Commonly Used Processes/Daemons
230194
Created On 04/09/19 19:18 PM - Last Modified 01/16/24 22:28 PM
Question
What are the processes running on the firewall responsible for?
Environment
Most hardware firewalls consist of a management plane and one or multiple dataplanes. Smaller platforms and VM-Series firewalls only have a management plane that runs the dataplane processes. Some larger platforms have an additional control plane, and Panorama does not have a dataplane.
Answer
Management Plane Processes
- Masterd: Manages all other daemons. Use CLI 'show system software status' to show all daemon statuses.
- Sysd: Manages inter-daemon communications.
- Mgmtsrvr: Management backend. Takes care of configuration management, commit, reporting, etc.
- Devsrvr: Takes care of pushing config to dataplane. Responsible for miscellaneous communication with dataplane (i.e., URL filtering request response).
- Useridd: Communicate with User-ID agents.
- Sslvpn: Secure web pages for SSL VPN and GlobalProtect.
- Rasmgr: Backend logic for SSL VPN and GlobalProtect.
- Sslmgr: Fulfill OCSP and CRL query request by daemons and dataplane. Manages OCSP and CRL repository.
- Satd: Satellite VPN.
- Cryptod: Encrypt and decrypt passwords, private keys, etc. in order to be included in configuration file.
- Ikemgr/Keymgr: ISAKMP daemon and IPSec key repository management.
- Authd: User authentication, lock account.
- Ha-agent: Manages HA status, configuration sync, etc.
- Logrcvr: Recording traffic log sent by dataplane.
- Varrcvr: Recording URL filtering log and packet capture sent by dataplane. Involved with WildFire logs.
- L3svc: Serves web pages for captive portal, NTLM authentication, URL admin override page and URL block page.
- Websrvr: Secures web pages for admin user interface.
- Routed: Routing daemon and dynamic routing.
- icd: identity client daemon is in charge of communication with the edge service to get verdict/policy recommendation for IOT devices.
- iotd: iot daemon is in charge of managing ip-device mapping in the local database of the firewall.
- distributord: has been introduced staring 10.0 to be the central point within PAN-OS to handle all redistribution exchanges.
- reportd: has been introduced to FW starting 10.1 to handle all reporting and report query functionalities.
Dataplane Processes
- Sysdagent: Communicates with sysd on management plane. Monitors dataplane and management plane.
- Brdagent: Configuration, management, and monitor peripheral chips and front-panel ports.
- Comm/pan_comm: Communicate with devsrvr. Participate in commit and other configuration changes. Pushes serialized buffer to pan_comm, which pushes to shared memory.
- Dha/pan_dha: Implement link/path monitoring and also responsible for status changes on interface status, etc.
- Mprelay: Communicate with routed, keymgr, etc. Implements VPN and PBF monitoring. Install or remove FIB and tunnels.
- Pan_tasks: Responsible for packet forwarding daemons. Runs on dedicated CPU cores.
- icd: identity client daemon is in charge of communication with the edge service to get verdict/policy recommendation for IOT devices.
- dssd: Distributed session synchronization daemon which manages the Distributed Session Synchronization functionalities, such as session cache, save, lookup, aging out etc