Overview
©2015 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals 1
Introduction
Agenda
1 MGMT roles
2 Main processes
4 GUI DBedit
MGMT roles: Policy Configuration, Certificate Authority, Log Server and Status Monitoring
Policy Configuration
The MGMT server is the entity responsible for configuring, maintaining and deploying the policy among the different managed GWs.
Log Server
By default the MGMT server also functions as a log server, meaning that all managed GWs send their logs to the MGMT server.
It is also possible to install a dedicated log server in addition to the MGMT server.
Status Monitoring
The MGMT server is also responsible for monitoring the different Check Point products in the environment.
It monitors various parameters for each product (such as CPU and memory consumption, interfaces, statuses, etc.).
The different statuses are presented in SmartView Monitor.
fwm
Who is it?
The main process of the MGMT server is the fwm process. It only runs on MGMT products such as MGMT, Log server and Eventia.
The fwm process is responsible for most operations made in the MGMT server.
What does it do?
All communication between the different GUI clients (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.) and the MGMT server goes through the fwm process on the MGMT server, using the CPMI protocol (Check Point MGMT Interface) over port 18190.
In this scenario the SmartConsole applications act as CPMI clients while the fwm process acts as a CPMI server.
For example: whenever we connect to the MGMT server with SmartDashboard we are basically opening a connection from the GUI dashboard machine to the fwm process on the MGMT server over port 18190 via the CPMI protocol.
In the background: during the login process the GUI client sends CPMI commands to the fwm process asking it to present the database; the fwm process then sends the relevant database information, which allows us to view our database via SmartDashboard.
Note: In case the fwm process is down, or if port 18190 is blocked for some reason, it won't be possible to establish a connection to the MGMT server with any GUI client.
The fwm process is also responsible for performing all database tasks, such as creating, removing and modifying objects, rules, etc.
Whenever we create an object via SmartDashboard we are basically sending a CPMI command to the fwm process on the MGMT server requesting it to create the object.
3. Collecting statuses
All statuses presented in SmartView Monitor are collected by the fwm process.
The fwm process contacts the different GWs, asking them to send it their statuses, and then presents them in SmartView Monitor.
4. Policy compilation
As you will learn later on, the policy installation process has several stages.
The first stage in the policy installation process is verifying the policy and compiling it into a "language" the GW can understand and implement.
The verification and compilation stages are performed by the fwm process.
Each Check Point process (such as fwm) has a unique log file.
The name of the log file has the form <process name>.elg.
By default, only "critical" messages are written to the log file (for example: every time the fwm process starts or crashes).
Most Check Point log files are stored under $FWDIR/log, and some of them under $CPDIR/log.
Note: the fwm log file is called fwm.elg and is located under $FWDIR/log.
[FWM 2309 2002617920]@cpmodule [18 Dec 23:04:47] FWM: Sat Dec 18 23:04:47 2010
VPN-1 Power/UTM SmartCenter Server is running
FireWall-1 SmartCenter Server going to die on sig 15

FWM - the process name.
2309 - PID (process id). Each time a process comes up it gets a unique ID number from the operating system. This number (PID) accompanies the process until it is restarted (due to an administrator operation such as reboot, cpstop; cpstart, etc.) or crashes. Each of those scenarios is mentioned in the log file.
cpmodule - machine hostname.
[18 Dec 23:04:47] FWM - the date and time when the message was written. This information is extremely important to understand whether the message is relevant to the examined issue.
The remaining text (shown in pink on the slide) is the message itself, written into the fwm.elg file.
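The line anatomy above can be turned into a small parser. The following Python is an added example written for this page, not Check Point's code: it assumes the prefix layout shown on the slide, treats the third bracketed number (which the slide does not explain) as an opaque identifier, and runs over constructed sample lines modelled on the slide's line. It flags the two lifecycle messages the slide shows (server running / going to die on a signal) and reports PID changes, which per the slide mean a restart or a crash.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Prefix layout as shown on the slide:
#   [FWM 2309 2002617920]@cpmodule [18 Dec 23:04:47] FWM: <message>
# The third bracketed number is not explained on the slide; it is kept as an
# opaque string here (assumption).
ELG_LINE = re.compile(
    r"^\[(?P<proc>[A-Z]+) (?P<pid>\d+) (?P<ident>\d+)\]@(?P<host>\S+) "
    r"\[(?P<ts>\d{1,2} [A-Za-z]{3} \d{2}:\d{2}:\d{2})\] (?P<tag>[A-Z]+): (?P<msg>.*)$"
)


@dataclass
class ElgEntry:
    proc: str
    pid: int
    ident: str
    host: str
    timestamp: str  # day, month and time only; the year appears only inside some messages
    msg: str


def parse_elg_line(line: str) -> Optional[ElgEntry]:
    """Parse one .elg line; returns None for continuation lines or other output."""
    m = ELG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    return ElgEntry(m["proc"], int(m["pid"]), m["ident"], m["host"], m["ts"], m["msg"])


def lifecycle_events(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (pid, kind, message) for the start/stop messages the slide shows."""
    events = []
    for line in lines:
        e = parse_elg_line(line)
        if e is None:
            continue
        if "is running" in e.msg:
            events.append((e.pid, "start", e.msg))
        elif "going to die on sig" in e.msg:
            events.append((e.pid, "stop", e.msg))
    return events


def pid_changes(lines: List[str]) -> List[int]:
    """PIDs in order of first appearance; more than one means fwm was restarted or crashed."""
    seen: List[int] = []
    for line in lines:
        e = parse_elg_line(line)
        if e is not None and e.pid not in seen:
            seen.append(e.pid)
    return seen


# Constructed sample, modelled on the slide's line (not real log data).
SAMPLE = [
    "[FWM 2309 2002617920]@cpmodule [18 Dec 23:04:47] FWM: Sat Dec 18 23:04:47 2010 VPN-1 Power/UTM SmartCenter Server is running",
    "[FWM 2309 2002617920]@cpmodule [19 Dec 01:12:03] FWM: FireWall-1 SmartCenter Server going to die on sig 15",
    "[FWM 2411 2002617920]@cpmodule [19 Dec 01:12:40] FWM: Sun Dec 19 01:12:40 2010 VPN-1 Power/UTM SmartCenter Server is running",
    "a continuation line without a prefix",
]

if __name__ == "__main__":
    for pid, kind, msg in lifecycle_events(SAMPLE):
        print(f"{kind:5} pid={pid}: {msg}")
    print("PIDs seen:", pid_changes(SAMPLE))
```

Because the bracketed timestamp carries no year, the parser keeps it as text; when correlating against an issue's time window, take the year from the "is running" message or from the file's modification time.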
NOTE: In some cases we need to collect a more detailed output about the fwm process operation in order to troubleshoot the issue (for example if we can't connect to the MGMT server with the Dashboard). We will discuss this further on…
In order to enable the fwm process in debug mode we need to perform the following:
1. Start the fwm debug by running the following command on the MGMT server:
# fw debug fwm on TDERROR_ALL_ALL=5
Note: In order to print all data to a single file run:
# tail -f $FWDIR/log/fwm.elg &> <output file name>
2. Reproduce the problem, or take the relevant steps you want to investigate.
3. Stop the debug by running the following command on the MGMT server:
# fw debug fwm off TDERROR_ALL_ALL=0
Stop the tail with CTRL+C.
4. As mentioned previously, all output will be written to $FWDIR/log/fwm.elg*, or, if tail was used, to the <output file name>.
Another limitation is the amount of fwm log files: only 10 are kept.
In case the system tries to write a new log file (the 11th), the oldest log file (fwm.elg.8) is removed automatically and all other log files are renamed accordingly.
Note: fwm.elg will always contain the most recent info written by the fwm process.
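The rotation rule described above (10 files kept, fwm.elg.8 dropped, the rest renamed) modelled in Python as an added example; this is not Check Point's own rotation code, the in-memory directory and its contents are constructed, and MAX_FILES = 10 follows the slide. reading_order() returns the files oldest-first, so debug output that has spread across fwm.elg* can be read chronologically.

```python
from typing import Dict, List

MAX_FILES = 10              # per the slide: fwm.elg plus fwm.elg.0 .. fwm.elg.8
LAST_KEPT = MAX_FILES - 2   # highest numbered file that survives a rotation (.8)


def _number(name: str, base: str):
    """Return the rotation number of base.N, or None for other names."""
    suffix = name[len(base) + 1:]
    if name.startswith(base + ".") and suffix.isdigit():
        return int(suffix)
    return None


def rotate(files: Dict[str, str], base: str = "fwm.elg") -> Dict[str, str]:
    """One rotation as the slide describes: base -> base.0, base.N -> base.N+1,
    base.8 is removed, and a fresh empty live file is created."""
    rotated: Dict[str, str] = {}
    for name, content in files.items():
        n = _number(name, base)
        if name == base:
            rotated[f"{base}.0"] = content
        elif n is not None:
            if n < LAST_KEPT:            # base.8 (the oldest) is dropped
                rotated[f"{base}.{n + 1}"] = content
        else:
            rotated[name] = content      # unrelated files are untouched
    rotated[base] = ""                   # new live file, empty for now
    return rotated


def reading_order(names, base: str = "fwm.elg") -> List[str]:
    """Oldest to newest: fwm.elg.8, ..., fwm.elg.0, fwm.elg."""
    nums = sorted((n for n in (_number(x, base) for x in names) if n is not None),
                  reverse=True)
    order = [f"{base}.{n}" for n in nums]
    if base in names:
        order.append(base)
    return order


# Constructed directory: each file's content labels the fwm generation that wrote it.
DIRECTORY = {"fwm.elg": "gen-9"}
DIRECTORY.update({f"fwm.elg.{i}": f"gen-{8 - i}" for i in range(9)})

if __name__ == "__main__":
    after = rotate(DIRECTORY)
    for name in reading_order(after):
        print(f"{name:12} {after[name] or '(empty, live file)'}")
```

The point for troubleshooting is that after an fwm restart the messages you want may already be in fwm.elg.0 rather than fwm.elg, and that a verbose debug run can push older evidence out of the 10-file window entirely, which is why the slides suggest tailing into a separate output file.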
fwd
The fwd process is responsible for sending and receiving the logs between the different Check Point entities and the MGMT\log server (sometimes they are on the same machine).
What does it do?
On MGMT side: fwd listens on port 257, waiting for logs to be sent from the various GWs that are connected to it.
On GW side: fwd opens a connection to the fwd on the log\MGMT server side on port 257.
Note: In case fwd is down on either MGMT or GW, logging will not work.
To enable fwd debug use the same syntax as the fwm debug, replacing fwm with fwd:
1. Start the fwd debug by running the following command on the MGMT server:
# fw debug fwd on TDERROR_ALL_ALL=5
Note: In order to print all data to a single file run:
# tail -f $FWDIR/log/fwd.elg &> <output file name>
2. Reproduce the problem, or take the relevant steps you want to investigate.
3. Stop the debug by running the following command on the MGMT server:
# fw debug fwd off TDERROR_ALL_ALL=0
Stop the tail with CTRL+C.
4. As mentioned previously, all output will be written to $FWDIR/log/fwd.elg*, or, if tail was used, to the <output file name>.
Logging troubleshooting steps (from the flowchart on the slide):
- Check connectivity (PING).
- Verify SIC is properly working.
- Verify that FWD is up on both GW and MGMT/Log server: # cpwd_admin list
- Is the database out of sync? Install the database.
5. Is the log file growing on the Security Gateway? # cd $FWDIR/log ; # ls -la fw.log
6. Verify the connection is established on port 257: # netstat -nap | grep 257
7. Verify the policy configuration: FireWall object > Logging > Logs and Masters > Log Servers, then install the policy.
8. For more troubleshooting steps see sk32758, sk38848.
cpd
Status collection – the fwm process requests from the cpd process the statuses of the different Check Point Gateways and of the MGMT server itself, and then presents them in SmartView Monitor.
The protocol used to collect the statuses is called AMON, and it works over port 18192. In case the cpd process is down we will not be able to get the Gateway and MGMT statuses in SmartView Monitor.
Please test it yourself: open SmartView Monitor and check the current status of a MGMT server. Now kill the cpd process on the MGMT server side. As you can see, the MGMT server will now appear as 'Disconnected' although it is actually up and running; that is because fwm failed to receive the status from the cpd process (as it is down).
1. Start the cpd debug by running the following command on the MGMT server:
# cpd_admin debug on TDERROR_ALL_ALL=5
Note: In order to print all data to a single file run:
# tail -f $CPDIR/log/cpd.elg &> <output file name>
2. Reproduce the problem, or take the relevant steps you want to investigate.
3. Stop the debug by running the following command on the MGMT server:
# cpd_admin debug off TDERROR_ALL_ALL=0
Stop the tail with CTRL+C.
4. As mentioned previously, all output will be written to $CPDIR/log/cpd.elg*, or, if tail was used, to the <output file name>.
All processes take the settings for their operation and their environment variables from the registry file $CPDIR/registry/HKLM_registry.data.
cpca
The cpca process is a child process of the fwd process, meaning that if the fwd process is down for some reason, cpca will also be down.
In case cpca is down it will not be possible to generate any new certificate at that time.
The cpca process listens on ports:
18264 – used to retrieve the CRL
18265 – used for the "ICA management tool"
What does it do?
The cpca process is responsible for the ICA (Internal CA).
It is responsible for generating\modifying certificates for the defined Check Point entities.
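Logging troubleshooting step 6 above checks port 257 with netstat; the same check extends to every listener named on these slides (fwm 18190, fwd 257, cpd 18192, cpca 18264 and 18265). The following Python is an added example and not Check Point's tooling: it assumes the column layout of Linux netstat -nap output and runs over constructed sample lines (TEST-NET addresses) in which the 18265 listener is deliberately absent, so the check reports it as missing.

```python
import re
from typing import Dict, List

# Listeners named on these slides (port -> owning process and role).
EXPECTED_LISTENERS = {
    257: "fwd (logs from GWs)",
    18190: "fwm (CPMI, SmartConsole clients)",
    18192: "cpd (AMON status collection)",
    18264: "cpca (CRL retrieval)",
    18265: "cpca (ICA management tool)",
}

# Column layout of Linux `netstat -nap` (assumption):
# Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
NETSTAT_ROW = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<prog>\S+)$"
)


def parse_netstat(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only TCP rows; header lines and other protocols are skipped."""
    rows = []
    for line in lines:
        m = NETSTAT_ROW.match(line.strip())
        if not m:
            continue
        local_port = int(m["local"].rsplit(":", 1)[1])
        rows.append({"port": local_port, "remote": m["remote"],
                     "state": m["state"], "prog": m["prog"]})
    return rows


def check_listeners(rows) -> Dict[int, bool]:
    """Map each expected port to True when something is in LISTEN state on it."""
    listening = {r["port"] for r in rows if r["state"] == "LISTEN"}
    return {port: port in listening for port in EXPECTED_LISTENERS}


def missing_listeners(rows) -> List[str]:
    """Human-readable list of expected listeners that are not up."""
    return [f"{port}: {EXPECTED_LISTENERS[port]}"
            for port, ok in check_listeners(rows).items() if not ok]


def established_peers(rows, port: int) -> List[str]:
    """Remote endpoints with an ESTABLISHED session on the given local port
    (step 6: is a GW actually connected to fwd on 257?)."""
    return [r["remote"] for r in rows
            if r["state"] == "ESTABLISHED" and r["port"] == port]


# Constructed sample output; 18265 is deliberately absent.
SAMPLE_NETSTAT = """
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:257             0.0.0.0:*               LISTEN      2301/fwd
tcp        0      0 0.0.0.0:18190           0.0.0.0:*               LISTEN      2309/fwm
tcp        0      0 0.0.0.0:18192           0.0.0.0:*               LISTEN      2290/cpd
tcp        0      0 0.0.0.0:18264           0.0.0.0:*               LISTEN      2315/cpca
tcp        0      0 192.0.2.10:257          192.0.2.21:40122        ESTABLISHED 2301/fwd
""".strip().splitlines()

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("missing listeners:", missing_listeners(rows))
    print("GWs connected on 257:", established_peers(rows, 257))
```

A missing listener maps directly to the symptoms on these slides: no 18190 means no SmartConsole login, no 257 means no logging, no 18192 means "Disconnected" in SmartView Monitor, and no 18264/18265 means cpca (and therefore, per the slide, probably fwd) is down.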
1. Start the cpca debug by running the following command on the MGMT server:
# fw debug cpca on TDERROR_ALL_ALL=5
Note: In order to print all data to a single file run:
# tail -f $FWDIR/log/cpca.elg &> <output file name>
2. Reproduce the problem, or take the relevant steps you want to investigate.
3. Stop the debug by running the following command on the MGMT server:
# fw debug cpca off TDERROR_ALL_ALL=0
Stop the tail with CTRL+C.
4. As mentioned previously, all output will be written to $FWDIR/log/cpca.elg*, or, if tail was used, to the <output file name>.
Important database files
All the data presented in SmartDashboard is loaded from the MGMT server using the fwm process.
Most of the database files on the MGMT server are stored in the $FWDIR/conf directory, which is very important as it contains almost all of the Check Point database (rules, objects and all other configuration).
We will discuss 4 of the main DB files:
1. $FWDIR/conf/objects_5_0.C
2. $FWDIR/conf/fwauth.NDB
3. $FWDIR/conf/rulebases_5_0.fws
4. $FWDIR/conf/classes.C
$FWDIR/conf/fwauth.NDB
Contains all users and administrators information.
This file is a binary file and cannot be modified manually.
Any corruption in this file will cause the fwm process to crash.
This file can be removed: after performing # cpstop; cpstart a new file will be created; however, by removing this file the whole users database will be lost.
- At the bottom you can see all the object's fields (like IP address) and you can modify them if needed.
- Note there are some fields which will only appear in the relevant database file and will not appear in GUIDBEDIT.
The different Check Point processes and their responsibilities
How to identify objects in the objects_5_0.C file