REFERENCE DB ONLINE
🛡️ Check Point
R81.x · GAiA OS · SmartConsole
Ports
Commands
Processes
Quick Tips
No results for your search
Management & Communication
PortProtoService / Purpose
257TCPFW1_log — gateway → management log transport (FWD daemon)
18184TCPFW1_lea — OPSEC Log Export API (FWD daemon)
18185TCPFW1_omi — OPSEC Object Management Interface
18186TCPFW1_omi-sic — OMI with SIC
18190TCPCPMI — legacy SmartConsole / fwm daemon; used by R80+ SmartConsole for legacy object types (CPM on 19009 is primary from R80+)
18191TCPNRB / Policy install push — FWD daemon on gateway receives install from management
18192TCPCP AMON / get_topology — FWD reports status, management pulls topology
18209TCPFW1_CPRID control / SIC services between gateway and ICA (status, issue, revoke certs)
18210TCPFW1_ica_pull — gateway pulls its SIC cert from ICA (CPCA daemon)
18211TCPFW1_ica_push — ICA pushes cert to gateway (CPD daemon); used during SIC establishment/reset, not day-to-day traffic
18221TCPCP_redundant — Check Point Redundant Management Protocol between Management Servers / CMAs (FWM daemon). Not SmartUpdate.
18264TCPFW1_ica_services — ICA CRL fetch and user registration
18265TCPFW1_ica_mgmt_tools — ICA management (central ICA admin on mgmt server)
19009TCPCPM — Check Point Management (primary SmartConsole port from R80+). Not ClusterXL.
8211TCPCPM local (loopback) / log server for R80 MDS
VPN & Encryption
PortProtoService / Purpose
500UDPIKE Phase 1 (ISAKMP)
4500UDPNAT-T (NAT Traversal)
50IP PROTOESP — Encapsulating Security Payload
51IP PROTOAH — Authentication Header
264TCPFW1_topo — SecuRemote/SecureClient topology download (FWD). Not Visitor Mode.
265TCPFW1_key — public key transfer (legacy SecuRemote)
443TCPVisitor Mode / SSL Network Extender / Mobile Access Portal
444TCPTCPT — Remote Access client fallback for Visitor Mode (by vpnd)
2746UDPSecuRemote IPsec UDP Encapsulation (legacy, pre-NAT-T)
3500UDPIKE (R81.10+, handled by iked on some configs)
30500 / 34500UDPIKED IKE / IKED NAT-T (R81.10+, iked daemon)
9993 / 9994 / 9996TCPCCCD / IKED / VPND session infrastructure manager (R81.10+)
1701UDPL2TP (IKED, R81.10+)
Cluster & HA
PortProtoService / Purpose
8116UDPCCP — ClusterXL Control Protocol (heartbeat & sync). No secondary CCP port exists.
256TCPFull Sync between cluster members (fwd, over Sync network)
Identity Awareness & LDAP
PortProtoService / Purpose
389TCP/UDPLDAP (Active Directory / User queries)
636TCPLDAPS — Secure LDAP (TLS)
3268TCPGlobal Catalog LDAP
3269TCPGlobal Catalog LDAPS
443TCPIdentity Collector / Terminal Server Agent → PDP
4100TCPIdentity Agent → PDP (default, configurable)
System & Monitoring
PortProtoService / Purpose
22TCPSSH — GAiA admin access
80TCPHTTP — Captive Portal (Identity Awareness)
161/162UDPSNMP — Get (161) / Trap (162)
443TCPGaia Portal / Captive Portal (HTTPS)
514UDPSyslog
6514TCPSyslog over TLS (if configured)
Firewall & Policy 
fw stat                  # Policy name & install status
fw ver                   # Firewall version
fw ctl pstat             # Kernel stats (connections, memory)
fw ctl zdebug drop       # Real-time dropped packets
fw ctl zdebug + drop     # Verbose drop debug
fw tab -t connections -s # Connections table summary
fw tab -t connections -u # Unlimited connections table (-f is "format", not "full")
fw getifs                # Show interfaces
fw fetch <mgmt_IP>       # Fetch policy from management
fw unloadlocal           # Unload local policy
fw monitor -e "accept;"  # Capture all accepted packets
fw monitor -e "accept ifid=2;" # Filter by interface ID (not -i <iface>)
SecureXL Acceleration 
fwaccel stat            # SecureXL status (on/off)
fwaccel stats           # Acceleration statistics
fwaccel stats -s        # Summary stats
fwaccel off             # Disable SecureXL
fwaccel on              # Enable SecureXL
fwaccel conns           # List accelerated connections
sim affinity -l         # Show CoreXL CPU affinity
CoreXL 
fw ctl multik stat      # CoreXL instances status
fw ctl affinity -l -r  # Show CPU affinity (full)
cpconfig               # Configure CoreXL instances
ClusterXL & HA 
cphaprob stat           # Cluster members state
cphaprob -a if          # Check interface status
cphaprob list           # List monitored processes
cphaprob -f list        # Full list with details
clusterXL_admin down    # Force failover (down this member)
clusterXL_admin up      # Bring member back up
fw hastat               # HA status
cpstop ; cpstart        # Restart all CP services
VPN 
vpn tu                  # VPN Tunnel Util (interactive)
vpn debug on            # Enable VPN debug
vpn debug off           # Disable VPN debug
vpn debug trunc         # Truncate VPN debug log
vpn drv stat            # VPN driver status
vpn overlap_encdom      # Check overlapping enc domains
vpn shell /show/tunnels/ike # List active IKE SAs (R81.10+; use vpn tu interactively)
vpn accel stat          # VPN acceleration status
Logging & Debug 
