Policy Installation Process

Checkpoint Policy Installation Process

This short article describes the process of policy installation when it is initiated via SmartDashboard.

Policy installation flow:

Assuming the initiation was made by the SmartDashboard, as opposed to using command line options, such as fwm load (on Management Server) or fw fetch (on Security Gateway), the Check Point Management Interface (CPMI) policy installation command is sent to FWM process on the Management Server where the verification and compilation takes place.

  1. FWM process forwards the command to CPD process for code generation and compilation.
  2. CPD process invokes the Check Point Policy Transfer Agent (CPTA) command that sends the policy to all applicable Security Gateways.
  3. CPD process on the Security Gateway receives the policy and verifies its integrity.
  4. FWD process on the Security Gateway updates all of the user-mode processes responsible for enforcement aspects. These include VPND process for VPN issues, FWSSD processes for Security Server issues, and so on. Once complete, the CPD process then initiates the update for Check Point kernel.
  5. The new policy is prepared, and the Check Point kernel halts the current traffic and starts queuing all incoming traffic.
  6. The Atomic Load takes place. This process should take a fraction of a second.
    Note: During Atomic Load, SecureXL is disabled and re-enabled afterwards.
  7. The traffic queue is released, and all of the packets are handled by the new security policy.

CCSE Revision Questions 156-315.77 – Part 2

This entry is part 2 of 3 in the series CCSE Revision Questions 156-315.77

CCSE Revision Questions 156-315.77 – Part 2

This is the next post in the series, following on from the first CCSE Revision Questions article. Without further ado, let’s get stuck in:

QUESTION 31

If your firewall is performing a lot of IPS inspection and the CPUs assigned to fw_worker_thread are at or near 100%, which of the following could you do to improve performance?

A. Add more RAM to the system.
B. Add more Disk Drives.
C. Assign more CPU cores to CoreXL
D. Assign more CPU cores to SecureXL.

[su_spoiler title=”Answer:” style=”default”] C

Explanation: By adding more cores you will reduce the load on existing cores. Do this using cpconfig:

From a command line on the gateway, run: cpconfig.
The configuration menu shows.
Enter option 8: Configure Check Point CoreXL.

[/su_spoiler]

QUESTION 32

Which of the following CLISH commands would you use to set the admin user’s shell to bash?
A. set user admin shell bash
B. set user admin shell /bin/bash
C. set user admin shell = /bin/bash
D. set user admin /bin/bash

[su_spoiler title=”Answer:” style=”default”] B

Explanation:

See here for details.

[/su_spoiler]

QUESTION 33

What is Check Point’s CoreXL?
A. A way to synchronize connections across cluster members
B. TCP-18190
C. Multiple core interfaces on the device to accelerate traffic
D. Multi Core support for Firewall Inspection

[su_spoiler title=”Answer:” style=”default”] D

Explanation: CoreXL is a performance-enhancing technology for Security Gateways on multi-core processing platforms. CoreXL enhances Security Gateway performance by enabling the processing cores to concurrently perform multiple tasks.
[/su_spoiler]

 

 

QUESTION 34

Does Check Point recommend generating an upgrade_export on standby SmartCenters?
A. Yes. This is the only way to get the upgrade_export
B. No. All Check Point processes are stopped.
C. No. There is no way to verify the actual configuration.
D. Yes. All information is available at both SmartCenters.

[su_spoiler title=”Answer:” style=”default”] C

Explanation:

[/su_spoiler]

QUESTION 35

The challenges to IT involve deployment, security, management, and what else?

A. Assessments
B. Maintenance
C. Transparency
D. Compliance

[su_spoiler title=”Answer:” style=”default”] D

Explanation: An ambiguous question; compliance is certainly important from a security perspective though

[/su_spoiler]

QUESTION 36

What is the correct policy installation process order?

1. Verification
2. Code generation and compilation
3. Initiation
4. Commit
5. Conversion
6. CPTA

A. 1, 2, 3, 4, 5, 6
B. 3, 1, 5, 2, 6, 4
C. 4, 2, 3, 5, 6, 1
D. 6, 5, 4, 3, 2, 1

[su_spoiler title=”Answer:” style=”default”] B

Explanation:

The answer B is correct assuming:

* verification refers to the viability of the policy and not the integrity of the policy file which is transferred to the gateway for installation
* we ignore “conversion” as it is not mentioned in any checkpoint docs

See here for the actual process.

[/su_spoiler]

QUESTION 37

What is the offline CPSIZEME upload procedure?
A. Find the cpsizeme_of_<gwname>.pdf, attach it to an e-mail and send it to cpsizeme_upload@checkpoint.com
B. Use the webbrowser version of cpsizeme and fax it to Check Point.
C. Find the cpsizeme_of_<gwname>.xml, attach it to an e-mail and send it to cpsizeme_upload@checkpoint.com
D. There is no offline upload method.

[su_spoiler title=”Answer:” style=”default”] C

Explanation:

From sk88160:

The ‘cpsizeme’ is a lightweight shell script that produces a detailed performance report of Check Point Security Gateway. This script measures the ongoing resource utilization on Security Gateway during the given time period (refer to “Running ‘cpsizeme'” section). During this period, the script gathers information about CPU, memory consumption, throughput and few other important performance parameters.

This script allows to automatically upload the collected raw performance data securely to Check Point servers. If an e-mail address was provided, then after getting the raw performance data, a PDF report will be sent to that e-mail address.

Offline upload procedure – If the Security Gateway does not have connectivity to Check Point servers, you can upload the data via e-mail:

Procedure:

  • Locate the cpsizeme output XML file on the Security Gateway. Run:
    [Expert@HostName]# ./cpsizeme -S
  • Select option 5 ‘Show location of generated files’.
  • Transfer the cpsizeme output XML file from the Security Gateway to your computer.
  • Attach the cpsizeme output XML file to an e-mail.
  • Send the e-mail to the following e-mail address: cpsizeme_upload@checkpoint.com
  • You will receive an e-mail from sizing@checkpoint.com with attached PDF report within 1 hour.

[/su_spoiler]

QUESTION 38

How frequently does CPSIZEME run by default?
A. weekly
B. 12 hours
C. 24 hours
D. 1 hour

[su_spoiler title=”Answer:” style=”default”] C

Explanation: From the sk:

To run the script with default parameters:
[Expert@HostName]# ./cpsizeme
By default, the script will run for 24 hours.
[/su_spoiler]

QUESTION 39

How do you run “CPSIZEME” on SPLAT?
A. [expert@HostName]#>./cpsizeme -h
B. [expert@HostName]# ./cpsizeme -R
C. This is not possible on SPLAT
D. [expert@HostName]# ./cpsizeme

[su_spoiler title=”Answer:” style=”default”] D

Explanation: As previous question:
To run the script with default parameters:
[Expert@HostName]# ./cpsizeme
[/su_spoiler]

QUESTION 40

How do you check the version of “CPSIZEME” on GAiA?
A. [expert@HostName]# ./cpsizeme.exe
B. [expert@HostName]# ./cpsizeme.exe version
C. [expert@HostName]# ./cpsizeme -V
D. [expert@HostName]# ./cpsizeme version

[su_spoiler title=”Answer:” style=”default”] C

Explanation: A and C are .exe – this refers to a Gaia installation. The correct switch is “-V”
[/su_spoiler]

QUESTION 41

How do you upload the results of “CPSIZEME” to Check Point when using a PROXY server with authentication?
A. [expert@HostName]# ./cpsizeme.exe -a username:password@proxy_address:port
B. [expert@HostName]# ./cpsizeme -p username:password@proxy_address:port
C. [expert@HostName]# ./cpsizeme -a username:password@proxy_address:port
D. [expert@HostName]# ./cpsizeme.exe -p username:password@proxy_address:port

[su_spoiler title=”Answer:” style=”default”] B

Explanation: “-p” is the correct switch to use for a proxy:

If a Proxy is used to access HTTPS servers, then run:
[Expert@HostName]# ./cpsizeme -p PROXY_IP_ADDRESS:PROXY_PORT
If a username and password are required for the Proxy, then run:
[Expert@HostName]# ./cpsizeme -p USERNAME:PASSWORD@PROXY_IP_ADDRESS:PROXY_PORT
[/su_spoiler]

QUESTION 42

By default, what happens to the existing connections on a firewall when a new policy is installed?

A. All existing data connections will be kept open until the connections have ended.
B. Existing connections are always allowed
C. All existing control and data connections will be kept open until the connections have ended.
D. All existing connections not allowed under the new policy will be terminated.

[su_spoiler title=”Answer:” style=”default”] D
[/su_spoiler]

QUESTION 43

Which protocol can be used to provide logs to third-party reporting?
A. CPMI (Check Point Management Interface)
B. LEA (Log Export API)
C. AMON (Application Monitoring)
D. ELA (Event Logging API)

[su_spoiler title=”Answer:” style=”default”] B

Explanation:

The OPSEC LEA (Log Export API) provides the ability to pull logs from a Check Point device based on the OPSEC SDK. OPSEC LEA listens on port tcp/18184 on the device (OPSEC LEA Server) which will contain your logs. Your OPSEC LEA Client will then connect into 18184 and pull the logs.
[/su_spoiler]

QUESTION 44

Can the smallest appliance handle all Blades simultaneously?
A. Depends on the number of protected clients and throughput.
B. Depends on number of concurrent sessions.
C. Firewall throughput is the only relevant factor.
D. It depends on required SPU for customer environment.

[su_spoiler title=”Answer:” style=”default”] D

Explanation:

SPU is a new metric introduced by Checkpoint to provide more useful information on appliances’ capabilities.
[/su_spoiler]

QUESTION 45

The process _______ provides service to access the GAIA configuration database.
A. configdbd
B. confd
C. fwm
D. ipsrd

[su_spoiler title=”Answer:” style=”default”] B

Explanation:

See here
[/su_spoiler]

QUESTION 46

Which CLI tool helps on verifying proper ClusterXL sync?
A. fw stat
B. fw ctl sync
C. fw ctl pstat
D. cphaprob stat

[su_spoiler title=”Answer:” style=”default”] C

Explanation: fw ctl pstat outputs the ClusterXL sync statistics.
[/su_spoiler]

QUESTION 47

The connection to the ClusterXL member `A’ breaks. The ClusterXL member `A’ status is now `down’. Afterwards the switch admin set a port to ClusterXL member `B’ to `down’. What will happen?
A. ClusterXL member `B’ also left the cluster.
B. ClusterXL member `B’ stays active as last member.
C. Both ClusterXL members share load equally.
D. ClusterXL member `A’ is asked to come back to cluster.

[su_spoiler title=”Answer:” style=”default”] B

Explanation:

As B is the last member it will stay active – “Active Attention”
[/su_spoiler]

QUESTION 48

Which command will only show the number of entries in the connection table?
A. fw tab -t connections -s
B. fw tab -t connections -u
C. fw tab -t connections
D. fw tab

[su_spoiler title=”Answer:” style=”default”] A

Explanation: The “-s” switch shows a summary:

[Expert@gw]# fw tab -t connections -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 67 1893 252

[/su_spoiler]

QUESTION 49

Which statements about Management HA are correct?

1) Primary SmartCenter describes first installed SmartCenter
2) Active SmartCenter is always used to administrate with SmartConsole
3) Active SmartCenter describes first installed SmartCenter
4) Primary SmartCenter is always used to administrate with SmartConsole

A. 1 and 4
B. 2 and 3
C. 1 and 2
D. 3 and 4

[su_spoiler title=”Anwer:” style=”default”] C

Explanation: Primary is always installed first, administration is done on the active smartcentre, irrelevant of whether primary or secondary.
[/su_spoiler]

QUESTION 50

Which process should you debug if SmartDashboard login fails?
A. sdm
B. cpd
C. fwd
D. fwm

[su_spoiler title=”Answer:” style=”default”] D

Explanation:

fwm is responsible for communication between SmartConsole applications and Security Management Server. See here.

[/su_spoiler]

QUESTION 51

Paul has just joined the MegaCorp security administration team. Natalie, the administrator, creates a new administrator account for Paul in SmartDashboard and installs the policy. When Paul tries to login it fails. How can Natalie verify whether Paul’s IP address is predefined on the security management server?

A. Login to Smart Dashboard, access Properties of the SMS, and verify whether Paul’s IP address is listed.
B. Type cpconfig on the Management Server and select the option “GUI client List” to see if Paul’s IP address is listed.
C. Login in to Smart Dashboard, access Global Properties, and select Security Management, to verify whether Paul’s IP address is listed.
D. Access the WEBUI on the Security Gateway, and verify whether Paul’s IP address is listed as a GUI client.

[su_spoiler title=”Answer:” style=”default”] B

Explanation:
[Expert@gw]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
———————-
(1) Licenses and contracts
(2) Administrator
(3) GUI Clients <----- .... [/su_spoiler]

QUESTION 52

MultiCorp has bought company OmniCorp and now has two active AD domains. How would you deploy Identity Awareness in this environment?
A. You must run an ADquery for every domain.
B. Identity Awareness can only manage one AD domain.
C. Only one ADquery is necessary to ask for all domains.
D. Only Captive Portal can be used.

[su_spoiler title=”Answer:” style=”default”] A

Explanation:

One query per AD domain is required.
[/su_spoiler]

QUESTION 53

Which of the following is the preferred method for adding static routes in GAiA?
A. In the CLI with the command “route add”
B. In Web Portal, under Network Management > IPv4 Static Routes
C. In the CLI via sysconfig
D. In SmartDashboard under Gateway Properties > Topology

[su_spoiler title=”Answer:” style=”default”] B

Explanation: Preferred administration with Gaia is via web gui or clish: A is a linux (expert) command, sysconfig is deprecated and there is no routing config in dashboard.
[/su_spoiler]

QUESTION 54

Which command will erase all CRL’s?
A. vpn crladmin
B. cpstop/cpstart
C. vpn crl_zap
D. vpn flush

[su_spoiler title=”Answer:” style=”default”] C

Explanation: vpn crl_zap

This command is used to erase all Certificate Revocation Lists (CRLs) from the cache, see the VPN admin guide.

QUESTION 55

Which of the following is NOT an advantage of SmartLog?
A. SmartLog has a “Top Results” pane showing things like top sources, rules, and users.
B. SmartLog displays query results across multiple log files, reducing the need to open previous files to view results.
C. SmartLog requires less disk space by consolidating log entries into fewer records.
D. SmartLog creates an index of log entries, increasing query speed.

[su_spoiler title=”Answer:” style=”default”] C

Explanation: See here for details.
[/su_spoiler]

QUESTION 56

Write the full fw command and syntax that you would use to troubleshoot ClusterXL sync issues.

[su_spoiler title=”Answer:” style=”default”] fw ctl pstat [/su_spoiler]

QUESTION 57

Type the full cphaprob command and syntax that will show full synchronization status.

[su_spoiler title=”Answer:” style=”default”] cphaprob -i list

Explanation: Somewhat ambiguous – cphaprob -i list will show a list of all devices, cphaprob synstat will show all statistics but not necessarily *status*
[/su_spoiler]

QUESTION 58

Type the full fw command and syntax that will show full synchronization status.

[su_spoiler title=”Answer:” style=”default”] fw ctl pstat [/su_spoiler]

QUESTION 59

Type the full fw command and syntax that allows you to disable only sync on a cluster firewall member.

[su_spoiler title=”Answer:” style=”default”] fw ctl setsync off [/su_spoiler]

Explanation: fw ctl setsync off and fw ctl setsync on will turn sync off and on respectively [/su_spoiler]

QUESTION 60

Type the command and syntax you would use to verify that your Check Point cluster is functioning correctly.

[su_spoiler title=”Answer:” style=”default”] cphaprob state [/su_spoiler]

Daemons and Processes

Checkpoint Daemons and Processes

This article describes the different Checkpoint daemons and processes you may see running and what they are responsible for.

Gaia Processes and Daemons

All Gaia processes and daemons run by default, other than snmpd and dhcpd.

Daemon Child daemon Description To Start To Stop
pm Gaia OS Process Manager. Controls other processes and daemons.
confd Database and configuration. From Expert shell:
tellpm process:confd t
From Expert shell:
tellpm process:confd
searchd Search indexing daemon. From Expert shell:
tellpm process:searchd t
From Expert shell:
tellpm process:searchd
clishd Gaia Clish CLI interface process – general information for all Clish sessions. From Expert shell:
tellpm process:clishd t
From Expert shell:
tellpm process:clishd
clish Gaia Clish CLI interface process – Clish process per session. From Expert shell:
tellpm process:clish t
From Expert shell:
tellpm process:clish
routed Routing daemon. From Expert shell:
tellpm process:routed t
From Expert shell:
tellpm process:routed
httpd2 Web server daemon (Gaia Portal). From Expert shell:
tellpm process:httpd2 t
From Expert shell:
tellpm process:httpd2
monitord Hardware monitoring daemon. From Expert shell:
tellpm process:monitord t
From Expert shell:
tellpm process:monitord
rconfd Provisioning daemon. From Expert shell:
tellpm process:rconfd t
From Expert shell:
tellpm process:rconfd
cloningd Cloning Groups daemon. From Expert shell:
tellpm process:cloningd t
From Expert shell:
tellpm process:cloningd
dhcpd DHCP server daemon. From Clish:
set dhcp server enable
or
use Gaia Portal
From Clish:
set dhcp server disable
or
use Gaia Portal
snmpd SNMP (Linux) daemon. From Clish:
set snmp agent on
or
use Gaia Portal
From Clish:
set snmp agent off
or
use Gaia Portal
sshd SSH daemon. From Expert shell:
service sshd start
From Expert shell:
service sshd stop
syslogd Syslog (Linux) daemon. From Expert shell:
service syslog start
From Expert shell:
service syslog stop
DAService CPUSE (former ‘Gaia Software Updates’) service (sk98926 and sk92449). From Expert shell,
run these 2 commands:
$DADIR/bin/dastart
and
dbget installer:start
From Expert shell,
run these 2 commands:
$DADIR/bin/dastop
and
dbget installer:stop

Other Gaia daemons can be stopped in Expert mode, but we do not recommend doing so.

 

Infrastructure Processes

Daemon Description To Start To Stop
cpwd WatchDog is a process that launches and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by Watchdog are cpd, fwd and fwm. Watchdog is controlled by the cpwd_admin utility. To learn how to start and stop various daemons, run cpwd_admin command. From Expert shell:
cpstart
or
cpwd_admin start_monitor
From Expert shell:
cpstop
or
cpwd_admin stop_monitor
cpd
  • Port 18191 – Generic process (add-ons container) for many Check Point services, such as installing and fetching policy, and online updates
  • Port 18211 – SIC push certificate (from Internal CA)

Note: ‘cpwd_admin list‘ command shows the process as “CPD“.

