Tuesday 24 February 2015 by krrunch

Daemons and Processes

Checkpoint Daemons and Processes

This article describes the different Checkpoint daemons and processes you may see running and what they are responsible for.

Gaia Processes and Daemons

All Gaia processes and daemons run by default, other than snmpd and dhcpd.

Daemon	Child daemon	Description	To Start	To Stop
`pm`		Gaia OS Process Manager. Controls other processes and daemons.
	`confd`	Database and configuration.	From Expert shell: `tellpm process:confd t`	From Expert shell: `tellpm process:confd`
	`searchd`	Search indexing daemon.	From Expert shell: `tellpm process:searchd t`	From Expert shell: `tellpm process:searchd`
	`clishd`	Gaia Clish CLI interface process – general information for all Clish sessions.	From Expert shell: `tellpm process:clishd t`	From Expert shell: `tellpm process:clishd`
	`clish`	Gaia Clish CLI interface process – Clish process per session.	From Expert shell: `tellpm process:clish t`	From Expert shell: `tellpm process:clish`
	`routed`	Routing daemon.	From Expert shell: `tellpm process:routed t`	From Expert shell: `tellpm process:routed`
	`httpd2`	Web server daemon (Gaia Portal).	From Expert shell: `tellpm process:httpd2 t`	From Expert shell: `tellpm process:httpd2`
	`monitord`	Hardware monitoring daemon.	From Expert shell: `tellpm process:monitord t`	From Expert shell: `tellpm process:monitord`
	`rconfd`	Provisioning daemon.	From Expert shell: `tellpm process:rconfd t`	From Expert shell: `tellpm process:rconfd`
	`cloningd`	Cloning Groups daemon.	From Expert shell: `tellpm process:cloningd t`	From Expert shell: `tellpm process:cloningd`
	`dhcpd`	DHCP server daemon.	From Clish: `set dhcp server enable` or use Gaia Portal	From Clish: `set dhcp server disable` or use Gaia Portal
	`snmpd`	SNMP (Linux) daemon.	From Clish: `set snmp agent on` or use Gaia Portal	From Clish: `set snmp agent off` or use Gaia Portal
`sshd`		SSH daemon.	From Expert shell: `service sshd start`	From Expert shell: `service sshd stop`
`syslogd`		Syslog (Linux) daemon.	From Expert shell: `service syslog start`	From Expert shell: `service syslog stop`
`DAService`		CPUSE (former ‘Gaia Software Updates’) service (sk98926 and sk92449).	From Expert shell, run these 2 commands: `$DADIR/bin/dastart` and `dbget installer:start`	From Expert shell, run these 2 commands: `$DADIR/bin/dastop` and `dbget installer:stop`

Other Gaia daemons can be stopped in Expert mode, but we do not recommend doing so.

Infrastructure Processes

Daemon	Description	To Start	To Stop
`cpwd`	WatchDog is a process that launches and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by Watchdog are `cpd`, `fwd` and `fwm`. Watchdog is controlled by the `cpwd_admin` utility. To learn how to start and stop various daemons, run `cpwd_admin` command.	From Expert shell: `cpstart` or `cpwd_admin start_monitor`	From Expert shell: `cpstop` or `cpwd_admin stop_monitor`
`cpd`	Port 18191 – Generic process (add-ons container) for many Check Point services, such as installing and fetching policy, and online updates Port 18211 – SIC push certificate (from Internal CA) Note: ‘`cpwd_admin list`‘ command shows the process as “`CPD`“.	MGMT / Gateway mode – from Expert shell: `cpstart` or `cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"`VSX mode – from Expert shell: `[Expert@HostName:0]# cpstart` or `[Expert@HostName:0]# vsenv VSID` `[Expert@HostName:VSID]# cpwd_admin start -name CPD -ctx VSID -path "$CPDIR/bin/cpd" -command "cpd" -env inherit`	MGMT / Gateway mode – from Expert shell: `cpstop` or `cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"`VSX mode – from Expert shell: `[Expert@HostName:0]# cpstop` or `[Expert@HostName:0]# vsenv VSID` `[Expert@HostName:VSID]# cpwd_admin stop -name CPD -ctx VSID -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop" -env inherit`
`fwd`	Logging. Spawning child processes (e.g., `vpnd`) Note: ‘`cpwd_admin list`‘ command shows the process as “`FWD`“.	MGMT / Gateway mode – from Expert shell: `cpstart` or `cpwd_admin start -name FWD -path "$FWDIR/bin/fwd" -command "fwd"`VSX mode – from Expert shell: `[Expert@HostName:0]# cpstart` or `[Expert@HostName:0]# vsenv VSID` `[Expert@HostName:VSID]# cpwd_admin start -name FWD -ctx VSID -path "$FWDIR/bin/fwd" -command "fwd" -env inherit`	Gateway mode – from Expert shell: `cpstop` or `cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"`VSX mode – from Expert shell: `[Expert@HostName:0]# cpstop` or `[Expert@HostName:0]# vsenv VSID` `[Expert@HostName:VSID]# cpwd_admin stop -name FWD -ctx VSID -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit`

