Table of Contents
Usage
Example
Explanation for 'fw ctl debug'
Explanation for 'fw ctl kdebug'
Debug severity
Kernel debugging options for Firewall module: FW
Kernel debugging options for VPN module: VPN
Kernel debugging options for Check Point Active Streaming module: CPAS
Kernel debugging options for Cluster module: cluster
Kernel debugging options for Web Intelligence module: WS
Kernel debugging options for FloodGate-1 (QoS) module: FG-1
Kernel debugging options for VoIP H323 module: h323
Kernel debugging options for Real Time Monitoring module: RTM
Kernel debugging options for Kernel Infrastructure module: kiss
Kernel debugging options for Kernel Infrastructure Flow module: kissflow
Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik
Kernel debugging options for Content Inspection module: CI
Kernel debugging options for Application Control Inspection module: APPI
Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader
Kernel debugging options for Next Rule Base module: NRB
Kernel debugging options for Resource Advisor module: RAD_KERNEL
Kernel debugging options for Struct Generator module: SGEN
Kernel debugging options for Web Intelligence Infrastructure module: WSIS
Kernel debugging options for Web Intelligence SIP Parser module: WS_SIP
Kernel debugging options for Data Leak Prevention module: DLPK
Kernel debugging options for Data Leak Prevention User module: DLPUK
Kernel debugging options for Identity Awareness module: IDAPI
Kernel debugging options for Stream File Type module: SFT
Kernel debugging options for UserCheck module: UC
Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT
Usage
# fw ctl debug -h :
# fw ctl debug [-x] [-m <module>] [+ | -] <options | all | 0>
# fw ctl debug [-t (NONE | ERR | WRN | NOTICE | INFO)] [-f (RARE | COMMON)]
# fw ctl kdebug [-i <file> | [-f] -o <file>] [-b <buffer size>] [-t | -T] [-p fld1[,fld2...]] [-m <num> [-s <size>]]
Example
# fw ctl debug 0
# fw ctl debug -buf 32000
# fw ctl debug -m fw + flags
# fw ctl debug -m VPN + flags
# fw ctl debug -m cluster + flags
# fw ctl debug -m h323 + flags
# fw ctl debug -m CPAS + flags
# fw ctl debug -m WS + flags
# fw ctl debug -m FG-1 + flags
# fw ctl debug -m RTM + flags
# fw ctl debug -m kiss + flags
# fw ctl debug -m kissflow + flags
# fw ctl debug -m multik + flags
# fw ctl debug -m APPI + flags
# fw ctl debug -m CI + flags
# fw ctl debug
# fw ctl debug -m
# fw ctl debug -m <module>
// in NGX only - prints the timestamp (t = seconds; T = microseconds); helps synchronize packets in debug with packets in FW Monitor
// prints specific fields: all | proc | pid | date | mid | type | freq | topic | time | ticks | tid | text | err | host
New in NGX:
# fw ctl kdebug -f -o <file_name> -m <num> -s <size>
file_name = name of the output file
num = maximum number of cyclic files to create
size = maximum size of each cyclic file in kilobytes
When the given <size> is reached (approximately), <file_name> is renamed to <file_name.0>, and a new <file_name> is created. If <file_name.0> already exists, then <file_name> is renamed to <file_name.1>, and so on, until the <num> limit is reached (then rotation takes place and the oldest files are deleted).
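A time-boxed capture built from the commands above, as an added example (not from the original document or from Check Point): it writes to cyclic files, keeps them owner-readable because some flags print keys in clear text, and always ends with fw ctl debug 0. FW_BIN, capture_kdebug and its argument order are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example: time-boxed kernel debug capture that always resets the flags.
# FW_BIN, capture_kdebug and its argument order are made up for this example.
# Typical call on a gateway, using cluster flags listed in this document:
#   capture_kdebug cluster "conf stat" /var/log/kdebug.txt 10 10000 60

FW_BIN="${FW_BIN:-fw}"    # point at a stub to dry-run away from the gateway

capture_kdebug() {
    # usage: capture_kdebug <module> "<flag ...>" <outfile> <num> <size_kb> <seconds>
    module=$1 flags=$2 out=$3 num=$4 size=$5 secs=$6

    # Validate everything before it reaches a root-level command.
    for n in "$num" "$size" "$secs"; do
        case $n in ''|*[!0-9]*) echo "not a number: $n" >&2; return 2 ;; esac
    done
    case $module in ''|*[!A-Za-z0-9_-]*) echo "bad module: $module" >&2; return 2 ;; esac
    case $(printf %s "$flags" | tr -d ' ') in
        ''|*[!A-Za-z0-9_]*) echo "bad flags: $flags" >&2; return 2 ;;
    esac

    old_umask=$(umask)
    umask 077     # output may hold keys in clear text: owner-only files
    rc=0

    # Reset to defaults, size the buffer as in the Example section, set flags.
    # $flags is unquoted on purpose so "conf stat" becomes two arguments;
    # the check above guarantees it holds no glob or shell metacharacters.
    if "$FW_BIN" ctl debug 0 &&
       "$FW_BIN" ctl debug -buf 32000 &&
       "$FW_BIN" ctl debug -m "$module" + $flags; then
        # Cyclic output: rotate at <size> KB, keep at most <num> files.
        "$FW_BIN" ctl kdebug -T -f -o "$out" -m "$num" -s "$size" &
        kpid=$!
        trap 'kill "$kpid" 2>/dev/null; "$FW_BIN" ctl debug 0; exit 130' INT TERM
        sleep "$secs"
        kill "$kpid" 2>/dev/null || true
        wait "$kpid" 2>/dev/null || true
        trap - INT TERM
    else
        rc=1
    fi

    "$FW_BIN" ctl debug 0 || rc=1    # never leave debug flags enabled
    umask "$old_umask"
    return "$rc"
}
```

Setting FW_BIN to a stub that only logs its arguments lets the sequence be reviewed before it is run on a production gateway.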
Debug severity
# fw ctl debug -m <module> <severity list> <subject list>
List of debug severities:
info = informational purposes only
warning = warnings: may affect connection behavior
error = errors: the connection is probably rejected
fatal = fatal errors: may prevent policy installation, etc.
List of debug subjects:
See the debug flags below
fw ctl debug -m fw
Explanation
Application Control accounting in Smart View Tracker log (also debug module 'APPI')
advanced patterns (signatures over port ranges) - runs under ASPII and CMI
Accelerated Stateful Protocol Inspection Infrastructure (INSPECT streaming)
ConnectControl - logical servers in kernel, load balancing
Bridge mode
cookie chain, chain modules
chain forwarding - related to fwha_perform_chain_forwarding global kernel variable
Common Internet File System (CIFS) - file sharing protocol in Windows-based networks
Citrix processing
Context Management Interface/Infrastructure - IPS signature manager
Connections Table issues
AV content inspection
operations on Memory context and CPU context in KISS module
virtual de-fragmentation, cookie issues (cookies in the data structure holding the packets)
CRYPTO-PRO Transport Layer Security (HTTPS inspection) - Russian VPN GOST
encrypted / decrypted packets, algorithms and keys are printed in clear text and cipher text
Mobile Access daemon
debug filter operations
Data Leak Prevention
DNS tunnels
DNS queries
DDoS attack mitigation (part of IPS)
kernel attachment - access to kernel is shown as log entries
associates a reason for (almost) every dropped packet
dynamic log enhancement (INSPECT logs)
End Point Quarantine (also AMD)
various general error messages (enabled by default)
dynamic table expiration issues (time-out)
packet filtering performed by kernel and all data loaded into kernel
FTP Data connections inspection (used to call applications over FTP Data - i.e., Anti-Virus)
cluster configuration - changes in the configuration and information about interfaces during traffic processing
holding mechanism and all packets being held / released
ICMP tunnels
interface-related information - accessing the interfaces, installing a filter on an interface
driver installation - NIC attachment (fw ctl install and fw ctl uninstall)
client integrity mechanics
IOCTL control messages - communication between kernel and daemons, un/loading of FW-1
IP options enforcement
IPS logs and IPS IOCTL
IPv6 traffic debug
kernel-buffer memory pool - e.g., encryption keys use these memory allocations
kernel dynamic tables infrastructure - reads and writes to the tables (machine can hang!)
memory leak detection mechanism
Link creation in Connections Table
everything related to calls in the log
INSPECT Virtual Machine - actual assembler commands being processed (FW can hang!)
e-mail issues - POP3, IMAP
Anti-Malware (Anti-Virus, Anti-Spam)
Windows OS: Transport Driver Interface information (interface-related information)
memory allocation issues
Media Gateway Control Protocol (complementary to H.323 and SIP)
miscellaneous helpful information - not shown with other flags
ISP Redundancy
prints output similar to fw monitor into the debug buffer (also enable the 'misc' flag)
prints output similar to fw monitor -p all into the debug buffer (also enable the 'misc' flag)
synchronization (in kernel) between cluster members of Multicast Routes that are added
msnms
multik
nac
nat
ndis
netquota
packet
packval
portscan
q
qos
rad
route
sam
scv
shmem
sip
smtp
sock
span
spii
synatk
sync
tcpstr
te
ua
ucd
user
utest
vm
wap
warning
wire
xlate
xltrc
zeco
Explanation
cluster related events
compression for encrypted connections
various status counters (typically for SmartView Monitor)
hardware acceleration issues
kernel attachment - access to kernel is shown as log entries
errors that should not happen, or errors that are critical to the working of the VPN module
GTP (GPRS Tunneling Protocol)
debugs notification of changes in interface status - up or down (received from OS).
turns on all IKE kernel debug in respect to moving the IKE to the interface, where it will eventually leave and the modification of the source IP of the IKE packet, depending on the configuration.
initializes the VPN kernel and kernel data structures, when kernel is up, or when policy is installed - it will also print the values of the flags that are set using CPSET upon policy reload
L2TP protocol related events
allocation of VPN pools and VPN contexts
information related to creation and destruction of MSA / MSPI
VPN multicast
information related to VPN and CoreXL interaction
nat
om_alloc
osu
packet
pcktdmp
policy
queue
rdp
ref
resolver
sas
sr
tagging
tcpt
tnlmon
topology
vin
warn
xl
Kernel debugging options for Check Point Active Streaming module: CPAS
If you want to make sure that the firewall accepted the flags, you need to run:
Flag       Explanation
api        interface layer messages
conns      detailed description of connections, and connection's limit-related messages
error      errors: the connection is probably rejected
events     event-related messages
ftp        messages of the FTP example server
glue       glue layer messages
http       messages of the HTTP example server
icmp       messages of the ICMP example server
notify     e-mail Messaging Security application
pkts       packets handling messages (allocation, splitting, resizing, etc.)
skinny     SCCP (Skinny Client Control Protocol - Cisco proprietary VoIP protocol)
sync       synchronization operations in cluster
tcp        TCP processing messages
tcpinfo    TCP processing messages - more detailed description
timer      reports of timer ticks (pours many messages, without real content)
warning    warnings: may affect connection behavior
There is also the SYNC flag, which is in the FW module and shows debug that is related to SYNC only.
Set this variable to print the contents of the packets in HEX format as "FW-1: fwha_print_packet: Buffer:"
# fw ctl set int fwha_dprint_io 1
Set this variable to enable all network-check printing
# fw ctl set int fwha_dprint_all_net_check 1
Flag       Explanation
accel      related to status and support of SecureXL (should be used in parallel with 'conf' flag)
ccp        reception/transmission of Cluster Control Protocol (CCP) packets
conf       configuration and policy installation
df         Decision Function - decides, which member will handle each packet in a Load Sharing mode
drop       connections dropped by the CXL Decision Function (DF) module (only in NGX) - excluding CCP packets
forward    Forwarding Layer messages - when sending and receiving a forwarded packet
if         interface tracking and validation - all the operations and checks on interfaces
log        creating and sending of logs by cluster (should be used in parallel with 'log' flag in 'fw' module)
mac        related to current configuration of and detection of cluster interfaces (should be used in parallel with 'conf' flag and 'if' flag)
nokia      related to cluster running on Nokia IPSO platform
pivot      related to ClusterXL Load Sharing Unicast mode (Pivot mode)
pnote      related to registering and monitoring of critical devices (pnotes)
select     packet selection - including Decision Function (DF)
stat       related to state of cluster members (state machine)
subs       Subscriber module - set of APIs, which enable user space processes (by using a DLL) to be aware of the current state of the ClusterXL state machine and other clustering configuration parameters.
timer      reports of cluster internal timers
fw ctl debug -m WS
Flag          Explanation
address       information about connection's IP address
body          HTTP body (content) layer
connection    connection layer
cookie        HTTP cookie header
coverage      shows the coverage times - entering, blocking, and time spent
error         errors: the connection is probably rejected
event         events
fatal         fatal errors: may prevent policy installation, etc.
global        global structure handling (usually policy related)
info          informational purposes only
ioctl         IOCTL control messages - communication between kernel and daemon, un/loading of FW-1
mem_pool      memory pool related
memory        memory allocation issues
module        module related
parser        HTTP header parser layer
parser_err
pfinder
pkt_dump
policy
regexp
report_mgr
session
spii
ssl_insp
sslt
stat
stream
subject
timestamp
uuid
vs
warning
Explanation
authenticated QoS feature
report matching process (debug version only)
report scheduling process (debug version only) - a good way to report the rates on rules
tracing each packet through FloodGate-1 points in the cookie chain
holding and releasing packets during critical actions (policy install / uninstall) internal Chain Q mechanism
Citrix processing
connection information and identification processing
DNS classification mechanism
kernel attachment - access to kernel is shown as log entries
dropped packets due to WFRED policy
dropped packets due to WFRED policy - with additional debug information (verbose version)
different error messages (default)
report rate statistics per interface and direction
currently unused
policy installation and building internal data structure (for future use)
low latency queuing
everything related to calls in the log
Load Sharing
memory allocation issues
CoreXL related
packet recording mechanism
QoS policy rules matching classification mechanism
QoS acceleration
reporting rule / connection rates - IQ Engine behaviour and status
failed to open a key from Check Point Registry ($CPDIR/registry/HKLM_registry.data)
failures in information gathering in RTM module (SmartView Monitor)
basic scheduling information
TCP streaming (re-transmission detection) mechanism
currently unused
reports of timer ticks (pours many messages, without real content)
URL and URI for QoS classification mechanism
used with other flags - for additional information
Explanation
VoIP debug general messages (for example, VOIP infrastructure)
CPAS TCP debug messages - since H323: H225 and H245 are over TCP; this flag is not included when debug is run with "all" flag (# fw ctl debug -m h323 all)
H323 decoder messages
different error messages (default)
H225 call signaling messages (SETUP, CONNECT, RELEASE COMPLETE, etc.)
H245 control signaling messages (OPEN LOGICAL CHANNEL, END SESSION COMMAND, etc.)
used for internal errors
H225 RAS messages (REGISTRATION, ADMISSION, and STATUS REQUEST / RESPONSE)
Explanation
displays SecureXL information regarding accelerated packets, connections, etc.
displays information about chain registering, and about the E2E chain function actions; this important flag helps you know if the E2E (VL) is identifying VL packets.
displays the same information as per_conn flag
kernel attachment - access to kernel is shown as log entries
different error messages (default)
displays information about RTM importing functions from other modules (FW-1, FG-1)
rarely used
RTM IOCTL control messages
displays information about how the RTM handles netmasks, if you are monitoring network object, which is a network
messages per connection (when a new connection is handled by RTM)
messages per packet (when a new packet arrives) - use it with care
currently unused
displays FireWall-1 load/unload messages (indicates that the RTM received the FW-1 callback)
displays information about RTM monitoring
displays various error messages (regarding tables info and other failures)
debugging the RTM top X monitoring sorting
displays information about how E2E modifies E2ECP protocol packets
currently unused
displays information about how the RTM calculates network topography
when Views are added or deleted
when Views are updated with new information
when Views are updated with new information
displays information regarding WebDefense views
Explanation
CPU benchmarker
Pattern Matcher (Deterministic Finite Automaton) compilation and execution
when FW driver is loaded / unloaded
different error messages (default)
FLow prOFILER
multi-threaded safe global hash tables
Memory Pool allocation for tables
multi-threaded safe hash tables
IOCTL control messages - communication between kernel and daemon
Kernel Worker thread statistics mechanism - resetting, initializing, turning off
Kernel Worker state and Pattern Matcher inspection
memory allocation issues
CPU counters, Memory counters, getting/setting of global kernel parameters
multi-threaded context - memory allocation, reference count
Perl Compatible Regular Expressions - execution, memory allocation
Pattern Matcher compilation and execution
Pattern Matcher DFA (dumping XMLs of DFAs)
Pattern Matcher compilation
Memory Pool allocation issues
Kernel Worker thread queues
Regular Expression Matcher - Pattern Matcher 2nd tier (slow path)
System Memory allocation
shared memory allocation
String Matcher - Pattern Matcher 1st tier (fast path)
statistics for categories and maps
registration of Software Blades
currently unused (Thin NFA)
kernel thread that supplies kernel thread low level APIs
User Space platform memory usage
virtual buffer
warnings (default)
Kernel Worker - queuing and dequeuing
Explanation
Pattern Matcher - pattern compilation
Pattern Matcher (Deterministic Finite Automaton) compilation and execution
different error messages (default)
memory allocation issues
Pattern Matcher - general information
warnings (default)
When enabling the 'multik' flag in the 'FW' module, it enables all the flags in this module except for flag 'packet'
Flag          Explanation
api           registration and unregistration of cross-instance function calls
clb           statistics collection for the core load balancer utility
conn          creation and deletion of connections in the dispatcher table
counter       cross-instance counter infrastructure
error         various error conditions in CoreXL infrastructure
event         cross-instance event aggregation infrastructure
fwstats       FW-1 statistics
ioctl         distribution of IOCTLs to different instances
lock          obtaining and releasing fw_lock on multiple instances
message       cross-instance messages (used for local sync and port scanning)
packet        per packet, shows the dispatching decision - instance and reason
packet_err    invalid packets, for which dispatching decision can't be made
queue         packet queue
quota         cross-instance quota table (used by the network quota feature)
state         starting and stopping of instances, establishment of relationship between instances
uid           Cross-instance Unique IDs
fw ctl debug -m CI
Explanation
shows connection address [Source_IP:Source_Port -> Dest_IP:Dest_Port]
Anti-Virus inspection
shows the coverage times - entering, blocking, and time spent
basic information about encryption and decryption
various general error messages
fatal errors
basic information about URL filters
general information
currently unused
memory allocation issues
CI module operations - initialization, module loading, calls to module, policy loading, etc
information about CI policy
very basic information about CI module - initialization, destroying, freeing
regular expression library
session layer
Content Inspection statistics
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)
URL filters and URL cache
prints VSID of the debugged Virtual System
warnings
Explanation
accounting information
information about connection's IP address
browse time
APPI connections
shows the coverage times - entering, blocking, and time spent
various general error messages
global policy operations
general information
APPI limits
memory allocation issues
APPI module operations - initialization, module loading, calls to module, policy loading, etc
information about APPI policy
session layer
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)
URL Filtering for SSL
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader
If you want to make sure that the firewall accepted the flags, you need to run:
Flag             Explanation
address          information about connection's IP address
connection       currently unused
coverage         shows the coverage times - entering, blocking, and time spent
error            various general error messages
global_states    user space global states structures
info             general information
inspect          cmi_loader INSPECT code
memory           memory allocation issues
module           cmi_loader module operations - initialization, module loading, calls to module, contexts, etc
policy           policy installation
sigload          signatures, patterns, ranges
subject          shows the debug subject of each message
timestamp        a timestamp for each debug message (changes when 'coverage' is active)
verbose          used with other flags - for additional information
vs               prints VSID of the debugged Virtual System
warning          warnings
Explanation
information about connection's IP address
rules and applications
shows the coverage times - entering, blocking, and time spent
Data Leak Prevention
various general error messages
general information
rule matching
memory allocation issues
NRB module operations - initialization, module loading, calls to module, contexts, etc
policy installation
security rulebase
session layer
HTTPS SSL Inspection
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
Explanation
information about connection's IP address
RAD kernel malware cache
shows the coverage times - entering, blocking, and time spent
various general error messages
RAD global contexts
general information
memory allocation issues
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
Explanation
Struct Generator engine operations
various general error messages
fatal errors
operations on fields
general types macros
general information
loading of macros
serialization during loading of macros
warnings
Flag          Explanation
address       information about connection's IP address
common        prints a message when parameters are invalid
coverage      shows the coverage times - entering, blocking, and time spent
datastruct    data structure tree
decoder       decoder for content transfer encoding (UUEncode, UTF-8, HTML encoding &#)
error         various general error messages
info          general information
memory        memory allocation issues
parser        HTTP header parser layer
subject       shows the debug subject of each message
timestamp     a timestamp for each debug message (changes when 'coverage' is active)
verbose       used with other flags - for additional information
vs            prints VSID of the debugged Virtual System
warning       warnings
Kernel debugging options for Web Intelligence SIP Parser module: WS_SIP
If you want to make sure that the firewall accepted the flags, you need to run:
Flag          Explanation
address       information about connection's IP address
body          HTTP body (content) layer
connection    connection layer
cookie        HTTP cookie header
coverage      shows the coverage times - entering, blocking, and time spent
error         errors: the connection is probably rejected
event         events
fatal         fatal errors: may prevent policy installation, etc.
global        global structure handling (usually policy related)
info          informational purposes only
ioctl         IOCTL control messages - communication between kernel and daemon, un/loading of FW-1
mem_pool      memory pool related
memory        memory allocation issues
module        module related
parser        HTTP header parser layer
parser_err    HTTP header parsing errors
pfinder       pattern finder related
pkt_dump      traffic packet dump (requires connection)
policy
regexp
report_mgr
session
spii
ssl_insp
sslt
stat
stream
subject
timestamp
uuid
vs
warning
Explanation
various general error messages
HTTP Proxy, connection redirection, identity information, Async
DLP inspection
user identity, connection identity, Async
DLP rulebase match
counters statistics
warnings
Kernel debugging options for Data Leak Prevention User module: DLPUK
If you want to make sure that the firewall accepted the flags, you need to run:
Flag         Explanation
address      information about connection's IP address
buffer       currently unused
coverage     shows the coverage times - entering, blocking, and time spent
error        various general error messages
info         general information
memory       memory allocation issues
module       initiating / removing of DLPUK debug infrastructure
policy       currently unused
serialize    data buffers and data sizes
subject      shows the debug subject of each message
timestamp    a timestamp for each debug message (changes when 'coverage' is active)
verbose      used with other flags - for additional information
vs           prints VSID of the debugged Virtual System
warning      warnings
Explanation
information about connection's IP address
checking known network
shows the coverage times - entering, blocking, and time spent
Portal, IP address matching for Terminal Servers Identity Agent, session handling
various general error messages
checking for network IP address, working with kernel tables
general information
memory allocation issues
removing of IDAPI debug IS, failed to convert to Base64, failed to append src to dst
shows the debug subject of each message
IP test, IDAPI sync
a timestamp for each debug message (changes when 'coverage' is active)
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
Explanation
various general error messages
fatal errors
general information
rule match, database, connection processing, classification
warnings
fw ctl debug -m UC
Explanation
information about connection's IP address
shows the coverage times - entering, blocking, and time spent
various general error messages
hash table
general information
memory allocation issues
UC module initializing, UC table hits, finding User ID in cache, removing of UC debug IS
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
URL patterns, UC incidents, connection redirection
Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT
If you want to make sure that the firewall accepted the flags, you need to run:
Flag         Explanation
address      information about connection's IP address
coverage     shows the coverage times - entering, blocking, and time spent
error        various general error messages
global       global client
info         general information
memory       memory allocation issues
module       kernel handler, user mode handler,
policy       policy
subject      shows the debug subject of each message
timestamp    a timestamp for each debug message (changes when 'coverage' is active)
verbose      used with other flags - for additional information
vs           prints VSID of the debugged Virtual System
warning      warnings