Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cpwd_admin list command is mentioned in the thread top 3 CLI commands and is an essential command to know to quickly check that key processes are up and running. I think it's also nice to know what each process are responsible for. RFL, room buddies for life? If you have a standalone installation you can prevent downtime by knowing what to restart and avoid cpstop/cpstart/reboot.
This shows an example from a security managment server. On a security gateway some of these will also be there but others in addition. If you take a closer look you will see a process called LPD which have another start date/time and nowhere to find what this process do. Can someone explain me what is LPD? I can not find documentation for this process.
Important to understand each column and its value.
| Column number | Explanation |
|---|---|
| 1 | APP. Application. Name of process. |
| 2 | PID (Process identification number). |
| 3 | STAT (status). E-established. T-terminated. |
| 4 | #START. How many times the process has started since cpwd took control of the process. |
| 5 | START_TIME. The last time the process started. |
| 6 | MON. Monitored actively. YES/NO. |
| 7 | Command. Used by cpwd to start the process. |
STAT column should have every row with the value E-established, meaning that it's running. If the value is T-terminated you should start the process and find out why it crashed/won't start. #START shows how many times the process has started. The values should be 1 and if the value is higher than 1 then something has happened with that process, causing restart and the value to increase. Also the start time should be very close to the other processes and not so far away from the time server booted up. We must mention cpwd (Check Point Watchdog daemon) which is a process that launches and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail.
Do you know what each process does? What happens if it's terminated? How to start/stop? How to debug?
Following is an explanation for each process from this example above (except lpd). From Check Point:
cpviewd:
| Description | On Security Gateway and Management Server. CPView Utility daemon (sk101878). |
| Path |
|
| Configuration file | $CPDIR/conf/cpview_conf.xml |
| Notes | "cpwd_admin list" command shows the process as "CPVIEWD". |
| To stop | [Expert@HostName]# cpwd_admin stop -name CPVIEWD |
| To start |
|
| Debug | Refer to sk101878 |
cpd:
| Description |
|
| Path | $CPDIR/bin/cpd %CPDIR%\bin\cpd |
| Logfile | $CPDIR/log/cpd.elg %CPDIR%\log\cpd.elg |
| Notes | "cpwd_admin list" command shows the process as "CPD". |
| To stop |
|
| To start |
|
| Debug | "cpd_admin debug" - refer to sk86320 |
fwd:
| Description |
|
| Path | $FWDIR/bin/fwd %FWDIR%\bin\fwd |
| Logfile | $FWDIR/log/fwd.elg %FWDIR%\log\fwd.elg |
| Notes |
|
| To stop |
|
| To start |
|
| Debug | Refer to sk86321
|
fwm:
| Description | Communication between SmartConsole applications and Security Management Server. |
| Path | $FWDIR/bin/fwm %FWDIR%\bin\fwm |
| Logfile | $FWDIR/log/fwm.elg %FWDIR%\log\fwm.elg |
| Notes | "cpwd_admin list" command shows the process as "FWM". |
| To stop | [Expert@HostName]# cpwd_admin stop -name FWM -path "$FWDIR/bin/fwm" -command "fw kill fwm" In addition, on R8x, you can use the ngm_stop.sh script (refer to sk111772😞
|
| To start | [Expert@HostName]# cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm" In addition, on R8x, you can use the ngm_start.sh script (refer to sk111772😞
|
| Debug |
|
SOLR (java_solr):
| Description | Starting in R80 (SmartEvent NGSE was integrated). Jetty Server. Events are stored in the SOLR database. |
| Path | $RTDIR/bin/java_solr |
| Logfile | $RTDIR/log/solr.log $RTDIR/log/solrRun.log |
| Notes | ""cpwd_admin list" command shows the process as "SOLR". |
| Configuration | $RTDIR/conf/jetty.xml $RTDIR/conf/solr.log4j.properties $RTDIR/conf/solrConnectionConfig.xml $RTDIR/log_indexes/solr.xml |
| To stop | [Expert@HostName]# evstop |
| To start | [Expert@HostName]# evstart |
| Debug | Refer to sk105806. SmartEventSetDebugLevel solr <debug_level> $FWDIR/scripts/solr_debug.py {on | off} |
RFL (LogCore):
| Description | Starting in R80 (SmartEvent NGSE was integrated). Manages the queries it gets from the consumer processes, forwards them to SOLR database and returns the results. Also in charge of resolving and database maintenance (clean up old indexes to have space for the new ones). |
| Path | $RTDIR/bin/LogCore |
| Logfile | $RTDIR/log/RFL.log $RTDIR/log/rflRun.log |
| Notes | "cpwd_admin list" command shows the process as "RFL". |
| Configuration | $RTDIR/conf/rfl.log4j.properties $RTDIR/conf/rfl.log4j.properties.forUpgrade $RTDIR/conf/rflConfig.xml |
| To stop | [Expert@HostName]# evstop |
