conf/cihs.conf" Replicate the issue Stop: cpwd_admin stop -name CIHS Start normally: cpwd_admin start -name CIHS -path $FWDIR/bin/ci_http_server -command "ci_http_server -j -f $FWDIR/conf/cihs.conf"
cp_http_server	Description	On Security Gateway and Management Server. HTTP Server for OS WebUI and Management Portal (SmartPortal).
	Path	$WEBDIR/bin/cp_http_server
	Log file	$FWDIR/log/cphttpd.elg
	Configuration file	$MPDIR/conf/cp_httpd_admin.conf
	Notes	The "cpwd_admin list" command shows the process as "CPHTTPD".
	To Stop	cpwd_admin stop -name CPHTTPD
	To Start	cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"
	Debug	Stop: cpwd_admin stop -name CPHTTPD Start under debug (with "-v" flag): cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -v -f '$MPDIR/conf/cp_httpd_admin.conf'" Replicate the issue Stop: cpwd_admin stop -name CPHTTPD Start normally: cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"
cpviewd	Description	On Security Gateway and Management Server. CPView Utility daemon (sk101878).
	Path	In R77.30 and higher: $CPDIR/bin/cpviewd In R77, R77.10, R77.20: $FWDIR/bin/cpviewd
	Configuration file	$CPDIR/conf/cpview_conf.xml
	Notes	The "cpwd_admin list" command shows the process as "CPVIEWD".
	To Stop	cpwd_admin stop -name CPVIEWD
	To Start	In R77.30 and higher: cpwd_admin start -name CPVIEWD -path "$CPDIR/bin/cpviewd" -command "cpviewd" In R77, R77,10, R77.20: cpwd_admin start -name CPVIEWD -path "$FWDIR/bin/cpviewd" -command "cpviewd"
	Debug	Refer to sk101878
cpview_services	Description	On Security Gateway and Management Server. CPView Utility Services daemon (sk101878).
	Path	$CPDIR/bin/cpview_services
	Configuration file	$CPDIR/conf/cpview_services_conf.xml
	Notes	The "cpwd_admin list" command shows the process as "CPVIEWS".
	To Stop	cpwd_admin stop -name CPVIEWS
	To Start	cpwd_admin start -name CPVIEWS -path "$CPDIR/bin/cpview_services" -command "cpview_services"
	Debug	Refer to sk101878
cpview_historyd	Description	On Security Gateway and Management Server. CPView Utility History daemon (sk101878).
	Path	In R77.30 and higher: $CPDIR/bin/cpview_historyd In R77, R77.10, R77.20: $FWDIR/bin/cpview_historyd
	Log file	/var/log/CPView_history/CPViewDB.dat
	Notes	The "cpwd_admin list" command shows the process as "HISTORYD"
	To Stop	cpview history off
	To Start	cpview history on
cpsnmpd	Description	On Security Gateway and Management Server: Listens on UDP port 260 and is capable of responding to SNMP queries for Check Point OIDs only (under OID .1.3.6.1.4.1.2620) Accepts only SNMPv1 Supplied as a part of Check Point Suite ($CPDIR/bin/cpsnmpd)
	To Stop	killall cpsnmpd
	To Start	cpsnmpd -p 260
	Debug	Refer to sk66384
lpd	Description	Log Parser Daemon - Search predefined patterns in log files
	Path	$DIAGDIR/bin/lpd
	Log file	$FWDIR/log/lpd.elg
	Configuration file	$DIAGDIR/signatures/sdb.dat
	Notes	The "cpwd_admin list" command shows the process as "LPD"
	To Stop	cpwd_admin stop -name LPD
	To Start	cpwd_admin start -name LPD -path "$DIAGDIR/bin/lpd" -command "lpd"
	Debug	Start debug: fw debug lpd on TDERROR_ALL_ALL=5 Stop debug: fw debug lpd off TDERROR_ALL_ALL=0 Replicate the issue Analyze: $FWDIR/log/lpd.elg*
spike_detective	Description	CPU Spike Detective - see sk166454 Non-Scalable Platforms - R81 and higher, R80.40 Jumbo Take 69 (and higher) On Maestro and Scalable Chassis - R81.10 and higher
	Path	$FWDIR/bin/spike_detective
	Log file	CPView > CPU > Spikes /var/log/spike_detective/spike_detective.log /var/log/messages (in R81 and higher) /var/log/spike_detective/data_spike_general_<Date>_<Time>/* /var/log/spike_detective/data_spike_thread_<Thread_ID>_<Date>_<Time> /var/log/spike_detective/data_spike_cpu_<Core_Number>_<Date>_<Time>
	Notes	The "cpwd_admin list" command shows the process as "SPIKE_DETECTIVE"
	Configuration file	$FWDIR/conf/spike_detective_conf.xml
	To Disable	$CPDIR/bin/cpprod_util CPPROD_SetValue fw1 SpikedetectiveOff 4 1 1 reboot
	To Stop	cpwd_admin stop -name SPIKE_DETECTIVE
	To Enable	Note - In R81 and higher, this tool is enabled by default $CPDIR/bin/cpprod_util CPPROD_SetValue fw1 SpikedetectiveOff 4 0 1 reboot
	To Start	cpwd_admin start -name SPIKE_DETECTIVE -path $FWDIR/bin/spike_detective -command "spike_detective"
	Debug	None

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating