Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Blason_R
Advisor

Can someone please forward my observation to R&D or Development team

Hi Team,

Since we most of the time dealing with Advanced debugging pertaining to customer issues. And those issues could be related to so many blades now there are lot many services that we need to debug or Check Point firewall has. Now the challenge is every process has its own debug procedure, flags and log location. I feel at at least more than 50+ processes and those are those many flags for every daemon.

Plus every debug logs has its own log location and need to keep in mind that as well.

Its very difficult to remember those flags debug procedure, log location and 99% of the time we need to search for ATRG which is really time consuming. Plus certain debugs are needs to be done for user specific as well and like trace user logs

This makes the overall troubleshooting  very cumbersome and hectic.

Hence is this possible to have a some kind of uniform debug procedure as with other vendors and flags like follow nomenclature
where

fw <known_blade_name> debug on/off <debug_level>

fw vpn debug on
fw cvpn debug on
fw https debug on
fw urlf debug on

fw appi debug on level <1,2,3,4,5>

so on...

Plus store the logs at one location like /var/log/debug

Feel free to share to thoughts/questions/concerns -

@PhoneBoy or any other folks can raise my voice/concern to R&D/development team?

0 Kudos
7 Replies
G_W_Albrecht
Legend
Legend

Best you do an RFE for this feature: https://rfe.checkpoint.com/rfe/rfe.htm

But honestly, i do not think you will succeed here because of the restless product extensions that happen since more than 20 years... And i am rather lucky that it needs technical expertise, broad knowledge and good memory to do advanced debugging - otherwise, no one would pay me as a support provider if it is all so very simple 😎.

But why do you not write yourself a bash script incorporating all the debug variants you are using and control them by menue ? You would not have to look the commands up again and again.

Blason_R
Advisor

Hi,

Yes I already punched in the RFE and I know its not easy but I thought to give a try. Script could be a good idea but again clearing the flags once the debug is over is equally important hence I feel it need a manual intervention

0 Kudos
_Val_
Admin
Admin

Technically this is VERY hard to achieve. 

As for the scripts, TAC has them, if you are doing troubleshooting with their assistance, ask upfront. Not 100% coverage though, different ones for specific cases.

0 Kudos
G_W_Albrecht
Legend
Legend

@Dannys ccc  script also has some simple debug commands integrated. But the big challenge is juggling with flags and load on the GW until you get decisive results from kernel debugs whle replicating the issue.

0 Kudos
PhoneBoy
Admin
Admin

R&D does read and participate in the community.
While I agree it would be ideal if there were a more "uniform" way to enable debugging, in practice this is not such an easy thing.
A given piece of functionality may rely on several infrastructures "under the hood."
Enabling lots of debug messages will create a performance issue and it needs to be done fairly precisely to minimize the potential impact.

0 Kudos
shais
Employee
Employee

Hi,

We understand the difficulty in debugging such a large system and we are working on optimization and improving this procedure.
We are currently working on multiple changes that address those issues such as

* Debug tools – allow you to run the required debug without knowing the syntax

* Unified debug files – combine important messages from different debugs files into a unified file.

The above is still under development and we will update once integrated into our product.

Blason_R
Advisor

Yeah we as a administrator are not bothered about remembering the syntax but the different flags different places for log files is really cumbersome hence wondering if something unified can be made. It would be very great if such feature can be made available.

0 Kudos