Upload
mbaezasoto
View
96
Download
6
Tags:
Embed Size (px)
DESCRIPTION
debug
Citation preview
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 1 of 16
Classification: [Protected]
Kernel Debug Flags (R77.10)
Table of Contents Usage ............................................................................................................................................................................ 1 Example ........................................................................................................................................................................ 1 Explanation for 'fw ctl debug' ........................................................................................................................................ 2 Explanation for 'fw ctl kdebug' ...................................................................................................................................... 2 Debug severity .............................................................................................................................................................. 2 Kernel debugging options for Firewall module: FW ...................................................................................................... 3 Kernel debugging options for VPN module: VPN ......................................................................................................... 4 Kernel debugging options for Check Point Active Streaming module: CPAS .............................................................. 5 Kernel debugging options for Cluster module: cluster .................................................................................................. 6 Kernel debugging options for Web Intelligence module: WS ....................................................................................... 6 Kernel debugging options for FloodGate-1 (QoS) module: FG-1 ................................................................................. 7 Kernel debugging options for VoIP H323 module: h323 .............................................................................................. 8 Kernel debugging options for Real Time Monitoring module: RTM.............................................................................. 8 Kernel debugging options for Kernel Infrastructure module: kiss ................................................................................. 9 Kernel debugging options for Kernel Infrastructure Flow module: kissflow .................................................................. 9 Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik ........................................................ 10 Kernel debugging options for Content Inspection module: CI .................................................................................... 10 Kernel debugging options for Application Control Inspection module: APPI .............................................................. 11 Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader ................ 11 Kernel debugging options for Next Rule Base module: NRB ..................................................................................... 12 Kernel debugging options for Resource Advisor module: RAD_KERNEL ................................................................. 12 Kernel debugging options for Struct Generator module: SGEN ................................................................................. 12 Kernel debugging options for Web Intelligence Infrastructure module: WSIS ........................................................... 13 Kernel debugging options for Web Intelligence SIP Parser module: WS_SIP ........................................................... 13 Kernel debugging options for Data Leak Prevention module: DLPK.......................................................................... 14 Kernel debugging options for Data Leak Prevention User module: DLPUK .............................................................. 14 Kernel debugging options for Identity Awareness module: IDAPI .............................................................................. 15 Kernel debugging options for Stream File Type module: SFT ................................................................................... 15 Kernel debugging options for UserCheck module: UC ............................................................................................... 15 Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT .......................... 16
Usage
# fw ctl debug -h : # fw ctl debug [x] [m ] [+ |]
# fw ctl debug [t (NONE | ERR | WRN | NOTICE | INFO)] [f (RARE | COMMON)]
# fw ctl kdebug [i | [f] o ] [b ] [t | T] [p
fld1[,fld2...] [m [s ]]
Example
# fw ctl debug 0 // Setting kernel debug default options
# fw ctl debug -buf 32000 // Setting kernel debug buffer
# fw ctl debug -m fw + flags // FW debug
# fw ctl debug -m VPN + flags // VPN debug
# fw ctl debug -m cluster + flags // Cluster debug
# fw ctl debug -m h323 + flags // H.323 debug
# fw ctl debug -m CPAS + flags // CPAS debug
# fw ctl debug -m WS + flags // Web Intelligence debug
# fw ctl debug -m FG-1 + flags // FloodGate-1 (QoS) debug
# fw ctl debug -m RTM + flags // Real-Time Monitoring debug
# fw ctl debug -m kiss + flags // Kernel Infrastructure debug
# fw ctl debug -m kissflow + flags // Kernel Infrastructure Flow debug
# fw ctl debug -m multik + flags // Multi-Kernel Inspection debug
# fw ctl debug -m APPI + flags // Application Control debug
# fw ctl debug -m CI + flags // Content Inspection (AV) debug
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 2 of 16
Classification: [Protected]
# fw ctl debug -m cmi_loader + flags // IPS CMI debug
# fw ctl debug -m dlpk + flags // Data Leak Prevention (DLP) debug
# fw ctl debug -m IDAPI + flags // Identity Awareness debug
# fw ctl debug -m NRB + flags // Next Rule Base debug
# fw ctl debug -m RAD_KERNEL + flags // Resource Advisor debug
# fw ctl debug -m SGEN + flags // Struct Generator debug
# fw ctl debug -m WSIS + flags // Web Intelligence Infrastructure debug
# fw ctl debug -m SFT + flags // Stream File Type debug
# fw ctl debug -m WS_SIP + flags // Web Intelligence SIP Parser debug
# fw ctl debug -m ICAP_CLIENT + flags // Internet Content Adaptation Protocol client debug
# fw ctl debug -m UC + flags // UserCheck debug
# fw ctl kdebug -T -f > /var/log/kernel_debug.ctl // output file
Explanation for 'fw ctl debug'
# fw ctl debug 0 // defaults (clears) all kernel debugging options
# fw ctl debug -x // disables all kernel debugging options :
// de-allocatesthebuffer&automaticallykillsfwctldebugprocess # fw ctl debug -buf // allocates the buffer (OS will use maximal available buffer) :
// MIN value 128kB ; MAX value in NG is 16MB , // MAX value in VSX NGX is 16MB , MAX value in NGX is 32MB
# fw ctl debug // displays ALL kernel modules and their flags THAT WERE TURNED ON
# fw ctl debug -m // displays ALL kernel modules and their flags thatmachineunderstands
# fw ctl debug -m // displays the flags for this module THAT WERE TURNED ON
Explanation for 'fw ctl kdebug'
# fw ctl kdebug -t / -T // in NGX only - prints the timestamp (t = seconds ; T = microseconds) -
helps synchronize packets in debug with packets in FW Monitor # fw ctl kdebug -p // prints specific fields : all | proc | pid | date | mid | type |
freq | topic | time | ticks | tid | text | err | host
New in NGX : # fw ctl kdebug -f -o -m -s
file_name = name of the output file
num = maximum number of cyclic files to create
size = maximum size of each cyclic file in kilobytes
When given is reached (more or less), is renamed to , and a new
is created. If already exists, then is renamed to ,
and so on - until the limit is reached (then the rotation takes place - oldest files are just deleted).
Debug severity
# fw ctl kebug -m
List of debug severities:
info = informational purposes only
warning = warnings: may affect connection behavior
error = errors: the connection is probably rejected
fatal = fatal errors: may prevent policy installation, etc.
List of debug subjects:
See the debug flags below
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 3 of 16
Classification: [Protected]
Kernel debugging options for Firewall module: FW
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m fw
Flag Explanation
acct Application Control accounting in Smart View Tracker log (also debug module 'APPI')
advp advanced patterns (signatures over port ranges) - runs under ASPII and CMI
aspii Accelerated Stateful Protocol Inspection Infrastructure (INPSECT streaming)
balance ConnectControl - logical servers in kernel , load balancing
bridge Bridge mode
chain cookie chain , chain modules
chainfwd chain forwarding - related to fwha_perform_chain_forwarding global kernel variable
cifs Common Internet File System (CIFS) - file sharing protocol in Windows-based networks
citrix Citrix processing
cmi Context Management Interface/Infrastructure - IPS signature manager
conn Connections Table issues
content AV content inspection
context operations on Memory context and CPU context in KISS module
cookie virtual de-fragmentation , cookie issues (cookies in the data structure holding the packets)
cptls CRYPTO-PRO Transport Layer Security (HTTPS inspection) - Russian VPN GOST
crypt encrypted / decrypted packets, algorithms and keys are printed in clear text and cipher text
cvpnd Mobile Access daemon
dfilter debug filter operations
dlp Data Leak Prevention
dnstun DNS tunnels
domain DNS queries
dos DDoS attack mitigation (part of IPS)
driver kernel attachment - access to kernel is shown as log entries
drop associates a reason for (almost) every dropped packet
dynlog dynamic log enhancement (INSPECT logs)
epq End Point Quarantine (also AMD)
error various general error messages (enabled by default)
ex dynamic table expiration issues (time-out)
filter packet filtering performed by kernel and all data loaded into kernel
ftp FTP Data connections inspection (used to call applications over FTP Data - i.e., Anti-Virus)
highavail cluster configuration - changes in the configuration and information about interfaces during traffic processing
hold holding mechanism and all packets being held / released
icmptun ICMP tunnels
if interface-related information - accessing the interfaces, installing a filter on an interfaces
install driver installation - NIC attachment (fw ctl install and fw ctl uninstall)
integrity client integrity mechanics
ioctl IOCTL control messages - communication between kernel and daemons, un/loading of FW-1
ipopt IP options enforcement
ips IPS logs and IPS IOCTL
ipv6 IPv6 traffic debug
kbuf kernel-buffer memory pool - e.g., encryption keys use these memory allocations
ld kernel dynamic tables infrastructure - reads and writes to the tables (machine can hang!)
leaks memory leak detection mechanism
link Link creation in Connections Table
log everything related to calls in the log
machine INSPECT Virtual Machine - actual assembler commands being processed (FW can hang!)
mail e-mail issues - POP3, IMAP
malware Anti-Malware (Anti-Virus, Anti-Spam)
media Windows OS: Transport Driver Interface information (interface-related information)
memory memory allocation issues
mgcp Media Gateway Control Protocol (complementary to H.323 and SIP)
misc miscellaneous helpful information - not shown with other flags
misp ISP Redundancy
monitor printsoutputsimilartofwmonitorintothedebugbuffer (also enable the 'misc' flag) monitorall printsoutputsimilartofwmonitor -p allintothedebugbuffer (also enable the 'misc' flag) mrtsync synchronization (in kernel) between cluster members of Multicast Routes that are added
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 4 of 16
Classification: [Protected]
when working with Dynamic Routing Multicast protocols
msnms MSN over MSMS (MSN Messenger protocol) - always include sip flag
multik CoreXL related (enables all the flags except for flag 'packet' in the 'MULTIK' module)
nac Network Access Control (NAC) Blade (refer to Identity Awareness)
nat NAT issues - basic information
ndis Windows OS: Network Driver Interface Specification (interface-related information)
netquota Network Quota IPS protection
packet actions performed on packet - like accept, drop, fragment (esp. KFUNCs called by INSPECT)
packval stateless verifications - sequences, fragments, translations and other header verifications
portscan port scanning prevention mechanics
q driver queue - e.g., synchronization operations (crucial for ClusterXL debugging)
qos QoS (FloodGate-1)
rad Resource Advisor policy
route routing debugging (ISP Redundancy, fwcookie code)
sam Suspicious Activity Monitoring (OPSec)
scv SecureClient Verification
shmem shared memory - currently is not used
sip VoIP traffic - SIP and H323
smtp e-mail issues - SMTP
sock Sockstress TCP DoS attack (CVE-2008-4609)
span mirror port (duplicates the network traffic and records the activity in logs)
spii Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure
synatk 'SYN Attack' (SYNDefender) IPS protection
sync synchronization operations in ClusterXL
tcpstr TCP streaming mechanism
te prints name of an interface for incoming connection from Threat Emulation Machine
ua VoIP traffic - Universal Alcatel "UA" Protocol
ucd UserCheck connections to other cluster members
user User Space communication with Kernel Space (most useful for configuration and VSX debug)
utest currently is not used
vm Virtual Machine chain decisions on traffic going through fw_filter_chain
wap Multimedia Messaging Service (Wireless Application Protocol)
warning various general warning messages (enabled by default)
wire wire-mode Virtual Machine chain module
xlate NAT issues - basic information
xltrc NAT issues - additional information - going through NAT rulebase
zeco Zero-Copy kernel module memory allocations
Kernel debugging options for VPN module: VPN
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m VPN
Flag Explanation
cluster cluster related events
comp compression for encrypted connections
counters various status counters (typically for SmartView Monitor)
cphwd hardware acceleration issues
driver kernel attachment - access to kernel is shown as log entries
err errors that should not happen, or errors that critical to the working of the VPN module
gtp GTP (GPRS Tunneling Protocol)
ifnotify debugs notification of changes in interface status - up or down (received from OS).
ike turns on all IKE kernel debug in respect to moving the IKE to the interface, where it will eventually leave and the modification of the source IP of the IKE packet, depending on the configuration.
