SecureXL Debug Procedure
By default, SecureXL (the Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through the Security Gateway) writes the output debug information to the /var/log/messages file.
To collect the applicable SecureXL debug and to make its analysis easier, follow the steps below.
Note - For the complete debug procedure, see the R81.20 Quantum Security Gateway Guide - Chapter "Kernel Debug".
Important:
Procedure
- Connect to the command line on your Security Gateway / each Cluster Member / Scalable Platform Security Group
  Use an SSH or a console connection.
  Best Practice - Use a console connection.
  Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.
- Reset all kernel debug flags in all kernel debug modules
  - On the Security Gateway / each Cluster Member, run:
    fw ctl debug 0
  - On the Scalable Platform Security Group, run:
    g_fw ctl debug 0
- Reset all the SecureXL debug flags in all SecureXL debug modules
  - On the Security Gateway / each Cluster Member:
    fwaccel dbg resetall
  - On the Scalable Platform Security Group:
    g_fwaccel dbg resetall
- Allocate the kernel debug buffer
  - On the Security Gateway / each Cluster Member, run:
    fw ctl debug -buf 8200 [-v {"<List of VSIDs>" | all}]
  - On the Scalable Platform Security Group, run:
    g_fw ctl debug -buf 8200 [-v {"<List of VSIDs>" | all}]
  Note - The optional part "-v {"<List of VSIDs>" | all}" specifies the applicable Virtual Systems on a VSX Gateway (a physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices; it holds at least one Virtual System, which is called VS0) or VSX Cluster Member. VSX (Virtual System Extension) is the Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts.
- Make sure the Security Gateway allocated the kernel debug buffer
  - On the Security Gateway / each Cluster Member, run:
    fw ctl debug | grep buffer
  - On the Scalable Platform Security Group, run:
    g_fw ctl debug | grep buffer
- Configure the applicable kernel debug modules and kernel debug flags
  - On the Security Gateway / each Cluster Member, run:
    fw ctl debug -m <Name of Kernel Debug Module> {all | + <Kernel Debug Flags>}
  - On the Scalable Platform Security Group, run:
    g_fw ctl debug -m <Name of Kernel Debug Module> {all | + <Kernel Debug Flags>}
- Configure the applicable SecureXL debug modules and SecureXL debug flags
  - On the Security Gateway / each Cluster Member:
    fwaccel dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}
  - On the Scalable Platform Security Group:
    g_fwaccel dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}
- Examine the kernel debug configuration for kernel debug modules
  - On the Security Gateway / each Cluster Member, run:
    fw ctl debug
  - On the Scalable Platform Security Group, run:
    g_fw ctl debug
- Examine the SecureXL debug configuration for SecureXL debug modules
  - On the Security Gateway / each Cluster Member:
    fwaccel dbg list
  - On the Scalable Platform Security Group:
    g_fwaccel dbg list
- Remove all entries from both the Firewall Connections table and SecureXL Connections table
  Important:
    - This step makes sure that you collect the debug of the real issue that is not affected by the existing connections.
    - This command deletes all existing connections. This interrupts all connections, including the SSH. Run this command only if you are connected over a serial console to your Security Gateway / each Cluster Member / Scalable Platform Security Group Members.
  - On the Security Gateway / each Cluster Member, run:
    fw tab -t connections -x -y
  - On the Scalable Platform Security Group, run:
    g_fw tab -t connections -x -y
- Remove all entries from the Firewall Templates table
  Note - This command does not interrupt the existing connections. This step makes sure that you collect the debug of the real issue that is not affected by the existing connection templates.
  - On the Security Gateway / each Cluster Member, run:
    fw tab -t cphwd_tmpl -x -y
  - On the Scalable Platform Security Group, run:
    g_fw tab -t cphwd_tmpl -x -y
- Start the kernel debug
  In Gateway mode:
  - On the Security Gateway / each Cluster Member, run:
    fw ctl kdebug -T -f -o /var/log/kernel_debug.txt
  - On the Scalable Platform Security Group, run:
    g_fw ctl kdebug -T -f -o /var/log/kernel_debug.txt
  In VSX mode - for specific Virtual Systems:
  - On the VSX Gateway / each VSX Cluster Member, run:
    fw ctl kdebug -v {"<List of VSIDs>" | all} -k -T -f -o /var/log/kernel_debug.txt
  - On the Scalable Platform Security Group in VSX mode, run:
    g_fw ctl kdebug -v {"<List of VSIDs>" | all} -k -T -f -o /var/log/kernel_debug.txt
- Replicate the issue, or wait for the issue to occur
  Perform the steps that cause the issue to occur, or wait for it to occur.
- Stop the kernel debug
  Press CTRL+C.
- Reset all kernel debug flags in all kernel debug modules
  - On the Security Gateway / each Cluster Member, run:
    fw ctl debug 0
  - On the Scalable Platform Security Group, run:
    g_fw ctl debug 0
- Reset all the SecureXL debug flags in all SecureXL debug modules
  - On the Security Gateway / each Cluster Member:
    fwaccel dbg resetall
  - On the Scalable Platform Security Group:
    g_fwaccel dbg resetall
- Examine the kernel debug configuration to make sure it returned to the default
  - On the Security Gateway / each Cluster Member, run:
    fw ctl debug
  - On the Scalable Platform Security Group, run:
    g_fw ctl debug
- Examine the SecureXL debug configuration to make sure it returned to the default
  - On the Security Gateway / each Cluster Member:
    fwaccel dbg list
  - On the Scalable Platform Security Group:
    g_fwaccel dbg list
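The procedure up to this point, as an added wrapper script for Gateway mode (an example written for this page, not Check Point code). The names securexl_debug, run, reset_debug, DRY_RUN, OUT and CLEAR_CONNS are assumptions of the example; the debug module and flag names are supplied by the operator, and VSX mode is not covered.

```shell
#!/bin/bash
# Added example (not Check Point code): Gateway-mode wrapper for the steps above.
# DRY_RUN=1 (default) only prints the commands; use DRY_RUN=0 on the gateway itself.
DRY_RUN="${DRY_RUN:-1}"
OUT="${OUT:-/var/log/kernel_debug.txt}"

run() {                       # echo the command, execute it unless dry-run
    echo "+ $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

reset_debug() {               # return kernel and SecureXL debug to the defaults
    run "${P}fw" ctl debug 0
    run "${P}fwaccel" dbg resetall
}

# securexl_debug <gw|sp> <kernel module> <kernel flags|all> <SecureXL module> <SecureXL flags|all>
securexl_debug() (
    P=""; kf="+ $3"; sf="+ $5"
    if [ "$1" = sp ]; then P="g_"; fi       # Scalable Platform uses the g_ commands
    if [ "$3" = all ]; then kf=all; fi
    if [ "$5" = all ]; then sf=all; fi
    trap 'reset_debug' EXIT                 # reset the flags if the wrapper exits early
    trap ':' INT                            # CTRL+C stops kdebug, not this wrapper

    reset_debug
    run "${P}fw" ctl debug -buf 8200
    echo "+ ${P}fw ctl debug | grep buffer"
    if [ "$DRY_RUN" != 1 ]; then "${P}fw" ctl debug | grep buffer || exit 1; fi
    run "${P}fw" ctl debug -m "$2" $kf      # unquoted on purpose: one word per flag
    run "${P}fwaccel" dbg -m "$4" $sf
    run "${P}fw" ctl debug
    run "${P}fwaccel" dbg list
    # Deletes every connection, including SSH: opt-in, serial console only.
    if [ "${CLEAR_CONNS:-0}" = 1 ]; then run "${P}fw" tab -t connections -x -y; fi
    run "${P}fw" tab -t cphwd_tmpl -x -y
    echo "Replicate the issue, then press CTRL+C" >&2
    run "${P}fw" ctl kdebug -T -f -o "$OUT" || true   # ends when CTRL+C is pressed

    trap - EXIT                             # normal path: reset, then show the config
    reset_debug
    run "${P}fw" ctl debug
    run "${P}fwaccel" dbg list
)
```

Review the dry-run output before executing with DRY_RUN=0; the connection table flush runs only when CLEAR_CONNS=1 is set.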
- Analyze the debug output files
  Transfer these files from the Security Gateway / each Cluster Member / each Security Group Member to your computer:
    /var/log/kernel_debug.txt
    /var/log/messages*
    $FWDIR/log/fwk.elg*
    /var/log/usim_x86.elg*
  Best Practice - Compress these files with the "tar -zcvf" command and transfer the archive from the Security Gateway / each Cluster Member / each Security Group Member to your computer. If you transfer to an FTP server, do so in the binary mode.