Security Gateway Software Blades

Daemon	Description	To Start	To Stop
Firewall Blade
`fwd`	Logging. Spawning child processes (e.g., `vpnd`) Note: ‘`cpwd_admin list`‘ command shows the process as “`FWD`“.	Gateway mode – from Expert shell: `cpstart` or `cpwd_admin start -name FWD -path "$FWDIR/bin/fwd" -command "fwd"`VSX mode – from Expert shell: `[Expert@HostName:0]# cpstart` or `[Expert@HostName:0]# vsenv VSID` `[Expert@HostName:VSID]# cpwd_admin start -name FWD -ctx VSID -path "$FWDIR/bin/fwd" -command "fwd" -env inherit`	Gateway mode – from Expert shell: `cpstop` or `cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"`VSX mode – from Expert shell: `[Expert@HostName:0]# cpstop` or `[Expert@HostName:0]# vsenv VSID` `[Expert@HostName:VSID]# cpwd_admin stop -name FWD -ctx VSID -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit`
IPSec VPN Blade
`vpnd`	IKE (UDP/TCP) SSL Network Extender Remote Access Client configuration Visitor Mode NAT-T Tunnel test Topology Update for SecureClient RDP L2TP	From Expert shell: `cpstart`	From Expert shell: `cpstop`
Mobile Access Blade
`cvpnd`	Back-end daemon of the Mobile Access Software Blade. Note: ‘`cpwd_admin list`‘ command shows the process as “`CVPND`“.	From Expert shell: `cvpnstart`	From Expert shell: `cvpnstop`
`dbwriter`	Offload database commands from `cvpnd` (to prevent locks) and syncronize with other members. Note: ‘`cpwd_admin list`‘ command shows the process as “`DBWRITER`“.	From Expert shell: `cvpnstart`	From Expert shell: `cvpnstop`
`cvpnproc`	Offload blocking commands from `cvpnd` (to prevent locks). Example: sending DynamicID. Note: ‘`cpwd_admin list`‘ command shows the process as “`CVPNPROC`“.	From Expert shell: `cvpnstart`	From Expert shell: `cvpnstop`
`MoveFileServer`	Move files between cluster members in order to perform database synchronization. Note: ‘`cpwd_admin list`‘ command shows the process as “`MOVEFILESERVER`“.	From Expert shell: `cvpnstart`	From Expert shell: `cvpnstop`
`Pinger`	Offload long-lasting requests from `httpd`. Note: ‘`cpwd_admin list`‘ command shows the process as “`PINGER`“.	From Expert shell: `cvpnstart`	From Expert shell: `cvpnstop`
`CvpnUMD`	Report SNMP connected users to AMON. Note: ‘`cpwd_admin list`‘ command shows the process as “`CVPNUMD`“.	From Expert shell: `cvpnstart`	From Expert shell: `cvpnstop`
`httpd`	Front-end daemon of the Mobile Access Software Blade (multi-processes).	From Expert shell: `cvpnstart`	From Expert shell: `cvpnstop`
Identity Awareness Blade
`pepd`	Policy Enforcement Point daemon Receiving identities via identity sharing Redirecting users to Captive Portal Note: ‘`cpwd_admin list`‘ command shows the process as “`PEPD`“.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`pdpd`	Policy Decision Point daemon Acquiring identities from identity sources Sharing identities with another gateways Note: ‘cpwd_admin list’ command shows the process as “PDPD”.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
DLP Blade
`fwdlp`	DLP core engine that performs the scanning / inspection.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`cp_file_convert`	Used to convert various file formats to simple textual format for scanning by the DLP engine.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`dlp_fingerprint`	Used to identify the data according to a unique signature known as a fingerprint stored in your repository.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`cserver`	Check Server that either stops or processes the e-mail. Note: ‘`cpwd_admin list`‘ command shows the process as “`DLP_WS`“.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`dlpu`	Receives data from Check Point kernel. Note: ‘`cpwd_admin list`‘ command shows the process as “`DLPU_N`“.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`fwucd`	UserCheck back-end daemon that sends approval / disapproval requests to user. Note: ‘`cpwd_admin list`‘ command shows the process as “`FWUCD`“.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
