
Kernel Debug Flags (R77.10)
Table of Contents
Usage
Example
Explanation for 'fw ctl debug'
Explanation for 'fw ctl kdebug'
Debug severity
Kernel debugging options for Firewall module: FW
Kernel debugging options for VPN module: VPN
Kernel debugging options for Check Point Active Streaming module: CPAS
Kernel debugging options for Cluster module: cluster
Kernel debugging options for Web Intelligence module: WS
Kernel debugging options for FloodGate-1 (QoS) module: FG-1
Kernel debugging options for VoIP H323 module: h323
Kernel debugging options for Real Time Monitoring module: RTM
Kernel debugging options for Kernel Infrastructure module: kiss
Kernel debugging options for Kernel Infrastructure Flow module: kissflow
Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik
Kernel debugging options for Content Inspection module: CI
Kernel debugging options for Application Control Inspection module: APPI
Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader
Kernel debugging options for Next Rule Base module: NRB
Kernel debugging options for Resource Advisor module: RAD_KERNEL
Kernel debugging options for Struct Generator module: SGEN
Kernel debugging options for Web Intelligence Infrastructure module: WSIS
Kernel debugging options for Web Intelligence SIP Parser module: WS_SIP
Kernel debugging options for Data Leak Prevention module: DLPK
Kernel debugging options for Data Leak Prevention User module: DLPUK
Kernel debugging options for Identity Awareness module: IDAPI
Kernel debugging options for Stream File Type module: SFT
Kernel debugging options for UserCheck module: UC
Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT

Usage
# fw ctl debug -h :
# fw ctl debug [-x] [-m <module>] [+ | -] <options | all | 0>
# fw ctl debug [-t (NONE | ERR | WRN | NOTICE | INFO)] [-f (RARE | COMMON)]
# fw ctl kdebug [-i <file> | [-f] -o <file>] [-b <buffer size>] [-t | -T] [-p fld1[,fld2...] [-m <num> [-s <size>]]

Example
# fw ctl debug 0                            // Setting kernel debug default options
# fw ctl debug -buf 32000                   // Setting kernel debug buffer
# fw ctl debug -m fw + flags                // FW debug
# fw ctl debug -m VPN + flags               // VPN debug
# fw ctl debug -m cluster + flags           // Cluster debug
# fw ctl debug -m h323 + flags              // H.323 debug
# fw ctl debug -m CPAS + flags              // CPAS debug
# fw ctl debug -m WS + flags                // Web Intelligence debug
# fw ctl debug -m FG-1 + flags              // FloodGate-1 (QoS) debug
# fw ctl debug -m RTM + flags               // Real-Time Monitoring debug
# fw ctl debug -m kiss + flags              // Kernel Infrastructure debug
# fw ctl debug -m kissflow + flags          // Kernel Infrastructure Flow debug
# fw ctl debug -m multik + flags            // Multi-Kernel Inspection debug
# fw ctl debug -m APPI + flags              // Application Control debug
# fw ctl debug -m CI + flags                // Content Inspection (AV) debug
# fw ctl debug -m cmi_loader + flags        // IPS CMI debug
# fw ctl debug -m dlpk + flags              // Data Leak Prevention (DLP) debug
# fw ctl debug -m IDAPI + flags             // Identity Awareness debug
# fw ctl debug -m NRB + flags               // Next Rule Base debug
# fw ctl debug -m RAD_KERNEL + flags        // Resource Advisor debug
# fw ctl debug -m SGEN + flags              // Struct Generator debug
# fw ctl debug -m WSIS + flags              // Web Intelligence Infrastructure debug
# fw ctl debug -m SFT + flags               // Stream File Type debug
# fw ctl debug -m WS_SIP + flags            // Web Intelligence SIP Parser debug
# fw ctl debug -m ICAP_CLIENT + flags       // Internet Content Adaptation Protocol client debug
# fw ctl debug -m UC + flags                // UserCheck debug
# fw ctl kdebug -T -f > /var/log/kernel_debug.ctl    // output file

Sergei Shir (Intl TAC)
09 Sep 2014 21:29:00
Kernel Debug flags (R77.10)
Classification: [Protected]

Explanation for 'fw ctl debug'


# fw ctl debug 0                // defaults (clears) all kernel debugging options
# fw ctl debug -x               // disables all kernel debugging options :
                                // de-allocates the buffer & automatically kills fw ctl debug process
# fw ctl debug -buf <size>      // allocates the buffer (OS will use maximal available buffer) :
                                // MIN value 128kB ; MAX value in NG is 16MB ,
                                // MAX value in VSX NGX is 16MB , MAX value in NGX is 32MB
# fw ctl debug                  // displays ALL kernel modules and their flags THAT WERE TURNED ON
# fw ctl debug -m               // displays ALL kernel modules and their flags that the machine understands
# fw ctl debug -m <module>      // displays the flags for this module THAT WERE TURNED ON

Explanation for 'fw ctl kdebug'


# fw ctl kdebug -t / -T         // in NGX only - prints the timestamp (t = seconds ; T = microseconds);
                                // helps synchronize packets in debug with packets in FW Monitor
# fw ctl kdebug -p <field>      // prints specific fields : all | proc | pid | date | mid | type |
                                // freq | topic | time | ticks | tid | text | err | host

New in NGX :
# fw ctl kdebug -f -o <file_name> -m <num> -s <size>
file_name = name of the output file
num       = maximum number of cyclic files to create
size      = maximum size of each cyclic file in kilobytes
When the given <size> is reached (more or less), <file_name> is renamed to <file_name.0>, and a new <file_name> is created. If <file_name.0> already exists, then <file_name> is renamed to <file_name.1>, and so on - until the <num> limit is reached (then the rotation takes place - the oldest files are simply deleted).

Debug severity
# fw ctl debug -m <module> <severity list> <subject list>
List of debug severities:
info    = informational purposes only
warning = warnings: may affect connection behavior
error   = errors: the connection is probably rejected
fatal   = fatal errors: may prevent policy installation, etc.
List of debug subjects:
See the debug flags below


Kernel debugging options for Firewall module: FW


If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m fw

Flag            Explanation
acct            Application Control accounting in Smart View Tracker log (also debug module 'APPI')
advp            advanced patterns (signatures over port ranges) - runs under ASPII and CMI
aspii           Accelerated Stateful Protocol Inspection Infrastructure (INSPECT streaming)
balance         ConnectControl - logical servers in kernel , load balancing
bridge          Bridge mode
chain           cookie chain , chain modules
chainfwd        chain forwarding - related to fwha_perform_chain_forwarding global kernel variable
cifs            Common Internet File System (CIFS) - file sharing protocol in Windows-based networks
citrix          Citrix processing
cmi             Context Management Interface/Infrastructure - IPS signature manager
conn            Connections Table issues
content         AV content inspection
context         operations on Memory context and CPU context in KISS module
cookie          virtual de-fragmentation , cookie issues (cookies in the data structure holding the packets)
cptls           CRYPTO-PRO Transport Layer Security (HTTPS inspection) - Russian VPN GOST
crypt           encrypted / decrypted packets, algorithms and keys are printed in clear text and cipher text
cvpnd           Mobile Access daemon
dfilter         debug filter operations
dlp             Data Leak Prevention
dnstun          DNS tunnels
domain          DNS queries
dos             DDoS attack mitigation (part of IPS)
driver          kernel attachment - access to kernel is shown as log entries
drop            associates a reason for (almost) every dropped packet
dynlog          dynamic log enhancement (INSPECT logs)
epq             End Point Quarantine (also AMD)
error           various general error messages (enabled by default)
ex              dynamic table expiration issues (time-out)
filter          packet filtering performed by kernel and all data loaded into kernel
ftp             FTP Data connections inspection (used to call applications over FTP Data - i.e., Anti-Virus)
highavail       cluster configuration - changes in the configuration and information about interfaces during traffic processing
hold            holding mechanism and all packets being held / released
icmptun         ICMP tunnels
if              interface-related information - accessing the interfaces, installing a filter on an interface
install         driver installation - NIC attachment (fw ctl install and fw ctl uninstall)
integrity       client integrity mechanics
ioctl           IOCTL control messages - communication between kernel and daemons, un/loading of FW-1
ipopt           IP options enforcement
ips             IPS logs and IPS IOCTL
ipv6            IPv6 traffic debug
kbuf            kernel-buffer memory pool - e.g., encryption keys use these memory allocations
ld              kernel dynamic tables infrastructure - reads and writes to the tables (machine can hang!)
leaks           memory leak detection mechanism
link            Link creation in Connections Table
log             everything related to calls in the log
machine         INSPECT Virtual Machine - actual assembler commands being processed (FW can hang!)
mail            e-mail issues - POP3, IMAP
malware         Anti-Malware (Anti-Virus, Anti-Spam)
media           Windows OS: Transport Driver Interface information (interface-related information)
memory          memory allocation issues
mgcp            Media Gateway Control Protocol (complementary to H.323 and SIP)
misc            miscellaneous helpful information - not shown with other flags
misp            ISP Redundancy
monitor         prints output similar to fw monitor into the debug buffer (also enable the 'misc' flag)
monitorall      prints output similar to fw monitor -p all into the debug buffer (also enable the 'misc' flag)
mrtsync         synchronization (in kernel) between cluster members of Multicast Routes that are added when working with Dynamic Routing Multicast protocols
msnms           MSN over MSMS (MSN Messenger protocol) - always include sip flag
multik          CoreXL related (enables all the flags except for flag 'packet' in the 'MULTIK' module)
nac             Network Access Control (NAC) Blade (refer to Identity Awareness)
nat             NAT issues - basic information
ndis            Windows OS: Network Driver Interface Specification (interface-related information)
netquota        Network Quota IPS protection
packet          actions performed on packet - like accept, drop, fragment (esp. KFUNCs called by INSPECT)
packval         stateless verifications - sequences, fragments, translations and other header verifications
portscan        port scanning prevention mechanics
q               driver queue - e.g., synchronization operations (crucial for ClusterXL debugging)
qos             QoS (FloodGate-1)
rad             Resource Advisor policy
route           routing debugging (ISP Redundancy, fwcookie code)
sam             Suspicious Activity Monitoring (OPSec)
scv             SecureClient Verification
shmem           shared memory - currently is not used
sip             VoIP traffic - SIP and H323
smtp            e-mail issues - SMTP
sock            Sockstress TCP DoS attack (CVE-2008-4609)
span            mirror port (duplicates the network traffic and records the activity in logs)
spii            Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure
synatk          'SYN Attack' (SYNDefender) IPS protection
sync            synchronization operations in ClusterXL
tcpstr          TCP streaming mechanism
te              prints name of an interface for incoming connection from Threat Emulation Machine
ua              VoIP traffic - Universal Alcatel "UA" Protocol
ucd             UserCheck connections to other cluster members
user            User Space communication with Kernel Space (most useful for configuration and VSX debug)
utest           currently is not used
vm              Virtual Machine chain decisions on traffic going through fw_filter_chain
wap             Multimedia Messaging Service (Wireless Application Protocol)
warning         various general warning messages (enabled by default)
wire            wire-mode Virtual Machine chain module
xlate           NAT issues - basic information
xltrc           NAT issues - additional information - going through NAT rulebase
zeco            Zero-Copy kernel module memory allocations

Kernel debugging options for VPN module: VPN


If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m VPN

Flag            Explanation
cluster         cluster related events
comp            compression for encrypted connections
counters        various status counters (typically for SmartView Monitor)
cphwd           hardware acceleration issues
driver          kernel attachment - access to kernel is shown as log entries
err             errors that should not happen, or errors that are critical to the working of the VPN module
gtp             GTP (GPRS Tunneling Protocol)
ifnotify        debugs notification of changes in interface status - up or down (received from OS).
ike             turns on all IKE kernel debug in respect to moving the IKE to the interface, where it will eventually leave and the modification of the source IP of the IKE packet, depending on the configuration.
init            initializes the VPN kernel and kernel data structures, when kernel is up, or when policy is installed - it will also print the values of the flags that are set using CPSET upon policy reload
l2tp            L2TP protocol related events
mem             allocation of VPN pools and VPN contexts
mspi            information related to creation and destruction of MSA / MSPI
multicast       VPN multicast
multik          information related to VPN and CoreXL interaction
nat             NAT issues , cluster IP manipulation (Virtual_IP-to-Member_IP and backwards)
om_alloc        allocation of Office Mode IP addresses
osu             Optimal Service Upgrade
packet          events that can happen for every packet, unless covered by more specific debug flags
pcktdmp         dumps the encrypted / decrypted packets (before encryption / after decryption)
policy          events that can happen only for a special packet in a connection, usually related to policy decisions or logs / traps
queue           handling of Security Association (SA) queues
rdp             handling of RDP packets
ref             information regarding reference counting for MSA / MSPI when storing or deleting SAs
resolver        link selection table manipulation and Certificate Revocation List (CRL), which is also part of the peer resolving mechanism
sas             printing of keys and SA information
sr              SecureClient/SecureRemote related issues
tagging         sets the VPN policy of a connection according to VPN communities, VPN Policy related info
tcpt            TCP Tunnel (Visitor mode) related information (FW traversal on port 443)
tnlmon          tunnel monitoring
topology        information related to VPN Link Selection
vin             information related to IPSec NIC interaction (on Windows OS only)
warn            warnings: may affect connection behavior
xl              Accelerator cards interaction (AC II / III / IV)
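
Several flag descriptions in this document carry cautions: fw 'ld' and 'machine' can hang the gateway, fw 'crypt' and VPN 'sas' / 'pcktdmp' put keys or decrypted packets into the debug output, and CPAS 'timer', FG-1 'timers' and RTM 'per_pckt' are very verbose. The shell script below is an added example, not part of the original document: it screens a requested flag list against those cautions and prints the command sequence from the Example section. The function names, the three category lists, the ALLOW_SECRETS variable and the 'umask 077' step are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original document. It only prints commands.
# The three category lists are this example's own grouping of flags whose
# table entries carry a caution.

# "(machine can hang!)" / "(FW can hang!)"
HANG_FLAGS="fw:ld fw:machine"
# keys, SA information or decrypted packets end up in the debug output
SECRET_FLAGS="fw:crypt VPN:sas VPN:pcktdmp"
# "pours many messages" / "use it with care"
NOISY_FLAGS="CPAS:timer FG-1:timers RTM:per_pckt"

# in_list KEY LIST -> status 0 when KEY is one of the words in LIST
in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# classify_flag MODULE FLAG -> prints hang | secret | noisy | ok
classify_flag() {
    if in_list "$1:$2" "$HANG_FLAGS"; then echo hang
    elif in_list "$1:$2" "$SECRET_FLAGS"; then echo secret
    elif in_list "$1:$2" "$NOISY_FLAGS"; then echo noisy
    else echo ok
    fi
}

# screen_flags MODULE FLAG...
# status 0 = proceed, 2 = refused (hang risk),
# 3 = refused (secrets in output) unless ALLOW_SECRETS=1 is set.
screen_flags() {
    sf_module="$1"; shift
    sf_verdict=0
    for sf_flag in "$@"; do
        case "$(classify_flag "$sf_module" "$sf_flag")" in
            hang)
                echo "refused: $sf_module/$sf_flag can hang the gateway" >&2
                return 2 ;;
            secret)
                if [ "${ALLOW_SECRETS:-0}" != 1 ]; then
                    echo "refused: $sf_module/$sf_flag puts keys or decrypted data in the output" >&2
                    sf_verdict=3
                fi ;;
            noisy)
                echo "note: $sf_module/$sf_flag is very verbose" >&2 ;;
        esac
    done
    return "$sf_verdict"
}

# plan_session MODULE OUTFILE FLAG... -> prints the command sequence from the
# Example section, or nothing (with the screen_flags status) on refusal.
plan_session() {
    ps_module="$1"; ps_out="$2"; shift 2
    screen_flags "$ps_module" "$@" || return $?
    ps_secret=0
    for ps_flag in "$@"; do
        if [ "$(classify_flag "$ps_module" "$ps_flag")" = secret ]; then
            ps_secret=1
        fi
    done
    echo "fw ctl debug 0"
    echo "fw ctl debug -buf 32000"
    echo "fw ctl debug -m $ps_module + $*"
    echo "fw ctl debug -m $ps_module"     # shows which flags were accepted
    if [ "$ps_secret" -eq 1 ]; then
        echo "umask 077"                  # this example's addition: owner-only output file
    fi
    echo "fw ctl kdebug -T -f > $ps_out"  # runs until interrupted
    echo "fw ctl debug 0"                 # always reset when the capture ends
}

# Constructed sample run
plan_session fw /var/log/kernel_debug.ctl conn drop
```

The plan always ends with 'fw ctl debug 0', so the flags are cleared even when the capture is cut short.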

Kernel debugging options for Check Point Active Streaming module: CPAS
If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m CPAS

Flag            Explanation
api             interface layer messages
conns           detailed description of connections, and connection's limit-related messages
error           errors: the connection is probably rejected
events          event-related messages
ftp             messages of the FTP example server
glue            glue layer messages
http            messages of the HTTP example server
icmp            messages of the ICMP example server
notify          e-mail Messaging Security application
pkts            packets handling messages (allocation, splitting, resizing, etc.)
skinny          SCCP (Skinny Client Control Protocol - Cisco proprietary VoIP protocol)
sync            synchronization operations in cluster
tcp             TCP processing messages
tcpinfo         TCP processing messages - more detailed description
timer           reports of timer ticks (pours many messages, without real content)
warning         warnings: may affect connection behavior


Kernel debugging options for Cluster module: cluster


If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m cluster

There is also the SYNC flag, which is in the FW module and shows debug that is related to SYNC only.
Set this variable to print the contents of the packets in HEX format as "FW-1: fwha_print_packet: Buffer:"
# fw ctl set int fwha_dprint_io 1
Set this variable to print all network checking messages
# fw ctl set int fwha_dprint_all_net_check 1

Flag            Explanation
accel           related to status and support of SecureXL (should be used in parallel with 'conf' flag)
ccp             reception/transmission of Cluster Control Protocol (CCP) packets
conf            configuration and policy installation
df              Decision Function - decides which member will handle each packet in a Load Sharing mode
drop            connections dropped by the CXL Decision Function (DF) module (only in NGX) - excluding CCP packets
forward         Forwarding Layer messages - when sending and receiving a forwarded packet
if              interface tracking and validation - all the operations and checks on interfaces
log             creating and sending of logs by cluster (should be used in parallel with 'log' flag in 'fw' module)
mac             related to current configuration of and detection of cluster interfaces (should be used in parallel with 'conf' flag and 'if' flag)
nokia           related to cluster running on Nokia IPSO platform
pivot           related to ClusterXL Load Sharing Unicast mode (Pivot mode)
pnote           related to registering and monitoring of critical devices (pnotes)
select          packet selection - including Decision Function (DF)
stat            related to state of cluster members (state machine)
subs            Subscriber module - set of APIs, which enable user space processes (by using a DLL) to be aware of the current state of the ClusterXL state machine and other clustering configuration parameters.
timer           reports of cluster internal timers

Kernel debugging options for Web Intelligence module: WS


If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m WS

Set this variable to debug specific Virtual System:
# fw ctl set int ws_debug_vs VSID
Set this variable to 0 (zero) to debug all Virtual Systems (default):
# fw ctl set int ws_debug_vs 0
Set this variable to debug specific IP address:
# fw ctl set int ws_debug_vs XXX.XXX.XXX.XXX
Set this variable to 0 (zero) to debug all IP addresses (default):
# fw ctl set int ws_debug_vs 0

Flag            Explanation
address         information about connection's IP address
body            HTTP body (content) layer
connection      connection layer
cookie          HTTP cookie header
coverage        shows the coverage times - entering, blocking, and time spent
error           errors: the connection is probably rejected
event           events
fatal           fatal errors: may prevent policy installation, etc.
global          global structure handling (usually policy related)
info            informational purposes only
ioctl           IOCTL control messages - communication between kernel and daemon, un/loading of FW-1
mem_pool        memory pool related
memory          memory allocation issues
module          module related
parser          HTTP header parser layer
parser_err      HTTP header parsing errors
pfinder         pattern finder related
pkt_dump        traffic packet dump (requires connection)
policy          policy (installation and enforcement)
regexp          regular expression library
report_mgr      report manager (errors and logs)
session         session layer
spii            Stateful Protocol Inspection Infrastructure (INSPECT streaming)
ssl_insp        HTTPS SSL Inspection
sslt            SSLT library
stat            memory usage statistics
stream          stream virtualization
subject         shows the debug subject of each message
timestamp       a timestamp for each debug message (changes when 'coverage' is active)
uuid            session UUID related
vs              prints VSID of the debugged Virtual System
warning         warnings: may affect connection behavior

Kernel debugging options for FloodGate-1 (QoS) module: FG-1


If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m FG-1

Flag            Explanation
auth            authenticated QoS feature
automatch       report matching process (debug version only)
autosched       report scheduling process (debug version only) - a good way to report the rates on rules
chain           tracing each packet through FloodGate-1 points in the cookie chain
chainq          holding and releasing packets during critical actions (policy install / uninstall) internal Chain Q mechanism
citrix          Citrix processing
conn            connection information and identification processing
dns             DNS classification mechanism
driver          kernel attachment - access to kernel is shown as log entries
drops           dropped packets due to WFRED policy
dropsv          dropped packets due to WFRED policy - with additional debug information (verbose version)
error           different error messages (default)
fwrate          report rate statistics per interface and direction
general         currently unused
install         policy installation and building internal data structure (for future use)
llq             low latency queuing
log             everything related to calls in the log
ls              Load Sharing
memory          memory allocation issues
multik          CoreXL related
pkt             packet recording mechanism
policy          QoS policy rules matching classification mechanism
qosaccel        QoS acceleration
rates           reporting rule / connection rates - IQ Engine behaviour and status
registry        failed to open a key from Check Point Registry ($CPDIR/registry/HKLM_registry.data)
rtm             failures in information gathering in RTM module (SmartView Monitor)
sched           basic scheduling information
tcp             TCP streaming (re-transmission detection) mechanism
time            currently unused
timers          reports of timer ticks (pours many messages, without real content)
url             URL and URI for QoS classification mechanism
verbose         used with other flags - for additional information


Kernel debugging options for VoIP H323 module: h323


If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m h323

Flag            Explanation
align           VoIP debug general messages (for example, VOIP infrastructure)
cpas            CPAS TCP debug messages - since H323 : H225 and H245 are over TCP ; this flag is not included when debug is run with "all" flag ( # fw ctl debug -m h323 all )
decode          H323 decoder messages
error           different error messages (default)
h225            H225 call signaling messages (SETUP, CONNECT, RELEASE COMPLETE, etc.)
h245            H245 control signaling messages (OPEN LOGICAL CHANNEL, END SESSION COMMAND, etc.)
init            used for internal errors
ras             H225 RAS messages (REGISTRATION, ADMISSION, and STATUS REQUEST / RESPONSE)

Kernel debugging options for Real Time Monitoring module: RTM


If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m rtm

Flag            Explanation
accel           displays SecureXL information regarding accelerated packets, connections, etc.
chain           displays information about chain registering, and about the E2E chain function actions; this important flag helps you know if the E2E (VL) is identifying VL packets.
con_conn        displays the same information as per_conn flag
driver          kernel attachment - access to kernel is shown as log entries
err             different error messages (default)
import          displays information about RTM importing functions from other modules (FW-1, FG-1)
init            rarely used
ioctl           RTM IOCTL control messages
netmasks        displays information about how the RTM handles netmasks, if you are monitoring network object, which is a network
per_conn        messages per connection (when a new connection is handled by RTM)
per_pckt        messages per packet (when a new packet arrives) - use it with care
performance     currently unused
policy          displays FireWall-1 load/unload messages (indicates that the RTM received the FW-1 callback)
rtm             displays information about RTM monitoring
s_err           displays various error messages (regarding tables info and other failures)
sort            debugging the RTM top X monitoring sorting
special         display information about how E2E modifies E2ECP protocol packets
tabs            currently unused
topo            display information about how the RTM calculates network topography
view_add        when Views are added or deleted
view_update     when Views are updated with new information
view_update1    when Views are updated with new information
wd              displays information regarding WebDefense views


Kernel debugging options for Kernel Infrastructure module: kiss


If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m kiss

Flag            Explanation
bench           CPU benchmarker
dfa             Pattern Matcher (Deterministic Finite Automaton) compilation and execution
driver          when FW driver is loaded / unloaded
error           different error messages (default)
flofiler        FLow prOFILER
ghtab           multi-threaded safe global hash tables
handles         Memory Pool allocation for tables
htab            multi-threaded safe hash tables
ioctl           IOCTL control messages - communication between kernel and daemon
kqstats         Kernel Worker thread statistics mechanism - resetting, initializing, turning off
kw              Kernel Worker state and Pattern Matcher inspection
memory          memory allocation issues
misc            CPU counters, Memory counters, getting/setting of global kernel parameters
mtctx           multi-threaded context - memory allocation, reference count
pcre            Perl Compatible Regular Expressions - execution, memory allocation
pm              Pattern Matcher compilation and execution
pmdump          Pattern Matcher DFA (dumping XMLs of DFAs)
pmint           Pattern Matcher compilation
pools           Memory Pool allocation issues
queue           Kernel Worker thread queues
rem             Regular Expression Matcher - Pattern Matcher 2nd tier (slow path)
salloc          System Memory allocation
shmem           shared memory allocation
sm              String Matcher - Pattern Matcher 1st tier (fast path)
stat            statistics for categories and maps
swblade         registration of Software Blades
thinnfa         currently unused (Thin NFA)
thread          kernel thread that supplies kernel thread low level APIs
usrmem          User Space platform memory usage
vbuf            virtual buffer
warning         warnings (default)
worker          Kernel Worker - queuing and dequeuing

Kernel debugging options for Kernel Infrastructure Flow module: kissflow


If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m kissflow

Flag            Explanation
compile         Pattern Matcher - pattern compilation
dfa             Pattern Matcher (Deterministic Finite Automaton) compilation and execution
error           different error messages (default)
memory          memory allocation issues
pm              Pattern Matcher - general information
warning         warnings (default)


Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik


If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m multik

When enabling the 'multik' flag in the 'FW' module, it enables all the flags in this module except for flag 'packet'

Flag            Explanation
api             registration and unregistration of cross-instance function calls
clb             statistics collection for the core load balancer utility
conn            creation and deletion of connections in the dispatcher table
counter         cross-instance counter infrastructure
error           various error conditions in CoreXL infrastructure
event           cross-instance event aggregation infrastructure
fwstats         FW-1 statistics
ioctl           distribution of IOCTLs to different instances
lock            obtaining and releasing fw_lock on multiple instances
message         cross-instance messages (used for local sync and port scanning)
packet          per packet, shows the dispatching decision - instance and reason
packet_err      invalid packets, for which dispatching decision cannot be made
queue           packet queue
quota           cross-instance quota table (used by the network quota feature)
state           starting and stopping of instances, establishment of relationship between instances
uid             Cross-instance Unique IDs

Kernel debugging options for Content Inspection module: CI


If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m CI

Flag            Explanation
address         shows connection address [Source_IP:Source_Port -> Dest_IP:Dest_Port]
av              Anti-Virus inspection
coverage        shows the coverage times - entering, blocking, and time spent
crypto          basic information about encryption and decryption
error           various general error messages
fatal           fatal errors
filter          basic information about URL filters
info            general information
ioctl           currently unused
memory          memory allocation issues
module          CI module operations - initialization, module loading, calls to module, policy loading, etc
policy          information about CI policy
profile         very basic information about CI module - initialization, destroying, freeing
regexp          regular expression library
session         session layer
stat            Content Inspection statistics
subject         shows the debug subject of each message
timestamp       a timestamp for each debug message (changes when 'coverage' is active)
uf              URL filters and URL cache
vs              prints VSID of the debugged Virtual System
warning         warnings


Kernel debugging options for Application Control Inspection module: APPI


If you want to make sure that the firewall accepted the flags, you need to run:
# fw ctl debug -m APPI

Flag            Explanation
account         accounting information
address         information about connection's IP address
btime           browse time
connection      APPI connections
coverage        shows the coverage times - entering, blocking, and time spent
error           various general error messages
global          global policy operations
info            general information
limit           APPI limits
memory          memory allocation issues
module          APPI module operations - initialization, module loading, calls to module, policy loading, etc
policy          information about APPI policy
session         session layer
subject         shows the debug subject of each message
timestamp       a timestamp for each debug message (changes when 'coverage' is active)
urlf_ssl        URL Filtering for SSL
verbose         used with other flags - for additional information
vs              prints VSID of the debugged Virtual System
warning         warnings

Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader

If you want to make sure that the firewall accepted the flags, you need to run:

fw ctl debug -m cmi_loader

Flag            Explanation
address         information about connection's IP address
connection      currently unused
coverage        shows the coverage times - entering, blocking, and time spent
error           various general error messages
global_states   user space global states structures
info            general information
inspect         cmi_loader INSPECT code
memory          memory allocation issues
module          cmi_loader module operations - initialization, module loading, calls to module, contexts, etc
policy          policy installation
sigload         signatures, patterns, ranges
subject         shows the debug subject of each message
timestamp       a timestamp for each debug message (changes when 'coverage' is active)
verbose         used with other flags - for additional information
vs              prints VSID of the debugged Virtual System
warning         warnings


Kernel debugging options for Next Rule Base module: NRB

If you want to make sure that the firewall accepted the flags, you need to run:

fw ctl debug -m NRB

Flag            Explanation
address         information about connection's IP address
appi            rules and applications
coverage        shows the coverage times - entering, blocking, and time spent
dlp             Data Leak Prevention
error           various general error messages
info            general information
match           rule matching
memory          memory allocation issues
module          NRB module operations - initialization, module loading, calls to module, contexts, etc
policy          policy installation
sec_rb          security rulebase
session         session layer
ssl_insp        HTTPS SSL Inspection
subject         shows the debug subject of each message
timestamp       a timestamp for each debug message (changes when 'coverage' is active)
verbose         used with other flags - for additional information
vs              prints VSID of the debugged Virtual System
warning         warnings

Kernel debugging options for Resource Advisor module: RAD_KERNEL

If you want to make sure that the firewall accepted the flags, you need to run:

fw ctl debug -m RAD_KERNEL

Flag            Explanation
address         information about connection's IP address
cache           RAD kernel malware cache
coverage        shows the coverage times - entering, blocking, and time spent
error           various general error messages
global          RAD global contexts
info            general information
memory          memory allocation issues
subject         shows the debug subject of each message
timestamp       a timestamp for each debug message (changes when 'coverage' is active)
verbose         used with other flags - for additional information
vs              prints VSID of the debugged Virtual System
warning         warnings

Kernel debugging options for Struct Generator module: SGEN

If you want to make sure that the firewall accepted the flags, you need to run:

fw ctl debug -m SGEN

Flag            Explanation
engine          Struct Generator engine operations
error           various general error messages
fatal           fatal errors
field           operations on fields
general         general types macros
info            general information
load            loading of macros
serialize       serialization during loading of macros
warning         warnings


Kernel debugging options for Web Intelligence Infrastructure module: WSIS

If you want to make sure that the firewall accepted the flags, you need to run:

fw ctl debug -m WSIS

Set this variable to debug specific Virtual System:
# fw ctl set int ws_debug_vs VSID
Set this variable to 0 (zero) to debug all Virtual Systems (default):
# fw ctl set int ws_debug_vs 0
Set this variable to debug specific IP address:
# fw ctl set int ws_debug_vs XXX.XXX.XXX.XXX
Set this variable to 0 (zero) to debug all IP addresses (default):
# fw ctl set int ws_debug_vs 0

Flag            Explanation
address         information about connection's IP address
common          prints a message when parameters are invalid
coverage        shows the coverage times - entering, blocking, and time spent
datastruct      data structure tree
decoder         decoder for content transfer encoding (UUEncode, UTF-8, HTML encoding &#)
error           various general error messages
info            general information
memory          memory allocation issues
parser          HTTP header parser layer
subject         shows the debug subject of each message
timestamp       a timestamp for each debug message (changes when 'coverage' is active)
verbose         used with other flags - for additional information
vs              prints VSID of the debugged Virtual System
warning         warnings

Kernel debugging options for Web Intelligence SIP Parser module: WS_SIP

If you want to make sure that the firewall accepted the flags, you need to run:

fw ctl debug -m WS_SIP

Set this variable to debug specific Virtual System:
# fw ctl set int ws_debug_vs VSID
Set this variable to 0 (zero) to debug all Virtual Systems (default):
# fw ctl set int ws_debug_vs 0
Set this variable to debug specific IP address:
# fw ctl set int ws_debug_vs XXX.XXX.XXX.XXX
Set this variable to 0 (zero) to debug all IP addresses (default):
# fw ctl set int ws_debug_vs 0

Flag            Explanation
address         information about connection's IP address
body            HTTP body (content) layer
connection      connection layer
cookie          HTTP cookie header
coverage        shows the coverage times - entering, blocking, and time spent
error           errors: the connection is probably rejected
event           events
fatal           fatal errors: may prevent policy installation, etc.
global          global structure handling (usually policy related)
info            informational purposes only
ioctl           IOCTL control messages - communication between kernel and daemon, un/loading of FW-1
mem_pool        memory pool related
memory          memory allocation issues
module          module related
parser          HTTP header parser layer
parser_err      HTTP header parsing errors
pfinder         pattern finder related
pkt_dump        traffic packet dump (requires connection)
policy          policy (installation and enforcement)
regexp          regular expression library
report_mgr      report manager (errors and logs)
session         session layer
spii            Stateful Protocol Inspection Infrastructure (INSPECT streaming)
ssl_insp        HTTPS SSL Inspection
sslt            SSLT library
stat            memory usage statistics
stream          stream virtualization
subject         shows the debug subject of each message
timestamp       a timestamp for each debug message (changes when 'coverage' is active)
uuid            session UUID related
vs              prints VSID of the debugged Virtual System
warning         warnings: may affect connection behavior

Kernel debugging options for Data Leak Prevention module: DLPK

If you want to make sure that the firewall accepted the flags, you need to run:

fw ctl debug -m dlpk

Flag            Explanation
error           various general error messages
cmi             HTTP Proxy, connection redirection, identity information, Async
drv             DLP inspection
identity        user identity, connection identity, Async
rulebase        DLP rulebase match
stat            counters statistics
warning         warnings

Kernel debugging options for Data Leak Prevention User module: DLPUK

If you want to make sure that the firewall accepted the flags, you need to run:

fw ctl debug -m dlpuk

Flag            Explanation
address         information about connection's IP address
buffer          currently unused
coverage        shows the coverage times - entering, blocking, and time spent
error           various general error messages
info            general information
memory          memory allocation issues
module          initiating / removing of DLPUK debug infrastructure
policy          currently unused
serialize       data buffers and data sizes
subject         shows the debug subject of each message
timestamp       a timestamp for each debug message (changes when 'coverage' is active)
verbose         used with other flags - for additional information
vs              prints VSID of the debugged Virtual System
warning         warnings


Kernel debugging options for Identity Awareness module: IDAPI

If you want to make sure that the firewall accepted the flags, you need to run:

fw ctl debug -m IDAPI

Flag            Explanation
address         information about connection's IP address
async           checking known network
coverage        shows the coverage times - entering, blocking, and time spent
data            Portal, IP address matching for Terminal Servers Identity Agent, session handling
error           various general error messages
htab            checking for network IP address, working with kernel tables
info            general information
memory          memory allocation issues
module          removing of IDAPI debug IS, failed to convert to Base64, failed to append src to dst
subject         shows the debug subject of each message
test            IP test, IDAPI sync
timestamp       a timestamp for each debug message (changes when 'coverage' is active)
verbose         used with other flags - for additional information
vs              prints VSID of the debugged Virtual System
warning         warnings

Kernel debugging options for Stream File Type module: SFT

If you want to make sure that the firewall accepted the flags, you need to run:

fw ctl debug -m SFT

Flag            Explanation
error           various general error messages
fatal           fatal errors
info            general information
mgr             rule match, database, connection processing, classification
warning         warnings

Kernel debugging options for UserCheck module: UC

If you want to make sure that the firewall accepted the flags, you need to run:

fw ctl debug -m UC

Flag            Explanation
address         information about connection's IP address
coverage        shows the coverage times - entering, blocking, and time spent
error           various general error messages
htab            hash table
info            general information
memory          memory allocation issues
module          UC module initializing, UC table hits, finding User ID in cache, removing of UC debug IS
subject         shows the debug subject of each message
timestamp       a timestamp for each debug message (changes when 'coverage' is active)
verbose         used with other flags - for additional information
vs              prints VSID of the debugged Virtual System
warning         warnings
webapi          URL patterns, UC incidents, connection redirection


Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT

If you want to make sure that the firewall accepted the flags, you need to run:

fw ctl debug -m ICAP_CLIENT

Flag            Explanation
address         information about connection's IP address
coverage        shows the coverage times - entering, blocking, and time spent
error           various general error messages
global          global client
info            general information
memory          memory allocation issues
module          kernel handler, user mode handler,
policy          policy
subject         shows the debug subject of each message
timestamp       a timestamp for each debug message (changes when 'coverage' is active)
verbose         used with other flags - for additional information
vs              prints VSID of the debugged Virtual System
warning         warnings
