Kernel mode
FireWall-1 Kernel Primary Debug for Packet Filter Analysis
# fw ctl debug -buf 12288
# fw ctl debug -m fw conn drop ld packet if
# fw ctl kdebug -f > <output_file>
In R55 and above you can use fw ctl zdebug. However, this command allocates only 1024K of buffer. Also, ld creates a high CPU load and generates a lot of messages. It can cause a kernel panic, so there are circumstances where it is not recommended to run ld at all.
CPD
CPD is a process high in the hierarchy and is responsible for SIC, licensing and status reporting.
For CPD debug:
# cpd_admin debug on TDERROR_ALL_ALL=5 (start)
# cpd_admin debug off TDERROR_ALL_ALL=1 (stop)
The debug file is located in $CPDIR/log/cpd.elg
FWM process
FWM is responsible for Management database activities: policy installation, Management HA synchronization, etc.
For FWM debug:
# fw debug fwm on TDERROR_ALL_ALL=5 (start)
# fw debug fwm on OPSEC_DEBUG_LEVEL=9 (start)
# fw debug fwm off TDERROR_ALL_ALL=1 (stop)
# fw debug fwm off OPSEC_DEBUG_LEVEL=1 (stop)
Classification:
[Unrestricted]For everyone
FWD
The FWD process on the Management is responsible for logging.
For FWD debug:
# fw debug fwd on TDERROR_ALL_ALL=5 (start)
# fw debug fwd off TDERROR_ALL_ALL=1 (stop)
The debug file is located in $FWDIR/log/fwd.elg
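Leaving CPD or FWD at TDERROR_ALL_ALL=5 after a troubleshooting session keeps the daemon writing verbose output indefinitely. The wrapper below is an added example, not part of the original document or of Check Point's tooling: it runs the start command listed above, waits a fixed time, and always runs the matching stop command. The function name timed_debug, its arguments and the copy destination are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): time-boxed CPD/FWD debug.
# The on/off commands and .elg paths are the ones listed above; the function
# name, its arguments and the copy destination are assumptions of this example.
# Usage: timed_debug cpd 60 /var/tmp

timed_debug() {
    daemon=$1     # cpd or fwd
    seconds=$2    # how long debug stays at TDERROR_ALL_ALL=5
    dest=$3       # existing directory that receives a copy of the .elg file

    case $daemon in
        cpd) on="cpd_admin debug on"; off="cpd_admin debug off"
             log="$CPDIR/log/cpd.elg" ;;
        fwd) on="fw debug fwd on";    off="fw debug fwd off"
             log="$FWDIR/log/fwd.elg" ;;
        *)   echo "unsupported daemon: $daemon" >&2; return 2 ;;
    esac

    (
        # The EXIT trap runs the documented stop command on every exit path,
        # including Ctrl-C and a failed start, so level 5 is never left on.
        trap '$off TDERROR_ALL_ALL=1' EXIT
        trap 'exit 130' INT TERM
        $on TDERROR_ALL_ALL=5 || exit 1
        sleep "$seconds"
    )
    rc=$?

    # Keep a timestamped copy of the debug file for later analysis.
    if [ -f "$log" ]; then
        cp "$log" "$dest/$daemon.elg.$(date +%Y%m%d%H%M%S)"
    fi
    return "$rc"
}
```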
VPN-1 Debugging
Firewall Side
To Start:
# vpn debug trunc
NOTE: This is equivalent to the two commands: vpn debug on, vpn debug ikeon
To Stop:
# vpn debug off; vpn debug ikeoff
NOTE: Output is written to $FWDIR/log/ike.elg and $FWDIR/log/vpnd.elg
Client Side
To Start:
# sc debug on
To Stop:
# sc debug off
NOTE: Output is written to sr_service_tde.log which is located in the SecuRemote installation folder. For example: C:\Program files\CheckPoint\SecuRemote.
For packet capture from the client side:
# srfw monitor -e "accept;" -o <output file>
Provider-1 Debugging
MDS Level
Most of the MDS actions are performed by the MDS's fwm.
# mdsenv
# fw debug mds on TDERROR_ALL_ALL=5
# fw debug mds on OPSEC_DEBUG_LEVEL=9
NOTE: Debug outputs are gathered in /opt/CPsuit-R60/fw1/log/mds.elg
CMA Level
Refer above to the FireWall-1 Common Debugging section.
VSX debugging
Refer above to the FireWall-1 Common Debugging section.
ClusterXL debugging
# cphaprob state
# cphaprob -ia list
# cphaprob -a if
# fw ctl pstat
For kernel debug for packet filter analysis:
# fw ctl debug -buf 12288
# fw ctl debug -m fw conn drop ld packet if
# fw ctl kdebug -T -f > <output file>
add sync to -m fw
add fw ctl debug -m cluster all
Connectra debugging
This section discusses debugging issues with Web files, Webmail, OWA, iNotes, and Citrix.
To debug the httpd process:
1. Start debug: $CVPNDIR/conf/httpd.conf
2. Change LogLevel to debug
3. Run: cvpnrestart
4. The output is: $CVPNDIR/log/httpd.log
If there is a debugging issue with Authentication, you should debug cvpnd.
To debug cvpnd:
1. Run: cvpnd_admin debug
2. Set TDERROR_ALL_ALL=5
To start debug:
# cvpnrestart
NOTE: The output is: $CVPNDIR/log/cvpnd.elg
To stop debug:
# cvpnd_admin debug off
GX Debugging
Refer above to the FireWall-1 Common Debugging section for more information.
For kernel debug for packet filter analysis:
# fw ctl debug -buf 12288
# fw ctl debug -m fw conn drop ld packet filter
# fw ctl kdebug -T -f > <output file>
InterSpect Debugging
Memory Diagnostics - SPLAT, InterSpect, Connectra Appliance, VSX
# free
# vmstat 2 10
# sar -k 2 10
# top
# ps -auxw
# cat /proc/meminfo
# cat /proc/slabinfo
Routing Information
# arp -a
# netstat -ie
# netstat