Daemons and Processes

Check Point Daemons and Processes

This article describes the different Check Point daemons and processes you may see running and what each is responsible for.

Gaia Processes and Daemons

All Gaia processes and daemons run by default, other than snmpd and dhcpd.

Daemon / Child daemon / Description / To Start / To Stop

pm
  Description: Gaia OS Process Manager. Controls other processes and daemons.

confd
  Description: Database and configuration.
  To start (Expert shell): tellpm process:confd t
  To stop (Expert shell): tellpm process:confd

searchd
  Description: Search indexing daemon.
  To start (Expert shell): tellpm process:searchd t
  To stop (Expert shell): tellpm process:searchd

clishd
  Description: Gaia Clish CLI interface process – general information for all Clish sessions.
  To start (Expert shell): tellpm process:clishd t
  To stop (Expert shell): tellpm process:clishd

clish
  Description: Gaia Clish CLI interface process – Clish process per session.
  To start (Expert shell): tellpm process:clish t
  To stop (Expert shell): tellpm process:clish

routed
  Description: Routing daemon.
  To start (Expert shell): tellpm process:routed t
  To stop (Expert shell): tellpm process:routed

httpd2
  Description: Web server daemon (Gaia Portal).
  To start (Expert shell): tellpm process:httpd2 t
  To stop (Expert shell): tellpm process:httpd2

monitord
  Description: Hardware monitoring daemon.
  To start (Expert shell): tellpm process:monitord t
  To stop (Expert shell): tellpm process:monitord

rconfd
  Description: Provisioning daemon.
  To start (Expert shell): tellpm process:rconfd t
  To stop (Expert shell): tellpm process:rconfd

cloningd
  Description: Cloning Groups daemon.
  To start (Expert shell): tellpm process:cloningd t
  To stop (Expert shell): tellpm process:cloningd

dhcpd
  Description: DHCP server daemon.
  To start, from Clish:
    set dhcp server enable
    or use Gaia Portal
  To stop, from Clish:
    set dhcp server disable
    or use Gaia Portal

snmpd
  Description: SNMP (Linux) daemon.
  To start, from Clish:
    set snmp agent on
    or use Gaia Portal
  To stop, from Clish:
    set snmp agent off
    or use Gaia Portal

sshd
  Description: SSH daemon.
  To start (Expert shell): service sshd start
  To stop (Expert shell): service sshd stop

syslogd
  Description: Syslog (Linux) daemon.
  To start (Expert shell): service syslog start
  To stop (Expert shell): service syslog stop

DAService
  Description: CPUSE (former 'Gaia Software Updates') service (sk98926 and sk92449).
  To start, from Expert shell, run these 2 commands:
    $DADIR/bin/dastart
    dbget installer:start
  To stop, from Expert shell, run these 2 commands:
    $DADIR/bin/dastop
    dbget installer:stop

Other Gaia daemons can be stopped in Expert mode, but we do not recommend doing so.

 

Infrastructure Processes

Daemon / Description / To Start / To Stop

cpwd
  Description: WatchDog is a process that launches and monitors critical processes, such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by WatchDog are cpd, fwd and fwm. WatchDog is controlled by the cpwd_admin utility. To learn how to start and stop various daemons, run the cpwd_admin command.
  To start, from Expert shell:
    cpstart
    or
    cpwd_admin start_monitor
  To stop, from Expert shell:
    cpstop
    or
    cpwd_admin stop_monitor

cpd
  Description:
  • Port 18191 – Generic process (add-ons container) for many Check Point services, such as installing and fetching policy, and online updates
  • Port 18211 – SIC push certificate (from Internal CA)
  Note: 'cpwd_admin list' command shows the process as "CPD".
  To start, MGMT / Gateway mode – from Expert shell:
    cpstart
    or
    cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
  To start, VSX mode – from Expert shell:
    [Expert@HostName:0]# cpstart
    or
    [Expert@HostName:0]# vsenv VSID
    [Expert@HostName:VSID]# cpwd_admin start -name CPD -ctx VSID -path "$CPDIR/bin/cpd" -command "cpd" -env inherit
  To stop, MGMT / Gateway mode – from Expert shell:
    cpstop
    or
    cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
  To stop, VSX mode – from Expert shell:
    [Expert@HostName:0]# cpstop
    or
    [Expert@HostName:0]# vsenv VSID
    [Expert@HostName:VSID]# cpwd_admin stop -name CPD -ctx VSID -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop" -env inherit