init initializes the VPN kernel and kernel data structures, when kernel is up, or when policy is installed - it will also print the values of the flags that are set using CPSET upon policy reload
l2tp L2TP protocol related events
mem allocation of VPN pools and VPN contexts
mspi information related to creation and destruction of MSA / MSPI
multicast VPN multicast
multik information related to VPN and CoreXL interaction
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 5 of 16
Classification: [Protected]
nat NAT issues , cluster IP manipulation (Virtual_IP-to-Member_IP and backwards)
om_alloc allocation of Office Mode IP addresses
osu Optimal Service Upgrade
packet events that can happen for every packet, unless covered by more specific debug flags
pcktdmp dumps the encrypted / decrypted packets (before encryption / after decryption)
policy events that can happen only for a special packet in a connection, usually related to policy decisions or logs / traps
queue handling of Security Association (SA) queues
rdp handling of RDP packets
ref information regarding reference counting for MSA / MSPI when storing or deleting SAs
resolver link selection table manipulation and Certificate Revocation List (CRL), which is also part of the peer resolving mechanism
sas printing of keys and SA information
sr SecureClient/SecureRemote related issues
tagging sets the VPN policy of a connection according to VPN communities, VPN Policy related info
tcpt TCP Tunnel (Visitor mode) related information (FW traversal on port 443)
tnlmon tunnel monitoring
topology information related to VPN Link Selection
vin information related to IPSec NIC interaction (on Windows OS only)
warn warnings: may affect connection behavior
xl Accelerator cards interaction (AC II / III / IV)
Kernel debugging options for Check Point Active Streaming module: CPAS
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m CPAS
Flag Explanation
api interface layer messages
conns detailed description of connections, and connection's limit-related messages
error errors: the connection is probably rejected
events event-related messages
ftp messages of the FTP example server
glue glue layer messages
http messages of the HTTP example server
icmp messages of the ICMP example server
notify e-mail Messaging Security application
pkts packets handling messages (allocation, splitting, resizing, etc.)
skinny SCCP (Skinny Client Control Protocol - Cisco proprietary VoIP protocol)
sync synchronization operations in cluster
tcp TCP processing messages
tcpinfo TCP processing messages - more detailed description
timer reports of timer ticks (pours many messages, without real content)
warning warnings: may affect connection behavior
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 6 of 16
Classification: [Protected]
Kernel debugging options for Cluster module: cluster
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m cluster
There is also the SYNC flag, which is in the FW module and shows debug that is related to SYNC only. Set this variable to print the contents of the packets in HEX format as "FW-1: fwha_print_packet: Buffer:"
# fw ctl set int fwha_dprint_io 1
Set this variable to print all network checking printing # fw ctl set int fwha_dprint_all_net_check 1
Flag Explanation
accel related to status and support of SecureXL (should be used in parallel with 'conf' flag)
ccp reception/transmission of Cluster Control Protocol (CCP) packets
conf configuration and policy installation
df Decision Function - decides, which member will handle each packet in a Load Sharing mode
drop connections dropped by the CXL Decision Function (DF) module (only in NGX) - excluding CCP packets
forward Forwarding Layer messages - when sending and receiving a forwarded packet
if interface tracking and validation - all the operations and checks on interfaces
log creating and sending of logs by cluster (should be used in parallel with 'log' flag in 'fw' module) mac related to current configuration of and detection of cluster interfaces (should be used in
parallel with 'conf' flag and 'if' flag)
nokia related to cluster running on Nokia IPSO platform
pivot related to ClusterXL Load Sharing Unicast mode (Pivot mode) pnote related to registering and monitoring of critical devices (pnotes) select packet selection - including Decision Function (DF)
stat related to state of cluster members (state machine)
subs Subscriber module - set of APIs, which enable user space processes (by using a DLL) to be aware of the current state of the ClusterXL state machine and other clustering configuration parameters.
timer reports of cluster internal timers
Kernel debugging options for Web Intelligence module: WS
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m WS
Set this variable to debug specific Virtual System: # fw ctl set int ws_debug_vs VSID
Set this variable to 0 (zero) to debug all Virtual Systems (default): # fw ctl set int ws_debug_vs 0
Set this variable to debug specific IP address: # fw ctl set int ws_debug_vs XXX.XXX.XXX.XXX
Set this variable to 0 (zero) to debug all IP addresses (default): # fw ctl set int ws_debug_vs 0
Flag Explanation
address information about connection's IP address
body HTTP body (content) layer
connection connection layer
cookie HTTP cookie header
coverage shows the coverage times - entering, blocking, and time spent
error errors: the connection is probably rejected
event events
fatal fatal errors: may prevent policy installation, etc.
