Kernel Debug Syntax

Description:

During a kernel debug session, Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster Member Security Gateway that is part of a cluster. / Scalable Platform Security Group Member prints special debug messages that help Check Point Support and R&D understand how it processes the applicable connections.

Important:

In Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure and perform the kernel debug procedure on all cluster members in the same way.
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Action plan to collect a kernel debug:

Note - See the Kernel Debug Procedure, or the Kernel Debug Procedure with Connection Life Cycle.

Step	Action	Instructions
1	Configure the applicable debug settings: Restore the default settings. Allocate the debug buffer.	In this step, you prepare the kernel debug options: Restore the default debug settings, so that any other debug settings do not interfere with the kernel debug. Allocate the kernel debug buffer, in which Security Gateway / Cluster Member / each Security Group Member holds the applicable debug messages.
2	Configure the applicable kernel debug modules and their debug flags.	In this step, you prepare the applicable kernel debug modules and their debug flags, so that Security Gateway / Cluster Member / each Security Group Member collects only applicable debug messages.
3	Start the collection of the kernel debug into an output file.	In this step, you configure Security Gateway / Cluster Member / each Security Group Member to write the debug messages from the kernel debug buffer into an output file.
4	Stop the kernel debug.	In this step, you configure Security Gateway / Cluster Member / each Security Group Member to stop writing the debug messages into an output file.
5	Restore the default kernel debug settings.	In this step, you restore the default kernel debug options.

To restore the default kernel debug settings

To reset all debug flags and enable only the default debug flags in all kernel modules:

On the Security Gateway / each Cluster Member, run in the Expert mode:

fw ctl debug 0

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl debug 0

To disable all debug flags including the default flags in all kernel modules:

Best Practice - Do not run this command, because it disables even the basic default debug messages.

Syntax for the Security Gateway / each Cluster Member:

fw ctl debug -x

Syntax for the Scalable Platform Security Group:

g_fw ctl debug -x

To allocate the kernel debug buffer

On the Security Gateway / each Cluster Member, run in the Expert mode:

fw ctl debug -buf 8200 [-v {"<List of VSIDs>" | all} -k]

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl debug -buf 8200 [-v {"<List of VSIDs>" | all} -k]

Notes:

Security Gateway / Cluster Member / each Security Group Member allocates the kernel debug buffer with the specified size for each CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Firewall instance.
The maximal supported buffer size is 8192 kilobytes..

To configure the debug modules and debug flags

General syntax:

On the Security Gateway / each Cluster Member, run in the Expert mode:

fw ctl debug [-d <Strings to Search>] [-v {"<List of VSIDs>" | all} -k] [-k] -m <Name of Debug Module> {all | + <List of Debug Flags> | - <List of Debug Flags>}

fw ctl debug [-s "<String to Stop Debug>"] [-v {"<List of VSIDs>" | all} -k] [-k] -m <Name of Debug Module> {all | + <List of Debug Flags> | - <List of Debug Flags>}

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl debug [-d <Strings to Search>] [-v {"<List of VSIDs>" | all} -k] [-k] -m <Name of Debug Module> {all | + <List of Debug Flags> | - <List of Debug Flags>}

g_fw ctl debug [-s "<String to Stop Debug>"] [-v {"<List of VSIDs>" | all} -k] [-k] -m <Name of Debug Module> {all | + <List of Debug Flags> | - <List of Debug Flags>}

To see a list of all debug modules and their flags:

Note - The list of kernel modules depends on the Software Blades you enabled on the Security Gateway / ClusterXL / Security Group.

On the Security Gateway / each Cluster Member, run in the Expert mode:

fw ctl debug -m

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl debug -m

To see a list of debug flags that are already enabled:

On the Security Gateway / each Cluster Member, run in the Expert mode:

fw ctl debug

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl debug

To enable all debug flags in the specified kernel module:

On the Security Gateway / each Cluster Member, run in the Expert mode:

fw ctl debug -m <Name of Debug Module> all

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl debug -m <Name of Debug Module> all

To enable the specified debug flags in the specified kernel module:

On the Security Gateway / each Cluster Member, run in the Expert mode:

fw ctl debug -m <Name of Debug Module> + <List of Debug Flags>

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl debug -m <Name of Debug Module> + <List of Debug Flags>

To disable the specified debug flags in the specified kernel module:

On the Security Gateway / each Cluster Member, run in the Expert mode:

fw ctl debug -m <Name of Debug Module> - <List of Debug Flags>

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl debug -m <Name of Debug Module> - <List of Debug Flags>

To collect the kernel debug output in Gateway mode

General syntax (only supported parameters are listed):

On the Security Gateway / each Cluster Member, run in the Expert mode:

fw ctl kdebug [-p <List of Fields>] [-k] [-T] -f -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl kdebug [-p <List of Fields>] [-k] [-T] -f -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

To start the collection of the kernel debug into an output file:

On the Security Gateway / each Cluster Member, run in the Expert mode:

fw ctl kdebug [-k] -T -f > /<Path>/<Name of Output File>

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl kdebug [-k] -T -f > /<Path>/<Name of Output File>

To start collecting the kernel debug into cyclic output files:

On the Security Gateway / each Cluster Member, run in the Expert mode:

fw ctl kdebug [-k] -T -f -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl kdebug [-k] -T -f -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

To collect the kernel debug output in VSX mode - from specific Virtual Systems

General syntax (only supported parameters are listed):

On the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. / each VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster Member, run in the Expert mode:

fw ctl kdebug [-p <List of Fields>] -v {"<List of VSIDs>" | all} -k [-T] -f -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

On the Scalable Platform Security Group in VSX mode, run in the Expert mode:

g_fw ctl kdebug [-p <List of Fields>] -v {"<List of VSIDs>" | all} -k [-T] -f -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

To start the collection of the kernel debug into an output file:

On the VSX Gateway / each VSX Cluster Member, run in the Expert mode:

fw ctl kdebug -v {"<List of VSIDs>" | all} -k -T -f > /<Path>/<Name of Output File>

On the Scalable Platform Security Group in VSX mode, run in the Expert mode:

g_fw ctl kdebug -v {"<List of VSIDs>" | all} -k -T -f > /<Path>/<Name of Output File>

To start collecting the kernel debug into cyclic output files:

On the VSX Gateway / each VSX Cluster Member, run in the Expert mode:

fw ctl kdebug -v {"<List of VSIDs>" | all} -k -T -f -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

On the Scalable Platform Security Group in VSX mode, run in the Expert mode:

g_fw ctl kdebug -v {"<List of VSIDs>" | all} -k -T -f -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

Parameters

Note - Only supported parameters are listed.

Parameter

Description

0 | -x

Controls how to disable the debug flags:

0

Resets all debug flags and enables only the default debug flags in all kernel modules.

-x

Disables all debug flags, including the default flags in all kernel modules.

Best Practice - Do not use the "-x" parameter, because it disables even the basic default debug messages.

-d <Strings to Search>

When you specify this parameter, the Security Gateway / Cluster Member / Security Group:

Examines the applicable debug messages based on the enabled kernel debug modules and their debug flags.
Collects only debug messages that contain at least one of the specified strings into the kernel debug buffer.
Writes the entire kernel debug buffer into the output file.

Notes:

These strings can be any plain text (not a regular expression) that you see in the debug messages.

Separate the applicable strings by commas without spaces:

-d String1,String2,...,StringN

You can specify up to 10 strings, up to 250 characters in total.

-s "<String to Stop Debug>"

When you specify this parameter, the Security Gateway / Cluster Member / Security Group:

Collects the applicable debug messages into the kernel debug buffer based on the enabled kernel debug modules and their debug flags.
Does not write any of these debug messages from the kernel debug buffer into the output file.
Stops collecting all debug messages when it detects the first debug message that contains the specified string in the kernel debug buffer.
Writes the entire kernel debug buffer into the output file.

Notes:

This one string can be any plain text (not a regular expression) that you see in the debug messages.
String length is up to 50 characters.

-m <Name of Debug Module>

Specifies the name of the kernel debug module, for which you print or configure the debug flags.

{all | + <List of Debug Flags> | - <List of Debug Flags>}

Specifies which debug flags to enable or disable in the specified kernel debug module:

all

Enables all debug flags in the specified kernel debug module.

+ <List of Debug Flags>

Enables the specified debug flags in the specified kernel debug module.

You must press the space bar key after the plus (+) character:

+ <Flag1> [<Flag2> ... <FlagN>]

Example: + drop conn

- <List of Debug Flags>

Disables the specified debug flags in the specified kernel debug module.

