Module 'fw' (Firewall)

Syntax

On the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / each Cluster Member Security Gateway that is part of a cluster., run in the Expert mode:

fw ctl debug -m fw + {all | <List of Debug Flags>}

On the Scalable Platform Security Group, run in the Expert mode:

g_fw ctl debug -m fw + {all | <List of Debug Flags>}

Flag

Description

acct

Accounting data in logs for Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI. (in addition, enable the debug of Module 'APPI' (Application Control Inspection))

advp

Advanced Patterns (signatures over port ranges) - runs under ASPII and CMI

aspii

Accelerated Stateful Protocol Inspection Infrastructure (INPSECT streaming)

balance

ConnectControl - logical servers in kernel, load balancing

bridge

Bridge mode Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology.

bypass_timer

Universal Bypass on CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Firewall Instances during load

caf

Mirror and Decrypt feature - only mirror operations on all traffic

cgnat

Carrier Grade NAT (CGN/CGNAT)

chain

Connection Chain modules, cookie chain

chainfwd

Chain forwarding - related to cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. kernel parameter fwha_perform_chain_forwarding

cifs

Processing of Microsoft Common Internet File System (CIFS) protocol

citrix

Processing of Citrix connections

cmi

Context Management Interface (1) Interface on a Gaia Security Gateway or Cluster member, through which Management Server connects to the Security Gateway or Cluster member. (2) Interface on Gaia computer, through which users connect to Gaia Portal or CLI. / Infrastructure - IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). signature manager

conn

Processing of all connections

connstats

Connections statistics for Evaluation of Heavy Connections in CPView (see sk105762)

content

Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. content inspection

context

Operations on Memory context and CPU context in Module 'kiss' (Kernel Infrastructure)

cookie

Virtual de-fragmentation , cookie issues (cookies in the data structure that holds the packets)

corr

Correction layer

cpsshi

SSH Inspection

Important - In addition, enable all the debug flags in Module 'CPSSH' (SSH Inspection).

cptls

CRYPTO-PRO Transport Layer Security (HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi.) - Russian VPN GOST

crypt

Encryption and decryption of packets (algorithms and keys are printed in clear text and cipher text)

cvpnd

Processing of connections handled by the Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. daemon

dfilter

Operations in the debug filters (see Kernel Debug Filters)

dlp

Processing of Data Loss Prevention Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP. connections

dnstun

DNS tunnels

domain

DNS queries

dos

DDoS attack mitigation (part of IPS)

driver

Check Point kernel attachment (access to kernel is shown as log entries)

drop

Reason for (almost) every dropped packet

drop_tmpl

Operations in Drop Templates

dynlog

Dynamic log enhancement (INSPECT logs)

epq

End Point Quarantine (and AMD)

error

General errors

event

Event App features (DNS, HTTP, SMTP, FTP)

ex

Expiration issues (time-outs) in dynamic kernel tables

fast_accel

Fast acceleration of connections

filter

Packet filtering performed by the Check Point kernel and all data loaded into kernel

ftp

Processing of FTP Data connections (used to call applications over FTP Data - i.e., Anti-Virus)

handlers

Operations related to the Context Management Interface / Infrastructure Loader

Note - In addition, see Module 'cmi_loader' (Context Management Interface / Infrastructure Loader).

highavail

Cluster configuration - changes in the configuration and information about interfaces during

traffic processing

hold

Holding mechanism and all packets being held / released

icmptun

ICMP tunnels

if

interface-related information (accessing the interfaces, installing a filter on an interfaces)

install

Driver installation - NIC attachment (actions performed by the "fw ctl install" and "fw ctl uninstall" commands)

integrity

Integrity Client (enforcement cooperation)

ioctl

IOCTL control messages (communication between kernel and daemons, loading and unloading of the FireWall)

ipopt

Enforcement of IP Options

ips

IPS logs and IPS IOCTL

ipv6

Processing of IPv6 traffic

kbuf

Kernel-buffer memory pool (for example, encryption keys use these memory allocations)

ld

Kernel dynamic tables infrastructure (reads from / writes to the tables)

Warning - Security Gateway can freeze or hang due to very high CPU load!.

leaks

Memory leak detection mechanism

link

Creation of links in Connections kernel table (ID 8158)

log

Everything related to calls in the log

machine

INSPECT Virtual Machine (actual assembler commands being processed)