fwd
  Description:
  • Logging.
  • Spawning child processes (e.g., vpnd)
  Note: 'cpwd_admin list' command shows the process as "FWD".
  To start, MGMT / Gateway mode – from Expert shell:
    cpstart
    or
    cpwd_admin start -name FWD -path "$FWDIR/bin/fwd" -command "fwd"
  To start, VSX mode – from Expert shell:
    [Expert@HostName:0]# cpstart
    or
    [Expert@HostName:0]# vsenv VSID
    [Expert@HostName:VSID]# cpwd_admin start -name FWD -ctx VSID -path "$FWDIR/bin/fwd" -command "fwd" -env inherit
  To stop, Gateway mode – from Expert shell:
    cpstop
    or
    cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
  To stop, VSX mode – from Expert shell:
    [Expert@HostName:0]# cpstop
    or
    [Expert@HostName:0]# vsenv VSID
    [Expert@HostName:VSID]# cpwd_admin stop -name FWD -ctx VSID -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit

 

Security Gateway Software Blades

Daemon / Description / To Start / To Stop

Firewall Blade

fwd
  Description:
  • Logging.
  • Spawning child processes (e.g., vpnd)
  Note: 'cpwd_admin list' command shows the process as "FWD".
  To start, Gateway mode – from Expert shell:
    cpstart
    or
    cpwd_admin start -name FWD -path "$FWDIR/bin/fwd" -command "fwd"
  To start, VSX mode – from Expert shell:
    [Expert@HostName:0]# cpstart
    or
    [Expert@HostName:0]# vsenv VSID
    [Expert@HostName:VSID]# cpwd_admin start -name FWD -ctx VSID -path "$FWDIR/bin/fwd" -command "fwd" -env inherit
  To stop, Gateway mode – from Expert shell:
    cpstop
    or
    cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
  To stop, VSX mode – from Expert shell:
    [Expert@HostName:0]# cpstop
    or
    [Expert@HostName:0]# vsenv VSID
    [Expert@HostName:VSID]# cpwd_admin stop -name FWD -ctx VSID -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit

IPSec VPN Blade

vpnd
  Description:
  • IKE (UDP/TCP)
  • SSL Network Extender
  • Remote Access Client configuration
  • Visitor Mode
  • NAT-T
  • Tunnel test
  • Topology Update for SecureClient
  • RDP
  • L2TP
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

Mobile Access Blade

cvpnd
  Description: Back-end daemon of the Mobile Access Software Blade.
  Note: 'cpwd_admin list' command shows the process as "CVPND".
  To start (Expert shell): cvpnstart
  To stop (Expert shell): cvpnstop

dbwriter
  Description: Offload database commands from cvpnd (to prevent locks) and synchronize with other members.
  Note: 'cpwd_admin list' command shows the process as "DBWRITER".
  To start (Expert shell): cvpnstart
  To stop (Expert shell): cvpnstop

cvpnproc
  Description: Offload blocking commands from cvpnd (to prevent locks). Example: sending DynamicID.
  Note: 'cpwd_admin list' command shows the process as "CVPNPROC".
  To start (Expert shell): cvpnstart
  To stop (Expert shell): cvpnstop

MoveFileServer
  Description: Move files between cluster members in order to perform database synchronization.
  Note: 'cpwd_admin list' command shows the process as "MOVEFILESERVER".
  To start (Expert shell): cvpnstart
  To stop (Expert shell): cvpnstop

Pinger
  Description: Offload long-lasting requests from httpd.
  Note: 'cpwd_admin list' command shows the process as "PINGER".
  To start (Expert shell): cvpnstart
  To stop (Expert shell): cvpnstop

CvpnUMD
  Description: Report SNMP connected users to AMON.
  Note: 'cpwd_admin list' command shows the process as "CVPNUMD".
  To start (Expert shell): cvpnstart
  To stop (Expert shell): cvpnstop

httpd
  Description: Front-end daemon of the Mobile Access Software Blade (multi-processes).
  To start (Expert shell): cvpnstart
  To stop (Expert shell): cvpnstop

Identity Awareness Blade

pepd
  Description: Policy Enforcement Point daemon
  • Receiving identities via identity sharing
  • Redirecting users to Captive Portal
  Note: 'cpwd_admin list' command shows the process as "PEPD".
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

pdpd
  Description: Policy Decision Point daemon
  • Acquiring identities from identity sources
  • Sharing identities with other gateways
  Note: 'cpwd_admin list' command shows the process as "PDPD".
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