Threat Emulation Blade
`ted`	Threat Emulation daemon engine – responsible for emulating files and communication with the cloud.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`dlpu`	DLP process – receives data from Check Point kernel. Note: ‘`cpwd_admin list`‘ command shows the process as “`DLPU_N`“.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
IPS Blade
`in.geod`	Updates the IPS Geo Protection Database.	After being killed, it will be restarted automatically	From Expert shell: `kill -KILL $(pidof in.geod)`
URL Filtering Blade
`rad`	Resource Advisor – responsible for the detection of Social Network widgets. The detection is done via an online service available at Check Servers which identifies specific URLs as applications. Note: ‘`cpwd_admin list`‘ command shows the process as “`RAD`“.	`cpstart` or `rad_admin start`	`cpstop` or `rad_admin stop`
Anti-Bot Blade
`acapd`	Packet capturing daemon for SmartView Tracker logs.	`cpstart`	`cpstop`
`rad`	Resource Advisor – responsible for the detection of Social Network widgets. The detection is done via an online service available at Check Servers which identifies specific URLs as applications. Note: ‘`cpwd_admin list`‘ command shows the process as “`RAD`“.	`cpstart` or `rad_admin start`	`cpstop` or `rad_admin stop`
Anti-Virus Blade
`acapd`	Packet capturing daemon for SmartView Tracker logs.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`dlpu`	DLP process – receives data from Check Point kernel. Note: ‘`cpwd_admin list`‘ command shows the process as “`DLPU_N`“.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`rad`	Resource Advisor – responsible for the detection of Social Network widgets. The detection is done via an online service available at Check Servers which identifies specific URLs as applications. Note: ‘`cpwd_admin list`‘ command shows the process as “`RAD`“.	From Expert shell: `cpstart` or `rad_admin start`	From Expert shell: `cpstop` or `rad_admin stop`
Anti-Spam Blade
`in.emaild.smtp`	SMTP Security Server that receives e-mails sent by user.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`msd`	Mail Security Daemon that queries the Commtouch engine for reputation.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`ctasd`	Commtouch Anti-Spam daemon.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`ctipd`	Commtouch IP Reputation daemon.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
Monitoring Blade
`rtmd`	Real Time traffic statistics. Note: ‘`cpwd_admin list`‘ command shows the process as “`RTMD`“.	From Expert shell: `rtmstart`	From Expert shell: `rtmstop`
`cpstat_monitor`	Process is responsible for SmartView Monitor. Note: ‘`cpwd_admin list`‘ command shows the process as “`CPSM`“.	From Expert shell: `cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"`	From Expert shell: `cpwd_admin stop -name CPSM`
HTTPS Inspection
`wstlsd`	Handles SSL handshake for HTTPS Inspected connections.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
`pkxld`	Performs asymmetric key operations for HTTPS Inspection (R77.30 and above)	From Expert shell: `cpstart`	From Expert shell: `cpstop`

