Enis Dunic

cpwd_admin list overview (SMS)

Discussion created by Enis Dunic on Jun 7, 2018
Latest reply on Oct 17, 2018 by Günther W. Albrecht

The cpwd_admin list command is mentioned in the thread top 3 CLI commands and is an essential command to know to quickly check that key processes are up and running. I think it's also nice to know what each process is responsible for. RFL, room buddies for life? If you have a standalone installation you can prevent downtime by knowing what to restart and avoid cpstop/cpstart/reboot.

 

This shows an example from a security management server. On a security gateway some of these will also be there, plus others in addition. If you take a closer look you will see a process called LPD which has a different start date/time, and there is nowhere to find what this process does. Can someone explain to me what LPD is? I cannot find documentation for this process.

It is important to understand each column and its value.

 

| Column number | Explanation |
|---|---|
| 1 | APP. Application. Name of process. |
| 2 | PID (Process identification number). |
| 3 | STAT (status). E-established. T-terminated. |
| 4 | #START. How many times the process has started since cpwd took control of the process. |
| 5 | START_TIME. The last time the process started. |
| 6 | MON. Monitored actively. YES/NO. |
| 7 | Command. Used by cpwd to start the process. |

 

The STAT column should have every row with the value E-established, meaning that it's running. If the value is T-terminated you should start the process and find out why it crashed/won't start. #START shows how many times the process has started. The values should be 1, and if the value is higher than 1 then something has happened with that process, causing a restart and the value to increase. Also the start time should be very close to the other processes and not so far away from the time the server booted up. We must mention cpwd (Check Point Watchdog daemon), which is a process that launches and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail.

 

Do you know what each process does? What happens if it's terminated? How to start/stop? How to debug?

Following is an explanation for each process from this example above (except lpd). From Check Point:

 

cpviewd:

Description
On Security Gateway and Management Server.
CPView Utility daemon (sk101878).
Path
  • In R77.30 and above:
    $CPDIR/bin/cpviewd
  • In R77-R77.20:
    $FWDIR/bin/cpviewd
Configuration file
$CPDIR/conf/cpview_conf.xml
Notes
"cpwd_admin list" command shows the process as "CPVIEWD".
To stop
[Expert@HostName]# cpwd_admin stop -name CPVIEWD
To start
  • In R77.30 and above:
    [Expert@HostName]# cpwd_admin start -name CPVIEWD -path "$CPDIR/bin/cpviewd" -command "cpviewd" 

  • In R77-R77.20:
    [Expert@HostName]# cpwd_admin start -name CPVIEWD -path "$FWDIR/bin/cpviewd" -command "cpviewd"
Debug
Refer to sk101878

 

 

cpd:

Description
  • Port 18191 - Generic process (add-ons container) for many Check Point services, such as installing and fetching policy, and online updates
  • Port 18211 - SIC push certificate (from Internal CA)
Path
$CPDIR/bin/cpd
%CPDIR%\bin\cpd
Logfile
$CPDIR/log/cpd.elg
%CPDIR%\log\cpd.elg
Notes
"cpwd_admin list" command shows the process as "CPD".
To stop
  • MGMT / Gateway mode:

    [Expert@HostName]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
    or
    [Expert@HostName]# cpstop 

  • VSX mode:

    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin stop -name CPD -ctx <VSID> -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop" -env inherit 
    or
    [Expert@HostName:0]# cpstop
To start
  • MGMT / Gateway mode:

    [Expert@HostName]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
    or
    [Expert@HostName]# cpstart 

  • VSX mode:

    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin start -name CPD -ctx <VSID> -path "$CPDIR/bin/cpd" -command "cpd" -env inherit 
    or
    [Expert@HostName:0]# cpstart
Debug
"cpd_admin debug" - refer to sk86320

 

 

fwd:

Description
  • Logging
  • Spawning child processes (e.g., vpnd)
Path
$FWDIR/bin/fwd
%FWDIR%\bin\fwd
Logfile
$FWDIR/log/fwd.elg
%FWDIR%\log\fwd.elg
Notes
  • "cpwd_admin list" command shows the process as "FWD".
  • "top" / "ps" commands might also show "fw" process and/or "fw_full" process, which are just wrappers for the "fwd" process.
To stop
  • MGMT / Gateway mode:

    [Expert@HostName]# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"
    or
    [Expert@HostName]# cpstop 

  • VSX mode:

    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin stop -name FWD -ctx <VSID> -path "$FWDIR/bin/fw" -command "fw kill fwd" -env inherit
    or
    [Expert@HostName:0]# cpstop
To start
  • MGMT / Gateway mode:

    [Expert@HostName]# cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"
    or
    [Expert@HostName]# cpstart 

  • VSX mode:

    [Expert@HostName:0]# vsenv <VSID>
    [Expert@HostName:<VSID>]# cpwd_admin start -name FWD -ctx <VSID> -path "$FWDIR/bin/fwd" -command "fwd" -env inherit
    or
    [Expert@HostName:0]# cpstart
Debug
Refer to sk86321
  1. Start debug:
    fw debug fwd on TDERROR_ALL_ALL=5
    fw debug fwd on OPSEC_DEBUG_LEVEL=3
  2. Replicate the issue
  3. Stop debug:
    fw debug fwd off TDERROR_ALL_ALL=0
    fw debug fwd off OPSEC_DEBUG_LEVEL=0
  4. Analyze:
    $FWDIR/log/fwd.elg*

 

 

fwm:

Description

Communication between SmartConsole applications and Security Management Server.

Path
$FWDIR/bin/fwm
%FWDIR%\bin\fwm
Logfile
$FWDIR/log/fwm.elg
%FWDIR%\log\fwm.elg
Notes
"cpwd_admin list" command shows the process as "FWM".
To stop

[Expert@HostName]# cpwd_admin stop -name FWM -path "$FWDIR/bin/fwm" -command "fw kill fwm"

In addition, on R8x, you can use the ngm_stop.sh script (refer to sk111772):
  • $FWDIR/scripts/ngm_stop.sh
    (refer to $FWDIR/log/ngm_stop.elg)
  • $MDS_TEMPLATE/scripts/ngm_stop.sh
    (refer to $MDS_TEMPLATE/log/ngm_stop.elg)
To start

[Expert@HostName]# cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"

In addition, on R8x, you can use the ngm_start.sh script (refer to sk111772):
  • $FWDIR/scripts/ngm_start.sh
    (refer to $FWDIR/log/ngm_start.elg)
  • $MDS_TEMPLATE/scripts/ngm_start.sh
    (refer to $MDS_TEMPLATE/log/ngm_start.elg)
Debug
  • Security Management Server - refer to sk86186:

    1. Start debug:
      fw debug fwm on TDERROR_ALL_ALL=5
      fw debug fwm on OPSEC_DEBUG_LEVEL=3
    2. Replicate the issue
    3. Stop debug:
      fw debug fwm off TDERROR_ALL_ALL=0
      fw debug fwm off OPSEC_DEBUG_LEVEL=0
    4. Analyze:
      $FWDIR/log/fwm.elg*
  • Domain Management Server - refer to sk33207:

    1. Switch to the context of the relevant Domain Management Server:
      mdsenv <Domain_Name>
    2. Start debug:
      fw debug fwm on TDERROR_ALL_ALL=5
      fw debug fwm on OPSEC_DEBUG_LEVEL=3
    3. Replicate the issue
    4. Stop debug:
      fw debug fwm off TDERROR_ALL_ALL=0
      fw debug fwm off OPSEC_DEBUG_LEVEL=0
    5. Analyze:
      $FWDIR/log/fwm.elg*
  • Multi-Domain Security Management Server - refer to sk33208:

    1. Start debug:
      fw debug mds on TDERROR_ALL_ALL=5
      fw debug mds on OPSEC_DEBUG_LEVEL=3
    2. Replicate the issue
    3. Stop debug:
      fw debug mds off TDERROR_ALL_ALL=0
      fw debug mds off OPSEC_DEBUG_LEVEL=0
    4. Analyze:
      $MDS_TEMPLATE/log/mds.elg*

 

SOLR (java_solr):

Description

Starting in R80 (SmartEvent NGSE was integrated).

Jetty Server.

Events are stored in the SOLR database.

Path
$RTDIR/bin/java_solr
Logfile
$RTDIR/log/solr.log
$RTDIR/log/solrRun.log
Notes
"cpwd_admin list" command shows the process as "SOLR".
Configuration
$RTDIR/conf/jetty.xml
$RTDIR/conf/solr.log4j.properties
$RTDIR/conf/solrConnectionConfig.xml
$RTDIR/log_indexes/solr.xml
To stop

[Expert@HostName]# evstop

To start

[Expert@HostName]# evstart

Debug

Refer to sk105806.

SmartEventSetDebugLevel solr <debug_level>

$FWDIR/scripts/solr_debug.py {on | off}

 

RFL (LogCore):

Description

Starting in R80 (SmartEvent NGSE was integrated).

Manages the queries it gets from the consumer processes, forwards them to SOLR database and returns the results. Also in charge of resolving and database maintenance (clean up old indexes to have space for the new ones).

Path
$RTDIR/bin/LogCore
Logfile
$RTDIR/log/RFL.log
$RTDIR/log/rflRun.log
Notes
"cpwd_admin list" command shows the process as "RFL".
Configuration
$RTDIR/conf/rfl.log4j.properties
$RTDIR/conf/rfl.log4j.properties.forUpgrade
$RTDIR/conf/rflConfig.xml
To stop

[Expert@HostName]# evstop

To start

[Expert@HostName]# evstart

Debug

 

Refer to sk105806.

SmartEventSetDebugLevel rfl <debug_level>

 

 

SmartView:

Description

SmartEvent Web Application that allows you to connect to SmartEvent NGSE server (at https://<IP_Address_of_SmartEvent_Server>/smartview/) and see the event views and analysis directly from a Web Browser, without installing SmartConsole. The Web page comes with predefined views that you can customize.

Refer to sk105684.

Path
$RTDIR/bin/SmartView
Logfile
$RTDIR/log/smartview.log
$RTDIR/log/SmartViewRun.log
$RTDIR/log/smartview-service.log
Notes
"cpwd_admin list" command shows the process as "SMARTVIEW"
Configuration
$RTDIR/conf/smartview.log4j.properties
To stop

[Expert@HostName]# evstop

To start

[Expert@HostName]# evstart

Debug

 

Refer to sk105806.

SmartEventSetDebugLevel smartview <debug_level>

 

Indexer (log_indexer):

Description

Starting in R80 (SmartEvent NGSE was integrated).

Log indexer.

Path
$RTDIR/log_indexer/log_indexer
Logfile
$RTDIR/log_indexer/log/log_indexer.elg
$RTDIR/log_indexer/log/log_indexerRun.log
Notes
"cpwd_admin list" command shows the process as "INDEXER".
Configuration
$RTDIR/log_indexer/conf/log_indexer_settings.conf
$RTDIR/log_indexer/log_indexer_custom_settings.conf
To stop

[Expert@HostName]# evstop

To start

[Expert@HostName]# evstart

 

CPM:

Description

On Security Management Server R80 and above:

  • Serves requests from SmartConsole
  • Responsible for writing all information to the PostgreSQL and SOLR databases
Path
$FWDIR/scripts/cpm.sh
Logfile
$FWDIR/log/cpm.elg
Notes
"cpwd_admin list" command shows the process as "CPM".
To stop

[Expert@HostName]# cpstop

In addition, on R8x, you can use the ngm_stop.sh script (refer to sk111772):

  • $FWDIR/scripts/ngm_stop.sh
    (refer to $FWDIR/log/ngm_stop.elg)
  • $MDS_TEMPLATE/scripts/ngm_stop.sh
    (refer to $MDS_TEMPLATE/log/ngm_stop.elg)
To start

[Expert@HostName]# cpstart

In addition, on R8x, you can use the ngm_start.sh script (refer to sk111772):

  • $FWDIR/scripts/ngm_start.sh
    (refer to $FWDIR/log/ngm_start.elg)
  • $MDS_TEMPLATE/scripts/ngm_start.sh
    (refer to $MDS_TEMPLATE/log/ngm_start.elg)
Debug

Refer to sk115557

 

 

SMARTLOG_SERVER:

Description

 

SmartLog product.
Path
$SMARTLOGDIR/smartlog_server
Logfile
$SMARTLOGDIR/log/smartlog_server.elg
Notes
"cpwd_admin list" command shows the process as "SMARTLOG_SERVER"
To stop

[Expert@HostName]# smartlogstop

To start

[Expert@HostName]# smartlogstart

Debug
  1. Stop SmartLog:
    smartlogstop
  2. Start SmartLog under debug:
    env TDERROR_ALL_ALL=5 $SMARTLOGDIR/smartlog_server 1>> /var/log/smartlog.debug 2>> /var/log/smartlog.debug
  3. Replicate the issue
  4. Stop debug - press CTRL+C.
  5. Start SmartLog normally:
    smartlogstart

 

 

DAService:

Description

Check Point Upgrade Service Engine (CPUSE) - former 'Gaia Software Updates' service (refer to sk92449).

Path
$DADIR/bin/DAService
Logfile
/opt/CPInstLog/DeploymentAgent.log
/opt/CPInstLog/DA_UI.log
Notes
"cpwd_admin list" command shows the process as "DASERVICE"
(command is "$DADIR/bin/DAService_script" - this is a watchdog script that starts the $DADIR/bin/DAService if it is not running).
To stop
  1. [Expert@HostName]# $DADIR/bin/dastop
  2. [Expert@HostName]# dbget installer:stop
To start
  1. [Expert@HostName]# $DADIR/bin/dastart
  2. [Expert@HostName]# dbget installer:start
Debug

Refer to sk92449:

  1. Create the configuration file:
    touch $DADIR/bin/DAconf
  2. Add the following line (case-sensitive; spaces are not allowed):
    PING_TRACE=1
  3. Save the changes
  4. Re-load the new configuration:
    DAClient conf
  5. As soon as possible:
    1. Replicate the issue
    2. Delete the $DADIR/bin/DAconf file
    3. Re-load the configuration with DAClient conf command
  6. Analyze:
    /opt/CPInstLog/DeploymentAgent.log

 

 

CPSM (cpstat_monitor):

Description

Process is responsible for collecting and sending information to SmartView Monitor.

Path
$FWDIR/bin/cpstat_monitor
%FWDIR%\bin\cpstat_monitor
Logfile
$FWDIR/log/cpstat_monitor.elg
%FWDIR%\log\cpstat_monitor.elg
Notes
  • "cpwd_admin list" command shows the process as "CPSM".
  • By default, does not run in the context of Domain Management Servers.
  • By default, in MGMT HA runs only on "Active" Security Management Server.
Configuration
$RTDIR/conf/jetty.xml
$RTDIR/conf/solr.log4j.properties
$RTDIR/conf/solrConnectionConfig.xml
$RTDIR/log_indexes/solr.xml
To stop

[Expert@HostName]# cpwd_admin stop -name CPSM

To start

[Expert@HostName]# cpwd_admin start -name CPSM -path "$FWDIR/bin/cpstat_monitor" -command "cpstat_monitor"

Debug

Refer to sk108177
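
The checks the post describes for the STAT, #START and START_TIME columns, automated as an added example (not part of the original post and not Check Point code). The sample output is constructed, and the `[HH:MM:SS] D/M/YYYY` timestamp layout, the 10-minute skew threshold and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta
from statistics import median_low

# Constructed sample, not output from the post. Assumed layout: the seven
# columns the post lists, with START_TIME printed as "[HH:MM:SS] D/M/YYYY".
SAMPLE = """\
APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        5131   E     1       [09:14:03] 7/6/2018    Y    cpd
FWD        5302   E     1       [09:14:11] 7/6/2018    N    fwd -n
FWM        20177  E     3       [09:15:40] 7/6/2018    N    fwm
CPSM       0      T     1       [09:14:30] 7/6/2018    N    cpstat_monitor
LPD        18840  E     1       [16:42:57] 7/6/2018    N    lpd
"""

ROW = re.compile(
    r"(?P<app>\S+)\s+(?P<pid>\d+)\s+(?P<stat>[A-Z])\s+(?P<starts>\d+)\s+"
    r"\[(?P<time>\d\d?:\d\d:\d\d)\]\s+(?P<date>\d\d?/\d\d?/\d{4})\s+(?P<mon>\S+)\s+(?P<command>.+)"
)

def parse(text):
    """Return (rows, unparsed); unparsed lines expose a layout mismatch."""
    rows, unparsed = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ROW.fullmatch(line)
        if m:
            row = m.groupdict()
            row["starts"] = int(row["starts"])
            row["started"] = datetime.strptime(f"{row['date']} {row['time']}", "%d/%m/%Y %H:%M:%S")
            rows.append(row)
        elif line.split()[:2] != ["APP", "PID"]:  # the header row is expected
            unparsed.append(line)
    return rows, unparsed

def findings(rows, max_skew=timedelta(minutes=10)):
    """Map APP -> the checks from the post that the process fails."""
    out = {}
    reference = median_low(r["started"] for r in rows) if rows else None  # typical start time
    for r in rows:
        issues = []
        if r["stat"] != "E":
            issues.append("not running (STAT=%s)" % r["stat"])
        if r["starts"] > 1:
            issues.append("started %d times" % r["starts"])
        if abs(r["started"] - reference) > max_skew:
            issues.append("start time far from the other processes")
        if issues:
            out[r["app"]] = issues
    return out
```

On a live system the input would be the captured output of cpwd_admin list. Any line returned as unparsed means the assumed layout does not match, so an empty findings result should not be read as healthy.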
