Don_Paterson
MVP Gold

Kernel debug - zdebug - F filtering not working in R82 T44

I am doing a zdebug and wanting to filter with -F.

In the past that worked well for me but not on the R82 SG VM today.

fw ctl zdebug -T + drop -F "192.168.99.199,0,1.2.3.4,0,0"

EDIT:

I left out + drop in my original post but I believe the problem is still there. Added + drop in above.

When I do this I see drops, but not only the desired drops:

fw ctl zdebug -T + drop

END OF EDIT.

Conclusion:
The filters are confirmed to be enabled/active but don't work (regardless of quotations or not around the filter):

Simple Debug Filter Is Activated
Tuple Protocol Source:Port      Destination:Port
(1)        * 192.168.99.199:*          1.2.3.4:*

 

I have to do this to get the filtered output (as opposed to no output at all from the above command):

fw ctl debug 0
fw ctl set str simple_debug_filter_daddr_1 1.2.3.4
fw ctl set str simple_debug_filter_saddr_1 192.168.99.199
fw ctl debug -buf 8200
fw ctl debug | grep buf
fw ctl debug -m fw + drop
fw ctl ndebug -T -o /var/log/ndebug-debug-drop.txt

--- ping to get the drop -----

CTRL + C
fw ctl debug 0
more /var/log/ndebug-debug-drop.txt

 

 

12 Replies
PhoneBoy
Admin

Sounds like a bug.
Yes, I know it's a lab, but was a TAC case opened?

0 Kudos
Don_Paterson
MVP Gold

No. I haven't opened a case. 

Only been updating some procedures and learning and testing. 

Can you give someone in RnD a nudge?

0 Kudos
the_rock
MVP Platinum

Hey Don aka Steve,

I just tried it in my lab R82 jumbo 44 and it did not give any errors, appears as command would actually work.

Best,
Andy
0 Kudos
Don_Paterson
MVP Gold

Hi Andy,

Did you do a zdebug with the -T and -F and a filter in quotes?

I've seen fw monitor not work because of quotes used around the actual filter but not zdebug.

Cheers,

Don

 

0 Kudos
the_rock
MVP Platinum

I did, yes.

Best,
Andy
0 Kudos
Don_Paterson
MVP Gold

OK, you will see I edited my post (I left off the + drop in my original post (but not in my testing lab!)).

This is the command to test, with IP addresses relevant to your lab of course.

fw ctl zdebug -T + drop -F "192.168.99.199,0,1.2.3.4,0,0"

 

0 Kudos
Don_Paterson
MVP Gold

And you know I am gonna ask for a screenshot 😄

 

0 Kudos
the_rock
MVP Platinum

For any Don or Steve out there, NO charge 😉

**********************************************

[Expert@CP-GW:0]# cpinfo -yfw1

This is Check Point CPinfo Build 914000250 for GAIA
[FW1]
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_R82_JUMBO_HF_MAIN Take: 44
HOTFIX_UCA_SSH_TUNNELING_SERVICE_AUTOUPDATE
HOTFIX_UCA_SSH_TUNNELING_APP_AUTOUPDATE
HOTFIX_UCA_INFRA_MONITOR_SERVICE_AUTOUPDATE
HOTFIX_UCA_INFRA_LOG_SERVICE_AUTOUPDATE
HOTFIX_UCA_INFRA_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point's software version R82 - Build 010
kernel: R82 - Build 008

[Expert@CP-GW:0]# fw ctl zdebug -T + drop -F "192.168.99.199,0,1.2.3.4,0,0"
Defaulting all kernel debugging options, may take a while
Debug state was reset to default.
PPAK 0: Get before set operation succeeded of simple_debug_filter_off
Initialized kernel debugging buffer to size 1023K
fw ctl set string simple_debug_filter_saddr_1 192.168.99.199 -a
PPAK 0: Get before set operation succeeded of simple_debug_filter_saddr_1
fw ctl set int simple_debug_filter_sport_1 0 -a
PPAK 0: Get before set operation succeeded of simple_debug_filter_sport_1
fw ctl set string simple_debug_filter_daddr_1 1.2.3.4 -a
PPAK 0: Get before set operation succeeded of simple_debug_filter_daddr_1
fw ctl set int simple_debug_filter_dport_1 0 -a
PPAK 0: Get before set operation succeeded of simple_debug_filter_dport_1
fw ctl set int simple_debug_filter_proto_1 0 -a
PPAK 0: Get before set operation succeeded of simple_debug_filter_proto_1
VPN Simple Debug Filter Not Activated
-----------------------------------------------------
Simple Debug Filter Is Activated
Tuple Protocol Source:Port Destination:Port
(1) * 192.168.99.199:* 1.2.3.4:*
(2) NOT DEFINED
(3) NOT DEFINED
(4) NOT DEFINED
(5) NOT DEFINED

Number IP Address
(1) NOT DEFINED
(2) NOT DEFINED
(3) NOT DEFINED
-----------------------------------------------------
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;0.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
@;1.0;kiss_debug_report: start
^C
Next time perform for exit: "fw ctl debug 0"

cpdev_wait_ioctl_done_mq: ack select failed 17, Interrupted system call

cpdev_user_ioctl_mq: failed to receive ack, Interrupted system call, op 3222829798

cpdev_user_ioctl: ioctl failed to device /vs0/dev/fw0
: Interrupted system call
Defaulting all kernel debugging options, may take a while
Debug state was reset to default.
PPAK 0: Get before set operation succeeded of simple_debug_filter_off
[Expert@CP-GW:0]#

 

Best,
Andy
Don_Paterson
MVP Gold

The end goal is to get a dropped packet and see the debug output for it.

That's the part I am not seeing unless I remove the filter altogether.

 

This is not happening unless I do the long multi-command debug or zdebug without -F:

@;160127.214;20Nov2025 12:33:30.690271;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.99.199:1 -> 1.2.3.4:0 dropped by fw_send_log_drop Reason: Rulebase drop - dropped due to 'drop optimization';

0 Kudos
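
An added example, not part of the thread or of Check Point's tooling: a shell post-filter that applies the same five-field tuple as -F to saved, unfiltered debug output, plus a helper that prints the kernel parameters the tuple maps to, in the form echoed by the zdebug run quoted above. It assumes IPv4 drop lines in the fw_log_drop_ex format shown in this thread; the function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Filter syntax follows -F:
# "saddr,sport,daddr,dport,proto", where 0 means "any" (shown as * above).

# First line is the drop quoted in the thread; the second is constructed.
SAMPLE_LINES="@;160127.214;20Nov2025 12:33:30.690271;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.99.199:1 -> 1.2.3.4:0 dropped by fw_send_log_drop Reason: Rulebase drop - dropped due to 'drop optimization';
@;160128.001;20Nov2025 12:33:31.000000;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 10.0.0.5:5353 -> 224.0.0.251:5353 dropped by fw_send_log_drop Reason: Rulebase drop - constructed sample;
@;0.0;kiss_debug_report: start"

# Print the kernel parameters that tuple slot 1 expands to, as echoed by
# the zdebug run in the thread. This only prints text; it runs nothing.
filter_to_params() {
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    [ $# -eq 5 ] || { echo "filter needs 5 comma-separated fields" >&2; return 2; }
    echo "fw ctl set string simple_debug_filter_saddr_1 $1 -a"
    echo "fw ctl set int simple_debug_filter_sport_1 $2 -a"
    echo "fw ctl set string simple_debug_filter_daddr_1 $3 -a"
    echo "fw ctl set int simple_debug_filter_dport_1 $4 -a"
    echo "fw ctl set int simple_debug_filter_proto_1 $5 -a"
}

# Read debug output on stdin and print only the drop lines matching the tuple.
filter_drops() {
    awk -v filter="$1" '
    function ok(want, got) { return want == "0" || (want "") == (got "") }
    BEGIN {
        if (split(filter, f, ",") != 5) {
            print "filter needs 5 comma-separated fields" > "/dev/stderr"
            exit 2
        }
    }
    {
        i = index($0, "Packet proto=")
        if (i == 0) next                      # not a drop line
        n = split(substr($0, i + length("Packet proto=")), w, " ")
        if (n < 4 || w[3] != "->") next       # unexpected layout
        # IPv4 only: exactly one colon separates address and port
        if (split(w[2], s, ":") != 2 || split(w[4], d, ":") != 2) next
        if (ok(f[1], s[1]) && ok(f[2], s[2]) && ok(f[3], d[1]) &&
            ok(f[4], d[2]) && ok(f[5], w[1])) print
    }'
}

# Demo on the sample lines: prints only the 192.168.99.199 -> 1.2.3.4 drop.
printf '%s\n' "$SAMPLE_LINES" | filter_drops "192.168.99.199,0,1.2.3.4,0,0"
```

The same function can read the capture file from the multi-command procedure in the first post, for example `filter_drops "192.168.99.199,0,1.2.3.4,0,0" < /var/log/ndebug-debug-drop.txt`.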
the_rock
MVP Platinum

If I test with an IP that's blocked, I do get results as expected.

Best,
Andy
0 Kudos
_Val_
Admin

Regardless of the common practice of using zdebug, it is an internal, unsupported tool, and should not be used in the first place. 

I was quite vocal about that for years, for example, here in 2017

 

Your list of commands, however, is legit, and this is how you should run debug, always.

the_rock
MVP Platinum

I still recall the lively discussion we had about this back in 2023 lol

https://community.checkpoint.com/t5/Security-Gateways/Troubleshooting-dropped-packets-in-Checkpoint-...

Best,
Andy
0 Kudos
