cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted

Debug

Is there a plan to simplify the debug processes / procedures in the main train products or would it be a good idea to consider adding this? In other words, will there ever be a single command, for example 'debug' to use for debugging anything (and everything) in the Security Management and MDSM and Security Gateway products. Reason for asking is that it seems to be sometimes complicated to run a debug, which a customer may want to do in order to resolve issues themselves without getting support involved. Debugging fwd or fwm for example is fairly straightforward but a full debug of a policy installation has become much more complicated since R80. Thanks, Don
0 Kudos
5 Replies
Highlighted

Re: Debug

@HeikoAnkenbrand has simplified the process of debugging policy installation on R80.x versions here:

https://community.checkpoint.com/t5/Policy-Management/R80-x-Debug-policy-installation-on-gateway/m-p...

Regarding a general debug, you can create a script consisting of several things to check which can then be run by the customer if needed.

*Please note that such a script however would place a tremendous load on the box's resources. If they warn of such consequences in the event of running a kernel debug you can appreciate what impact one could cause by debugging even more items at the same time.

0 Kudos
Highlighted

Re: Debug

Thanks. But I am not sure the fwm load <policy package name> <taget gw or cluster name> is still valid for a full policy install after R77.30 (so R80 and R80.x) - with or without -d for a onetime debug of the load/install task.

cpm_debug.sh may also be needed for a comprehensive debug of a policy compilation and installation.

Anyway, I am asking Check Point if they plan to in any way simplify the debug process in general.

I appreciate that they offer much more enhanced debug capabilities than competitors but if it can be made any easier then that would be a nice-to-have 'feature'. 

0 Kudos
Highlighted

Re: Debug

I would assume that CP tries to make debugs as simple as possible with a combination of very different products - if several different processes and daemons are each handling a part of the task chain it will get more complicated. To have one debug command fitting it all could be a valid RFE (you can suggest it here: https://rfe.checkpoint.com/rfe/rfe.htm), but it strongly reminds me of little childrens dreams of father Christmas 😉...

0 Kudos
Highlighted

Re: Debug

Ah, the old public RFE link 😀 😉

I appreciate what you have said and there are some interesting (good) things happening when doing debugs that you have to have a closer look to actually notice. An example is the ips debug (-o output.txt) command setting the fw kernel module flags vm drop spii cmi aspii advp ips in order to simplify the debug (I guess). Another example is setting flags on one kernel module can actually result in other kernel modules, but you have to run fw ctl debug to see those changes.

But then you wonder if that procedure will get forgotten about (not get updated) when updates to the software/product occur, which may not be the case if it was part of a global debug infrastructure (single root command or one repo). 

Maybe one script repo/director for all debug options (like we are seeing now in R80.x with the $FWDIR/scripts directory) for all processes would be good.

Of course fw ctl debug (zdebug) is always there/available but then we look at the user space processes and wonder why there are different commands for each daemon, apart from fw debug fwd and fw debug fwm of course...

 

0 Kudos
Highlighted

Re: Debug

I'm sure people would pay good money for a GUI app that allows you to step thru what you want to debug, then spit out the applicable commands. 😉

 

 

0 Kudos