MGMT / Gateway mode – from Expert shell:
cpstart
or
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"VSX mode – from Expert shell:
[Expert@HostName:0]# cpstart
or
[Expert@HostName:0]# vsenv VSID
[Expert@HostName:VSID]# cpwd_admin start -name CPD -ctx VSID -path "$CPDIR/bin/cpd" -command "cpd" -env inherit
MGMT / Gateway mode – from Expert shell:
cpstop
or
cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"VSX mode – from Expert shell:
[Expert@HostName:0]# cpstop
or
[Expert@HostName:0]# vsenv VSID
[Expert@HostName:VSID]# cpwd_admin stop -name CPD -ctx VSID -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop" -env inherit
fwd
  • Logging.
  • Spawning child processes (e.g., vpnd)

Note: ‘cpwd_admin list‘ command shows the process as “FWD“.

MGMT / Gateway mode – from Expert shell:
cpstart
or
cpwd_admin start -name FWD -path "$FWDIR/bin/fwd" -command "fwd"VSX mode – from Expert shell:
[Expert@HostName:0]# cpstart
or
[Expert@HostName:0]# vsenv VSID
[Expert@HostName:VSID]# cpwd_admin start -name FWD -ctx VSID -path "$FWDIR/bin/fwd" -command "fwd" -env inherit
Gateway mode – from Expert shell:
cpstop
or
cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"VSX mode – from Expert shell:
[Expert@HostName:0]# cpstop
or
[Expert@HostName:0]# vsenv VSID
[Expert@HostName:VSID]# cpwd_admin stop -name FWD -ctx VSID -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit

 

Security Gateway Software Blades

Daemon Description To Start To Stop
Firewall Blade
fwd
  • Logging.
  • Spawning child processes (e.g., vpnd)

Note: ‘cpwd_admin list‘ command shows the process as “FWD“.

Gateway mode – from Expert shell:
cpstart
or
cpwd_admin start -name FWD -path "$FWDIR/bin/fwd" -command "fwd"VSX mode – from Expert shell:
[Expert@HostName:0]# cpstart
or
[Expert@HostName:0]# vsenv VSID
[Expert@HostName:VSID]# cpwd_admin start -name FWD -ctx VSID -path "$FWDIR/bin/fwd" -command "fwd" -env inherit
Gateway mode – from Expert shell:
cpstop
or
cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"VSX mode – from Expert shell:
[Expert@HostName:0]# cpstop
or
[Expert@HostName:0]# vsenv VSID
[Expert@HostName:VSID]# cpwd_admin stop -name FWD -ctx VSID -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit
IPSec VPN Blade
vpnd
  • IKE (UDP/TCP)
  • SSL Network Extender
  • Remote Access Client configuration
  • Visitor Mode
  • NAT-T
  • Tunnel test
  • Topology Update for SecureClient
  • RDP
  • L2TP
From Expert shell:
cpstart
From Expert shell:
cpstop
Mobile Access Blade
cvpnd Back-end daemon of the Mobile Access Software Blade.
Note: ‘cpwd_admin list‘ command shows the process as “CVPND“.
From Expert shell:
cvpnstart
From Expert shell:
cvpnstop
dbwriter Offload database commands from cvpnd (to prevent locks) and syncronize with other members.
Note: ‘cpwd_admin list‘ command shows the process as “DBWRITER“.
From Expert shell:
cvpnstart
From Expert shell:
cvpnstop
cvpnproc Offload blocking commands from cvpnd (to prevent locks). Example: sending DynamicID.
Note: ‘cpwd_admin list‘ command shows the process as “CVPNPROC“.
From Expert shell:
cvpnstart
From Expert shell:
cvpnstop
MoveFileServer Move files between cluster members in order to perform database synchronization.
Note: ‘cpwd_admin list‘ command shows the process as “MOVEFILESERVER“.
From Expert shell:
cvpnstart
From Expert shell:
cvpnstop
Pinger Offload long-lasting requests from httpd.
Note: ‘cpwd_admin list‘ command shows the process as “PINGER“.
From Expert shell:
cvpnstart
From Expert shell:
cvpnstop
CvpnUMD Report SNMP connected users to AMON.
Note: ‘cpwd_admin list‘ command shows the process as “CVPNUMD“.
From Expert shell:
cvpnstart
From Expert shell:
cvpnstop
httpd Front-end daemon of the Mobile Access Software Blade (multi-processes). From Expert shell:
cvpnstart
From Expert shell:
cvpnstop
Identity Awareness Blade
pepd Policy Enforcement Point daemon

  • Receiving identities via identity sharing
  • Redirecting users to Captive Portal

Note: ‘cpwd_admin list‘ command shows the process as “PEPD“.

