This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Achilles_Tagg
Participant
‎2018-12-17 11:18 PM
Jump to solution

useful debug command in checkpoint

Please share useful debug command in checkpoint cli if any.

1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Gold
MVP Gold
‎2019-09-10 01:34 PM
Jump to solution

"fw ctl zdebug" is a powertool that is not exhausted from being used with "fw ctl zdebug drop". There is not much to be found in Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, the insert should be used with care. It starts a debugging in the background until it is aborted with CTRL+C. On productive systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.

fw ctl zdebug" Helpful Command Combinations

fw ctl zdebug + packet
fw ctl zdebug + packet | grep -B 1 TCP |grep -B 1 "(SYN)"      <<< change SYN-ACK,ACK,FIN,... and/or UDP,TCP...
fw ctl zdebug + all |grep -A 1 "Monitor" | grep "1.1.1.1"            <<< change IP address
fw ctl zdebug + all |grep -A 2 "Monitor"
fw ctl zdebug + sync                     
fw ctl zdebug + conn |grep "After  VM:" |grep "(SYN)"
fw ctl zdebug + xlate
fw ctl zdebug + monitorall                                                     <<< use with host IP "| grep 1.1.1.1" or network range "| grep 1.1."
fw ctl zdebug + monitor                                                            <<< use with host IP "| grep 1.1.1.1" or network range "| grep 1.1."
fw ctl zdebug + filter conn | grep -A 8 "rule 1"                          <<< change rule number - show connetions to rule xyz
fw ctl zdebug + filter monitor  | grep -A 8 "rule 2"                     <<< change rule number - show connetions to rule xyz

    
Attention, if you turn on debugging, this will affect the performance of the firewall.

A list with kernel debug flags can be found here:

Kernel Debug Flags R80.10

Kernel Debug Flags R77

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

10 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-12-18 12:46 AM
Jump to solution

Debug command for which blade ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-12-18 01:00 AM
Jump to solution

sk98799: Kernel Debug

sk97443: Support Debug Tools

sk103212: Traffic analysis using the 'CPMonitor' tool

sk101878: CPView Utility

sk85780: How to use the 'connstat' utility

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-12-18 01:30 AM
Jump to solution

And do not forget that fw ctl zdebug - this is wrong...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
jordi_Torres_Ba
Explorer
‎2019-09-10 09:34 AM
In response to G_W_Albrecht
Jump to solution

thanks for your time and help

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2018-12-18 05:25 AM
Jump to solution

How can this epic CheckMates thread not be included:

My Top 3 Check Point CLI commands

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
HeikoAnkenbrand
MVP Gold
MVP Gold
‎2019-09-10 01:34 PM
Jump to solution

"fw ctl zdebug" is a powertool that is not exhausted from being used with "fw ctl zdebug drop". There is not much to be found in Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, the insert should be used with care. It starts a debugging in the background until it is aborted with CTRL+C. On productive systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.

fw ctl zdebug" Helpful Command Combinations

fw ctl zdebug + packet
fw ctl zdebug + packet | grep -B 1 TCP |grep -B 1 "(SYN)"      <<< change SYN-ACK,ACK,FIN,... and/or UDP,TCP...
fw ctl zdebug + all |grep -A 1 "Monitor" | grep "1.1.1.1"            <<< change IP address
fw ctl zdebug + all |grep -A 2 "Monitor"
fw ctl zdebug + sync                     
fw ctl zdebug + conn |grep "After  VM:" |grep "(SYN)"
fw ctl zdebug + xlate
fw ctl zdebug + monitorall                                                     <<< use with host IP "| grep 1.1.1.1" or network range "| grep 1.1."
fw ctl zdebug + monitor                                                            <<< use with host IP "| grep 1.1.1.1" or network range "| grep 1.1."
fw ctl zdebug + filter conn | grep -A 8 "rule 1"                          <<< change rule number - show connetions to rule xyz
fw ctl zdebug + filter monitor  | grep -A 8 "rule 2"                     <<< change rule number - show connetions to rule xyz

    
Attention, if you turn on debugging, this will affect the performance of the firewall.

A list with kernel debug flags can be found here:

Kernel Debug Flags R80.10

Kernel Debug Flags R77

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Matlu
MVP Silver
MVP Silver
‎2025-09-02 09:35 AM
In response to HeikoAnkenbrand
Jump to solution

Hello, @HeikoAnkenbrand 

Is there a “debug” command for scenarios where you cannot view logs in real time with SmartConsole?

I need to “know” why a particular traffic is passing through the CLI, as I am now limited to viewing the logs in SmartConsole.

Source: 10.20.100.10
Destination: google.com

I already have a rule created, but I want to “capture” the traffic when the source tries to access google.com from the CLI, to know if the traffic exactly “MATCHES” the defined rule.

Is this possible?

Cheers

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events