SecureXL Debug Procedure

Procedure

1. Connect to the command line on your Security Gateway

   Use an SSH or a console connection.

   Best Practice - Use a console connection.

2. Log in to the Expert mode

   If the default shell is Gaia Clish, then run:

   expert

3. Reset all kernel debug flags in all kernel debug modules

   Run:

   fw ctl debug 0

4. Reset all the SecureXL debug flags in all SecureXL debug modules

   • For all SecureXL instances, run:

     fwaccel dbg resetall

   • For a specific SecureXL instance, run:

     fwaccel -i <SecureXL ID> dbg resetall

5. Allocate the kernel debug buffer

   Run:

   fw ctl debug -buf 8200 [-v {"<List of VSIDs>" | all}]

   Note - The optional part "-v {"<List of VSIDs>" | all}" is to specify the applicable Virtual Systems on a VSX Gateway or VSX Cluster Member.

6. Make sure the Security Gateway allocated the kernel debug buffer

   Run:

   fw ctl debug | grep buffer

7. Configure the applicable kernel debug modules and kernel debug flags

   Run:

   fw ctl debug -m <Name of Kernel Debug Module> {all | + <Kernel Debug Flags>}

8. Configure the applicable SecureXL debug modules and SecureXL debug flags

   • For all SecureXL instances, run:

     fwaccel dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}

   • For a specific SecureXL instance, run:

     fwaccel -i <SecureXL ID> dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}

   See SecureXL Debug Modules and Debug Flags.

9. Examine the kernel debug configuration for kernel debug modules

   Run:

   fw ctl debug

10. Examine the SecureXL debug configuration for SecureXL debug modules

    • For all SecureXL instances, run:

      fwaccel dbg list

    • For a specific SecureXL instance, run:

      fwaccel -i <SecureXL ID> dbg list

11. Remove all entries from both the Firewall Connections table and SecureXL Connections table

    Run:

    fw tab -t connections -x -y

    Important: This step makes sure that you collect the debug of the real issue that is not affected by the existing connections. This command deletes all existing connections. This interrupts all connections, including the SSH. Run this command only if you are connected over a serial console to your Security Gateway.

12. Remove all entries from the Firewall Templates table

    Run:

    fw tab -t cphwd_tmpl -x -y

    Note - This command does not interrupt the existing connections. This step makes sure that you collect the debug of the real issue that is not affected by the existing connection templates.

13. Start the kernel debug

    Run:

    fw ctl kdebug -T -f > /var/log/kernel_debug.txt

14. Replicate the issue, or wait for the issue to occur

    Perform the steps that cause the issue to occur, or wait for it to occur.

15. Stop the kernel debug

    Press CTRL+C.

16. Reset all kernel debug flags in all kernel debug modules

    Run:

    fw ctl debug 0

17. Reset all the SecureXL debug flags in all SecureXL debug modules

    • For all SecureXL instances, run:

      fwaccel dbg resetall

    • For a specific SecureXL instance, run:

      fwaccel -i <SecureXL ID> dbg resetall

18. Examine the kernel debug configuration to make sure it returned to the default

    Run:

    fw ctl debug

19. Examine the SecureXL debug configuration to make sure it returned to the default

    • For all SecureXL instances, run:

      fwaccel dbg list

    • For a specific SecureXL instance, run:

      fwaccel -i <SecureXL ID> dbg list

20. Collect and analyze the debug output file

    Path to the debug output file:

    /var/log/kernel_debug.txt

    Best Practice - Compress this file with the "tar -zxvf" command and transfer it from the Security Gateway to your computer. If you transfer to an FTP server, do so in the binary mode.