Module "fw" (Firewall)
Syntax
-
On the Security Gateway / each Cluster Member, run in the Expert mode:
fw ctl debug -m fw + {all | <List of Debug Flags>}
-
g_fw ctl debug -m fw + {all | <List of Debug Flags>}
| Flag | Description |
|---|---|
| | Accounting data in logs for Application Control (in addition, enable the debug of Module "APPI" (Application Control Inspection)) |
| | Advanced Patterns (signatures over port ranges) - runs under ASPII and CMI |
| | Accelerated Stateful Protocol Inspection Infrastructure (INSPECT streaming) |
| | ConnectControl - logical servers in kernel, load balancing |
| | |
| | Universal Bypass on CoreXL Firewall Instances during load |
| | Mirror and Decrypt feature - only mirror operations on all traffic |
| | Carrier Grade NAT (CGN/CGNAT) |
| | Connection Chain modules, cookie chain |
| | Chain forwarding - related to cluster kernel parameter |
| | Processing of Microsoft Common Internet File System (CIFS) protocol |
| | Processing of Citrix connections |
| | Context Management Interface / Infrastructure - IPS signature manager |
| | Processing of all connections |
| | Connections statistics for Evaluation of Heavy Connections in CPView (see sk105762) |
| | |
| | Operations on Memory context and CPU context in Module "kiss" (Kernel Infrastructure) |
| | Virtual de-fragmentation, cookie issues (cookies in the data structure that holds the packets) |
| | Correction layer |
| | SSH Inspection |
| | CRYPTO-PRO Transport Layer Security (HTTPS Inspection) - Russian VPN GOST |
| | Encryption and decryption of packets (algorithms and keys are printed in clear text and cipher text) |
| | Processing of connections handled by the Mobile Access daemon |
| | Operations in the debug filters (see Kernel Debug Filters) |
| | Processing of Data Loss Prevention connections |
| | Information about offloading of connections from the Firewall FWK process to the DMD (Dual Mode Job Dispatcher) process |
| | DNS tunnels |
| | DNS queries |
| | DDoS attack mitigation (part of IPS) |
| | Check Point kernel attachment (access to kernel is shown as log entries) |
| | Reason for (almost) every dropped packet |
| | Operations in Drop Templates |
| | Dynamic log enhancement (INSPECT logs) |
| | End Point Quarantine (and AMD) |
| | General errors |
| | Event App features (DNS, HTTP, SMTP, FTP) |
| | Expiration issues (time-outs) in dynamic kernel tables |
| | Fast acceleration of connections |
| | Packet filtering performed by the Check Point kernel and all data loaded into kernel |
| | Processing of FTP Data connections (used to call applications over FTP Data - i.e., Anti-Virus) |
| | Operations related to the Context Management Interface / Infrastructure Loader |
| | Cluster configuration - changes in the configuration and information about interfaces during traffic processing |
| | Holding mechanism and all packets being held / released |
| | ICMP tunnels |
| | Interface-related information (accessing the interfaces, installing a filter on an interface) |
| | Driver installation - NIC attachment (actions performed by the " |
| | Integrity Client (enforcement cooperation) |
| | IOCTL control messages (communication between kernel and daemons, loading and unloading of the FireWall) |
| | Enforcement of IP Options |
| | IPS logs and IPS IOCTL |
| | Processing of IPv6 traffic |
| | Kernel-buffer memory pool (for example, encryption keys use these memory allocations) |
| | Kernel dynamic tables infrastructure (reads from / writes to the tables) |
| | Memory leak detection mechanism |
| | Creation of links in Connections kernel table (ID 8158) |
| | Everything related to calls in the log |
| | INSPECT Virtual Machine (actual assembler commands being processed) |
| | Issues with e-mails over POP3, IMAP |
| | Matching of connections to Threat Prevention Layers (multiple rulebases) |
| | Management Data Plane Separation (sk138672) |
| | Does not apply anymore. Only on Security Gateway that runs on Windows OS: Transport Driver Interface information (interface-related information) |
| | Memory allocation operations |
| | Media Gateway Control Protocol (complementary to H.323 and SIP) |
| | Miscellaneous helpful information (not shown with other debug flags) |
| | ISP Redundancy |
| | Prints output similar to the " |
| | Prints output similar to the " |
| | Synchronization between cluster members of Multicast Routes that are added when working with Dynamic Routing Multicast protocols |
| | MSN over MSMS (MSN Messenger protocol). In addition, always enable the debug flag ' |
| | Processing of connections in CoreXL Firewall instances |
| | Network Access Control (NAC) feature in Identity Awareness |
| | NAT issues - basic information |
| | Hit Count in NAT Rule Base |
| | NAT issues - NAT port allocation operations in Check Point cluster |
| | NAT issues - 6in4 tunnels (IPv6 over IPv4) and 4in6 tunnels (IPv4 over IPv6) |
| | IPS protection "Network Quota" |
| | Non-TCP / Non-UDP traffic policy (traffic parser) |
| | Actions performed on packets (like Accept, Drop, Fragment) |
| | Stateless verifications (sequences, fragments, translations and other header verifications) |
| | Prevention of port scanning |
| | Connection profiler for Firewall Priority Queues (see sk105762) |
| | Driver queue (for example, cluster synchronization operations). This debug flag is crucial for the debug of Check Point cluster synchronization issues |
| | QoS (FloodGate-1) |
| | Resource Advisor policy (for Application Control, URL Filtering, and others) |
| | Routing issues. This debug flag is crucial for the debug of ISP Redundancy issues |
| | Suspicious Activity Monitoring |
| | Processing of Stream Control Transmission Protocol (SCTP) connections |
| | SecureClient Verification |
| | Currently is not used |
| | VoIP traffic - SIP and H.323 |
| | Issues with e-mails over SMTP |
| | Sockstress TCP DoS attack (CVE-2008-4609) |
| | Monitor mode (mirror / span port) |
| | Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure |
| | IPS protection 'SYN Attack' (SYNDefender) |
| | Synchronization operations in Check Point cluster |
| | TCP streaming mechanism |
| | Prints the name of an interface for incoming connection from Threat Emulation Machine |
| | Currently is not used |
| | Operations in the Threat Prevention container |
| | Processing of Universal Alcatel "UA" connections |
| | Processing of UserCheck connections in Check Point cluster |
| | Universal Bypass on CoreXL Firewall Instances during load |
| | User Space communication with Kernel Space (most useful for configuration and VSX debug) |
| | Virtual Machine chain decisions on traffic going through the |
| | Processing of Wireless Application Protocol (WAP) connections |
| | General warnings |
| | Wire-mode Virtual Machine chain module |
| | NAT issues - basic information |
| | NAT issues - additional information - going through NAT rulebase |