Checkpoint Troubleshooting - Debugging

Checkpoint Common debugging


Kernel debugging

Usage

% fw ctl debug -buf [buffer size]
% fw ctl debug [-x] [-m ] [+|-]
% fw ctl kdebug –f >

To disable the Kernel debugging, execute:
% fw ctl debug –buf 0
% fw ctl debug x
Common Syntax
% fw ctl debug –buf 12288
% fw ctl debug –m fw conn drop ld packet if
% fw ctl kdebug –f >

The ld option may cause high CPU usage. It is advised to use it for short session debugging
only.
To execute the kernel you can also use fw ctl zdebug to allocate the buffer (where the
buffer can only be 1024).

% fw ctl zdebug
% fw ctl kdebug -f >

TDERROR_ALL_ALL=
CPD is treated differently from the other User Mode processes and will be executed
differently

Debugging CPD

CPD is a high in the hierarchichal chain and helps to execute many services, such as Secure
Internal Communcation (SIC), Licensing and status report.
For CPD debug, execute: % cpd_admin debug on TDERROR_ALL_ALL=5
The debug file is located under $CPDIR/log/cpd.elg
To stop the CPD debug, execute: % cpd_admin debug off TDERROR_ALL_ALL=1

Debugging FWM

The FWM process is responsible for the execution of the database activities of the
SmartCenter server. It is; therefore, responsible for Policy installation, Management High
Availability (HA) Synchronization, saving the Policy, Database Read/Write action, Log
Display, etc.

For FWM debug, execute:

% fw debug fwm on TDERROR_ALL_ALL=5
% fw debug fwm on OPSEC_DEBUG_LEVEL=9
The debug file is located under $FWDIR/log/fwm.elg
To stop the FWM debug, execute:
% fw debug fwm off TDERROR_ALL_ALL=1
% fw debug fwm off OPSEC_DEBUG_LEVEL=1

Debugging FWD

The FWD process is responsible for logging. It is executed in relation to logging, Security
Servers and communication with OPSEC applications.
For FWD debug, execute: % fw debug fwd debug on TDERROR_ALL_ALL=5
The debug file is located under $FWDIR/log/fwd.elg
To stop the FWD debug, execute: % fw debug fwd off TDERROR_ALL_ALL=1

FireWall Monitor Network Capturing

The FireWall Monitor is responsible for packet flow analysis.
To execute: % fw monitor –e “accept;” –o

Security Server debugging

Debugging User Authentication

Usage

Debugging is done on the service itself (in.ahttpd, in.atelnetd, in.aftpd etc.)
% fw debug on TDERROR_ALL_ALL=5
The debug file is located under: $FWDIR/log/ahttpd.elg* or $FWDIR/log/aftpd.elg* or
$FWDIR/log/atelnetd.elg* depending on the service that you are debugging.

HTTP Security Server

For HTTP Security Server debug, execute:
% fw debug in.ahttpd on TDERROR_ALL_ALL=5
% fw debug in.ahttpd on OPSEC_DEBUG_LEVEL=3
The debug file is located under: $FWDIR/log/ahttpd.elg*
If more than one HTTP Security Server process is running, execute:
% fw kill fwd
% setenv TDERROR_ALL_ALL=5
% setenv OPSEC_DEBUG_LEVEL=3
% fwd –d >&

&
Note - The setenv commands used above correlate with Unix environment. For other platforms, execute
the relevant command.

SMTP Security Server

To debug the SMTP Security Server, execute:
% fw debug in.asmtpd on TDERROR_ALL_ALL=5.
The debug file is located under $FWDIR/log/asmtpd.elg*
To debug the mdq, execute the following commands:
% fw debug mdq on TDERROR_ALL_ALL=5.
The debug file is located under $FWDIR/log/mdq.elg*

Debugging Session Authentication

To debug Session Authentication, execute:
% fw debug in.asessiond on TDERROR_ALL_ALL=5
The debug file is located under: $FWDIR/log/asessiond.elg*

Debugging Client Authentication

For HTTP to port 900, execute:
Check Point Troubleshooting and Debugging Tools for Faster Resolution. Last Update — January 24, 2006 5
% fw debug in.ahclientd on TDERROR_ALL_ALL=5
For Telnet to port 259, execute:
% fw debug in.aclientd on TDERROR_ALL_ALL=5
The debug file is located under: $FWDIR/log/ahclientd.elg*

VPN debugging

On the Module

To start, execute:

% vpn debug trunc.
This command is equivalent to these two commands: vpn debug on, vpn debug ikeon.
To stop, execute:
% vpn debug off; vpn debug ikeoff.
The debug file is located under $FWDIR/log/ike.elg and $FWDIR/log/vpnd.elg