global global structure handling (usually policy related)
info informational purposes only
ioctl IOCTL control messages - communication between kernel and daemon, un/loading of FW-1
mem_pool memory pool related
memory memory allocation issues
module module related
parser HTTP header parser layer
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 7 of 16
Classification: [Protected]
parser_err HTTP header parsing errors
pfinder pattern finder related
pkt_dump traffic packet dump (requires connection)
policy policy (installation and enforcement)
regexp regular expression library
report_mgr report manager (errors and logs)
session session layer
spii Stateful Protocol Inspection Infrastructure (INSPECT streaming)
ssl_insp HTTPS SSL Inspection
sslt SSLT library
stat memory usage statistics
stream stream virtualization
subject shows the debug subject of each message
timestamp a timestamp for each debug message (changes when 'coverage' is active)
uuid session UUID related
vs prints VSID of the debugged Virtual System
warning warnings: may affect connection behavior
Kernel debugging options for FloodGate-1 (QoS) module: FG-1
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m FG-1
Flag Explanation
auth authenticated QoS feature
automatch report matching process (debug version only)
autosched report scheduling process (debug version only) - a good way to report the rates on rules
chain tracing each packet through FloodGate-1 points in the cookie chain
chainq holding and releasing packets during critical actions (policy install / uninstall) - internal Chain Q mechanism
citrix Citrix processing
conn connection information and identification processing
dns DNS classification mechanism
driver kernel attachment - access to kernel is shown as log entries
drops dropped packets due to WFRED policy
dropsv dropped packets due to WFRED policy - with additional debug information (verbose version)
error different error messages (default)
fwrate report rate statistics per interface and direction
general currently unused
install policy installation and building internal data structure (for future use)
llq low latency queuing
log everything related to calls in the log
ls Load Sharing
memory memory allocation issues
multik CoreXL related
pkt packet recording mechanism
policy QoS policy rules matching classification mechanism
qosaccel QoS acceleration
rates reporting rule / connection rates - IQ Engine behaviour and status
registry failed to open a key from Check Point Registry ($CPDIR/registry/HKLM_registry.data)
rtm failures in information gathering in RTM module (SmartView Monitor)
sched basic scheduling information
tcp TCP streaming (re-transmission detection) mechanism
time currently unused
timers reports of timer ticks (pours many messages, without real content)
url URL and URI for QoS classification mechanism
verbose used with other flags - for additional information
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 8 of 16
Classification: [Protected]
Kernel debugging options for VoIP H323 module: h323
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m h323
Flag Explanation
align VoIP debug general messages (for example, VOIP infrastructure)
cpas CPAS TCP debug messages - since H323 : H225 and H245 are over TCP ; this flag is not included when debug is run with "all" flag ( # fw ctl debug -m h323 all )
decode H323 decoder messages
error different error messages (default)
h225 H225 call signaling messages (SETUP, CONNECT, RELEASE COMPLETE, etc.)
h245 H245 control signaling messages (OPEN LOGICAL CHANNEL, END SESSION COMMAND, etc.)
init used for internal errors
ras H225 RAS messages (REGISTRATION, ADMISSION, and STATUS REQUEST / RESPONSE)
Kernel debugging options for Real Time Monitoring module: RTM
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m rtm
Flag Explanation
accel displays SecureXL information regarding accelerated packets, connections, etc.
chain displays information about chain registering, and about the E2E chain function actions; this important flag helps you know if the E2E (VL) is identifying VL packets.
con_conn displaysthesameinformationasper_connflag
driver kernel attachment - access to kernel is shown as log entries
err different error messages (default)
import displays information about RTM importing functions from other modules (FW-1, FG-1)
init rarely used
ioctl RTM IOCTL control messages
netmasks displays information about how the RTM handles netmasks, if you are monitoring network object, which is a network
per_conn messages per connection (when a new connection is handled by RTM)
per_pckt messages per packet (when a new packet arrives) - use it with care
performance currently unused
policy displays FireWall-1 load/unload messages (indicates that the RTM received the FW-1 callback)
rtm displays information about RTM monitoring
s_err displays various error messages (regarding tables info and other failures)
sort debugging the RTM top X monitoring sorting
special display information about how E2E modifies E2ECP protocol packets
tabs currently unused
topo display information about how the RTM calculates network topography
view_add when Views are added or deleted
view_update when Views are updated with new information
