Create a Post
Showing results for 
Search instead for 
Did you mean: 
Jump to solution

Troubleshooting dropped packets in Checkpoint using zdebug

Ever wished you had more insight into the traffic getting dropped by your Checkpoint Firewall?

Read on to learn a very powerful tool you to your rescue known as zdebug.

The fw ctl zdebug drop command lists all dropped packets in real time and explains the reasons for the drop

Use the expert mode fw ctl zdebug drop  CLI command to set all the debugs flags and get an output on the command line.

The syntax for the command is:

[Expert@hostname]# fw ctl zdebug + <flags>


where <flags> could be any fw module flag.


For Example: The most common usage is the drop command:

[Expert@hostname]# fw ctl zdebug + drop


If you want to see drops only for a single IP use the grep filter:

[Expert@hostname]# fw ctl zdebug + drop | grep X.X.X.X


Replace X.X.X.X with the IP you want to filter for.


If you still cannot see the traffic, then most likely traffic is not even hitting the firewall. To verify, you can use tcmdump utility to capture packets:

Open a new session and:

[Expert@hostname]# tcpdump -nni any host x.x.x.x -s0 -w /var/log/tcpdump1.pcap


Note: The zdebug starts a debug in the background until it is stopped using CTRL + C.


Note: When I did CTRL +C to stop the captures, I got the following notification:



 Next time perform for exit: "fw ctl debug 0"


 Cannot unset debug filter

 Cannot unset debug filter


So you might need to do this as well to completely stop all debugs:

[Expert@hostname]# fw ctl debug 0


Defaulting all kernel debugging options

Debug state was reset to default.

PPAK 0: Get before set operation succeeded of simple_debug_filter_off

30 Replies

I think it works as on regular Gaia, just tried it this week and was fine.

0 Kudos