SecureXL Debug Procedure

By default, SecureXL writes the output debug information to the /var/log/messages file.

To collect the applicable SecureXL debug and to make its analysis easier, perform the steps below.

Note - For more information, see the R80.20 Next Generation Security Gateway Guide - Chapter Kernel Debug on Security Gateway.

Important:

We strongly recommend to schedule a full maintenance window to minimize the impact on your production traffic.
We strongly recommend to connect over serial console to your Security Gateway.
This is to avoid a possible issue when you cannot work with the CLI because of a high load on the CPU.
In cluster, you must collect this debug from all Cluster Members in the same way.
Debug the specific SecureXL instance only when you are sure that only that SecureXL instance processes the traffic.

Procedure:

Step	Description
1	Connect to the command line on you Security Gateway.
2	Log in to the Expert mode.
3	Reset all kernel debug flags in all kernel debug modules: `fw ctl debug 0`
4	Reset all the SecureXL debug flags in all SecureXL debug modules. For all SecureXL instances: `fwaccel dbg resetall` For a specific SecureXL instance: `fwaccel -i` <SecureXL ID> `dbg resetall`
5	Allocate the kernel debug buffer: `fw ctl debug -buf 8200 [-v {"<`List of VSIDs`>" \| all}]`
6	Make sure the Security Gateway allocated the kernel debug buffer: `fw ctl debug \| grep buffer`
7	Configure the applicable kernel debug modules and kernel debug flags: `fw ctl debug -m <`Name of Kernel Debug Module`> {all \| + <`Kernel Debug Flags`>}`
8	Configure the applicable SecureXL debug modules and SecureXL debug flags. For all SecureXL instances: `fwaccel dbg -m <`Name of SecureXL Debug Module`> {all \| + <`SecureXL Debug Flags`>}` For a specific SecureXL instance: `fwaccel -i` <SecureXL ID> `dbg -m <`Name of SecureXL Debug Module`> {all \| + <`SecureXL Debug Flags`>}`
9	Examine the kernel debug configuration for kernel debug modules: `fw ctl debug`
10	Examine the SecureXL debug configuration for SecureXL debug modules. For all SecureXL instances: `fwaccel dbg list` For specific SecureXL instance: `fwaccel -i` <SecureXL ID> `dbg list`
11	Remove all entries from both the Firewall Connections table and SecureXL Connections table: `fw tab -t connections -x -y` Important: This step makes sure that you collect the debug of the real issue that is not affected by the existing connections. This command deletes all existing connections. This interrupts all connections, including the SSH. Run this command only if you are connected over a serial console to your Security Gateway.
12	Remove all entries from the Firewall Templates table: `fw tab -t cphwd_tmpl -x -y` Note - This command does not interrupt the existing connections. This step makes sure that you collect the debug of the real issue that is not affected by the existing connection templates.
13	Start the kernel debug: `fw ctl kdebug -T -f > /var/log/kernel_debug.txt`
14	Replicate the issue, or wait for the issue to occur.
15	Stop the kernel debug: Press CTRL+C.
16	Reset all kernel debug flags in all kernel debug modules: `fw ctl debug 0`
17	Reset all the SecureXL debug flags in all SecureXL debug modules. For all SecureXL instances: `fwaccel dbg resetall` For specific SecureXL instance: `fwaccel -i` <SecureXL ID> `dbg resetall`
18	Examine the kernel debug configuration to make sure it returned to the default: `fw ctl debug`
19	Examine the SecureXL debug configuration to make sure it returned to the default. For all SecureXL instances: `fwaccel dbg list` For specific SecureXL instance: `fwaccel -i` <SecureXL ID> `dbg list`
20	Collect and analyze the debug output file: `/var/log/kernel_debug.txt`