view_update1 when Views are updated with new information
wd displays information regarding WebDefense views
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 9 of 16
Classification: [Protected]
Kernel debugging options for Kernel Infrastructure module: kiss
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m kiss
Flag Explanation
bench CPU benchmarker
dfa Pattern Matcher (Deterministic Finite Automaton) compilation and execution
driver when FW driver is loaded / unloaded
error different error messages (default)
flofiler FLow prOFILER
ghtab multi-threaded safe global hash tables
handles Memory Pool allocation for tables
htab multi-threaded safe hash tables
ioctl IOCTL control messages - communication between kernel and daemon
kqstats Kernel Worker thread statistics mechanism - resetting, initializing, turning off
kw Kernel Worker state and Pattern Matcher inspection
memory memory allocation issues
misc CPU counters, Memory counters, getting/setting of global kernel parameters
mtctx multi-threaded context - memory allocation, reference count
pcre Perl Compatible Regular Expressions - execution, memory allocation
pm Pattern Matcher compilation and execution
pmdump Pattern Matcher DFA (dumping XMLs of DFAs)
pmint Pattern Matcher compilation
pools Memory Pool allocation issues
queue Kernel Worker thread queues
rem Regular Expression Matcher - Pattern Matcher 2nd tier (slow path)
salloc System Memory allocation
shmem shared memory allocation
sm String Matcher - Pattern Matcher 1st tier (fast path)
stat statistics for categories and maps
swblade registration of Software Blades
thinnfa currently unused (Thin NFA)
thread kernel thread that supplies kernel thread low level APIs
usrmem User Space platform memory usage
vbuf virtual buffer
warning warnings (default)
worker Kernel Worker - queuing and dequeuing
Kernel debugging options for Kernel Infrastructure Flow module: kissflow
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m kissflow
Flag Explanation
compile Pattern Matcher - pattern compilation
dfa Pattern Matcher (Deterministic Finite Automaton) compilation and execution
error different error messages (default)
memory memory allocation issues
pm Pattern Matcher - general information
warning warnings (default)
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 10 of 16
Classification: [Protected]
Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m multik
When enabling the 'multik' flag in the 'FW' module, it enables all the flags in this module except for flag 'packet'
Flag Explanation
api registration and unregistration of cross-instance function calls
clb statistics collection for the core load balancer utility
conn creation and deletion of connections in the dispatcher table
counter cross-instance counter infrastructure
error various error conditions in CoreXL infrastructure
event cross-instance event aggregation infrastructure
fwstats FW-1 statistics
ioctl distribution of IOCTLs to different instances
lock obtaining and releasing fw_lock on multiple instances
message cross-instance messages (used for local sync and port scanning)
packet per packet, shows the dispatching decision - instance and reason
packet_err invalidpackets,forwhichdispatchingdecisioncantbemade queue packet queue
quota cross-instance quota table (used by the network quota feature)
state starting and stopping of instances, establishment of relationship between instances
uid Cross-instance Unique IDs
Kernel debugging options for Content Inspection module: CI
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m CI
Flag Explanation
address shows connection address [Source_IP:Source_Port -> Dest_IP:Dest_Port]
av Anti-Virus inspection
coverage shows the coverage times - entering, blocking, and time spent
crypto basic information about encryption and decryption
error various general error messages
fatal fatal errors filter basic information about URL filters
info general information
ioctl currently unused
memory memory allocation issues
module CI module operations - initialization, module loading, calls to module, policy loading, etc
policy information about CI policy
profile very basic information about CI module - initialization, destroying, freeing
regexp regular expression library
session session layer
stat Content Inspection statistics subject shows the debug subject of each message
timestamp a timestamp for each debug message (changes when 'coverage' is active)
uf URL filters and URL cache
vs prints VSID of the debugged Virtual System
warning warnings
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 11 of 16
Classification: [Protected]
Kernel debugging options for Application Control Inspection module: APPI
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m APPI
Flag Explanation
account accounting information
address information about connection's IP address
btime browse time
connection APPI connections
coverage shows the coverage times - entering, blocking, and time spent
error various general error messages
global global policy operations
info general information
limit APPI limits
memory memory allocation issues
module APPI module operations - initialization, module loading, calls to module, policy loading, etc
policy information about APPI policy
session session layer