Warning - Security Gateway can freeze or hang due to very high CPU load!.

mail

Issues with e-mails over POP3, IMAP

malware

Matching of connections to Threat Prevention Layers (multiple rulebases)

Note - In addition, see Module 'MALWARE' (Threat Prevention).

media

Does not apply anymore

Only on Security Gateway that runs on Windows OS:

Transport Driver Interface information (interface-related information)

memory

Memory allocation operations

mgcp

Media Gateway Control Protocol (complementary to H.323 and SIP)

misc

Miscellaneous helpful information (not shown with other debug flags)

misp

ISP Redundancy

monitor

Prints output similar to the "fw monitor" command (see fw monitor)

Note - In addition, enable the debug flag "misc" in this module.

monitorall

Prints output similar to the "fw monitor -p all" command (see fw monitor)

Note - In addition, enable the debug flag "misc" in this module.

mrtsync

Synchronization between cluster members of Multicast Routes that are added when working with Dynamic Routing Multicast protocols

msnms

MSN over MSMS (MSN Messenger protocol)

In addition, always enable the debug flag 'sip' in this module

multik

Processing of connections in CoreXL Firewall instances

Notes:

This debug flag enables all the debug flags in the Module 'multik' (Multi-Kernel Inspection - CoreXL), except for the debug flag "packet".
In a cluster, enable the debug flag "multik" in the Module 'cluster' (ClusterXL).
If you use the IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities., enable the debug flag "multik" in the Module 'VPN' (Site-to-Site VPN and Remote Access VPN).
If you use the QoS Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency. Software Blade, enable the debug flag "multik" in the Module 'fg' (FloodGate-1 - QoS).

nac

Network Access Control (NAC) feature in Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA.

nat

NAT issues - basic information

nat_hitcount

Hit Count in NAT Rule Base All rules configured in a given Security Policy. Synonym: Rulebase.

nat_sync

NAT issues - NAT port allocation operations in Check Point cluster

nat64

NAT issues - 6in4 tunnels (IPv6 over IPv4) and 4in6 tunnels (IPv4 over IPv6)

netquota

IPS protection "Network Quota"

ntup

Non-TCP / Non-UDP traffic policy (traffic parser)

packet

Actions performed on packets (like Accept, Drop, Fragment)

packval

Stateless verifications (sequences, fragments, translations and other header verifications)

portscan

Prevention of port scanning

prof

Connection profiler for Firewall Priority Queues (see sk105762)

q

Driver queue (for example, cluster synchronization operations)

This debug flag is crucial for the debug of Check Point cluster synchronization issues

qos

QoS (FloodGate-1)

rad

Resource Advisor policy (for Application Control, URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF., and others)

route

Routing issues

This debug flag is crucial for the debug of ISP Redundancy issues

sam

Suspicious Activity Monitoring

sctp

Processing of Stream Control Transmission Protocol (SCTP) connections

scv

SecureClient Verification

shmem

Currently is not used

sip

VoIP traffic - SIP and H.323

Note - In addition, see:

smtp

Issues with e-mails over SMTP

sock

Sockstress TCP DoS attack (CVE-2008-4609)

span

Monitor mode (mirror / span port)

spii

Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure

synatk

IPS protection 'SYN Attack' (SYNDefender)

Note - In addition, see Module 'synatk' (Accelerated SYN Defender).

sync

Synchronization operations in Check Point cluster

Note - In addition, see the debug flag "sync" in Module 'CPAS' (Check Point Active Streaming).

tcpstr

TCP streaming mechanism

te

Prints the name of an interface for incoming connection from Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. Machine

tlsparser

Currently is not used

tp_container

Operations in the Threat Prevention container

ua

Processing of Universal Alcatel "UA" connections

ucd

Processing of UserCheck connections in Check Point cluster

unibypass

Universal Bypass on CoreXL Firewall Instances during load

user

User Space communication with Kernel Space (most useful for configuration and VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. debug)

utest

Currently is not used

vm

Virtual Machine chain decisions on traffic going through the fw_filter_chain

wap

Processing of Wireless Application Protocol (WAP) connections

warning

General warnings

wire

Wire-mode Virtual Machine chain module

xlate

NAT issues - basic information

xltrc

NAT issues - additional information - going through NAT rulebase

zeco

Memory allocations in the Zero-Copy kernel module