Security Management Software Blades

Daemon	Description	To Start	To Stop
Network Policy Management Blade
`fwm`	Communication between SmartConsole applications and Security Management Server. Note: ‘`cpwd_admin list`‘ command shows the process as “`FWM`“.	From Expert shell: `cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"`	From Expert shell: `cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"`
Endpoint Policy Management Blade
`epm`	Endpoint Management Server.	From Expert shell: `uepm_start`	From Expert shell: `uepm_stop`
`httpd`	Communication with Endpoint Clients.	From Expert shell: `uepm_start`	From Expert shell: `uepm_stop`
Monitoring Blade
`rtmd`	Real Time traffic statistics. Note: ‘`cpwd_admin list`‘ command shows the process as “`RTMD`“.	From Expert shell: `rtmstart`	From Expert shell: `rtmstop`
`cpstat_monitor`	Process is responsible for SmartView Monitor. Note: ‘`cpwd_admin list`‘ command shows the process as “`CPSM`“.	From Expert shell: `cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"`	From Expert shell: `cpwd_admin stop -name CPSM`
Provisioning Blade
`status_proxy`	Status collection of ROBO Gateways – SmartLSM/SmartProvisioning status proxy. This process runs only on Security Management Server / Domain Management Servers that are activated for Large Scale Management. Note: ‘`cpwd_admin list`‘ command shows the process as “`SPTR`“.	From Expert shell: `cpstart` or `cpwd_admin start -name STPR -path "$FWDIR/bin/status_proxy" -command "status_proxy"`	From Expert shell: `cpstop` or `cpwd_admin stop -name STPR`
SmartReporter Blade
`SVRServer`	Controller for the SmartReporter product. Traffic is sent via SSL. Note: ‘`cpwd_admin list`‘ command shows the process as “`SVR`“.	From Expert shell: `rmdstart` or `cpwd_admin start -name SVR -path "$RTDIR/bin/SVRServer" -command "SVRServer"`	From Expert shell: `rmdstop` or `cpwd_admin stop -name SVR -path $RTDIR/bin/SVRServer -command "SVRServer kill SVRServer"`
`log_consolidator`	Log Consolidator for the SmartReporter product. Note: ‘`cpwd_admin list`‘ command shows the process as “`LC_<IP Address of Log Server>`“.	From Expert shell: `rmdstart` or `evstart` or `log_consolidator -C -m start -s <IP Address of Log Server> [-g <Domain Name>]`	From Expert shell: `rmdstop` or `evstop` or these 2 commands `log_consolidator -C -m stop -s <IP Address of Log Server> [-g <Domain Name>] and log_consolidator -C -m exit -s <IP Address of Log Server> [-g <Domain Name>]`
`dbsync`	DBsync enables SmartReporter to synchronize data stored in different parts of the network. After SIC is established, DBsync connects to the management server to retrieve all the objects. After the initial synchronization, it gets updates whenever an object is saved. In distributed information systems DBsync provides one-way synchronization of data between the Security Management Servers object database and the SmartReporter computer, and supports configuration and administration of distributed systems. Note: ‘`cpwd_admin list`‘ command shows the process as “`DBSYNC`“.	From Expert shell: `rmdstart` or `evstart` or `cpwd_admin start -name DBSYNC -path "$RTDIR/bin/dbsync" -command "dbsync"`	From Expert shell: `rmdstop` or `evstop` or `cpwd_admin stop -name DBSYNC`
`postgres`	PostgreSQL server.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
SmartEvent Blade
`cpsead`	Responsible for Correlation Unit functionality. Note: ‘`cpwd_admin list`‘ command shows the process as “`CPSEAD`“.	From Expert shell: `evstart` or `cpwd_admin start -name CPSEAD -path "$RTDIR/bin/cpsead" -command "cpsead"`	From Expert shell: `evstop` or `cpwd_admin stop -name CPSEAD`
`cpsemd`	Responsible for logging into the SmartEvent GUI. Note: ‘`cpwd_admin list`‘ command shows the process as “`CPSEMD`“.	From Expert shell: `evstart` or `cpwd_admin start -name CPSEMD -path "$RTDIR/bin/cpsemd" -command "cpsemd"`	From Expert shell: `evstop` or `cpwd_admin stop -name CPSEMD`
`dbsync`	DBsync enables SmartEvent to synchronize data stored in different parts of the network. In distributed information systems DBsync provides one-way synchronization of data between the Security Management Servers object database and the SmartEvent computer, and supports configuration and administration of distributed systems. DBsync initially connects to the Management Server, with which SIC is established. It retrieves all the objects and after the initial synchronization it gets updates whenever an object is saved. Note: ‘`cpwd_admin list`‘ command shows the process as “`DBSYNC`“.	From Expert shell: `evstart` or `cpwd_admin start -name DBSYNC -path "$RTDIR/bin/dbsync" -command "dbsync"`	From Expert shell: `evstop` or `cpwd_admin stop -name DBSYNC`
`postgres`	PostgreSQL server.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
Logging & Status Blade
`cplmd`	In order to get the data that should be presented in SmartView Tracker, FWM spawns a child process CPLMD, which reads the information from the log file and performs unification (if necessary). Upon receiving an answer from CPLMD, FWM transfers it to SmartView Tracker.	From Expert shell: `cpstart`	From Expert shell: `cpstop`
Management Portal
`cpwmd`	Check Point Web Management Daemon – back-end for Management Portal / SmartPortal. Note: ‘`cpwd_admin list`‘ command shows the process as “`CPWMD`“.	From Expert shell: `cpwd_admin start -name CPWMD -path "$WEBDIR/bin/cpwmd" -command "cpwmd -D -app SmartPortal"`	From Expert shell: `cpwd_admin stop -name CPWMD`
`cp_http_server`	HTTP Server for Management Portal (SmartPortal) and for OS WebUI. Note: ‘`cpwd_admin list`‘ command shows the process as “`CPHTTPD`“.	From Expert shell: `cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"`	From Expert shell: `cpwd_admin stop -name CPHTTPD`
SmartLog
`smartlog_server`	SmartLog product. Note: ‘`cpwd_admin list`‘ command shows the process as “`SMARTLOG_SERVER`“.	From Expert shell: `smartlogstart`	From Expert shell: `smartlogstop`
Internal CA
`cpca`	Check Point Internal Certificate Authority: SIC certificate pulling Certificate enrollment CRL fetch Admin WebUI	From Expert shell: `cpstart`	From Expert shell: `cpstop`
SofaWare Management Server
`sms`	Manages communication (status collection, logs collection, policy update, configuration update) with UTM-1 Edge Security Gateways. This process runs only on Security Management Server / Multi-Domain Security Management Servers that manage UTM-1 Edge devices. Note: ‘`cpwd_admin list`‘ command shows the process as “`VPN-1 Embedded Connector`“.	From Expert shell: `smsstart`	From Expert shell: `smsstop`

