Security Servers

Overview

Security Servers on a Security Gateway are user space processes that perform content security and authentication for various protocols.

The parent process FWD on a Security Gateway starts the applicable Security Server process in these cases:

The Security Server processes save their messages in the corresponding log files (see sk97638).

The $FWDIR/conf/fwauthd.conf file on a Security Gateway contains the list of the supported Security Server user space processes:

  1. Connect to the command line on the Security Gateway.

  2. Log in to the Expert mode.

  3. Run:

    cat $FWDIR/conf/fwauthd.conf

    Example output from R81.20 Take 631 (manually formatted for better visibility):

    [Expert@MyGW:0]# cat $FWDIR/conf/fwauthd.conf
    21      fwssd             in.aftpd                     wait    0
    80      fwssd             in.ahttpd                    wait    -8
    513     fwssd             in.arlogind                  wait    0
    25      fwssd             in.asmtpd                    wait    0
    2525    fwssd             in.emaild.smtp               wait    0
    110     fwssd             in.emaild.pop3               wait    0
    23      fwssd             in.atelnetd                  wait    0
    #259    fwssd             in.aclientd                  wait    259
    10081   fwssd             in.lhttpd                    wait    0
    900     fwssd             in.ahclientd                 wait    900
    45232   fwdlp             fwdlpd                       wait    -6
    45233   cp_file_convert   cp_file_convertd             wait    -6
    45234   dlp_fingerprint   dlp_fingerprintd             wait    0
    45235   fwdlp             discovery_fwdlpd             wait    -6
    45236   cp_file_convert   discovery_cp_file_convertd   wait    0
    45237   cp_file_convert   scrub_cp_file_convertd       wait    0
    45238   cp_file_convert   watermark_cp_file_convertd   wait    0
    0       fwssd             in.pingd                     respawn 0
    0       fwssd             in.asessiond                 respawn 0
    0       fwssd             in.aufpd                     respawn 0
    0       fwssd             in.ufclnt                    respawn 0
    0       fwssd             in.ufsrvr                    respawn 0
    0       vpn               vpnd                         respawn 0
    0       ccc               cccd                         respawn 0
    0       fwssd             mdq                          respawn 0
    0       stormd            stormd                       respawn 0
    0       igwd              igwd                         respawn 0
    0       fwssd             in.emaild.mta                respawn 0
    0       fwssd             in.msd                       respawn 0
    0       sds               sdsd                         respawn 0
    0       dtps              dtpsd                        respawn 0
    0       dtls              dtlsd                        respawn 0
    0       pdpd              pdpd                         respawn 0   -t
    0       pepd              pepd                         respawn 0   -t
    0       usrchkd           usrchkd                      respawn 0
    0       fwpushd           fwpushd                      respawn 0
    0       ted               ted                          respawn 0
    0       scrubd            scrubd                       respawn 0
    0       sessiond          sessiond                     respawn 0   sessiond.elg sessiond.C
    0       mta_monitor       mta_monitor                  respawn 0
    0       tpd               tpd                          respawn 0
    0       zphd              zphd                         respawn 0
    [Expert@MyGW:0]#

Important Notes

  1. Do not make any changes in the $FWDIR/conf/fwauthd.conf file unless Check Point R&D or Support explicitly told you to do so.

  2. In a Cluster, you must configure all the Cluster Members in the same way.

  3. Before you make any changes in the $FWDIR/conf/fwauthd.conf file, create a backup copy:

  4. If you changed the $FWDIR/conf/fwauthd.conf file on a Scalable Platform Security Group, then you must copy the modified file to all Security Group Members (SGMs):

    asg_cp2blades $FWDIR/conf/fwauthd.conf

  5. After you make changes in the $FWDIR/conf/fwauthd.conf file, you must stop and start all Check Point processes with the "cpstop ; cpstart" commands.

    This stops all traffic through the Security Gateway / Cluster / Security Group.

    In a cluster, this can cause a failover.

Explanation about the $FWDIR/conf/fwauthd.conf File

Each line in the file describes one Security Server. The columns, from the left:

1st column - Port number on which the Security Server process listens for incoming traffic. The value "0" means that a different port number cannot be configured.

    Note - To prevent a Security Server process from starting, add the pound "#" character at the beginning of this column. Example:

    #21 fwssd in.aftpd wait 0

    Examples: 21, 80, 0

2nd column - General name of the Security Server process.

    Examples: fwssd, vpn

3rd column - Specific name of the Security Server process.

    Examples: in.aftpd, usrchkd

4th column - Controls how the Security Server process is started:

  • wait - Starts the Security Server process only when the applicable incoming traffic arrives.

  • respawn - Makes sure that one Security Server process is always running.

    Examples: wait, respawn

5th column - Controls how many Security Server processes to start:

  • Value "0" means that only one Security Server process starts.

  • Value "8" means that a maximum of eight Security Server processes start.

  • A minus sign in front of the number means that the same Security Server process inspects the same connection (sticky inspection).

  • Values "259" and "900" are reserved for Client Authentication and denote a port number.

    Examples: 0, -8

6th column - Specific advanced parameters for the Security Server process:

  • -t or -d - Generate only basic log messages (-t) or debug log messages (-d).

  • sessiond.elg sessiond.C - The log file and the configuration file.

  • ssl:defaultCert - Use the default SSL certificate.

    Examples: -t, -d, sessiond.elg sessiond.C, ssl:defaultCert
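As an added worked example (not code from this page or from the Check Point product), the following Python reader applies the column rules above to a constructed sample of the file, a subset of the R81.20 lines shown earlier, and implements the two operations the Important Notes describe: commenting out a server line with "#" and checking that all Cluster Members / Security Group Members carry an identical file. The names parse_fwauthd, enabled_listeners, disable_server and members_consistent are this example's own; it calls no Check Point API and does not write to the gateway.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample for this example: a subset of the R81.20 fwauthd.conf
# lines shown on this page (not a complete file).
SAMPLE_FWAUTHD_CONF = """\
21      fwssd             in.aftpd                     wait    0
80      fwssd             in.ahttpd                    wait    -8
#259    fwssd             in.aclientd                  wait    259
900     fwssd             in.ahclientd                 wait    900
45232   fwdlp             fwdlpd                       wait    -6
0       fwssd             in.pingd                     respawn 0
0       pdpd              pdpd                         respawn 0   -t
0       sessiond          sessiond                     respawn 0   sessiond.elg sessiond.C
"""

# 5th-column values reserved for Client Authentication: they denote a port, not a count.
CLIENT_AUTH_RESERVED = (259, 900)


@dataclass
class SecurityServer:
    port: int                 # 1st column; 0 = the port cannot be changed
    main_process: str         # 2nd column, e.g. fwssd
    process: str              # 3rd column, e.g. in.aftpd
    start_mode: str           # 4th column: "wait" (on demand) or "respawn" (always running)
    count: int                # 5th column exactly as written, sign included
    extra: List[str] = field(default_factory=list)  # 6th column onward, e.g. ["-t"]
    enabled: bool = True      # False when the line is commented out with '#'

    @property
    def sticky(self) -> bool:
        """A minus sign means the same process instance inspects the same connection."""
        return self.count < 0

    @property
    def max_instances(self) -> int:
        """0 means a single process; 8 or -8 means up to eight; reserved values are ports."""
        if self.count in CLIENT_AUTH_RESERVED:
            return 1
        return abs(self.count) or 1


def parse_fwauthd(text: str) -> List[SecurityServer]:
    """Parse the file; a leading '#' on a server line marks it disabled, not deleted."""
    servers: List[SecurityServer] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        if len(fields) < 5:
            if not enabled:
                continue  # a plain comment rather than a disabled server line
            raise ValueError(f"malformed fwauthd.conf line: {raw!r}")
        port, main_proc, proc, mode, count = fields[:5]
        if mode not in ("wait", "respawn"):
            raise ValueError(f"unknown start mode {mode!r} in line: {raw!r}")
        servers.append(SecurityServer(int(port), main_proc, proc, mode, int(count), fields[5:], enabled))
    return servers


def by_process(text: str) -> Dict[str, SecurityServer]:
    """Index the parsed servers by their specific process name (3rd column)."""
    return {s.process: s for s in parse_fwauthd(text)}


def enabled_listeners(text: str) -> Dict[int, str]:
    """Ports on which an enabled Security Server accepts traffic; port-0 entries have none."""
    return {s.port: s.process for s in parse_fwauthd(text) if s.enabled and s.port != 0}


def disable_server(text: str, process: str) -> str:
    """Return the file text with the given server commented out with '#' (idempotent)."""
    out = []
    for raw in text.splitlines(keepends=True):
        fields = raw.lstrip("#").split()
        if len(fields) >= 3 and fields[2] == process and not raw.startswith("#"):
            raw = "#" + raw
        out.append(raw)
    return "".join(out)


def members_consistent(member_files: List[str]) -> bool:
    """Cluster / Security Group check: every member must carry the same servers and settings."""
    normalised = [" ".join(f.split()) for f in member_files]
    return all(n == normalised[0] for n in normalised)
```

To use it on a real gateway, copy $FWDIR/conf/fwauthd.conf off each member and pass its contents to parse_fwauthd; members_consistent takes one string per Cluster Member or SGM. The reader only produces edited text, so the notes above still apply to any change you then apply: back the file up first, copy it to every member, and restart with "cpstop ; cpstart".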

List of Security Servers

For additional information, see sk97638.

Columns: Main Security Server Process, Specific Security Server Process, Log File, Purpose, Description.

Main process      Specific process              Log file                                    Purpose             Description
fwssd             in.aclientd                   $FWDIR/log/aclientd.elg                     Authentication      Client Authentication process (port 259).
fwssd             in.aftpd                      $FWDIR/log/aftpd.elg                        Content inspection  FTP Security Server.
fwssd             in.ahclientd                  $FWDIR/log/ahclientd.elg                    Authentication      Client Authentication via Web (port 900); starts when a user initiates Client Authentication through a web browser.
fwssd             in.ahttpd                     $FWDIR/log/ahttpd.elg                       Content inspection  HTTP Security Server.
fwssd             in.arlogind                   $FWDIR/log/arlogind.elg                     Content inspection  RLogin Security Server.
fwssd             in.asessiond                  $FWDIR/log/asessiond.elg                    Authentication      Session Authentication Security Server Agent.
fwssd             in.asmtpd                     $FWDIR/log/asmtpd.elg                       Content inspection  SMTP Security Server (receives SMTP messages).
fwssd             mdq                           $FWDIR/log/mdq.elg                          Content inspection  Mail DeQueuer daemon (delivers mail messages queued by in.asmtpd).
fwssd             in.atelnetd                   $FWDIR/log/atelnetd.elg                     Content inspection  Telnet Security Server.
fwssd             in.aufpd                      $FWDIR/log/aufpd.elg                        Content inspection  URL Filtering Protocol (UFP) daemon (communicates with the UFP server).
fwssd             in.emaild.mta                 $FWDIR/log/emaild.elg                       Content inspection  E-Mail Security Server (Anti-Virus scanning of e-mails).
fwssd             in.emaild.pop3                $FWDIR/log/emaild.elg                       Content inspection  POP3 Security Server (Anti-Virus scanning of incoming e-mails).
fwssd             in.emaild.smtp                $FWDIR/log/emaild.elg                       Content inspection  SMTP Security Server (Anti-Virus scanning of outgoing e-mails).
fwssd             in.lhttpd                     $FWDIR/log/lhttpd.elg                       Load balancing      Load Balancing daemon: user mode process that listens for and redirects HTTP requests when the load balancing method is set to HTTP.
fwssd             in.msd                        $FWDIR/log/msd.elg                          Content inspection  Mail Security Daemon that queries the Commtouch engine for reputation.
fwssd             in.pingd                      $FWDIR/log/pingd.elg                        Load balancing      Load balancing and/or Client Authentication in "Wait" mode.
fwssd             in.ufclnt                     $FWDIR/log/ufclnt.elg                       Content inspection  URL Filtering Protocol Client (from R71, part of the URL Filtering engine in the kernel).
fwssd             in.ufsrvr                     $FWDIR/log/ufsrvr.elg                       Content inspection  URL Filtering Protocol Server (from R71, part of the URL Filtering engine in the kernel).
fwdlp             fwdlpd                        $FWDIR/log/fwdlp.elg                        Content inspection  Data Loss Prevention (DLP) core engine that performs the scanning / inspection.
fwdlp             discovery_fwdlpd              $FWDIR/log/discovery_fwdlpd.elg             Content inspection  Dedicated discovery process for the DLP core engine.
dlp_fingerprint   dlp_fingerprintd              $FWDIR/log/dlp_fingerprintd.elg             Content inspection  Identifies data by a unique signature (fingerprint) stored in your DLP repository.
cp_file_convert   cp_file_convertd              $FWDIR/log/cp_file_convertd.elg             Content inspection  Converts various file formats to plain text for scanning by the DLP engine.
cp_file_convert   discovery_cp_file_convertd    $FWDIR/log/discovery_cp_file_convertd.elg   Content inspection  Dedicated file conversion process for the DLP core engine.
cp_file_convert   scrub_cp_file_convertd        $FWDIR/log/scrub_cp_file_convertd.elg       Content inspection  Dedicated file conversion process for the Threat Extraction core engine.
cp_file_convert   watermark_cp_file_convertd    $FWDIR/log/watermark_cp_file_convertd.elg   Content inspection  Dedicated file conversion process for the DLP core engine.
vpn               vpnd                          $FWDIR/log/vpnd.elg                         VPN                 VPN daemon.
ccc               cccd                          $FWDIR/log/cccd.elg                         VPN                 Client Communication Channel (CCC) protocol.
sds               sdsd                          $FWDIR/log/sdsd.elg                         VPN                 Software Distribution Server; distributes software to SecureClient users.
dtps              dtpsd                         $FWDIR/log/dtpsd.elg                        VPN                 Desktop Policy Server; SecureClient users fetch their policy from it.
dtls              dtlsd                         $FWDIR/log/dtlsd.elg                        VPN                 Desktop Log Server; receives logs from SecureClient users.
pdpd              pdpd                          $FWDIR/log/pdpd.elg                         Content inspection  Identity Awareness Policy Decision Point.
pepd              pepd                          $FWDIR/log/pepd.elg                         Content inspection  Identity Awareness Policy Enforcement Point.
usrchkd           usrchkd                       $FWDIR/log/usrchkd.elg                      Content inspection  UserCheck main daemon that handles UserCheck requests (from the CLI / from the user) sent from the UserCheck Web Portal.
tpd               tpd                           $FWDIR/log/tpd.elg                          Content inspection  Threat Prevention Daemon: communicates with the kernel and handles User Space tasks.
ted               ted                           $FWDIR/log/ted.elg                          Content inspection  Threat Emulation daemon engine: emulates files and communicates with the cloud.
scrubd            scrubd                        $FWDIR/log/scrubd.elg                       Content inspection  Threat Extraction main daemon.
fwpushd           fwpushd                       $FWDIR/log/fwpushd.elg                      Content inspection  Mobile Access Push Notifications daemon, controlled by the "fwpush" command.
sessiond          sessiond                      $FWDIR/log/sessiond.elg                     Content inspection  Mobile Access session daemon.
mta_monitor       mta_monitor                   $FWDIR/log/mtad.elg                         Content inspection  Mail Transfer Agent (MTA) monitoring.
zphd              zphd                          $FWDIR/log/zphd.elg                         Content inspection  Zero Phishing daemon (R81.20 and higher).
igwd              igwd                          $FWDIR/log/igwd.elg                         Content inspection  Cooperative Enforcement (drops packets from endpoint computers that either do not have the Endpoint Security Client installed or are in a non-compliant state).
stormd            stormd                        $FWDIR/log/stormd.elg                       Content inspection  IPS Storm Center Module.