subject shows the debug subject of each message
timestamp a timestamp for each debug message (changes when 'coverage' is active)
urlf_ssl URL Filtering for SSL
verbose used with other flags - for additional information
vs prints VSID of the debugged Virtual System
warning warnings
Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m cmi_loader
Flag Explanation
address information about connection's IP address
connection currently unused
coverage shows the coverage times - entering, blocking, and time spent
error various general error messages
global_states user space global states structures
info general information
inspect cmi_loader INSPECT code
memory memory allocation issues
module cmi_loader module operations - initialization, module loading, calls to module, contexts, etc
policy policy installation
sigload signatures, patterns, ranges
subject shows the debug subject of each message
timestamp a timestamp for each debug message (changes when 'coverage' is active) verbose used with other flags - for additional information
vs prints VSID of the debugged Virtual System
warning warnings
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 12 of 16
Classification: [Protected]
Kernel debugging options for Next Rule Base module: NRB
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m NRB
Flag Explanation
address information about connection's IP address
appi rules and applications
coverage shows the coverage times - entering, blocking, and time spent
dlp Data Leak Prevention
error various general error messages
info general information
match rule matching
memory memory allocation issues
module NRB module operations - initialization, module loading, calls to module, contexts, etc
policy policy installation
sec_rb security rulebase
session session layer
ssl_insp HTTPS SSL Inspection
subject shows the debug subject of each message
timestamp a timestamp for each debug message (changes when 'coverage' is active) verbose used with other flags - for additional information
vs prints VSID of the debugged Virtual System
warning warnings
Kernel debugging options for Resource Advisor module: RAD_KERNEL
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m RAD_KERNEL
Flag Explanation
address information about connection's IP address
cache RAD kernel malware cache
coverage shows the coverage times - entering, blocking, and time spent
error various general error messages
global RAD global contexts
info general information
memory memory allocation issues
subject shows the debug subject of each message
timestamp a timestamp for each debug message (changes when 'coverage' is active) verbose used with other flags - for additional information
vs prints VSID of the debugged Virtual System
warning warnings
Kernel debugging options for Struct Generator module: SGEN
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m SGEN
Flag Explanation
engine Struct Generator engine operations error various general error messages
fatal fatal errors field operations on fields
general general types macros
info general information
load loading of macros
serialize serialization during loading of macros
warning warnings
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 13 of 16
Classification: [Protected]
Kernel debugging options for Web Intelligence Infrastructure module: WSIS
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m WSIS
Set this variable to debug specific Virtual System: # fw ctl set int ws_debug_vs VSID
Set this variable to 0 (zero) to debug all Virtual Systems (default): # fw ctl set int ws_debug_vs 0
Set this variable to debug specific IP address: # fw ctl set int ws_debug_vs XXX.XXX.XXX.XXX
Set this variable to 0 (zero) to debug all IP addresses (default): # fw ctl set int ws_debug_vs 0
Flag Explanation
address information about connection's IP address
common prints a message when parameters are invalid
coverage shows the coverage times - entering, blocking, and time spent
datastruct data structure tree
decoder decoder for content transfer encoding (UUEncode, UTF-8, HTML encoding )
error various general error messages
info general information
memory memory allocation issues
parser HTTP header parser layer
subject shows the debug subject of each message
timestamp a timestamp for each debug message (changes when 'coverage' is active) verbose used with other flags - for additional information
vs prints VSID of the debugged Virtual System
warning warnings
Kernel debugging options for Web Intelligence SIP Parser module: WS_SIP
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m WS_SIP
Set this variable to debug specific Virtual System: # fw ctl set int ws_debug_vs VSID
Set this variable to 0 (zero) to debug all Virtual Systems (default): # fw ctl set int ws_debug_vs 0
Set this variable to debug specific IP address: # fw ctl set int ws_debug_vs XXX.XXX.XXX.XXX
Set this variable to 0 (zero) to debug all IP addresses (default): # fw ctl set int ws_debug_vs 0
Flag Explanation
address information about connection's IP address
body HTTP body (content) layer
connection connection layer
cookie HTTP cookie header
coverage shows the coverage times - entering, blocking, and time spent
error errors: the connection is probably rejected
event events
fatal fatal errors: may prevent policy installation, etc.