| To start | [Expert@HostName]# evstart |
| Debug | Refer to sk105806. SmartEventSetDebugLevel rfl <debug_level> |
SmartView:
| Description | SmartEvent Web Application that allows you to connect to SmartEvent NGSE server (at https://<IP_Address_of_SmartEvent_Server>/smartview/) and see the event views and analysis directly from a Web Browser, without installing SmartConsole. The Web page comes with predefined views that you can customize. Refer to sk105684. |
| Path | $RTDIR/bin/SmartView |
| Logfile | $RTDIR/log/smartview.log $RTDIR/log/SmartViewRun.log $RTDIR/log/smartview-service.log |
| Notes | "cpwd_admin list" command shows the process as "SMARTVIEW" |
| Configuration | $RTDIR/conf/smartview.log4j.properties |
| To stop | [Expert@HostName]# evstop |
| To start | [Expert@HostName]# evstart |
| Debug | Refer to sk105806. SmartEventSetDebugLevel smartview <debug_level> |
Indexer (log_indexer):
| Description | Starting in R80 (SmartEvent NGSE was integrated). Log indexer. |
| Path | $RTDIR/log_indexer/log_indexer |
| Logfile | $RTDIR/log_indexer/log/log_indexer.elg $RTDIR/log_indexer/log/log_indexerRun.log |
| Notes | "cpwd_admin list" command shows the process as "INDEXER". |
| Configuration | $RTDIR/log_indexer/conf/log_indexer_settings.conf $RTDIR/log_indexer/log_indexer_custom_settings.conf |
| To stop | [Expert@HostName]# evstop |
| To start | [Expert@HostName]# evstart |
CPM:
| Description | On Security Management Server R80 and above:
|
| Path | $FWDIR/scripts/cpm.sh |
| Logfile | $FWDIR/log/cpm.elg |
| Notes | "cpwd_admin list" command shows the process as "CPM". |
| To stop | [Expert@HostName]# cpstop In addition, on R8x, you can use the ngm_stop.sh script (refer to sk111772😞
|
| To start | [Expert@HostName]# cpstart In addition, on R8x, you can use the ngm_start.sh script (refer to sk111772😞
|
| Debug | Refer to sk115557 |
SMARTLOG_SERVER:
| Description | SmartLog product. |
| Path | $SMARTLOGDIR/smartlog_server |
| Logfile | $SMARTLOGDIR/log/smartlog_server.elg |
| Notes | "cpwd_admin list" command shows the process as "SMARTLOG_SERVER" |
| To stop | [Expert@HostName]# smartlogstop |
| To start | [Expert@HostName]# smartlogstart |
| Debug |
|
DAService:
| Description | Check Point Upgrade Service Engine (CPUSE) - former 'Gaia Software Updates' service (refer to sk92449). |
| Path | $DADIR/bin/DAService |
| Logfile | /opt/CPInstLog/DeploymentAgent.log /opt/CPInstLog/DA_UI.log |
| Notes | "cpwd_admin list" command shows the process as "DASERVICE" (command is "$DADIR/bin/DAService_script" - this is a watchdog script that starts the $DADIR/bin/DAService if it is not running). |
| To stop |
|
| To start |
|
| Debug | Refer to sk92449:
|
CPSM (cpstat_monitor):
| Description | Process is responsible for collecting and sending information to SmartView Monitor. |
| Path | $FWDIR/bin/cpstat_monitor %FWDIR%\bin\cpstat_monitor |
| Logfile | $FWDIR/log/cpstat_monitor.elg %FWDIR%\log\cpstat_monitor.elg |
| Notes |
|
| Configuration | $RTDIR/conf/jetty.xml $RTDIR/conf/solr.log4j.properties $RTDIR/conf/solrConnectionConfig.xml $RTDIR/log_indexes/solr.xml |
| To stop | [Expert@HostName]# cpwd_admin stop -name CPSM |
| To start | [Expert@HostName]# cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor" |
| Debug | Refer to sk108177 |
pstree shows this:
And also:
Thanks for sharing, nice post. When I check form the management servers (R80.10), I realised that one of them has an LPD but the other one does not ? I could not find any information about this daemon.
Just want to drop some extra info in here on RFL.
SmartEvent R80 Architecture to go with this description:
- Manages the queries it get from the consumer processes, forward them to Solr and return the results. Also in charge of resolving and database maintenance (clean up old indexes to have space for the new ones).
From:
https://www.checkpoint.com/downloads/products/r80.10-security-management-architecture-overview.pdf
We get this diagram:
and this other info on debugging:
DEBUGGING Debug with Database Modifications. Use mgmt_cli.
In Pre-R80.10 systems, debugging was done using dbedit, which can still be used for the objects still managed from FWM (such as gateways, VSX objects and QoS policy).
Also in earlier systems, you could manual edit config files in $FWDIR/conf.
In R80.10, manual editing of files does not work. The configuration is stored in the PostgreSQL database, and not in the $FWDIR/conf files. R80.10 now uses these files to create a representation of the installed revision, on Install Policy.
R80.10 Logging Processes are from one CLI command set, rather than various tools of before.
SmartEventSetDebugLevel <component> <debug level>
Example:
RFL:
Start: SmartEventSetDebugLevel rfl debug
Stop: SmartEventSetDebugLevel rfl info
and finally this:
