Hello folks,
I have a simple question: I need to troubleshoot one site-to-site VPN tunnel. Is it safe to use the ikeview tool to analyze the logs on a heavy (a lot of traffic and users) production firewall?
Does this tool not have the ability to bring down a firewall (stop working in debug mode)?
Thanks in advance guys
IkeView is an offline viewer for the files generated with the VPN debug and IKE debug commands "vpn debug on" and "vpn debug ikeon", or the combo command "vpn debug trunc".
As per CP sk63560:
Warning: Part of this SK requires the performing of a Kernel Debug. Due to the potential for high load conditions and performance impact, up to and including Kernel Panic, it is not recommended to perform a kernel debug during normal Business hours. While a kernel panic is unlikely it is recommended to perform kernel debugs during a maintenance window where issues such as high loads and kernel panics can be addressed without negatively affecting production.
Hi,
Sorry for the misunderstanding, what I meant to say is: is it safe to enable debug mode on a production firewall to analyze later with ikeview?
Thanks in advance.
@Luis_Filipe, IMHO: nope, it is not safe to do it in production. It should be reserved for the situations when NOT doing it has worse consequences than those described in the "Warning" in my previous post.
I am sure that there are plenty of people here that may disagree with me though, and I would like for them to chime in here.
@PhoneBoy, @Danny, @HeikoAnkenbrand and @Timothy_Hall, please state your opinion on debugs in production and if you think that CP Warning is overblown.
Thanks,
Vladimir
In such situations I quickly set up another Check Point Security Gateway (VM), enabled SIC and VPN and troubleshot the specific VPN tunnel on this gateway to make sure nothing is impacting production. After everything was clear I switched the VPN tunnel back to the main gateway and deleted the testing machine.
As long as you are doing "vpn debug" style commands and not kernel debugs (fw ctl debug) it is pretty safe, as "vpn debug" is just switching on debugs in the vpnd daemon. Even if there is a runaway debug it will not impact the bulk of traffic operations happening in the kernel, including encrypt/decrypt operations for existing VPN tunnels. If somehow vpnd crashes or becomes impaired, new IKE negotiations cannot occur, and certain types of Remote Access VPN traffic (such as Visitor mode & NAT-T) will be impacted. However, vpnd is a child process of fwd, which will instantly restart vpnd if it dies.
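The user-space capture discussed in this thread can be time-boxed so that a runaway debug is switched off automatically. The following is an added example, not part of any post above and not Check Point's own code: it uses "vpn debug trunc" from the thread plus its counterparts "vpn debug off" and "vpn debug ikeoff", and the names `capture_ike_debug`, `LOG_DIR` and `MIN_FREE_KB` and their default values are assumptions.

```shell
# Added example: time-boxed vpnd/IKE debug capture (user space only, no "fw ctl debug").
# Assumptions: LOG_DIR, MIN_FREE_KB and the window length are site choices, not vendor values.
MIN_FREE_KB=${MIN_FREE_KB:-1048576}   # assumed floor: 1 GiB free where debug files are written
LOG_DIR=${LOG_DIR:-$FWDIR/log}        # assumed location of the vpnd debug output

# Print free space in KiB on the filesystem holding $1 (0 if it cannot be read).
free_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4} END {if (NR<2) print 0}'
}

# Switch the vpnd and IKE debugs off again.
stop_debug() {
    vpn debug off
    vpn debug ikeoff
}

# capture_ike_debug SECONDS
# Returns 0 after a full window, 2 if refused up front, 3 if cut short by low disk space.
capture_ike_debug() {
    cid_window=$1
    cid_elapsed=0
    if [ "$(free_kb "$LOG_DIR")" -lt "$MIN_FREE_KB" ]; then
        echo "refusing: under ${MIN_FREE_KB} KiB free on $LOG_DIR" >&2
        return 2
    fi
    # Make sure an interrupted session never leaves the debug switched on.
    trap 'stop_debug; exit 130' INT TERM
    vpn debug trunc                    # truncate old debug files, start vpnd + IKE debug
    while [ "$cid_elapsed" -lt "$cid_window" ]; do
        sleep 1
        cid_elapsed=$((cid_elapsed + 1))
        # A runaway debug shows up as shrinking free space: stop early.
        if [ "$(free_kb "$LOG_DIR")" -lt "$MIN_FREE_KB" ]; then
            stop_debug
            trap - INT TERM
            echo "stopped after ${cid_elapsed}s: disk floor reached" >&2
            return 3
        fi
    done
    stop_debug
    trap - INT TERM
    return 0
}

# Typical use on the gateway: capture_ike_debug 120, reproduce the tunnel
# negotiation during the window, then copy the debug files off-box for IKEView.
```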