DLP Blade

fwdlp
  Description: DLP core engine that performs the scanning / inspection.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

cp_file_convert
  Description: Used to convert various file formats to simple textual format for scanning by the DLP engine.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

dlp_fingerprint
  Description: Used to identify the data according to a unique signature known as a fingerprint stored in your repository.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

cserver
  Description: Check Server that either stops or processes the e-mail.
  Note: 'cpwd_admin list' command shows the process as "DLP_WS".
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

dlpu
  Description: Receives data from Check Point kernel.
  Note: 'cpwd_admin list' command shows the process as "DLPU_N".
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

fwucd
  Description: UserCheck back-end daemon that sends approval / disapproval requests to user.
  Note: 'cpwd_admin list' command shows the process as "FWUCD".
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

Threat Emulation Blade

ted
  Description: Threat Emulation daemon engine – responsible for emulating files and communication with the cloud.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

dlpu
  Description: DLP process – receives data from Check Point kernel.
  Note: 'cpwd_admin list' command shows the process as "DLPU_N".
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

IPS Blade

in.geod
  Description: Updates the IPS Geo Protection Database.
  To start: After being killed, it will be restarted automatically.
  To stop (Expert shell): kill -KILL $(pidof in.geod)

URL Filtering Blade

rad
  Description: Resource Advisor – responsible for the detection of Social Network widgets. The detection is done via an online service available at Check Servers which identifies specific URLs as applications.
  Note: 'cpwd_admin list' command shows the process as "RAD".
  To start:
    cpstart
    or
    rad_admin start
  To stop:
    cpstop
    or
    rad_admin stop

Anti-Bot Blade

acapd
  Description: Packet capturing daemon for SmartView Tracker logs.
  To start: cpstart
  To stop: cpstop

rad
  Description: Resource Advisor – responsible for the detection of Social Network widgets. The detection is done via an online service available at Check Servers which identifies specific URLs as applications.
  Note: 'cpwd_admin list' command shows the process as "RAD".
  To start:
    cpstart
    or
    rad_admin start
  To stop:
    cpstop
    or
    rad_admin stop

Anti-Virus Blade

acapd
  Description: Packet capturing daemon for SmartView Tracker logs.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

dlpu
  Description: DLP process – receives data from Check Point kernel.
  Note: 'cpwd_admin list' command shows the process as "DLPU_N".
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

rad
  Description: Resource Advisor – responsible for the detection of Social Network widgets. The detection is done via an online service available at Check Servers which identifies specific URLs as applications.
  Note: 'cpwd_admin list' command shows the process as "RAD".
  To start, from Expert shell:
    cpstart
    or
    rad_admin start
  To stop, from Expert shell:
    cpstop
    or
    rad_admin stop

Anti-Spam Blade

in.emaild.smtp
  Description: SMTP Security Server that receives e-mails sent by user.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

msd
  Description: Mail Security Daemon that queries the Commtouch engine for reputation.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

ctasd
  Description: Commtouch Anti-Spam daemon.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

ctipd
  Description: Commtouch IP Reputation daemon.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

Monitoring Blade

rtmd
  Description: Real Time traffic statistics.
  Note: 'cpwd_admin list' command shows the process as "RTMD".
  To start (Expert shell): rtmstart
  To stop (Expert shell): rtmstop

cpstat_monitor
  Description: Process is responsible for SmartView Monitor.
  Note: 'cpwd_admin list' command shows the process as "CPSM".
  To start (Expert shell): cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"
  To stop (Expert shell): cpwd_admin stop -name CPSM

HTTPS Inspection

wstlsd
  Description: Handles SSL handshake for HTTPS Inspected connections.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

pkxld
  Description: Performs asymmetric key operations for HTTPS Inspection (R77.30 and above).
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

 

Security Management Software Blades

Daemon / Description / To Start / To Stop

Network Policy Management Blade

fwm
  Description: Communication between SmartConsole applications and Security Management Server.
  Note: 'cpwd_admin list' command shows the process as "FWM".
  To start (Expert shell): cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"
  To stop (Expert shell): cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"

Endpoint Policy Management Blade

epm
  Description: Endpoint Management Server.
  To start (Expert shell): uepm_start
  To stop (Expert shell): uepm_stop

httpd
  Description: Communication with Endpoint Clients.
  To start (Expert shell): uepm_start
  To stop (Expert shell): uepm_stop

Monitoring Blade

rtmd
  Description: Real Time traffic statistics.
  Note: 'cpwd_admin list' command shows the process as "RTMD".
  To start (Expert shell): rtmstart
  To stop (Expert shell): rtmstop

cpstat_monitor
  Description: Process is responsible for SmartView Monitor.
  Note: 'cpwd_admin list' command shows the process as "CPSM".
  To start (Expert shell): cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"
  To stop (Expert shell): cpwd_admin stop -name CPSM

