Thanks. But I am not sure the fwm load <policy package name> <taget gw or cluster name> is still valid for a full policy install after R77.30 (so R80 and R80.x) - with or without -d for a onetime debug of the load/install task.

cpm_debug.sh may also be needed for a comprehensive debug of a policy compilation and installation.

Anyway, I am asking Check Point if they plan to in any way simplify the debug process in general.

I appreciate that they offer much more enhanced debug capabilities than competitors but if it can be made any easier then that would be a nice-to-have 'feature'. 

I would assume that CP tries to make debugs as simple as possible with a combination of very different products - if several different processes and daemons are each handling a part of the task chain it will get more complicated. To have one debug command fitting it all could be a valid RFE (you can suggest it here: https://rfe.checkpoint.com/rfe/rfe.htm), but it strongly reminds me of little childrens dreams of father Christmas 😉...

Ah, the old public RFE link 😀 😉

I appreciate what you have said and there are some interesting (good) things happening when doing debugs that you have to have a closer look to actually notice. An example is the ips debug (-o output.txt) command setting the fw kernel module flags vm drop spii cmi aspii advp ips in order to simplify the debug (I guess). Another example is setting flags on one kernel module can actually result in other kernel modules, but you have to run fw ctl debug to see those changes.

But then you wonder if that procedure will get forgotten about (not get updated) when updates to the software/product occur, which may not be the case if it was part of a global debug infrastructure (single root command or one repo). 

Maybe one script repo/director for all debug options (like we are seeing now in R80.x with the $FWDIR/scripts directory) for all processes would be good.

Of course fw ctl debug (zdebug) is always there/available but then we look at the user space processes and wonder why there are different commands for each daemon, apart from fw debug fwd and fw debug fwm of course...

Sounds good 🙂

A bash script will do. Maybe it is already out there or in here. Always impressed with the information available on Check Mates and great to see the sharing going on.

Otherwise I always refer to memory or saved debug procedures, or do what TAC tells me when it is not obvious and is broken.

Thanks Dameon,

I understand what you are saying. But...

We are seeing things change so fast these days that we have to relearn many things. Check Point is not excluded.
That is not a bad thing because of all the changes in technology. That does bring more technology and so it seems to make the unified debug option more important.
There's that word unified 🙂

In R77 and older if I wanted to debug a policy install I would run:
fwm -d load PolicyName GatewayName or ClusterName
That was it.
Maybe an fw debug fwm on TDERROR_ALL_ALL=5 etc. but not much else.

This is the way it has been recommended (by Check Point) for me to do the policy install bug now.
There are at least a dozen steps:
Connect to the command line on the management server.
Backup the current $FWDIR/conf/tdlog.cpm file.
Edit the current file: vi $FWDIR/conf/tdlog.cpm
Change the logLevelInstalPolicy line to logLevelInstalPolicy=debug
Save the changes and exit the Vi editor.
Run commands to set and verify the required debug environment variable:
Export INTERNAL_POLICY_LOADING=1
ECHO $INTERNAL_POLICY_LOADING
Start the fwm debug: fw debug fwm on TDERROR_ALL_ALL=5
Use the appropriate syntax to verify the policy under debug.
Take all relevant outputs and screenshots.
Stop the fwm debug (fw debug fwm off).
unset INTERNAL_POLICY_LOADING environment variable (was set with =1).
Revert the original $FWDIR/conf/tdlog.cpm file.
cp –v $FWDIR/conf/tdlog.cpm $FWDIR/conf/tdlog.cpm_DEBUG
cp –vf $FWDIR/conf/tdlog.cpm_ORIGINAL $FWDIR/conf/tdlog.cpm
Send files to Check Point Support for analysis.

UPDATE:

Replying to my own reply here.

This is to acknowledge that Heiko has indeed posted the post (link pasted in below) regarding command line policy install in R80.x.

It is also mentioned above, in this thread. Thanks Nick 🙂

The procedure is 'one extra line' before the old version style command for CLI policy installation (fwm load)  and that will then also allow for us to run it in debug mode (fwm load -d) on the CLI.

The 'one extra line':

export INTERNAL_POLICY_LOADING=1

to be followed by (non-debug, which includes about a dozen lines of output):

fwm load <policy-name> <gateway/cluster-name>

The debug version (fwm load -d) gives us over 15,000 lines of output, which is great, but the question is - does that debug the whole procedure of policy install on the SMS?

For example, does that cover the CPM involvment (cpm debug) in the policy install (the DB dump part), in case that is relevant, without invoking the cpm_debug.sh debug script

I am sure TAC and R&D have procedures.

I am asking for clarity regarding the recommended debug procedure for policy installation (if an official recommendation is possible) and out of curiosity.

I can't give a use case. I just know that in the past and fwm load -d has given enough info to help out with diagnostics on site.

https://community.checkpoint.com/t5/Policy-Management/R80-x-Debug-policy-installation-on-gateway/m-p...

I would open an informational TAC case if this is very important to you 8)

@Don_Paterson I am not sure which question you want Check Point to answer. Any chance we ask it again, please?

Hi Val,

How about this:

Will there ever be a single command, for example 'debug' to use for debugging anything (and everything) in the Security Management and MDSM and Security Gateway products?

Justification:

The product has increased in complexity and is changing fast.

A structured debug process would surely help.

More info:

Take for example the debug procedure above, as one example of a more complicated debug procedure compared to R77 (older versions)

Another example is if we consider the number of software architectural changes in recent versions and looking at SecureXL and the Kernel workings in general (UMFW and new fwaccel paths added) and how complex it might become to debug various aspects of those. Maybe that is not a good example but having a common debug procedure change with the software development and not the other way around seems to make sense.

Hope that helps.

Regards,

Don

Not an official answer, but a personal opinion: very unlikely. 

I understand the growing complexity argument, and I think you need to adjust your approach . For myself, I have given up my thrive to debug R80.x management since it first appeared. It becomes way too heavy for deal with for a regular customer, and even for a trained engineer. 

Here is my argument:

1. On the field, one needs to troubleshoot, not to debug
2. The main purpose of troubleshooting is to understand where the problem is coming from
   1. If it is a config issue, one can probably fix it
   2. If not a config issue, support should fix it
3. In case troubleshooting is above one's skills, move the case to TAC

For TAC support engineers, mastering debugging tools is much easier for mane reasons: they do it on a daily basis, they are very close to the source code, they have internal know-how and documentation. 

For customers, I do not think debugging skills should be a priority. Maintaining those skills require practice, lots of training and hands-on time, and also poses lots of risks, if done in production.

I have been teaching troubleshooting courses for a decade, and my firm belief is that customers do not need 90% of debugging techniques they are exposed to.

Most importantly, from liability and risk management perspective, it is much better to let your support partner or TAC engineer to  debug than doing it yourself. If something goes wrong... 🙂

One need a good understanding of architecture and dependancies to troubleshoot. Java debug level 6 is too much to ask from a network engineer, let TAC and developers to give you a hand here.

I understand this is not an answer you would like to get. 

Fair enough, @Don_Paterson. 

From a development point of view, we are talking about a mixture of different codes, software layers and programming languages. Unification of debug commands would require a huge all-through R&D project, and as I tried to explain, this effort is too much it terms of actual field need.

I would rather have my developers producing new secure features 🙂

Well well, look at that. More new daemons and unique debug commands to go with it 🙂

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CLI_ReferenceGuide/Topics-CL...

ike debug

Attention, quoting from Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)

In R81.10 we added a feature to improve VPN performance - named CCCD

This feature is disabled by default, and we know about few advanced customers who are using it.

Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!

YOU MUST DISABLE CCCD TO BECOME PROTECTED!

Instructions below and also on SK182336:

Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled.

If the output differs, stop the CCCD process by running the vpn cccd disable command.

More info by the link above.