You must press the space bar key after the minus (-) character:

- <Flag1> [<Flag2> ... <FlagN>]

Example: - conn

-v {"<List of VSIDs>" | all -k}

Specifies the list of Virtual Systems.

A VSX Gateway automatically filters the collected kernel debug information for debug messages only for these Virtual Systems.

-v "<List of VSIDs>"

Monitors the messages only from the specified Virtual Systems.

To specify the Virtual Systems, enter their VSID number separated with commas and without spaces:

"VSID1[,VSID2,VSID3,...,VSIDn]"

Example: -v "1,3,7"

-v all

Monitors the messages from all configured Virtual Systems.

Notes:

This parameter is supported only in VSX mode.
If you use this parameter "-v", you must also uses the parameter "-k" (see below).

-e <Expression>

-i <Name of Filter File>

-i -

-u

Specifies the INSPECT filter for the debug:

-e <Expression>

Specifies the INSPECT filter. See the R81 CLI Reference Guide > section "fw monitor".
-i <Name of Filter File>

Specifies the file that contains the INSPECT filter.
-i -

Specifies that the INSPECT filter arrives from the standard input.

The Security Gateway / Cluster Member / Security Group prompts to enter the INSPECT filter on the screen.
-u - Removes the INSPECT debug filter.

Notes:

These are legacy parameters ("-e" and "-i").
When you use these parameters ("-e" and "-i"), the Security Gateway / Cluster Member / Security Group cannot apply the specified INSPECT filter to the accelerated traffic.
For new debug filters, see Kernel Debug Filters.

-z

The Security Gateway / Cluster Member / Security Group processes some connections in both SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. code and in the Host appliance code (for example, Passive Streaming Library (PSL) - an IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). infrastructure, which transparently listens to TCP traffic as network packets, and rebuilds the TCP stream out of these packets.).

The Security Gateway / Cluster Member / Security Group processes some connections in only in the Host appliance code.

When you use this parameter, kernel debug output contains the debug messages only from the Host appliance code.

-k

The Security Gateway / Cluster Member / Security Group processes some connections in both kernel space code and in the user space code (for example, Web Intelligence).

The Security Gateway / Cluster Member / Security Group processes some connections only in the kernel space code.

When you use this parameter, kernel debug output contains the debug messages only from the kernel space.

Note - You must use this parameter to collect the SecureXL debug messages in VSX mode.

-p <List of Fields>

By default, when the Security Gateway / Cluster Member / Security Group prints the debug messages, the messages start with the applicable CPU ID and CoreXL Firewall instance ID.

You can print additional fields in the beginning of each debug message.

Notes:

These fields are available:

all, proc, pid, date, mid, type, freq, topic, time, ticks, tid, text, errno, host, vsid, cpu.
When you specify the applicable fields, separate them with commas and without spaces:

Field1,Field2,...,FieldN
The more fields you specify, the higher the load on the CPU and on the hard disk.

-T

Prints the time stamp in microseconds in front of each debug message.

Best Practice - Always use this parameter to make the debug analysis easier.

-f

Collects the debug data until you stop the kernel debug in one of these ways:

When you press the CTRL+C keys.
When you run the "fw ctl debug 0" command.
When you run the "fw ctl debug -x" command.
When you kill the "fw ctl kdebug" process.

-o /<Path>/<Name of Output File>

Specifies the path and the name of the debug output file.

Best Practice - Always use the largest partition on the disk - /var/log/. The Security Gateway / Cluster Member / Security Group can generate many debug messages within short time. As a result, the debug output file can grow to large size very fast.

-o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

Saves the collected debug data into cyclic debug output files.

When the size of the current <Name of Output File> reaches the specified <Size of Each Cyclic File in KB> (more or less), the Security Gateway / Cluster Member / Security Group renames the current <Name of Output File> to <Name of Output File>.0 and creates a new <Name of Output File>.

If the <Name of Output File>.0 already exists, the Security Gateway renames the <Name of Output File>.0 to <Name of Output File>.1, and so on - until the specified limit <Number of Cyclic Files>. When the Security Gateway reaches the <Number of Cyclic Files>, it deletes the oldest files.

The valid values are:

<Number of Cyclic Files> - from 1 to 999
<Size of Each Cyclic File in KB> - from 1 to 2097150