Kernel Debug Filters
By default, kernel debug output contains information about all processed connections.
You can configure filters for kernel debug to collect debug messages only for the applicable connections.
There are three types of debug filters:
-
By connection tuple parameters
-
By an IP address parameter
-
By a VPN peer parameter
To configure these kernel debug filters, assign the applicable values to the applicable kernel parameters before you start the kernel debug.
You assign the values to the applicable kernel parameters temporarily with the "fw ctl set
" command.
|
Notes:
|
|
Best Practice - It is usually simpler to set the Connection Tuple and Host IP Address filters from within the " |
To configure debug filter of the type "By connection tuple parameters":
A Security Gateway processes connections based on the 5-tuple:
-
Source IP address
-
Source Port (see IANA Service Name and Port Number Registry)
-
Destination IP address
-
Destination Port (see IANA Service Name and Port Number Registry)
-
Protocol Number (see IANA Protocol Numbers)
With this debug filter you can filter by these tuple parameters:
Tuple Parameter |
Syntax for Kernel Parameters |
---|---|
Source IP address |
|
Source Ports |
|
Destination IP address |
|
Destination Ports |
|
Protocol Number |
|
|
Notes:
|
To configure debug filter of the type "By an IP address parameter":
With this debug filter you can filter by one IP address, which is either the source or the destination IP address of the packet.
Syntax for Kernel Parameters:
|
|
Notes:
|
To configure debug filter of the type "By a VPN peer parameter":
With this debug filter you can filter by one IP address.
Syntax for Kernel Parameters:
|
|
Notes:
|
To disable all debug filters:
You can disable all the configured debug filters of all types.
Syntax for Kernel Parameter:
|
Usage Example
It is necessary to show in the kernel debug the information about the connection from Source IP address 192.168.20.30 from any Source Port to Destination IP address 172.16.40.50 to Destination Port 80 (192.168.20.30:<Any> --> 172.16.40.50:80).
Run these commands before you start the kernel debug:
|
|
Important - In the above example, two Connection Tuple filters are used (" |