This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
_Val_
Admin
Admin
‎2017-11-06 08:36 AM
Jump to solution

fw ctl zdebug - this is wrong...

I see just too much of "fw ctl zdebug..." flying around these days. To explain my issue with this practice, I have posted an entry in my blog:

https://checkpoint-master-architect.blogspot.ch/2017/11/kernel-debug-best-practices-or-why-fw.html

Feel free to read and comment

debug‌ kernel_debug best practices

1 Solution

Accepted Solutions
RickHoppe
Advisor
‎2017-11-10 06:58 AM
Jump to solution

I've used zdebug a lot and never got into trouble. It also helped me fixing issues. Perhaps I was lucky.

On the other hand...more often I had to issue specific debug commands (received from TAC) that really did make things worse on production environments.

I understand your concerns about debugging but I guess you need to be carefull with every debug command. With or without 'z' in front of it.

My blog: https://checkpoint.engineer

View solution in original post

0 Kudos
12 Replies
Moti
Admin
Admin
‎2017-11-06 09:51 PM
Jump to solution

So in theory if there was ‘fw ctl lzdebug’ (“l” for Loukine) macro , what would u have it do ?

0 Kudos
_Val_
Admin
Admin
‎2017-11-07 12:20 AM
In response to Moti
Jump to solution

Do not get me wrong, as internal R&D tool, zdebug is just fine. My problem is that you guys do not discourage using it on the field and even post SK articles of HOWTO kind to promote it.

My issues are:

  • zdebug is way too simple to use, and it can be dangerous in inexperienced hands
  • it is not flexible and does not allow adding or removing flags when running
  • most importantly, the buffer is way too limited for live production

Fixing the buffer is no brainer, Tamir could fix it with a blink of an eye. The other two points are a bit more tricky. Ideally, if you really want CP users to run debug in production (which is questionable by itself), do a GUI based tool. Because, if you don't someone else will. Actually, there is already something for the matter: Check Point debugging GUI 

Tomer_Sole
Mentor
Mentor
‎2017-11-07 01:33 AM
In response to _Val_
Jump to solution

Valeri Loukine wrote:

Ideally, if you really want CP users to run debug in production (which is questionable by itself), do a GUI based tool. 

like Packet-Mode search and SmartLog search?

0 Kudos
_Val_
Admin
Admin
‎2017-11-07 01:35 AM
In response to Tomer_Sole
Jump to solution

When I think about it, yes. SmartConsole extension with particular limited kernel debug abilities would be an ideal solution. You can call it ldebug, where L stands for "light"

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2017-11-07 01:42 AM
In response to _Val_
Jump to solution

so can we open this discussion to at which cases would you choose to kernel debug rather than search a log or a matched rule? just rules with Track=none or other cases?

0 Kudos
_Val_
Admin
Admin
‎2017-11-07 01:50 AM
In response to Tomer_Sole
Jump to solution

There is not much to discuss. kernel debug should be only employed when other means of troubleshooting, mentioned above included, are exhausted. This is my main personal issue with zdebug: people use it instead of other means to find their config errors. 

However, there are troubleshooting scenarios, where log and policy search may not produce conclusive results, if any. In these cases kernel debug, if performed in educated and controlled manner, might help

0 Kudos
PhoneBoy
Admin
Admin
‎2017-11-07 06:44 AM
In response to _Val_
Jump to solution

So what you're saying is you're against the idea of putting fw ctl zdebug on a t-shirt

_Val_
Admin
Admin
‎2017-11-07 06:51 AM
In response to PhoneBoy
Jump to solution

As part of wider subject, yes. why should check point promote a debug command in the first place, I might ask? Some people say, a good product does not need to be debugged on the field after being released to GA 🙂

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2017-11-07 09:27 AM
In response to _Val_
Jump to solution

I'd much rather see this T-Shirt instead

Hugo_vd_Kooij
Advisor
‎2017-11-08 12:56 AM
In response to _Val_
Jump to solution

I guess it has more to do with the Geek factor.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
RickHoppe
Advisor
‎2017-11-10 06:58 AM
Jump to solution

I've used zdebug a lot and never got into trouble. It also helped me fixing issues. Perhaps I was lucky.

On the other hand...more often I had to issue specific debug commands (received from TAC) that really did make things worse on production environments.

I understand your concerns about debugging but I guess you need to be carefull with every debug command. With or without 'z' in front of it.

My blog: https://checkpoint.engineer
0 Kudos
_Val_
Admin
Admin
‎2017-11-10 07:45 AM
In response to RickHoppe
Jump to solution

Absolutely correct, Rick. To execute kernel debug, one needs to understand and appreciate the implications. However, using zdebug shortcut saves you all those efforts of understanding and appreciation. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events