From Expert shell:
cpstart
From Expert shell:
cpstop
pdpd Policy Decision Point daemon

  • Acquiring identities from identity sources
  • Sharing identities with another gateways

Note: ‘cpwd_admin list’ command shows the process as “PDPD”.

From Expert shell:
cpstart
From Expert shell:
cpstop
DLP Blade
fwdlp DLP core engine that performs the scanning / inspection. From Expert shell:
cpstart
From Expert shell:
cpstop
cp_file_convert Used to convert various file formats to simple textual format for scanning by the DLP engine. From Expert shell:
cpstart
From Expert shell:
cpstop
dlp_fingerprint Used to identify the data according to a unique signature known as a fingerprint stored in your repository. From Expert shell:
cpstart
From Expert shell:
cpstop
cserver Check Server that either stops or processes the e-mail.
Note: ‘cpwd_admin list‘ command shows the process as “DLP_WS“.
From Expert shell:
cpstart
From Expert shell:
cpstop
dlpu Receives data from Check Point kernel.
Note: ‘cpwd_admin list‘ command shows the process as “DLPU_N“.
From Expert shell:
cpstart
From Expert shell:
cpstop
fwucd UserCheck back-end daemon that sends approval / disapproval requests to user.
Note: ‘cpwd_admin list‘ command shows the process as “FWUCD“.
From Expert shell:
cpstart
From Expert shell:
cpstop
Threat Emulation Blade
ted Threat Emulation daemon engine – responsible for emulating files and communication with the cloud. From Expert shell:
cpstart
From Expert shell:
cpstop
dlpu DLP process – receives data from Check Point kernel.
Note: ‘cpwd_admin list‘ command shows the process as “DLPU_N“.
From Expert shell:
cpstart
From Expert shell:
cpstop
IPS Blade
in.geod Updates the IPS Geo Protection Database. After being killed, it will be restarted automatically From Expert shell:
kill -KILL $(pidof in.geod)
URL Filtering Blade
rad Resource Advisor – responsible for the detection of Social Network widgets. The detection is done via an online service available at Check Servers which identifies specific URLs as applications.
Note: ‘cpwd_admin list‘ command shows the process as “RAD“.
cpstart
or
rad_admin start
cpstop
or
rad_admin stop
Anti-Bot Blade
acapd Packet capturing daemon for SmartView Tracker logs. cpstart cpstop
rad Resource Advisor – responsible for the detection of Social Network widgets. The detection is done via an online service available at Check Servers which identifies specific URLs as applications.
Note: ‘cpwd_admin list‘ command shows the process as “RAD“.
cpstart
or
rad_admin start
cpstop
or
rad_admin stop
Anti-Virus Blade
acapd Packet capturing daemon for SmartView Tracker logs. From Expert shell:
cpstart
From Expert shell:
cpstop
dlpu DLP process – receives data from Check Point kernel.
Note: ‘cpwd_admin list‘ command shows the process as “DLPU_N“.
From Expert shell:
cpstart
From Expert shell:
cpstop
rad Resource Advisor – responsible for the detection of Social Network widgets. The detection is done via an online service available at Check Servers which identifies specific URLs as applications.
Note: ‘cpwd_admin list‘ command shows the process as “RAD“.
From Expert shell:
cpstart
or
rad_admin start
From Expert shell:
cpstop
or
rad_admin stop
Anti-Spam Blade
in.emaild.smtp SMTP Security Server that receives e-mails sent by user. From Expert shell:
cpstart
From Expert shell:
cpstop
msd Mail Security Daemon that queries the Commtouch engine for reputation. From Expert shell:
cpstart
From Expert shell:
cpstop
ctasd Commtouch Anti-Spam daemon. From Expert shell:
cpstart
From Expert shell:
cpstop
ctipd Commtouch IP Reputation daemon. From Expert shell:
cpstart
From Expert shell:
cpstop
Monitoring Blade
rtmd Real Time traffic statistics.
Note: ‘cpwd_admin list‘ command shows the process as “RTMD“.
From Expert shell:
rtmstart
From Expert shell:
rtmstop
cpstat_monitor Process is responsible for SmartView Monitor.
Note: ‘cpwd_admin list‘ command shows the process as “CPSM“.
From Expert shell:
cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"
From Expert shell:
cpwd_admin stop -name CPSM
HTTPS Inspection
wstlsd
Handles SSL handshake for HTTPS Inspected connections. From Expert shell:
cpstart
From Expert shell:
cpstop
pkxld Performs asymmetric key operations for HTTPS Inspection (R77.30 and above) From Expert shell:
cpstart
From Expert shell:
cpstop

 

Security Management Software Blades

Daemon Description To Start To Stop
Network Policy Management Blade
fwm Communication between SmartConsole applications and Security Management Server.
Note: ‘cpwd_admin list‘ command shows the process as “FWM“.
From Expert shell:
cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"
From Expert shell:
cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"
Endpoint Policy Management Blade
epm Endpoint Management Server. From Expert shell:
uepm_start
From Expert shell:
uepm_stop
httpd Communication with Endpoint Clients. From Expert shell:
uepm_start
From Expert shell:
uepm_stop
Monitoring Blade
rtmd Real Time traffic statistics.
Note: ‘cpwd_admin list‘ command shows the process as “RTMD“.
From Expert shell:
rtmstart
From Expert shell:
rtmstop
cpstat_monitor Process is responsible for SmartView Monitor.
Note: ‘cpwd_admin list‘ command shows the process as “CPSM“.
From Expert shell:
cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"
From Expert shell:
cpwd_admin stop -name CPSM
Provisioning Blade
status_proxy Status collection of ROBO Gateways – SmartLSM/SmartProvisioning status proxy. This process runs only on Security Management Server / Domain Management Servers that are activated for Large Scale Management.
Note: ‘cpwd_admin list‘ command shows the process as “SPTR“.
From Expert shell:
cpstart
or
cpwd_admin start -name STPR -path "$FWDIR/bin/status_proxy" -command "status_proxy"
From Expert shell:
cpstop
or
cpwd_admin stop -name STPR
SmartReporter Blade
SVRServer Controller for the SmartReporter product. Traffic is sent via SSL.
Note: ‘cpwd_admin list‘ command shows the process as “SVR“.
From Expert shell:
rmdstart
or
cpwd_admin start -name SVR -path "$RTDIR/bin/SVRServer" -command "SVRServer"
From Expert shell:
rmdstop
or
cpwd_admin stop -name SVR -path $RTDIR/bin/SVRServer -command "SVRServer kill SVRServer"
log_consolidator Log Consolidator for the SmartReporter product.
Note: ‘cpwd_admin list‘ command shows the process as “LC_<IP Address of Log Server>“.
From Expert shell:
rmdstart
or
evstart
or
log_consolidator -C -m start -s <IP Address of Log Server> [-g <Domain Name>]
From Expert shell:
rmdstop
or
evstop
or these 2 commands
log_consolidator -C -m stop -s <IP Address of Log Server> [-g <Domain Name>]
and
log_consolidator -C -m exit -s <IP Address of Log Server> [-g <Domain Name>]
dbsync DBsync enables SmartReporter to synchronize data stored in different parts of the network. After SIC is established, DBsync connects to the management server to retrieve all the objects. After the initial synchronization, it gets updates whenever an object is saved. In distributed information systems DBsync provides one-way synchronization of data between the Security Management Servers object database and the SmartReporter computer, and supports configuration and administration of distributed systems.
Note: ‘cpwd_admin list‘ command shows the process as “DBSYNC“.
From Expert shell:
rmdstart
or
evstart
or
cpwd_admin start -name DBSYNC -path "$RTDIR/bin/dbsync" -command "dbsync"
From Expert shell:
rmdstop
or
evstop
or
cpwd_admin stop -name DBSYNC
postgres PostgreSQL server. From Expert shell:
cpstart
From Expert shell:
cpstop
SmartEvent Blade
cpsead Responsible for Correlation Unit functionality.
Note: ‘cpwd_admin list‘ command shows the process as “CPSEAD“.
From Expert shell:
evstart
or
cpwd_admin start -name CPSEAD -path "$RTDIR/bin/cpsead" -command "cpsead"
From Expert shell:
evstop
or
cpwd_admin stop -name CPSEAD
cpsemd Responsible for logging into the SmartEvent GUI.
Note: ‘cpwd_admin list‘ command shows the process as “CPSEMD“.
From Expert shell:
evstart
or
cpwd_admin start -name CPSEMD -path "$RTDIR/bin/cpsemd" -command "cpsemd"
From Expert shell:
evstop
or
cpwd_admin stop -name CPSEMD
dbsync DBsync enables SmartEvent to synchronize data stored in different parts of the network. In distributed information systems DBsync provides one-way synchronization of data between the Security Management Servers object database and the SmartEvent computer, and supports configuration and administration of distributed systems. DBsync initially connects to the Management Server, with which SIC is established. It retrieves all the objects and after the initial synchronization it gets updates whenever an object is saved.
Note: ‘cpwd_admin list‘ command shows the process as “DBSYNC“.
From Expert shell:
evstart
or
cpwd_admin start -name DBSYNC -path "$RTDIR/bin/dbsync" -command "dbsync"
From Expert shell:
evstop
or
cpwd_admin stop -name DBSYNC
postgres PostgreSQL server. From Expert shell:
cpstart
From Expert shell:
cpstop
Logging & Status Blade
cplmd In order to get the data that should be presented in SmartView Tracker, FWM spawns a child process CPLMD, which reads the information from the log file and performs unification (if necessary). Upon receiving an answer from CPLMD, FWM transfers it to SmartView Tracker. From Expert shell:
cpstart
From Expert shell:
cpstop
Management Portal
cpwmd Check Point Web Management Daemon – back-end for Management Portal / SmartPortal.
Note: ‘cpwd_admin list‘ command shows the process as “CPWMD“.
From Expert shell:
cpwd_admin start -name CPWMD -path "$WEBDIR/bin/cpwmd" -command "cpwmd -D -app SmartPortal"
From Expert shell:
cpwd_admin stop -name CPWMD
cp_http_server HTTP Server for Management Portal (SmartPortal) and for OS WebUI.
Note: ‘cpwd_admin list‘ command shows the process as “CPHTTPD“.
From Expert shell:
cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"
From Expert shell:
cpwd_admin stop -name CPHTTPD
SmartLog
smartlog_server SmartLog product.
Note: ‘cpwd_admin list‘ command shows the process as “SMARTLOG_SERVER“.
From Expert shell:
smartlogstart
From Expert shell:
smartlogstop
Internal CA
cpca Check Point Internal Certificate Authority:

  • SIC certificate pulling
  • Certificate enrollment
  • CRL fetch
  • Admin WebUI
From Expert shell:
cpstart
From Expert shell:
cpstop
SofaWare Management Server
sms Manages communication (status collection, logs collection, policy update, configuration update) with UTM-1 Edge Security Gateways. This process runs only on Security Management Server / Multi-Domain Security Management Servers that manage UTM-1 Edge devices.
Note: ‘cpwd_admin list‘ command shows the process as “VPN-1 Embedded Connector“.
From Expert shell:
smsstart
From Expert shell:
smsstop

 

Additional Processes

Daemon Description To Start To Stop
mpdaemon On Security Gateway and Management Server.
Platform Portal / Multi Portal (https://IP_Address/).
Each portal has his own Apache server (which can have multiple processes).
mpdaemon‘ process is responsible for starting these web servers.
Note: ‘cpwd_admin list‘ command shows the process as “MPDAEMON“.
From Expert shell:
cpwd_admin start -name MPDAEMON -path "$CPDIR/bin/mpdaemon" -command "mpdaemon $CPDIR/log/mpdaemon.elg $CPDIR/conf/mpdaemon.conf"
From Expert shell:
cpwd_admin stop -name MPDAEMON
or
mpclient stopall
avi_del_tmp_files On Security Gateway and Management Server.
Shell script (from ‘$FWDIR/bin/‘) that periodically deletes various old temporary Anti-Virus files.
Note: ‘cpwd_admin list‘ command shows the process as “CI_CLEANUP“.
From Expert shell:
cpwd_admin start -name CI_CLEANUP -path $FWDIR/bin/avi_del_tmp_files -command "avi_del_tmp_files"
From Expert shell:
cpwd_admin stop -name CI_CLEANUP
ci_http_server On Security Gateway.
HTTP Server for Content Inspection.
Note: ‘cpwd_admin list‘ command shows the process as “CIHS“.
From Expert shell:
cpwd_admin start -name CIHS -path $FWDIR/bin/ci_http_server -command "ci_http_server -j -f $FWDIR/conf/cihs.conf"
From Expert shell:
cpwd_admin stop -name CIHS
cpviewd On Security Gateway and Management Server.
CPView Utility daemon (sk101878).
Note: ‘cpwd_admin list‘ command shows the process as “CPVIEWD“.
From Expert shell:
cpwd_admin start -name CPVIEWD -path "$FWDIR/bin/cpviewd" -command "cpviewd"
From Expert shell:
cpwd_admin stop -name CPVIEWD
cpview_historyd On Security Gateway and Management Server.
CPView Utility History daemon (sk101878).
Note: ‘cpwd_admin list‘ command shows the process as “HISTORYD“.
From Expert shell:
cpview history on
From Expert shell:
cpview history off
cp_http_server On Security Gateway and Management Server.
HTTP Server for OS WebUI and Management Portal (SmartPortal).
Note: ‘cpwd_admin list‘ command shows the process as “CPHTTPD“.
From Expert shell:
cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"
From Expert shell:
cpwd_admin stop -name CPHTTPD
cpsnmpd On Security Gateway and Management Server.

  • Listens on UDP port 260 and is capable of responding to SNMP queries for Check Point OIDs only (under OID .1.3.6.1.4.1.2620)
  • Accepts only SNMPv1
  • Supplied as a part of Check Point Suite ($CPDIR/bin/cpsnmpd)
From Expert shell:
cpsnmpd -p 260
From Expert shell:
killall cpsnmpd