Provisioning Blade

status_proxy
  Description: Status collection of ROBO Gateways – SmartLSM/SmartProvisioning status proxy. This process runs only on Security Management Server / Domain Management Servers that are activated for Large Scale Management.
  Note: 'cpwd_admin list' command shows the process as "STPR".
  To start, from Expert shell:
    cpstart
    or
    cpwd_admin start -name STPR -path "$FWDIR/bin/status_proxy" -command "status_proxy"
  To stop, from Expert shell:
    cpstop
    or
    cpwd_admin stop -name STPR

SmartReporter Blade

SVRServer
  Description: Controller for the SmartReporter product. Traffic is sent via SSL.
  Note: 'cpwd_admin list' command shows the process as "SVR".
  To start, from Expert shell:
    rmdstart
    or
    cpwd_admin start -name SVR -path "$RTDIR/bin/SVRServer" -command "SVRServer"
  To stop, from Expert shell:
    rmdstop
    or
    cpwd_admin stop -name SVR -path $RTDIR/bin/SVRServer -command "SVRServer kill SVRServer"

log_consolidator
  Description: Log Consolidator for the SmartReporter product.
  Note: 'cpwd_admin list' command shows the process as "LC_<IP Address of Log Server>".
  To start, from Expert shell:
    rmdstart
    or
    evstart
    or
    log_consolidator -C -m start -s <IP Address of Log Server> [-g <Domain Name>]
  To stop, from Expert shell:
    rmdstop
    or
    evstop
    or these 2 commands:
    log_consolidator -C -m stop -s <IP Address of Log Server> [-g <Domain Name>]
    log_consolidator -C -m exit -s <IP Address of Log Server> [-g <Domain Name>]

dbsync
  Description: DBsync enables SmartReporter to synchronize data stored in different parts of the network. After SIC is established, DBsync connects to the management server to retrieve all the objects. After the initial synchronization, it gets updates whenever an object is saved. In distributed information systems DBsync provides one-way synchronization of data between the Security Management Servers object database and the SmartReporter computer, and supports configuration and administration of distributed systems.
  Note: 'cpwd_admin list' command shows the process as "DBSYNC".
  To start, from Expert shell:
    rmdstart
    or
    evstart
    or
    cpwd_admin start -name DBSYNC -path "$RTDIR/bin/dbsync" -command "dbsync"
  To stop, from Expert shell:
    rmdstop
    or
    evstop
    or
    cpwd_admin stop -name DBSYNC

postgres
  Description: PostgreSQL server.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

SmartEvent Blade

cpsead
  Description: Responsible for Correlation Unit functionality.
  Note: 'cpwd_admin list' command shows the process as "CPSEAD".
  To start, from Expert shell:
    evstart
    or
    cpwd_admin start -name CPSEAD -path "$RTDIR/bin/cpsead" -command "cpsead"
  To stop, from Expert shell:
    evstop
    or
    cpwd_admin stop -name CPSEAD

cpsemd
  Description: Responsible for logging into the SmartEvent GUI.
  Note: 'cpwd_admin list' command shows the process as "CPSEMD".
  To start, from Expert shell:
    evstart
    or
    cpwd_admin start -name CPSEMD -path "$RTDIR/bin/cpsemd" -command "cpsemd"
  To stop, from Expert shell:
    evstop
    or
    cpwd_admin stop -name CPSEMD

dbsync
  Description: DBsync enables SmartEvent to synchronize data stored in different parts of the network. In distributed information systems DBsync provides one-way synchronization of data between the Security Management Servers object database and the SmartEvent computer, and supports configuration and administration of distributed systems. DBsync initially connects to the Management Server, with which SIC is established. It retrieves all the objects and after the initial synchronization it gets updates whenever an object is saved.
  Note: 'cpwd_admin list' command shows the process as "DBSYNC".
  To start, from Expert shell:
    evstart
    or
    cpwd_admin start -name DBSYNC -path "$RTDIR/bin/dbsync" -command "dbsync"
  To stop, from Expert shell:
    evstop
    or
    cpwd_admin stop -name DBSYNC

postgres
  Description: PostgreSQL server.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

Logging & Status Blade

cplmd
  Description: In order to get the data that should be presented in SmartView Tracker, FWM spawns a child process CPLMD, which reads the information from the log file and performs unification (if necessary). Upon receiving an answer from CPLMD, FWM transfers it to SmartView Tracker.
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

Management Portal

cpwmd
  Description: Check Point Web Management Daemon – back-end for Management Portal / SmartPortal.
  Note: 'cpwd_admin list' command shows the process as "CPWMD".
  To start (Expert shell): cpwd_admin start -name CPWMD -path "$WEBDIR/bin/cpwmd" -command "cpwmd -D -app SmartPortal"
  To stop (Expert shell): cpwd_admin stop -name CPWMD

cp_http_server
  Description: HTTP Server for Management Portal (SmartPortal) and for OS WebUI.
  Note: 'cpwd_admin list' command shows the process as "CPHTTPD".
  To start (Expert shell): cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"
  To stop (Expert shell): cpwd_admin stop -name CPHTTPD

SmartLog

smartlog_server
  Description: SmartLog product.
  Note: 'cpwd_admin list' command shows the process as "SMARTLOG_SERVER".
  To start (Expert shell): smartlogstart
  To stop (Expert shell): smartlogstop

Internal CA

cpca
  Description: Check Point Internal Certificate Authority:
  • SIC certificate pulling
  • Certificate enrollment
  • CRL fetch
  • Admin WebUI
  To start (Expert shell): cpstart
  To stop (Expert shell): cpstop

SofaWare Management Server

sms
  Description: Manages communication (status collection, logs collection, policy update, configuration update) with UTM-1 Edge Security Gateways. This process runs only on Security Management Server / Multi-Domain Security Management Servers that manage UTM-1 Edge devices.
  Note: 'cpwd_admin list' command shows the process as "VPN-1 Embedded Connector".
  To start (Expert shell): smsstart
  To stop (Expert shell): smsstop

 

Additional Processes

Daemon / Description / To Start / To Stop

mpdaemon
  Description: On Security Gateway and Management Server. Platform Portal / Multi Portal (https://IP_Address/). Each portal has its own Apache server (which can have multiple processes). The 'mpdaemon' process is responsible for starting these web servers.
  Note: 'cpwd_admin list' command shows the process as "MPDAEMON".
  To start (Expert shell): cpwd_admin start -name MPDAEMON -path "$CPDIR/bin/mpdaemon" -command "mpdaemon $CPDIR/log/mpdaemon.elg $CPDIR/conf/mpdaemon.conf"
  To stop, from Expert shell:
    cpwd_admin stop -name MPDAEMON
    or
    mpclient stopall

avi_del_tmp_files
  Description: On Security Gateway and Management Server. Shell script (from '$FWDIR/bin/') that periodically deletes various old temporary Anti-Virus files.
  Note: 'cpwd_admin list' command shows the process as "CI_CLEANUP".
  To start (Expert shell): cpwd_admin start -name CI_CLEANUP -path $FWDIR/bin/avi_del_tmp_files -command "avi_del_tmp_files"
  To stop (Expert shell): cpwd_admin stop -name CI_CLEANUP

ci_http_server
  Description: On Security Gateway. HTTP Server for Content Inspection.
  Note: 'cpwd_admin list' command shows the process as "CIHS".
  To start (Expert shell): cpwd_admin start -name CIHS -path $FWDIR/bin/ci_http_server -command "ci_http_server -j -f $FWDIR/conf/cihs.conf"
  To stop (Expert shell): cpwd_admin stop -name CIHS

cpviewd
  Description: On Security Gateway and Management Server. CPView Utility daemon (sk101878).
  Note: 'cpwd_admin list' command shows the process as "CPVIEWD".
  To start (Expert shell): cpwd_admin start -name CPVIEWD -path "$FWDIR/bin/cpviewd" -command "cpviewd"
  To stop (Expert shell): cpwd_admin stop -name CPVIEWD

cpview_historyd
  Description: On Security Gateway and Management Server. CPView Utility History daemon (sk101878).
  Note: 'cpwd_admin list' command shows the process as "HISTORYD".
  To start (Expert shell): cpview history on
  To stop (Expert shell): cpview history off

cp_http_server
  Description: On Security Gateway and Management Server. HTTP Server for OS WebUI and Management Portal (SmartPortal).
  Note: 'cpwd_admin list' command shows the process as "CPHTTPD".
  To start (Expert shell): cpwd_admin start -name CPHTTPD -path "$WEBDIR/bin/cp_http_server" -command "cp_http_server -f '$MPDIR/conf/cp_httpd_admin.conf'"
  To stop (Expert shell): cpwd_admin stop -name CPHTTPD

cpsnmpd
  Description: On Security Gateway and Management Server.
  • Listens on UDP port 260 and is capable of responding to SNMP queries for Check Point OIDs only (under OID .1.3.6.1.4.1.2620)
  • Accepts only SNMPv1
  • Supplied as a part of Check Point Suite ($CPDIR/bin/cpsnmpd)
  To start (Expert shell): cpsnmpd -p 260
  To stop (Expert shell): killall cpsnmpd
