In This Section: |
During a kernel debug session, Security Gateway prints special debug messages that help Check Point Support and R&D understand how the Security Gateway processes the applicable connections.
Important - In Cluster, you must configure perform the kernel debug procedure on all cluster members in the same way.
Action plan to collect a kernel debug:
Note - See the Kernel Debug Procedure, or the Kernel Debug Procedure with Connection Life Cycle.
Step |
Action |
Description |
---|---|---|
1 |
Configure the applicable debug settings:
|
In this step, you prepare the kernel debug options:
|
2 |
Configure the applicable kernel debug modules and their debug flags. |
In this step, you prepare the applicable kernel debug modules and their debug flags, so that Security Gateway collects only applicable debug messages. |
3 |
Start the collection of the kernel debug into an output file. |
In this step, you configure Security Gateway to write the debug messages from the kernel debug buffer into an output file. |
4 |
Stop the kernel debug. |
In this step, you configure Security Gateway to stop writing the debug messages into an output file. |
5 |
Restore the default kernel debug settings. |
In this step, you restore the default kernel debug options. |
To see the built-in help for the kernel debug:
|
To restore the default kernel debug settings:
|
Note - We do not recommend this because it disables even the basic default debug messages.
|
To allocate the kernel debug buffer:
fw ctl debug -buf 8200 [-v {"<List of VSIDs>" | all}] [-k] |
Notes:
To configure the debug modules and debug flags:
fw ctl debug [-d <Strings to Search>] [-v {"<List of VSIDs>" | all}] -m <Name of Debug Module> {all | + <List of Debug Flags> | - <List of Debug Flags>}
fw ctl debug [-s "<String to Stop Debug>"] [-v {"<List of VSIDs>" | all}] -m <Name of Debug Module> {all | + <List of Debug Flags> | - <List of Debug Flags>} |
Note - The list of kernel modules depends on the Software Blades you enabled on the Security Gateway.
|
|
|
|
|
To collect the kernel debug output:
fw ctl kdebug [
fw ctl kdebug [ |
fw ctl kdebug -T -f > |
fw ctl kdebug -T -f -o |
Parameters:
Note - Only supported parameters are listed.
Parameter |
Description |
---|---|
|
Controls how to disable the debug flags:
|
|
When this parameter is specified, the Security Gateway:
Notes:
|
|
When this parameter is specified, the Security Gateway:
Notes:
|
|
Specifies the name of the kernel debug module, for which you print or configure the debug flags. |
|
Specifies which debug flags to enable or disable in the specified kernel debug module:
|
|
Specifies the list of Virtual Systems. A VSX Gateway automatically filters the collected kernel debug information for debug messages only for these Virtual Systems.
Notes:
|
|
Specifies the INSPECT filter for the debug:
Notes:
|
|
The Security Gateway processes some connections in both SecureXL code and in the Host appliance code (for example, Passive Streaming Library (PSL) - an IPS infrastructure, which transparently listens to TCP traffic as network packets, and rebuilds the TCP stream out of these packets.). The Security Gateway processes some connections in only in the Host appliance code. When you use this parameter, kernel debug output contains the debug messages only from the Host appliance code. |
|
The Security Gateway processes some connections in both kernel space code and in the user space code (for example, Web Intelligence). The Security Gateway processes some connections only in the kernel space code. When you use this parameter, kernel debug output contains the debug messages only from the kernel space. Notes:
|
|
By default, when the Security Gateway prints the debug messages, the messages start with the applicable CPU ID and CoreXL FW instance ID. You can print additional fields in the beginning of each debug message. Notes:
|
|
Prints the time stamp in microseconds in front of each debug message. |
|
Collects the debug data until you stop the kernel debug in one of these ways:
|
|
Specifies the path and the name of the debug output file. Important - Always use the largest partition on the disk - |
|
Saves the collected debug data into cyclic debug output files. When the size of the current <Name of Output File> reaches the specified <Size of Each Cyclic File in KB> (more or less), the Security Gateway renames the current <Name of Output File> to <Name of Output File.0>, and creates a new <Name of Output File>. If the <Name of Output File.0> already exists, the Security Gateway renames the <Name of Output File.0> to <Name of Output File.1>, and so on - until the specified limit <Number of Cyclic Files>. When the Security Gateway reaches the <Number of Cyclic Files>, it deletes the oldest files. The valid values are:
|