FortiGate
gmanea
Staff
Article Id 190775

Description

 

This article describes the processes running on the FortiGate, explaining what each one does and how to list the running processes.
 
Scope
 
FortiGate.
 
Solution
 
Listing Running Processes on the FortiGate
To list the processes that are running in memory, run the following command:
 

diagnose sys top <refresh interval> <max # of lines> <iterations>

 

The above command can be run as-is (diagnose sys top), or with additional parameters that set the refresh interval of the data (default is 5 seconds), how many lines are displayed (default is 20), and the number of iterations to run (default is unlimited). For example, the following version of the command displays up to 200 processes every 10 seconds for 3 iterations:

 

diagnose sys top 10 200 3

 

Additionally, the output of the top command can be sorted in certain ways:

  • Hit the 'p' key to sort processes by CPU usage.
  • Hit the 'm' key to sort by memory usage.
  • Hit the 'n' key to sort by process ID value (very useful when gathering a sorted list of all processes running on the FortiGate).

 

Finally, the column output of top can be interpreted as follows:

 

 
List of Processes/Daemons on the FortiGate and their responsibilities
 
 
=== A to D ===
 
acd: Aggregate Controller process; handles LACP link-aggregation on the FortiGate.
 
authd: General authentication daemon; notably handles FSSO.
 
bcm.user: Userspace process that communicates with and manages the internal hardware switch (for FortiGates with Integrated Switch Fabrics based on the BCM SDK).
  • Do not kill this process manually, as it will cause an outage for FortiGate interfaces connected to the internal ISF until a system reboot is conducted.

 

bgpd: Handles the Border Gateway Protocol (BGP) dynamic routing protocol; part of the ZebOS Routing Daemons.

  • Notably, bgpd handles IPv4 and IPv6 within a single daemon (as opposed to RIP and OSPF having separate IPv4 and IPv6 daemons).

 

cfmd: Connectivity Fault Management daemon; useful for diagnosing/resolving issues within Ethernet networks (when configured).

 

cmdbsvr: Handles the internal database used to store the running state and configuration of the FortiGate. Also handles the saving of configuration changes to the filesystem/persistent boot storage.
 
cw_acd / cw_acd_helper / cu_acd: Handles management of FortiAP/FortiSwitch via CAPWAP traffic.
 
dhcpd / dhcpcd / dhcprd / dhcpsd: Daemons for handling DHCP functions on the FortiGate (c = client, s = server, r = relay).
 
dnsproxy: DNS helper process that performs a number of tasks including handling DNS caching on the FortiGate, DNS Filtering and inspection, DNS server functionality, etc.
  • In FortiOS 6.4 and earlier, dnsproxy always handled DNS traffic in a proxy-like fashion (even when performing flow-based inspection). In FortiOS 7.0 and later, DNS Filter duty is handled by the IPS Engine. See also: DNS filter handled by IPS engine in flow mode.
 
=== E to H ===
 
fcnacd: FortiClient NAC daemon; handles communication between FortiGate and FortiClient EMS.
fgfmd: FortiGate-FortiManager daemon; handles the establishment of fgfm secure management tunnels to FortiManager/FortiGate Cloud.
fnbamd: Handles remote user authentication (LDAP, RADIUS, FortiToken, etc.) as well as X.509 certificate verification.
foauthd: Handles authentication when Web Filter Override is configured.
forticldd: FortiCloud daemon; handles communication between the FortiGate and FortiCloud services (such as FortiGate Cloud).
forticron: Performs internal job scheduling, similar to Linux crontab.
fortilinkd: Handles management controller functionality for FortiSwitches connected to the FortiGate via FortiLink.
getty: Linux daemon that handles serial console logins on the FortiGate.
hasync: Performs object/session/configuration synchronization between members of a FortiGate High-Availability (HA) cluster. Can be restarted safely without disrupting traffic.
hatalk: Handles heartbeat/cluster communication between members of a FortiGate HA cluster. Restarting this process is not recommended, as it can lead to cluster instability and/or split-brain behavior.
httpsd: Provides HTTPS and REST API services on the FortiGate, including the administrative web GUI.
 
=== I to L ===
 
iked: Handles the negotiation and operation of all IPsec VPN tunnels on the FortiGate.
init (aka initXXXXXXXXXXX): Linux init process. First process to start that initializes the system and all other processes.
 
insmod - Linux utility for inserting modules into the Linux Kernel.
 
ipmc_sensord - Daemon responsible for monitoring onboard hardware sensors (e.g. temperature, PSU, fan speed, etc.)
 
ipsengine - Performs the actual security inspection of traffic in flow-based Firewall Policies using pattern-matching and signature-/heuristic-matching.
  • One of the ipsengine workers will have a 'master:1' flag signifying it as the master engine. The master ipsengine handles additional tasks, such as cleaning up SSL cache entries and updating signature databases on the Content Processor.
 
ipshelper - Handles configuration management tasks for IPS Engine as a whole, including monitoring CMDB config changes related to IPS and pushing them to the ipsengine workers.
  • Also handles the compilation of the IPS rule database and generating DFA entries for upload to the Content Processor (if present).

 

ipsmonitor - Oversees ipsengine workers and serves as a watchdog, starting/stopping/restarting engines as required.

  • Restarting ipsmonitor with diag test app ipsmonitor 99 gracefully restarts all ipsengine processes with no disruption to flow-based traffic sessions.
 
isisd - Handles the Intermediate System-to-Intermediate System (IS-IS) dynamic routing protocol; part of the ZebOS Routing Daemons.
 
=== M to P ===
 
merged_daemons - Legacy process that handles ipsufd (IPS URL Filter Daemon) as of Issue #458157
 
miglogd - Handles event logging on the FortiGate.
  • kmiglogd - the Kernel Log Daemon
 
newcli - Manages the creation or termination of CLI connections (management/telnet/GUI)
 
nsm - Network Services Module; component of the ZebOS routing software that manages the routing table by adding/removing routes.
 
ospfd - Handles the IPv4 Open Shortest Path First (OSPF) dynamic routing protocol; part of the ZebOS Routing Daemons.
 
ospf6d - Handles the IPv6 Open Shortest Path First v3 (OSPF6) dynamic routing protocol; part of the ZebOS Routing Daemons.
 
pdmd - Handles the Protocol-Independent Multicast Dense-Mode (PIM-DM) multicast routing protocol; part of the ZebOS Routing Daemons.
 
pimd - Handles the IPv4 Protocol-Independent Multicast Sparse-Mode (PIM-SM) multicast routing protocol; part of the ZebOS Routing Daemons.
 
pim6d - Handles the Protocol-Independent Multicast for IPv6 (PIMv6-SM) multicast routing protocol; part of the ZebOS Routing Daemons.
 
pyfcgid - Python Configuration Daemon; provides Web GUI services alongside httpsd.
 
=== Q to T ===
 
quard - Quarantine daemon.
 
reportd - Handles local report generation based on existing logs.
 
ripd - Handles the IPv4-based Routing Information Protocol (RIP) dynamic routing protocol; part of ZebOS Routing Daemons.
 
ripngd - Handles the IPv6-based Routing Information Protocol next generation (RIPng); part of the ZebOS Routing Daemons.
 
scanunit - Scanning unit; handles Antivirus scanning of certain traffic types.
 
sflowd - Handles sFlow and NetFlow functionality on the FortiGate (i.e. packet sampling and session statistic tracking).
 
snmpd - Handles SNMP connections as well as processing traps/queries.
 
src-vis - Handles Device Identification/Detection functionality on the FortiGate (i.e. creating MAC address entries and snooping traffic to identify a given device on the network).
 
sshd - Handles management connections to the FortiGate via SSH.
 
sslvpnd - Handles all SSL-VPN related tasks including authentication/authorization and VPN tunneling on the FortiGate.
 
=== U to X ===
 
updated - Handles communication with FortiGuard for the purposes of on-device database and licensing updates (such as IPS/AV databases, Internet Service DB, etc.)
 
uploadd - Fortinet upload daemon; handles the uploading of log files to FortiGate Cloud.
 
urlfilter - Caches and verifies URL requests against the Web Filter profile.
 
voipd - Performs proxying/inspection of SIP traffic using the SIP Application Layer Gateway (ALG).
 
vwl - Virtual WAN Link daemon (aka SD-WAN). Handles packet routing according to the SD-WAN configuration.
 
wad - Handles traffic proxying on the FortiGate, including Explicit Web Proxy, proxy-based security-inspection, and proxy-based Firewall Policy traffic.
 
=== Y to Z ===
 
zebos_launcher - Launcher daemon for the ZebOS routing software (handles routing tables on the FortiGate).
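
Added example (not part of the original article or Fortinet tooling): one way to use the list above as a baseline is to save the output of diagnose sys top, sorted by process ID, and flag any process name that is not on the list. The row layout (name, PID, state, CPU %, memory %) and the sample output are assumptions constructed for illustration; a name missing from the baseline is a candidate for review, since the running set varies by model and FortiOS version.

```python
import re

# Daemon names copied from this article's A-to-Z list (a subset, to keep the example short).
KNOWN = {
    "acd", "authd", "bgpd", "cmdbsvr", "cw_acd", "dnsproxy", "fcnacd", "fgfmd",
    "fnbamd", "forticron", "getty", "hasync", "hatalk", "httpsd", "ipsengine",
    "ipshelper", "ipsmonitor", "miglogd", "newcli", "nsm", "pyfcgid",
    "reportd", "scanunit", "snmpd", "src-vis", "sshd", "sslvpnd", "updated",
    "uploadd", "urlfilter", "voipd", "vwl", "wad", "zebos_launcher",
}

# Assumed row layout: name, PID, state letter (optional "<" or "N" flag), CPU %, memory %.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z])\s*[<N]?\s+(\d+\.\d+)\s+(\d+\.\d+)\s*$")

def parse_top(text):
    """Return one dict per process row; header lines do not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, pid, state, cpu, mem = m.groups()
            rows.append({"name": name, "pid": int(pid), "state": state,
                         "cpu": float(cpu), "mem": float(mem)})
    return rows

def is_known(name):
    # The article lists init as "init (aka initXXXXXXXXXXX)", so accept the suffixed form.
    return name in KNOWN or name.startswith("init")

def unknown_processes(rows):
    """Names (with PIDs) that are absent from the baseline: candidates for review."""
    return sorted({(r["name"], r["pid"]) for r in rows if not is_known(r["name"])})

# Constructed sample output; "sysupd" is a made-up name, not a real daemon or indicator.
SAMPLE = """\
Run Time:  12 days, 3 hours and 41 minutes
1U, 0N, 0S, 99I, 0WA, 0HI, 0SI, 0ST; 3962T, 2210F
       ipsengine      245      S <     1.9     4.8
             wad      231      S       0.5     3.1
             wad      232      S       0.1     2.9
          httpsd      198      S       0.0     1.4
 initXXXXXXXXXXX        1      S       0.0     0.3
          sysupd     4412      S       0.7     0.2
"""

if __name__ == "__main__":
    for name, pid in unknown_processes(parse_top(SAMPLE)):
        print(f"not in baseline: {name} (pid {pid})")
```
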
 
 
 
The following applications / daemons can be further diagnosed.
(This list is available in FortiOS 6.2; older firmware may have fewer options or different names.)
 
This list is available by typing in the command line: '# diagnose debug application ?'.
 
 
http                  HTTP proxy.
smtp                  SMTP proxy.
ftpd                  FTP proxy.
pop3                  POP3 proxy.
imap                  IMAP proxy.
nntp                  NNTP proxy.
proxy                 Proxy.
radvd                 Router adv daemon.
miglogd               Log daemon.
kmiglogd              Kernel Log daemon.
forticldd             FortiCloud daemon.
alertmail             Alert mail daemon.
ppp                   PPP daemon.
l2tp                  L2TP daemon.
pptp                  PPTP daemon.
pptpc                 PPTP client.
authd                 Auth daemon.
foauthd               FortiguardOverride auth daemon.
fcnacd                FortiClient NAC daemon.
fcld                  Fclicense daemon.
fssod                 FSSO daemon.
dhcps                 DHCP server.
dhcp6s                DHCPv6 server.
update                Update daemon.
vpd                   VPN policy daemon.
fnbamd                Fortigate non-blocking auth daemon.
eap_proxy             EAP proxy daemon.
ipsmonitor            ips monitor
ipsengine             ips sensor
urlfilter             Urlfilter daemon.
wf_monitor            WF monitor, parent of urlfilter daemon.
ddnscd                DDNS client daemon.
dhcprelay             DHCP relay daemon.
dhcp6r                DHCPv6 relay.
snmpd                 SNMP daemon.
chassis               Chassis daemon.
scanunit              Scanunit daemon (File scanning).
emailfilter           Emailfilter module.
wpad                  Port access entity daemon.
wpad-crash-hexdump    Dump wpad crash in hexedecimal format.
wpa-show-keys         Dump keys in wpad or wpas log.
wpa-timestamp         Dump timestamp in wpad or wpas log.
wifi                  WiFi setting.
dnsproxy              DNS proxy module.
sflowd                sFlow protocol module.
hatalk                HA protocol module.
hasync                HA synchronization module.
harelay               HA relay module. Relays the slave daemons' local-out tcp connection to the public network
hamonitord            HA monitor module.
quarantine            Quarantine daemon.
dhcpc                 DHCP client module.
zebos-launcher        ZebOS launcher daemon.
zebos                 ZebOS
modemd                MODEM daemon.
radiusd               RADIUS daemon.
sshd                  Sshd daemon.
sslvpn                SSL VPN proxy daemon
guacd                 Guacamole proxy daemon
info-sslvpn           SSL-VPN info daemon for Fortinet top bar.
sessionsync           Session sync daemon.
ipldbd                Ipldbd daemon.
crl-update            CRL update daemon.
alarmd                Alarmd daemon.
forticron             Forticron daemon.
uploadd               Upload daemon.
smbcd                 SMB client daemon.
samld                 SAML SSO daemon.
acd                   Aggregate Controller
alicloud-sdn          AliCloud SDN controller
alicloud-ha           AliCloud HA controller
sip                   SIP ALG.
sccp                  SCCP ALG.
ike                   IKE daemon.
ocvpn                 Overlay Controller VPN.
fgfmd                 FortiGate/FortiManager communication daemon.
wccpd                 WCCP daemon.
waocs                 WAN acceleration object cache storage.
wabcs                 WAN acceleration byte cache storage.
garpd                 VIP gratuitous ARP daemon.
scep                  SCEP
ipsufd                IPS URL filter resolver daemon.
cw_acd                Capwap AC daemon.
cw_acd_helper         Capwap AC helper daemon.
cw_acd_wpad           CAPWAP AC and WPA daemon (wpad).
cw_acd_wlev           CAPWAP AC daemon wireless event notification.
cu_acd                caputp AC daemon
fortilinkd            fortilink daemon
flcfgd                fortilink configuration daemon
rsyslogd              Rsyslogd daemon.
reportd               report daemon
dlp                   DLP
vrrpd                 VRRP daemon.
fgd_alert             FortiGuard alert message.
ntpd                  NTPd daemon.
fsd                   Forti-start daemon.
dlpfingerprint        DLP fingerprint daemon.
httpsd                HTTPS daemon.
stp                   Spanning Tree Protocol daemon.
spareblock            Set debug spare block count.
lted                  USB LTE daemon.
lldprx                Link Layer Discovery Protocol (LLDP) Receiver
lldptx                Link Layer Discovery Protocol (LLDP) Transmitter
src-vis               Source Visibility daemon.
wiredap               Wired AP (802.1X port-based auth) daemon.
dhcp6c                DHCPv6 client.
server-probe          Server probe daemon.
link-monitor          Link monitor daemon.
pppoed                PPPoE client Daemon.
ovrd                  Override daemon.
extenderd             Extender Wan daemon.
awsd                  Amazon Web Services (AWS) daemon.
netxd                 NetX REST API daemon.
gcpd                  Google Cloud Platform daemon.
azd                   Microsoft Azure daemon.
ocid                  Oracle Cloud Infrastructure (OCI) daemon
openstackd            OpenStack SDN connector daemon.
kubed                 Kubernetes daemon.
vmwd                  VMware vSphere daemon
init                  System init process.
mrd                   Mobile router daemon.
dssccd                PCI DSS Compliance Check daemon.
radius-das            RADIUS DAS daemon.
csfd                  Security Fabric daemon.
fsvrd                 FortiService daemon.
virtual-wan-link      Virtual-Wan-Link daemon.
ftm-push              FTM-Push daemon.
cmp                   CMPv2.
sdncd                 SDN Connector daemon.
ptpd                  Precision Time Protocol daemon.
autod                 Automation daemon.
bfdd                  BFD daemon.
fsso_ldap             FSSO LDAP daemon.
cmdbsvr               Applies configuration changes
updated               FortiGuard updates
wad                   WAN optimization, explicit proxy, proxy based inspection for HTTP and HTTPS, and FTP
proxyworker           Proxy-based inspection for IMAP, POP, SMTP
 

Some applications appear in the list of top processes but cannot be debugged or investigated in depth, because the information may not help with troubleshooting.

 

Related articles:

Technical Tip: How to list processes in FortiOS

Technical Tip: Diagnose sys top CLI command

Technical Tip: Restarting internal processes/daemons