fw log                  # View FW log
fw log -f              # Follow live log
cpinfo -y all          # Full system diagnostic dump
cpinfo -o <file>       # Output cpinfo to file
fw ctl debug 0          # Reset all debug flags
fw ctl debug -buf 32768 # Set debug buffer size
fw ctl kdebug -T -f /tmp/out # Kernel debug to file
tcpdump -i eth0 -n    # Standard packet capture
fw ctl zdebug + drop     # Debug kernel drops (standalone zdebug is not a real command)
Management & SIC 
cpconfig               # Main config (SIC reset, licences)
fwm sic_reset          # Reset SIC on management
cpca_client lscert     # List certificates
cpca_client create_cert # Create new SIC cert
fw lichosts            # List licensed hosts
cplic print            # Show installed licences
cpstat fw              # FW statistics
cpstat blades          # Software blade stats
cpstat ha              # HA / cluster stats
System & GAiA 
cpview                 # Real-time performance monitor
top                    # System process monitor
cpwd_admin list        # WatchDog monitored processes
cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd" # Start FWD via WatchDog
show version all       # GAiA OS + CP version
show interfaces all    # All interface config
show route             # Routing table
show arp dynamic all   # ARP table (also: show arp static all / show arp proxy)
set interface eth0 state on # Enable interface
save config            # Save GAiA config
Upgrade & Migration 
migrate export         # Export management database
migrate import         # Import management database
installer              # CPUSE: use Clish installer menu or expert-mode installer binary (cpuse is not a shell command)
# upgrade_export is deprecated — use migrate export instead:
migrate export         # Export for upgrade (replaces upgrade_export)
cppkg print            # List available packages
FWD
Firewall Daemon
On SMS: log forwarding & Full Sync transport. On gateway: parent of vpnd/iked/cccd/fwssd and other user-space inspectors.
FWM
FireWall Management
SMS only. Handles legacy SmartConsole (CPMI/18190), policy verify & compile, management HA sync.
CPM
Check Point Management
SMS only (R80+). Java process backing the primary SmartConsole on TCP/19009.
CPD
Check Point Daemon
Core daemon — SIC, licensing, and status reporting to management
CPCA
CP Certificate Authority
Manages SIC certificate issuance and PKI operations
TED
Threat Emulation Daemon
File emulation sandbox (SandBlast / Threat Emulation blade). Actual process name is ted, not FGAED.
CPWD
WatchDog
Monitors CP processes and automatically restarts crashed daemons
RAD
Resource Advisor Daemon
URL Filtering, App Control, Anti-Bot, Anti-Virus, Zero Phishing ThreatCloud lookups. Not "Remote Access Daemon".
IKED
IKE Daemon
Manages IKE/IPSec VPN key exchange and tunnel negotiations
PDPD
Policy Decision Point
Identity Awareness — makes policy decisions based on user identity
PEPD
Policy Enforcement Point
Identity Awareness — enforces identity-based policy on traffic
VPND
VPN Daemon
Manages VPN tunnel state and VPN-related operations
RTMD
Real Time Monitoring
Collects performance metrics and statistics for SmartView
HTTPD
HTTP Daemon
Web portal for Mobile Access blade and Captive Portal
CPHAMCSET
ClusterXL Daemon
The actual ClusterXL user-space daemon. Started/stopped via cphastart/cphastop. Debug: $FWDIR/log/cphamcset.elg
CPHAD
pnote label (not a daemon)
Not a daemon process — it is the pnote name reported by cphaprob list when cphamcset fails to report state in time.
FWSSD
Security Server
Legacy proxy and authentication processes (HTTP, FTP, SMTP security servers)
CPRID
Remote Installation Daemon
Used for pushing packages and upgrades from SmartUpdate
SNMPD
SNMP Daemon
SNMP monitoring — responds to GET requests and sends TRAP alerts
SYSLOGD
Syslog Daemon
System logging — forwards logs to external syslog servers
First Command Per Problem Type
cphaprob stat
Cluster issue? Always run this first to check member states (Active/Standby/Down)
fwaccel stat
Performance issue? Check SecureXL acceleration status before anything else
fw ctl zdebug drop
Dropped packets? Real-time kernel drop debug — shows reason for each drop
cpinfo -y all
Opening a TAC case? Run this first — it's always the first thing support will ask for
vpn tu
VPN tunnel down? Use the interactive Tunnel Utility to delete and re-establish SAs
fw monitor -e "accept;"
Traffic not passing? Use fw monitor to see if packets even hit the firewall
Port Memory Tricks
Port 18190 / 19009
SmartConsole login — 19009 (CPM) is primary from R80+; 18190 (CPMI/fwm) handles legacy object types. Both generally need to be open.
Port 500 / 4500
IKE / NAT-T — always in VPN questions. 4500 only when NAT is between peers
Port 8116 UDP
CCP heartbeat — "if 8116 is blocked, the cluster breaks"
Port 18211
SIC cert push (ICA → gateway). Blocking it breaks new SIC establishment/reset, not day-to-day traffic on an already-established trust.