Additional Processes

Daemon	Description	To Start	To Stop
`mpdaemon`	On Security Gateway and Management Server. Platform Portal / Multi Portal (`https://IP_Address/`). Each portal has his own Apache server (which can have multiple processes). ‘`mpdaemon`‘ process is responsible for starting these web servers. Note: ‘`cpwd_admin list`‘ command shows the process as “`MPDAEMON`“.	From Expert shell: `cpwd_admin start -name MPDAEMON -path "$CPDIR/bin/mpdaemon" -command "mpdaemon $CPDIR/log/mpdaemon.elg $CPDIR/conf/mpdaemon.conf"`	From Expert shell: `cpwd_admin stop -name MPDAEMON` or `mpclient stopall`
`avi_del_tmp_files`	On Security Gateway and Management Server. Shell script (from ‘`$FWDIR/bin/`‘) that periodically deletes various old temporary Anti-Virus files. Note: ‘`cpwd_admin list`‘ command shows the process as “`CI_CLEANUP`“.	From Expert shell: `cpwd_admin start -name CI_CLEANUP -path $FWDIR/bin/avi_del_tmp_files -command "avi_del_tmp_files"`	From Expert shell: `cpwd_admin stop -name CI_CLEANUP`
`ci_http_server`	On Security Gateway. HTTP Server for Content Inspection. Note: ‘`cpwd_admin list`‘ command shows the process as “`CIHS`“.	From Expert shell: `cpwd_admin start -name CIHS -path $FWDIR/bin/ci_http_server -command "ci_http_server -j -f $FWDIR/conf/cihs.conf"`	From Expert shell: `cpwd_admin stop -name CIHS`
`cpviewd`	On Security Gateway and Management Server. CPView Utility daemon (sk101878). Note: ‘`cpwd_admin list`‘ command shows the process as “`CPVIEWD`“.	From Expert shell: `cpwd_admin start -name CPVIEWD -path "$FWDIR/bin/cpviewd" -command "cpviewd"`	From Expert shell: `cpwd_admin stop -name CPVIEWD`
`cpview_historyd`	On Security Gateway and Management Server. CPView Utility History daemon (sk101878). Note: ‘`cpwd_admin list`‘ command shows the process as “`HISTORYD`“.	From Expert shell: `cpview history on`	From Expert shell: `cpview history off`
`cp_http_server`	On Security Gateway and Management Server. HTTP Server for OS WebUI and Management Portal (SmartPortal). Note: ‘`cpwd_admin list`‘ command shows the process as “`CPHTTPD`“.	From Expert shell: `cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"`	From Expert shell: `cpwd_admin stop -name CPHTTPD`
`cpsnmpd`	On Security Gateway and Management Server. Listens on UDP port 260 and is capable of responding to SNMP queries for Check Point OIDs only (under OID .1.3.6.1.4.1.2620) Accepts only SNMPv1 Supplied as a part of Check Point Suite (`$CPDIR/bin/cpsnmpd`)	From Expert shell: `cpsnmpd -p 260`	From Expert shell: `killall cpsnmpd`

Related

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.