Module "VPN" (Site-to-Site VPN and Remote Access VPN)

Syntax

• On the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / each Cluster Member Security Gateway that is part of a cluster., run in the Expert mode:

  fw ctl debug -m VPN + {all | <List of Debug Flags>}

• On the Scalable Platform Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected., run in the Expert mode:

  g_fw ctl debug -m VPN + {all | <List of Debug Flags>}

Flag	Description
cluster	Events related to cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.
comp	Compression for encrypted connections
counters	Various status counters (typically for real-time Monitoring)
cphwd	Traffic acceleration issues (in hardware)
driver	Check Point kernel attachment (access to kernel is shown as log entries)
err	Errors that should not happen, or errors that critical to the working of the VPN module
gtp	Processing of GPRS Tunneling Protocol (GTP) connections Note - In addition, see Module "gtp" (GPRS Tunneling Protocol)
ifnotify	Notifications about the changes in interface status - up or down (as received from OS)
ike	Enables all IKE kernel debug in respect to moving the IKE to the interface, where it will eventually leave and the modification of the source IP of the IKE packet, depending on the configuration
ike_trace	Processing of IKE Security Associations
iked	Processing of IKE packets in the IKED daemon
iked_trap	Processing of IKE packets in the IKED daemon
init	Initializes the VPN kernel and kernel data structures, when kernel is up, or when policy is installed (in addition, it prints the values of the flags that are set using the CPSET upon policy reload)
l2tp	Processing of L2TP connections
lsv	Large Scale VPN (LSV)
mem	Allocation of VPN pools and VPN contexts
mspi	Information related to creation and destruction of MSA / MSPI
multicast	VPN multicast
multik	Information related to interaction between VPN and CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Notes: In a cluster, enable the debug flag "multik" in the Module "cluster" (ClusterXL). If you use the QoS Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities., enable the debug flag "multik" in the Module "fg" (FloodGate-1 - QoS).
nat	NAT issues , cluster IP manipulation (Cluster Virtual IP address <=> Member IP address)
om_alloc	Allocation of Office Mode IP addresses
osu	Cluster Optimal Service Upgrade (see sk107042)
packet	Events that can happen for every packet, unless covered by more specific debug flags
pcktdmp	Prints the encrypted packets before the encryption Prints the decrypted packets after the decryption
policy	Events that can happen only for a special packet in a connection, usually related to policy decisions or logs / traps
queue	Handling of Security Association (SA) queues
rdp	Processing of Check Point RDP connections
ref	Reference counting for MSA / MSPI, when storing or deleting Security Associations (SAs)
resolver	VPN Link Selection table and Certificate Revocation List (CRL), which is part of the peer resolving mechanism
route	Packet routing
rsl	Operations on Range Skip List
sas	Information about keys and Security Associations (SAs)
sr	SecureClient / SecureRemote related issues
tagging	Sets the VPN policy of a connection according to VPN communities, VPN Policy related information
tcpt	Information related to TCP Tunnel (Visitor mode - FireWall traversal on TCP port 443)
tnlmon	VPN tunnel monitoring
topology	VPN Link Selection
vin	Does not apply anymore Only on Security Gateway that runs on Windows OS: Information related to IPSec NIC interaction
warn	General warnings