Kernel Debug Filters

By default, kernel debug output contains information about all processed connections.

You can configure filters for kernel debug to collect debug messages only for the applicable connections.

There are three types of debug filters:

• By connection tuple parameters

• By an IP address parameter

• By a VPN peer parameter

To configure these kernel debug filters, assign the desired values to the applicable kernel parameters before you start the kernel debug. You assign the values to the applicable kernel parameters temporarily with the "g_fw ctl set" command.

Notes:

• The Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. supports up to five debug filters in total (from all types).

• The Security Gateway applies these debug filters to both the non-accelerated and accelerated traffic.

• The Security Gateway applies these debug filters to Kernel Debug Procedure with Connection Life Cycle.

To configure debug filter of the type "By connection tuple parameters":

The Security Gateway processes connections based on the 5-tuple:

• Source IP address

• Source Port (see IANA Service Name and Port Number Registry)

• Destination IP address

• Destination Port (see IANA Service Name and Port Number Registry)

• Protocol Number (see IANA Protocol Numbers)

This debug filter lets you filter by these tuple parameters:

Tuple Parameter	Syntax for Kernel Parameters
Source IP address	g_fw ctl set str simple_debug_filter_saddr_<N> "<IPv4 or IPv6 Address>"
Source Ports	g_fw ctl set int simple_debug_filter_sport_<N> <1-65535>
Destination IP address	g_fw ctl set str simple_debug_filter_daddr_<N> "<IPv4 or IPv6 Address>"
Destination Ports	g_fw ctl set int simple_debug_filter_dport_<N> <1-65535>
Protocol Number	g_fw ctl set int simple_debug_filter_proto_<N> <0-254>

Notes:

• <N> is an integer between 1 and 5. This number is an index for the configured kernel parameters of this type.

• When you specify IP addresses, you must enclose them in double quotes.

• You can configure one or more (up to 5) of these kernel parameters at the same time.

  Example 1:

  Configure one Source IP address (simple_debug_filter_saddr_1), one Destination IP address (simple_debug_filter_daddr_1), and one Protocol Number (simple_debug_filter_proto_1).

  Example 2:

  Configure one Source IP address (simple_debug_filter_saddr_1), two Destination IP addresses (simple_debug_filter_daddr_2 and simple_debug_filter_daddr_3), and two Destination Ports (simple_debug_filter_dport_2 and simple_debug_filter_dport_3).

• When you configure kernel parameters with the same index <N>, the debug filter is a logical "AND" of these kernel parameters.

  In this case, the final filter matches only one direction of the processed connection.

  Example 1:

  simple_debug_filter_saddr_1 <Value X> AND simple_debug_filter_daddr_1 <Value Y>

  Example 2:

  simple_debug_filter_saddr_1 <Value X> AND simple_debug_filter_dport_1 <Value Y>

• When you configure kernel parameters with the different indices <N>, the debug filter is a logical "OR" of these kernel parameters.

  This means that if it is necessary for the final filter to match both directions of the connection, you must configure the applicable debug filters for both directions.

  Example 1:

  simple_debug_filter_saddr_1 <Value X> OR simple_debug_filter_daddr_2 <Value Y>

  Example 2:

  simple_debug_filter_saddr_1 <Value X> OR simple_debug_filter_dport_2 <Value Y>

• For information about the Port Numbers, see IANA Service Name and Port Number Registry.

• For information about the Protocol Numbers, see IANA Protocol Numbers.

To configure debug filter of the type "By an IP address parameter":

This debug filter lets you filter by one IP address.

Syntax for Kernel Parameters:

g_fw ctl set str simple_debug_filter_addr_<N> "<IPv4 or IPv6 Address>"

Notes:

• <N> is an integer between 1 and 3. This number is an index for the configured kernel parameters of this type.

• You can configure one, two, or three of these kernel parameters at the same time.

  Example 1:

  Configure one Source IP address (simple_debug_filter_addr_1).

  Example 2:

  Configure one Source IP address (simple_debug_filter_addr_1) and one Destination IP address (simple_debug_filter_addr_2).

• You must enclose the IP addresses in double quotes.

To configure debug filter of the type "By a VPN peer parameter":

This debug filter lets you filter by one IP address.

Syntax for Kernel Parameters:

g_fw ctl set str simple_debug_filter_vpn_<N> "<IPv4 or IPv6 Address>"

Notes:

• <N> is an integer - 1 or 2. This number is an index for the configured kernel parameters of this type.

• You can configure one or two of these kernel parameters at the same time.

  Example 1:

  Configure one VPN peer (simple_debug_filter_vpn_1).

  Example 2:

  Configure two VPN peers (simple_debug_filter_vpn_1 and simple_debug_filter_vpn_2).

• You must enclose the IP addresses in double quotes.

To disable all debug filters:

You can disable all the configured debug filters of all types.

Syntax for Kernel Parameter:

g_fw ctl set int simple_debug_filter_off 1

Usage Example

The kernel debug must show the information about the connection from Source IP address 192.168.20.30 from any Source Port to Destination IP address 172.16.40.50 to Destination Port 80 (192.168.20.30:<Any> --> 172.16.40.50:80).

Run these commands before you start the kernel debug:

g_fw ctl set int simple_debug_filter_off 1   g_fw ctl set str simple_debug_filter_saddr_1 "192.168.20.30"   g_fw ctl set str simple_debug_filter_daddr_2 "172.16.40.50"   g_fw ctl set int simple_debug_filter_dport_1 80

Important - In the above example, the indexes <N> of the kernel parameters simple_debug_filter_saddr_<N> and simple_debug_filter_daddr_<N>are different, because we want the debug filter to match both directions of this connection.