SecureXL Debug Procedure
By default, SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. writes the output debug information to the
/var/log/messages
file.
To collect the applicable SecureXL debug and to make its analysis easier, follow the steps below.
|
Note - For more information, see the R81 Quantum Security Gateway Guide - Chapter Kernel Debug on Security Gateway. |
|
Important:
|
Procedure
-
Connect to the command line on your Security Gateway
Use an SSH or a console connection.
Best Practice - Use a console connection.
-
Reset all kernel debug flags in all kernel debug modules
Run:
fw ctl debug 0
-
Reset all the SecureXL debug flags in all SecureXL debug modules
-
For all SecureXL instances, run:
fwaccel dbg resetall
-
For a specific SecureXL instance, run:
fwaccel -i <SecureXL ID> dbg resetall
-
-
Allocate the kernel debug buffer
Run:
fw ctl debug -buf 8200 [-v {"<List of VSIDs>" | all}]
-
Make sure the Security Gateway allocated the kernel debug buffer
Run:
fw ctl debug | grep buffer
-
Configure the applicable kernel debug modules and kernel debug flags
Run:
fw ctl debug -m <Name of Kernel Debug Module> {all | + <Kernel Debug Flags>}
-
Configure the applicable SecureXL debug modules and SecureXL debug flags
-
For all SecureXL instances, run:
fwaccel dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}
-
For a specific SecureXL instance, run:
fwaccel -i <SecureXL ID> dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}
-
-
Examine the kernel debug configuration for kernel debug modules
Run:
fw ctl debug
-
Examine the SecureXL debug configuration for SecureXL debug modules
-
For all SecureXL instances, run:
fwaccel dbg list
-
For a specific SecureXL instance, run:
fwaccel -i <SecureXL ID> dbg list
-
-
Remove all entries from both the Firewall Connections table and SecureXL Connections table
Run:
fw tab -t connections -x -y
Important:
-
This step makes sure that you collect the debug of the real issue that is not affected by the existing connections.
-
This command deletes all existing connections. This interrupts all connections, including the SSH.
Run this command only if you are connected over a serial console to your Security Gateway.
-
-
Remove all entries from the Firewall Templates table
Run:
fw tab -t cphwd_tmpl -x -y
Note - This command does not interrupt the existing connections. This step makes sure that you collect the debug of the real issue that is not affected by the existing connection templates.
-
Start the kernel debug
Run:
fw ctl kdebug -T -f > /var/log/kernel_debug.txt
-
Replicate the issue, or wait for the issue to occur
Perform the steps that cause the issue to occur, or wait for it to occur.
-
Stop the kernel debug
Press CTRL+C.
-
Reset all kernel debug flags in all kernel debug modules
Run:
fw ctl debug 0
-
Reset all the SecureXL debug flags in all SecureXL debug modules
-
For all SecureXL instances, run:
fwaccel dbg resetall
-
For a specific SecureXL instance, run:
fwaccel -i <SecureXL ID> dbg resetall
-
-
Examine the SecureXL debug configuration to make sure it returned to the default
-
For all SecureXL instances, run:
fwaccel dbg list
-
For a specific SecureXL instance, run:
fwaccel -i <SecureXL ID> dbg list
-
-
Collect and analyze the debug output file
Path to the debug output file:
/var/log/kernel_debug.txt
Best Practice - Compress this file with the "
tar -zxvf
" command and transfer it from the Security Gateway to your computer. If you transfer to an FTP server, do so in the binary mode.