Achilles_Tagg
Participant

Useful debug commands in Check Point

Please share useful debug commands in the Check Point CLI, if any.

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion

"fw ctl zdebug" is a power tool that is not exhausted by being used with "fw ctl zdebug drop". There is not much to be found in the Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, it should be used with care. It starts debugging in the background until it is aborted with CTRL+C. On production systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.

"fw ctl zdebug" Helpful Command Combinations

fw ctl zdebug + packet
fw ctl zdebug + packet | grep -B 1 TCP | grep -B 1 "(SYN)"   <<< change SYN-ACK,ACK,FIN,... and/or UDP,TCP...
fw ctl zdebug + all | grep -A 1 "Monitor" | grep "1.1.1.1"   <<< change IP address
fw ctl zdebug + all | grep -A 2 "Monitor"
fw ctl zdebug + sync
fw ctl zdebug + conn | grep "After  VM:" | grep "(SYN)"
fw ctl zdebug + xlate
fw ctl zdebug + monitorall   <<< use with host IP "| grep 1.1.1.1" or network range "| grep 1.1."
fw ctl zdebug + monitor   <<< use with host IP "| grep 1.1.1.1" or network range "| grep 1.1."
fw ctl zdebug + filter conn | grep -A 8 "rule 1"   <<< change rule number - show connections to rule xyz
fw ctl zdebug + filter monitor | grep -A 8 "rule 2"   <<< change rule number - show connections to rule xyz

    
Attention, if you turn on debugging, this will affect the performance of the firewall.

A list with kernel debug flags can be found here:

Kernel Debug Flags R80.10

Kernel Debug Flags R77

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips


9 Replies
G_W_Albrecht
Legend

Debug command for which blade ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

And do not forget that fw ctl zdebug - this is wrong...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
jordi_Torres_Ba
Explorer

Thanks for your time and help.

0 Kudos
Timothy_Hall
Legend

How can this epic CheckMates thread not be included:

My Top 3 Check Point CLI commands

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos