- Products
- Learn
- Local User Groups
- Partners
-
More
This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
- Products
- Learn
- Local User Groups
- Upcoming Events
- Americas
- EMEA
- Czech Republic and Slovakia
- Denmark
- Netherlands
- Germany
- Sweden
- United Kingdom and Ireland
- France
- Spain
- Norway
- Ukraine
- Baltics and Finland
- Greece
- Portugal
- Austria
- Kazakhstan and CIS
- Switzerland
- Romania
- Turkey
- Belarus
- Belgium & Luxembourg
- Russia
- Poland
- Georgia
- DACH - Germany, Austria and Switzerland
- Iberia
- Africa
- Adriatics Region
- Cloud Mates
- Eastern Africa
- Israel
- APAC
- Partners
- More
- ABOUT CHECKMATES & FAQ
- Sign In
- Leaderboard
- Events
Celebrate the New Year
With CheckMates!
Value of Security
Vendor Self-Awareness
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
Mobile Security
Buyer's Guide Out Now
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- CheckMates
- :
- Products
- :
- Network Security
- :
- Security Gateways
- :
- "fw ctl zdebug" Helpful Command Combinations
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
HeikoAnkenbrand
Champion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2018-06-13
02:46 AM
"fw ctl zdebug" Helpful Command Combinations
"fw ctl zdebug" is a powertool that is not exhausted from being used with "fw ctl zdebug drop". There is not much to be found in Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, the insert should be used with care. It starts a debugging in the background until it is aborted with CTRL+C. On productive systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.
What happens when you execute! It is a macro that executes the following commands:
fw ctl debug -buf 1024
fw ctl debug [The option behind "fw ctl zdebug"]
fw ctl kdebug -f
[Wait until CTRL+C is pressed]
fw ctl debug 0
Node:
A current list with kernel debug flags can be found here.
Here are some good examples for debugging:
fw ctl zdebug + packet
fw ctl zdebug + packet | grep -B 1 TCP |grep -B 1 "(SYN)" <<< change SYN-ACK,ACK,FIN,... and/or UDP,TCP...
fw ctl zdebug + all |grep -A 1 "Monitor" | grep "1.1.1.1" <<< change IP address
fw ctl zdebug + all |grep -A 2 "Monitor"
fw ctl zdebug + sync
fw ctl zdebug + conn |grep "After VM:" |grep "(SYN)"
fw ctl zdebug + xlate
fw ctl zdebug + monitorall <<< use with host IP "| grep 1.1.1.1" or network range "| grep 1.1."
fw ctl zdebug + monitor <<< use with host IP "| grep 1.1.1.1" or network range "| grep 1.1."
fw ctl zdebug + filter conn | grep -A 8 "rule 1" <<< change rule number - show connetions to rule xyz
fw ctl zdebug + filter monitor | grep -A 8 "rule 2" <<< change rule number - show connetions to rule xyz
Attention, if you turn on debugging, this will affect the performance of the firewall.
Regards,
12 Replies
Ariel_Soller
Explorer
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2018-06-13
05:26 AM
Hi Heiko,
That's super interesting!
Are there any other "fw ctl zdebug" commands?
GG27
Contributor
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2018-06-15
05:15 AM
Hello mates,
That's very useful post, but I don't understand what the reason is why there's no official documentation in SK
Thanks Heiko for your post
Reply
PhoneBoy
Admin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2018-06-15
07:04 AM
fw ctl zdebug options are documented in the topic-specific ATRGs in SecureKnowledge.
HeikoAnkenbrand
Champion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2018-06-16
04:07 AM
Principle all debug modules are possible for debugging with „fw ctl zdebug“.
„fw ctl debug -h“ shows all current kernel debugging options for modules and instances.
You can use various combinations.
Unfortunately, the commands are only mentioned in few SK's. Try it out here. I have described the most important ones above.
I would be pleased about new interesting combinations.
Regards,
Kai_O_
Participant
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2018-06-18
05:29 AM
It's a great tool. I didn't know you could do so much with it. I have only worked with "fw ctl zdebug drop" and did not recognize the potentiality.
Thanks for the info.
JozkoMrkvicka
Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2018-08-12
07:26 AM
fw ctl zdebug drop = debug of IPv4 connections
fw6 ctl zdebug drop = debug of IPv6 connections.
all flags and options listed here should be also valid for IPv6 (fw6).
Kind regards,
Jozko Mrkvicka
Jozko Mrkvicka
Don_Paterson
Advisor
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2018-12-05
08:11 AM
Nice post. Thanks Heiko.
In the original post there is this line:
fw ctl debug [The option behind "fw ctl zdebug"]
Is that not more like a fw ctl debug -m fw [options/flags] ?
I think I remember the zdebug focuses on the fw kernel module but I think I also remember that some other kernel module debug flags may also be set.
I know that the (DON'T DO THIS IN PRODUCTION) option of 'fw ctl zdebug all' adds debug flags to three or four other kernel modules but not all.
The fw module gets all debug flags set in that case.
fw ctl zdebug -m CPAS all would be required if, for example, the CPAS module was interesting for a full debug. The command above would not then be of use.
What is the monitorall option doing?
Regards,
Don
PhoneBoy
Admin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2018-12-05
10:18 AM
I think it's just turning up the debug level a bit.
Achilles_Tagg
Participant
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2019-03-27
07:35 PM
This is very useful! Thanks for sharing... .
Maarten_Sjouw
Champion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2019-03-28
09:16 AM
Very nice Heiko.
I think that the most useful part of using the command is that when you stop the debug you are running it really stops all debugging, so you cannot forget to turn it off again.
I think that the most useful part of using the command is that when you stop the debug you are running it really stops all debugging, so you cannot forget to turn it off again.
Regards, Maarten
Yoel_Maaravi
Participant
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2019-09-05
11:04 PM
fw ctl zdebug + monitorall -> shows many fw chain modules
Reply
Solo
Explorer
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2019-12-11
06:31 PM
so helpful,thanks.
Reply
"fw ctl zdebug" Helpful Command Combinations
"fw ctl zdebug" is a powertool that is not exhausted from being used with "fw ctl zdebug drop". There is not much to be found in Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, the insert should be used with care. It starts a debugging in the background until it is aborted with CTRL+C. On productive systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.
What happens when you execute! It is a macro that executes the following commands:
fw ctl debug -buf 1024
fw ctl debug [The option behind "fw ctl zdebug"]
fw ctl kdebug -f
[Wait until CTRL+C is pressed]
fw ctl debug 0
Node:
A current list with kernel debug flags can be found here.
Here are some good examples for debugging:
fw ctl zdebug + packet
fw ctl zdebug + packet | grep -B 1 TCP |grep -B 1 "(SYN)" <<< change SYN-ACK,ACK,FIN,... and/or UDP,TCP...
fw ctl zdebug + all |grep -A 1 "Monitor" | grep "1.1.1.1" <<< change IP address
fw ctl zdebug + all |grep -A 2 "Monitor"
fw ctl zdebug + sync
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY
©1994-2020 Check Point Software Technologies Ltd. All rights reserved.
Copyright
Privacy Policy
Facts at a Glance
User Center