NGX - Basic Debugging

FireWall-1 Common Debug


This document lists the commands to run basic debugging on the NGX.

Kernel mode
FireWall-1 Kernel Primary Debug for Packet Filter Analysis
# fw ctl debug -buf 12288
# fw ctl debug -m fw conn drop ld packet if
# fw ctl kdebug -f > <output_file>

In R55 and above you can use fw ctl zdebug. However, this command allocates only 1024K of buffer.
Also, ld creates a high CPU load and generates a lot of messages. It can cause a kernel panic, so there are circumstances where it is not recommended to run ld at all.

FireWall-1 Monitor for Packet Flow Analysis


# fw monitor -e "accept;" -o <output file>

User Mode Processes: CPD, FWM, FWD


General Syntax
# fw debug <process_name> <on / off> TDERROR_ALL_ALL=<value 1-5>
NOTE: CPD is an exception and is executed differently (see below).

CPD
CPD is a high-hierarchy process responsible for SIC, licensing and status reporting.
For CPD debug:
# cpd_admin debug on TDERROR_ALL_ALL=5 (start)
# cpd_admin debug off TDERROR_ALL_ALL=1 (stop)
The debug file is located in $CPDIR/log/cpd.elg

FWM process
FWM is responsible for Management database activities: policy installation, Management HA synchronization, etc.
For FWM debug:
# fw debug fwm on TDERROR_ALL_ALL=5 (start)
# fw debug fwm on OPSEC_DEBUG_LEVEL=9 (start)
# fw debug fwm off TDERROR_ALL_ALL=1 (stop)
# fw debug fwm off OPSEC_DEBUG_LEVEL=1 (stop)

2009 Check Point Software Technologies Ltd. All rights reserved.

Classification:

[Unrestricted]For everyone

The debug file is located in $FWDIR/log/fwm.elg

FWD
The FWD process on the Management is responsible for logging.
For FWD debug:
# fw debug fwd on TDERROR_ALL_ALL=5 (start)
# fw debug fwd off TDERROR_ALL_ALL=1 (stop)
The debug file is located in $FWDIR/log/fwd.elg
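
The start/stop pairs above are easy to leave half done, and a process left at TDERROR_ALL_ALL=5 keeps writing to its .elg file. The wrapper below is an added example, not Check Point code: it raises the level, runs a reproduction command, and always issues the matching stop command. The names RUN, debug_cmd and with_debug are hypothetical, and only TDERROR_ALL_ALL is handled, not OPSEC_DEBUG_LEVEL.

```shell
#!/bin/sh
# Added example, not Check Point code.
# RUN is a hypothetical hook: set RUN=echo to print the commands
# instead of executing them (dry run on a host without the fw binary).
RUN=${RUN:-}

# Build the debug command for a process, using the syntax on this page.
# $1 = process name, $2 = on|off, $3 = TDERROR_ALL_ALL level
debug_cmd() {
    case "$1" in
        cpd) echo "cpd_admin debug $2 TDERROR_ALL_ALL=$3" ;;  # CPD is the exception
        *)   echo "fw debug $1 $2 TDERROR_ALL_ALL=$3" ;;
    esac
}

# Usage: with_debug <process> <command that reproduces the issue ...>
with_debug() {
    proc=$1; shift
    # Accept only the process names this page lists.
    case "$proc" in
        cpd|fwm|fwd|in.a*|mdq|mds) ;;
        *) echo "unknown process: $proc" >&2; return 2 ;;
    esac
    $RUN $(debug_cmd "$proc" on 5) || return 1
    # If the shell exits or is interrupted while the level is raised,
    # still issue the stop command.
    trap '$RUN $(debug_cmd "$proc" off 1)' EXIT INT TERM
    rc=0
    "$@" || rc=$?
    $RUN $(debug_cmd "$proc" off 1)
    trap - EXIT INT TERM
    return "$rc"
}
```

With RUN=echo the function only prints the two commands it would run, which is a quick way to check the pair before using it on a gateway or management server.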

Security Server Debugging


HTTP Security Server
To turn on the HTTP Security Server debug:
# fw debug in.ahttpd on TDERROR_ALL_ALL=5
# fw debug in.ahttpd on OPSEC_DEBUG_LEVEL=3
NOTE: The commands below correlate with the Unix environment.
If more than one HTTP Security Server process is running:
# fw kill fwd
# setenv TDERROR_ALL_ALL 5
# setenv OPSEC_DEBUG_LEVEL 3
# fwd -d >& <output file> &

SMTP Security Server


To debug the SMTP Security Server:
# fw debug in.asmtpd on TDERROR_ALL_ALL=5
NOTE: The debug output is located in $FWDIR/log/asmtpd.elg*
To debug the mdq:
# fw debug mdq on TDERROR_ALL_ALL=5
NOTE: The debug output is located in $FWDIR/log/mdq.elg*

Debugging User Authentication


The debug is performed on the service itself (in.ahttpd, in.atelnetd, in.aftpd, etc.).
# fw debug <process name> on TDERROR_ALL_ALL=5

Debugging Session Authentication


# fw debug in.asessiond on TDERROR_ALL_ALL=5

Debugging Client Authentication


For HTTP to port 900:
# fw debug in.ahclientd on TDERROR_ALL_ALL=5
For Telnet to port 259:
# fw debug in.aclientd on TDERROR_ALL_ALL=5

VPN-1 Debugging
Firewall Side
To Start:
# vpn debug trunc
NOTE: This is equivalent to the two commands: vpn debug on, vpn debug ikeon
To Stop:
# vpn debug off; vpn debug ikeoff
NOTE: Output is written to $FWDIR/log/ike.elg and $FWDIR/log/vpnd.elg

Client Side
To Start:
# sc debug on
To Stop:
# sc debug off
NOTE: Output is written to sr_service_tde.log, which is located in the SecuRemote installation folder. For example: C:\Program files\CheckPoint\SecuRemote.
For packet capture from the client side:
# srfw monitor -e "accept;" -o <output file>

Provider-1 Debugging
MDS Level
Most of the MDS actions are performed by the MDS's fwm.
# mdsenv
# fw debug mds on TDERROR_ALL_ALL=5
# fw debug mds on OPSEC_DEBUG_LEVEL=9
NOTE: Debug outputs are gathered in /opt/CPsuit-R60/fw1/log/mds.elg

CMA Level
Refer above to the FireWall-1 Common Debugging section.

VSX debugging
Refer above to the FireWall-1 Common Debugging section.

ClusterXL debugging
# cphaprob state
# cphaprob -ia list
# cphaprob -a if
# fw ctl pstat
For kernel debug for packet filter analysis:
# fw ctl debug -buf 12288
# fw ctl debug -m fw conn drop ld packet if
# fw ctl kdebug -T -f > <output file>
NOTE: Add sync to the -m fw flags, and add the command fw ctl debug -m cluster all

Connectra debugging
This section discusses debugging issues with Web files, Webmail, OWA, iNotes, and Citrix.
To debug the httpd process:
1. Start debug: $CVPNDIR/conf/httpd.conf
2. Change LogLevel to debug
3. Run: cvpnrestart
4. The output is: $CVPNDIR/log/httpd.log
If there is a debugging issue with Authentication, you should debug cvpnd.
To debug cvpnd:
1. Run: cvpnd_admin debug
2. Set TDERROR_ALL_ALL=5

To start debug:
# cvpnrestart
NOTE: The output is: $CVPNDIR/log/cvpnd.elg
To stop debug:
# cvpnd_admin debug off

GX Debugging
Refer above to the FireWall-1 Common Debugging section for more information.
For kernel debug for packet filter analysis:
# fw ctl debug -buf 12288
# fw ctl debug -m fw conn drop ld packet filter
# fw ctl kdebug -T -f > <output file>

InterSpect Debugging
Memory Diagnostics - SPLAT, InterSpect, Connectra Appliance, VSX
# free
# vmstat 2 10
# sar -k 2 10
# top
# ps -auxw
# cat /proc/meminfo
# cat /proc/slabinfo

Routing Information
# arp -a
# netstat -ie
# netstat