FireWall Monitor for packet flow analysis
% fw monitor –e “accept;” –o

Client Side

The Client side can only run under the root directory (C :/…)
To start, execute:
% sc debug on
To stop, execute:
% sc debug off
The debug file is located under sr_service_tde.log, under the SecuRemote installation
folder, for example: C:\Program files\CheckPoint\SecuRemote.
For packet capture from the Client side, execute:
% srfw monitor -e "accept;" -o

Provider-1 debugging

MDS Level

Most of the MDS actions are performed by the MDS’s fwm process, execute:
% mdsenv
% fw debug mds on TDERROR_ALL_ALL=5
% fw debug mds on OPSEC_DEBUG_LEVEL=9
The debug file is located under /opt/CPsuit-R60/fw1/log/mds.elg
Check Point Troubleshooting and Debugging Tools for Faster Resolution. Last Update — January 24, 2006 6

ClusterXL debugging

For ClusterXL debugging for Clustering, Synchronization, High Availability, Fail-over,
execute:
% cphaprob state
% cphaprob -ia list
% cphaprob -a if
% fw ctl pstat
Kernel debug for packet filter analysis
% fw ctl debug –buf 12288
% fw ctl debug –m fw conn drop packet if sync
% fw ctl debug –m cluster all
% fw ctl kdebug –f >

Connectra debugging

For Connectra debugging issues relating to Web, files, Webmail, OWA, iNotes, Citrix, the
httpd process should be debugged:
To turn the debug on, under: $CVPNDIR/conf/httpd.conf change LogLevel to debug.
You should execute the process: cvpnrestart
The output is located at: $CVPNDIR/log/httpd.log
For debugging authentication issues, execute: Debug cvpnd
Run: cvpnd_admin debugset TDERROR_ALL_ALL=5
To start, execute: % cvpnrestart
The debug file is located under $CVPNDIR/log/cvpnd.elg
To stop debug, run:
% cvpnd_admin debug off

FireWall-1 GX debugging

Kernel debug for packet filter analysis
Check Point Troubleshooting and Debugging Tools for Faster Resolution.

% fw ctl debug –buf 12288
% fw ctl debug –m fw conn drop ld packet filter
% fw ctl kdebug –T –f >

InterSpect debugging

Kernel debug for packet filter analysis
% fw ctl debug –buf 12288
% fw ctl debug –m fw conn drop packet if
% fw ctl kdebug –f >

Additional kernel debug options for InterSpect:
• portscan, for port scanning issues
• dynlog, for dynamic logging
• mail, for mail security in the kernel
• sam, for SAM IP address blocking
Kernel debug for Packet Drop, execute:
% fw ctl zdebug + drop
Kernel debug for SmartDefense TCP Streaming, execute:
% fw ctl zdebug + tcpstr + cifs
Kernel debug for Dynamic list (SAM), execute:
% fw tab -t sam_requests_v2 -u -f
% fw samp

SNX – SSL Network Extender debugging

Server Side

% vpn debug trunc
% vpn debug on slim=5
Debug can be found at $FWDIR/log/vpnd.elg.
You should execute vpn debug on [DEBUG_TOPIC=5]. The relevant debug topics are:
proxy, rasta, rasta_protocol and slim.)

Client Side

For the service:
Type regedit at the command prompt and set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cpextender\parameters\d
bg_level to 5
Open the Command Line interface window and execute:
Check Point Troubleshooting and Debugging Tools for Faster Resolution. Last Update — January 24, 2006 8
% net stop cpextender
% net start cpextender (or kill slimsvc.exe)
The debug file is located under:
%Program Files%\CheckPoint\SSL Network Extender\slimsvc.log
For the ActiveX: (only when using ActiveX with Internet Explorer), type regedit at the
command prompt and set the following:
% set HKEY_CURRENT_USER\Software\CheckPoint\SSL Network
Extender\parameters\dbg_level to 5
The debug file is located under %APPDATA%\Check Point\extender\activex.log.
For the Applet: (when using the Applet version) SNX can be used by Microsoft JVM or by
other vendors (SUN, IBM…). To view the Java console when using Microsoft JVM you
need to check Java console enabled (requires restart) in the Internet Options Advanced tab
and restart Internet Explorer. You can also switch between the different JVMs (in case you
have two or more) in the same tab.

Further Debugging – Memory Diagnostics

The following utilities applies to all non-Windows systems supported by Check Point:
% free
% vmstat 2 10
% sar –k 2 10
% top
% ps -auxw
% cat /proc/meminfo
% cat /proc/slabinfo

Routing information

% arp –a
% netstat –ie