Module 'fw' (Firewall)

Syntax:

fw ctl debug -m fw + {all | <List of Debug Flags>}

Flag

Description

acct

Accounting data in logs for Application Control (also enable the debug of Module 'APPI' (Application Control Inspection))

advp

Advanced Patterns (signatures over port ranges) - runs under ASPII and CMI

aspii

Accelerated Stateful Protocol Inspection Infrastructure (INSPECT streaming)

balance

ConnectControl - logical servers in kernel, load balancing

bridge

Bridge mode

bypass_timer

Universal Bypass on CoreXL Firewall Instances during load

caf

Mirror and Decrypt feature - only mirror operations on all traffic

cgnat

Carrier Grade NAT (CGN/CGNAT)

chain

Connection Chain modules, cookie chain

chainfwd

Chain forwarding - related to cluster kernel parameter fwha_perform_chain_forwarding

cifs

Processing of Microsoft Common Internet File System (CIFS) protocol

citrix

Processing of Citrix connections

cmi

Context Management Interface / Infrastructure - IPS signature manager

conn

Processing of all connections

connstats

Connections statistics for Evaluation of Heavy Connections in CPView (see sk105762)

content

Anti-Virus content inspection

context

Operations on Memory context and CPU context in Module 'kiss' (Kernel Infrastructure)

cookie

Virtual de-fragmentation, cookie issues (cookies in the data structure that holds the packets)

corr

Correction layer

cpsshi

SSH Inspection

Important - Also enable all the debug flags in Module 'CPSSH' (SSH Inspection).

cptls

CRYPTO-PRO Transport Layer Security (HTTPS Inspection) - Russian VPN GOST

crypt

Encryption and decryption of packets (algorithms and keys are printed in clear text and cipher text)

cvpnd

Processing of connections handled by the Mobile Access daemon

dfilter

Operations in the debug filters (see Kernel Debug Filters)

dlp

Processing of Data Loss Prevention connections

dnstun

DNS tunnels

domain

DNS queries

dos

DDoS attack mitigation (part of IPS)

driver

Check Point kernel attachment (access to kernel is shown as log entries)

drop

Reason for (almost) every dropped packet

drop_tmpl

Operations in Drop Templates

dynlog

Dynamic log enhancement (INSPECT logs)

epq

End Point Quarantine (also AMD)

error

General errors

event

Event App features (DNS, HTTP, SMTP, FTP)

ex

Expiration issues (time-outs) in dynamic kernel tables

fast_accel

Fast acceleration of connections

filter

Packet filtering performed by the Check Point kernel and all data loaded into kernel

ftp

Processing of FTP Data connections (used to call applications over FTP Data - i.e., Anti-Virus)

handlers

Operations related to the Context Management Interface / Infrastructure Loader

Note - Also see Module 'cmi_loader' (Context Management Interface / Infrastructure Loader).

highavail

Cluster configuration - changes in the configuration and information about interfaces during traffic processing

hold

Holding mechanism and all packets being held / released

icmptun

ICMP tunnels

if

Interface-related information (accessing the interfaces, installing a filter on an interface)

install

Driver installation - NIC attachment (actions performed by the "fw ctl install" and "fw ctl uninstall" commands)

integrity

Integrity Client (enforcement cooperation)

ioctl

IOCTL control messages (communication between kernel and daemons, loading and unloading of the FireWall)

ipopt

Enforcement of IP Options

ips

IPS logs and IPS IOCTL

ipv6

Processing of IPv6 traffic

kbuf

Kernel-buffer memory pool (for example, encryption keys use these memory allocations)

ld

Kernel dynamic tables infrastructure (reads from / writes to the tables)

Warning - Security Gateway can freeze or hang due to very high CPU load!

leaks

Memory leak detection mechanism

link

Creation of links in Connections kernel table (ID 8158)

log

Everything related to calls in the log

machine

INSPECT Virtual Machine (actual assembler commands being processed)

Warning - Security Gateway can freeze or hang due to very high CPU load!

mail

Issues with e-mails over POP3, IMAP

malware

Matching of connections to Threat Prevention Layers (multiple rulebases)

Note - Also see Module 'MALWARE' (Threat Prevention).

media

Does not apply anymore

Only on Security Gateway that runs on Windows OS:

Transport Driver Interface information (interface-related information)

memory

Memory allocation operations

mgcp

Media Gateway Control Protocol (complementary to H.323 and SIP)

misc

Miscellaneous helpful information (not shown with other debug flags)

misp

ISP Redundancy

monitor

Prints output similar to the "fw monitor" command (see fw monitor)

Note - Also enable the debug flag "misc" in this module.

monitorall

Prints output similar to the "fw monitor -p all" command (see fw monitor)

Note - Also enable the debug flag "misc" in this module.

mrtsync

Synchronization between cluster members of Multicast Routes that are added when working with Dynamic Routing Multicast protocols

msnms

MSN over MSMS (MSN Messenger protocol)

Also always enable the debug flag 'sip' in this module

multik

CoreXL-related

Note - This debug flag enables all the debug flags in the Module 'multik' (Multi-Kernel Inspection - CoreXL), except for the debug flag "packet".

nac

Network Access Control (NAC) feature in Identity Awareness

nat

NAT issues - basic information

nat_sync

NAT issues - NAT port allocation operations in Check Point cluster

nat64

NAT issues - 6in4 tunnels (IPv6 over IPv4) and 4in6 tunnels (IPv4 over IPv6)

netquota

IPS protection "Network Quota"

ntup

Non-TCP / Non-UDP traffic policy (traffic parser)

packet

Actions performed on packets (like Accept, Drop, Fragment)

packval

Stateless verifications (sequences, fragments, translations and other header verifications)

portscan

Prevention of port scanning

prof

Connection profiler for Firewall Priority Queues (see sk105762)

q

Driver queue (for example, cluster synchronization operations)

This debug flag is crucial for the debug of Check Point cluster synchronization issues

qos

QoS (FloodGate-1)

rad

Resource Advisor policy (for Application Control, URL Filtering, and others)

route

Routing issues

This debug flag is crucial for the debug of ISP Redundancy issues

sam

Suspicious Activity Monitoring

sctp

Processing of Stream Control Transmission Protocol (SCTP) connections

scv

SecureClient Verification

shmem

Currently not used

sip

VoIP traffic - SIP and H.323

Note - Also see:

smtp

Issues with e-mails over SMTP

sock

Sockstress TCP DoS attack (CVE-2008-4609)

span

Monitor mode (mirror / span port)

spii

Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure

synatk

IPS protection 'SYN Attack' (SYNDefender)

Note - Also see Module 'synatk' (Accelerated SYN Defender).

sync

Synchronization operations in Check Point cluster

Note - Also see the debug flag "sync" in Module 'CPAS' (Check Point Active Streaming).

tcpstr

TCP streaming mechanism

te

Prints the name of an interface for incoming connection from Threat Emulation Machine

tlsparser

Currently not used

ua

Processing of Universal Alcatel "UA" connections

ucd

Processing of UserCheck connections in Check Point cluster

unibypass

Universal Bypass on CoreXL Firewall Instances during load

user

User Space communication with Kernel Space (most useful for configuration and VSX debug)

utest

Currently not used

vm

Virtual Machine chain decisions on traffic going through the fw_filter_chain

wap

Processing of Wireless Application Protocol (WAP) connections

warning

General warnings

wire

Wire-mode Virtual Machine chain module

xlate

NAT issues - basic information

xltrc

NAT issues - additional information - going through NAT rulebase

zeco

Memory allocations in the Zero-Copy kernel module