Module "VPN" (Site-to-Site VPN and Remote Access VPN)
Syntax
-
On the Security Gateway / each Cluster Member, run in the Expert mode:
fw ctl debug -m VPN + {all | <List of Debug Flags>}
-
g_fw ctl debug -m VPN + {all | <List of Debug Flags>}
| Flag | Description |
|---|---|
| | Events related to cluster |
| | Compression for encrypted connections |
| | Various status counters (typically for real-time Monitoring) |
| | Traffic acceleration issues (in hardware) |
| | Check Point kernel attachment (access to kernel is shown as log entries) |
| | Errors that should not happen, or errors that are critical to the working of the VPN module |
| | Processing of GPRS Tunneling Protocol (GTP) connections |
| | Notifications about the changes in interface status - up or down (as received from OS) |
| | Enables all IKE kernel debug related to moving the IKE packet to the interface through which it will eventually leave, and to the modification of the source IP address of the IKE packet, depending on the configuration |
| | Processing of IKE Security Associations |
| | Processing of IKE packets in the IKED daemon |
| | Processing of IKE packets in the IKED daemon |
| | Initializes the VPN kernel and kernel data structures, when kernel is up, or when policy is installed (in addition, it prints the values of the flags that are set using the |
| | Processing of L2TP connections |
| | Large Scale VPN (LSV) |
| | Allocation of VPN pools and VPN contexts |
| | Information related to creation and destruction of MSA / MSPI |
| | VPN multicast |
| | Information related to interaction between VPN and CoreXL |
| | NAT issues, cluster IP manipulation (Cluster Virtual IP address <=> Member IP address) |
| | Allocation of Office Mode IP addresses |
| | Cluster Optimal Service Upgrade (see sk107042) |
| | Events that can happen for every packet, unless covered by more specific debug flags |
| | Prints the encrypted packets before the encryption. Prints the decrypted packets after the decryption. |
| | Events that can happen only for a special packet in a connection, usually related to policy decisions or logs / traps |
| | Handling of Security Association (SA) queues |
| | Processing of Check Point RDP connections |
| | Reference counting for MSA / MSPI, when storing or deleting Security Associations (SAs) |
| | VPN Link Selection table and Certificate Revocation List (CRL), which is part of the peer resolving mechanism |
| | Packet routing |
| | Operations on Range Skip List |
| | Information about keys and Security Associations (SAs) |
| | SecureClient / SecureRemote related issues |
| | Sets the VPN policy of a connection according to VPN communities, VPN Policy related information |
| | Information related to TCP Tunnel (Visitor mode - FireWall traversal on TCP port 443) |
| | VPN tunnel monitoring |
| | VPN Link Selection |
| | Does not apply anymore. Only on Security Gateway that runs on Windows OS: Information related to IPSec NIC interaction |
| | General warnings |