global global structure handling (usually policy related)
info informational purposes only
ioctl IOCTL control messages - communication between kernel and daemon, un/loading of FW-1
mem_pool memory pool related
memory memory allocation issues
module module related
parser HTTP header parser layer
parser_err HTTP header parsing errors
pfinder pattern finder related
pkt_dump traffic packet dump (requires connection)
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 14 of 16
Classification: [Protected]
policy policy (installation and enforcement)
regexp regular expression library
report_mgr report manager (errors and logs)
session session layer
spii Stateful Protocol Inspection Infrastructure (INSPECT streaming)
ssl_insp HTTPS SSL Inspection
sslt SSLT library
stat memory usage statistics
stream stream virtualization
subject shows the debug subject of each message
timestamp a timestamp for each debug message (changes when 'coverage' is active)
uuid session UUID related
vs prints VSID of the debugged Virtual System
warning warnings: may affect connection behavior
Kernel debugging options for Data Leak Prevention module: DLPK
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m dlpk
Flag Explanation
error various general error messages
cmi HTTP Proxy, connection redirection, identity information, Async
drv DLP inspection
identity user identity, connection identity, Async
rulebase DLP rulebase match
stat counters statistics
warning warnings
Kernel debugging options for Data Leak Prevention User module: DLPUK
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m dlpuk
Flag Explanation
address information about connection's IP address
buffer currently unused
coverage shows the coverage times - entering, blocking, and time spent
error various general error messages
info general information
memory memory allocation issues
module initiating / removing of DLPUK debug infrastructure policy currently unused serialize data buffers and data sizes subject shows the debug subject of each message timestamp a timestamp for each debug message (changes when 'coverage' is active) verbose used with other flags - for additional information
vs prints VSID of the debugged Virtual System
warning warnings
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 15 of 16
Classification: [Protected]
Kernel debugging options for Identity Awareness module: IDAPI
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m IDAPI
Flag Explanation
address information about connection's IP address
async checking known network
coverage shows the coverage times - entering, blocking, and time spent
data Portal, IP address matching for Terminal Servers Identity Agent, session handling
error various general error messages
htab checking for network IP address, working with kernel tables
info general information
memory memory allocation issues
module removing of IDAPI debug IS, failed to convert to Base64, failed to append src to dst
subject shows the debug subject of each message test IP test, IDAPI sync
timestamp a timestamp for each debug message (changes when 'coverage' is active) verbose used with other flags - for additional information
vs prints VSID of the debugged Virtual System
warning warnings
Kernel debugging options for Stream File Type module: SFT
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m SFT
Flag Explanation
error various general error messages
fatal fatal errors info general information mgr rule match, database, connection processing, classification warning warnings
Kernel debugging options for UserCheck module: UC
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m UC
Flag Explanation
address information about connection's IP address
coverage shows the coverage times - entering, blocking, and time spent
error various general error messages
htab hash table info general information memory memory allocation issues
module UC module initializing, UC table hits, finding User ID in cache, removing of UC debug IS subject shows the debug subject of each message timestamp a timestamp for each debug message (changes when 'coverage' is active)
verbose used with other flags - for additional information
vs prints VSID of the debugged Virtual System
warning warnings webapi URL patterns, UC incidents, connection redirection
Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 16 of 16
Classification: [Protected]
Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT
If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m ICAP_CLIENT
Flag Explanation
address information about connection's IP address
coverage shows the coverage times - entering, blocking, and time spent
error various general error messages
global global client
info general information
memory memory allocation issues
module kernel handler, user mode handler,
policy policy
subject shows the debug subject of each message timestamp a timestamp for each debug message (changes when 'coverage' is active)
verbose used with other flags - for additional information
vs prints VSID of the debugged Virtual System
warning warnings
UsageExampleExplanation for 'fw ctl debug'Explanation for 'fw ctl kdebug'Debug severityKernel debugging options for Firewall module: FWKernel debugging options for VPN module: VPNKernel debugging options for Check Point Active Streaming module: CPASKernel debugging options for Cluster module: clusterKernel debugging options for Web Intelligence module: WSKernel debugging options for FloodGate-1 (QoS) module: FG-1Kernel debugging options for VoIP H323 module: h323Kernel debugging options for Real Time Monitoring module: RTMKernel debugging options for Kernel Infrastructure module: kissKernel debugging options for Kernel Infrastructure Flow module: kissflowKernel debugging options for Multi-Kernel Inspection (CoreXL) module: multikKernel debugging options for Content Inspection module: CIKernel debugging options for Application Control Inspection module: APPIKernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loaderKernel debugging options for Next Rule Base module: NRBKernel debugging options for Resource Advisor module: RAD_KERNELKernel debugging options for Struct Generator module: SGENKernel debugging options for Web Intelligence Infrastructure module: WSISKernel debugging options for Web Intelligence SIP Parser module: WS_SIPKernel debugging options for Data Leak Prevention module: DLPKKernel debugging options for Data Leak Prevention User module: DLPUKKernel debugging options for Identity Awareness module: IDAPIKernel debugging options for Stream File Type module: SFTKernel debugging options for UserCheck module: UCKernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT