Using System Tools

On the Tools page you can perform various actions to diagnose problems with the appliance.

The same Tools page is available in:

The Home view > Troubleshooting section.
The Device view > System section.
The Logs & Monitoring view > Diagnostics section.

Action

Available From

Description

Monitor System Resources

R81.10.00

Opens a popup windows that shows:

CPU Usage History

The information is refreshed automatically.
Memory Usage History

Memory usage is calculated without memory that was allocated in advance to handle traffic and without cache memory.

This gives a more accurate picture of the actual memory usage in the appliance but it may differ from figures you receive from Linux tools.

The information is refreshed automatically.
Disk Usage

Click the Refresh button for the most updated disk usage information.

Click the names of column to sort the output.

Show Routing Table

R81.10.00

Opens a popup window that shows this information for each route:

Source
Destination
Service
Gateway
Metric
Interface
Origin

Show Router Configuration

R81.10.05

Opens a popup window where you select one of the categories, and the window shows the corresponding Gaia Clish The default shell of the Gaia CLI commands:

BGP
OSPF
Inbound route filters
Route redistribution

Run Command

R81.10.10

Opens a popup window in which you can select a predefined CLI command and see its output:

Policy status (shows the status of different security policies)
Scan network (shows the connected IoT devices)
Show diagnostics (runs the Gaia Clish command "show diag").)

Test Cloud Services Ports

R81.10.00

Opens a popup window that shows the result of the Cloud Services Connectivity Test

(the output of the Gaia Clish command "test cloud-connectivity").

Tcpdump Tool

R81.10.00

Opens a popup window, in which you can capture traffic that passes through appliance interfaces.

Warning - When you use this tool, the CPU load increases. Schedule a maintenance window.

Notes:

The appliance runs the "tcpdump" command with the specified parameters.
Compared to the Firewall Monitor Tool:
- This tool shows how each packet arrives to an interface and goes out of an interface.
- This tool saves the captured traffic in one of these formats:
  - plain-text format (filename is "tcpdump.log")
  - Wireshark format (filename is "pkt_cap_<YYYYMMDDHHMM>.cap")
You can view the captured traffic in real time or save it into a file.
When you start a new traffic capture and save it into a file, the appliance overwrites the previous capture file (if it exists).

WebUI shows a note with the date of the existing file and you can download it before you start a new traffic capture.
The appliance captures traffic only on interfaces with a configured IP address.
You can start the traffic capture and go to other WebUI pages while the packet capture runs in the background.

However, the packet capture stops automatically if the WebUI session ends.

Make sure you return to the traffic capture page, stop the capture, and download the capture result file before you end the WebUI session.
For a deeper analysis, use the Check Point traffic capture tool in one of these ways:
- The Firewall Monitor Tool available on this WebUI page.
- The "fw monitor" command. See the:
  - R81.10.X Quantum Spark CLI Reference Guide for 1500, 1600, 1800, 1900, 2000 Appliances > Chapter "Miscellaneous Commands" > Section "fw commands".
  - R81.10 CLI Reference Guide > Chapter "Security Gateway A dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. Commands" > Section "fw" > Section "fw monitor".

Procedure:

Click the Tcpdump Tool button.
In the top left corner, select the applicable interface - All interfaces (default), WAN, LAN1, and so on.
Optional: Configure the applicable filters:
1. In the Host field, enter the applicable IP address.
2. In the Port field, enter the applicable port number (see IANA Service Name and Port Number Registry).
3. In the Count field, enter the applicable number of packets to capture.
4. On the right end of the Advanced section, click the downward arrow to open this section.
  1. In the Protocol field, enter the applicable protocol name (see IANA Protocol Numbers).
  2. In the Source field, enter the applicable IP address.
  3. In the Destination field, enter the applicable IP address or hostname.
  4. In the Length field, enter the applicable number of bytes to capture in each packet.
    
    Value 0 does not limit the number of bytes.
  5. Select Verbose to see more data in real time.
    
    This option applies only to the data you see in real time.
    
    When you download the capture file in the Wireshark format "*.cap", it contains all data.
  6. Select HEX to see the captured data in the Hexadecimal format.
  7. Select NS resolution to resolve Layer 4 port numbers to their names (for example, port '53' to 'domain').
After a short delay, the command automatically restarts with the new filter expression, and you can see its output in real time.
To save the captured traffic into a plain-text file:
1. Click Save to download the file.
2. Your web browser saves this file (tcpdump.log) in the default download folder.
To save the captured traffic into a Wireshark file:

If a file already exists on the appliance, WebUI shows the date of the saved file ("File exists since").

You can download it before you start a new capture that overwrites the existing file.
1. Click Start to begin a packet capture.
2. Click Stop to end the packet capture.
3. Click Download File.
4. Your web browser saves this file (pkt_cap_<YYYYMMDDHHMM>.cap) in the default download folder.
5. Use Wireshark or similar tool to analyze the downloaded capture file.

Firewall Monitor Tool

R81.10.10

Opens a popup window, in which you can capture traffic that passes through appliance interfaces.

Warnings:

When you use this tool, the CPU load increases. Schedule a maintenance window.
When you select the option "-p all", the CPU load increases significantly because this tool shows the information for each inspection chain module.

Notes:

The appliance runs the "fw monitor" command with the specified parameters.

See the:
- R81.10.X Quantum Spark CLI Reference Guide for 1500, 1600, 1800, 1900, 2000 Appliances > Chapter "Miscellaneous Commands" > Section "fw commands".
- R81.10 CLI Reference Guide > Chapter "Security Gateway Commands" > Section "fw" > Section "fw monitor".
Compared to the Tcpdump Tool:
- This tool shows how each packet passes through the Security Gateway inspection chain modules.
- This tool saves the captured traffic only in the plain-text format (filename is "fw_monitor.log").
You can view the captured traffic in real time or save it into a plain-text file.
When you start a new traffic capture and save it into a file, and a file with such name already exists, the appliance adds a running number to the default filename (this way, it does not overwrite an existing file).
The appliance captures traffic only on interfaces with a configured IP address.
The packet capture stops automatically if the WebUI session ends.

Procedure:

Click the Firewall Monitor Tool button.

Optional: Configure the applicable filters:

In the Monitor outgoing packets field, enter how many outgoing packets to capture before the tool must stop the traffic capture.
In the Monitor incoming packets field, enter how many incoming packets to capture before the tool must stop the traffic capture.

Select "-p all" to see the information for each inspection chain module.

Warning - The CPU load increases significantly.

Select "grep" to enter a free text filter.
- This field is case-sensitive.
- If the text must contains spaces, then you must enclose it in single quotes or double quotes.
- The tool captures the specified number of packets, and then filters the output to show only the relevant lines.

To save the captured traffic into a plain-text file:

Note - If you selected "grep", then the saved file contains only the relevant lines you see on the screen.
1. Click Save to download the file.
2. Your web browser saves this file (fw_monitor.log) in the default download folder.

Firewall Ctl Tool

R81.10.10

Opens a popup window, in which you can see the kernel debug that shows which packets the Security Gateway drops.

Warning - When you use this tool, the CPU load increases. Schedule a maintenance window.

Notes:

The appliance runs the "fw ctl zdebug -m fw + drop" command.

See the R81.10 Quantum Security Gateway Guide > Chapter "Kernel Debug".
You can view the kernel debug output in real time or save it into a plain-text file.
When you start a new kernel debug and save it into a file, and a file with such name already exists, the appliance adds a running number to the default filename (this way, it does not overwrite an existing file).
The kernel debug stops automatically if the WebUI session ends.

Procedure:

Click the Firewall Ctl Tool button.
Optional: In the Command timeout field, enter the duration (in seconds) of the kernel debug.
Optional: In the "grep" field, enter the applicable filter:
- This field is case-sensitive.
- If the text must contains spaces, then you must enclose it in single quotes or double quotes.
- The tool captures the specified number of packets, and then filters the output to show only the relevant lines.
To save the kernel debug output into a plain-text file:

Note - If you entered a "grep" filter, then the saved file contains only the relevant lines you see on the screen.
1. Click Save to download the file.
2. Your web browser saves this file (fw_ctl_zdebug_drop.log) in the default download folder.

VPN Debug Tool

R81.10.10

Opens a popup window, in which you can start a VPN debug.

Warning - When you use this tool, the CPU load increases. Schedule a maintenance window.

Notes:

The appliance runs the "fw ctl zdebug -m fw + drop" command.

See the R81.10 Quantum Security Gateway Guide > Chapter "".
- R81.10.X Quantum Spark CLI Reference Guide for 1500, 1600, 1800, 1900, 2000 Appliances > Chapter "Miscellaneous Commands" > Section "fw commands".
- R81.10 CLI Reference Guide > Chapter "Security Gateway Commands" > Section "fw" > Section "fw monitor".
You can view the kernel debug output in real time or save it into a plain-text file.
When you start a new kernel debug and save it into a file, the appliance adds a running number to the default filename (this way, it does not overwrite and existing debug file).
The kernel debug stops automatically if the WebUI session ends.

Procedure:

Click the VPN Debug Tool button.
Click the Start Debugging button.
Wait until you see the line "VPN debugging in progress".
Do not close this popup window (it will stop the VPN debug).
Replicate the VPN issue:
- Remote Access VPN An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. connection to this appliance.
- Site to Site VPN An encrypted tunnel between two or more Security Gateways. Synonym: Site-to-Site VPN. Contractions: S2S VPN, S-to-S VPN. connection to / from this appliance.
Click the Stop Debugging button.
Click Download File to download the archive with the required log files.
Your web browser saves the archive file (vpn_<YYYYMMDDHHMM>.tgz) in the default download folder.
To have more information, also collect the CPinfo file - see the Generate CPInfo File below.

For the complete debug procedure, refer to sk62482.

Display DSL Statistics

R81.10.00

Opens popup window that shows the DSL statistics.

Available only on DSL models.

Generate CPInfo File

R81.10.00

Collects outputs of many commands and contents of various log files into an archive package.

This data helps Check Point Support understand the configuration and troubleshoot issues.

Procedure:

Click Generate CPInfo File.

A message next to the button shows the progress.
When the task completes, the button changes to Download CPInfo File.
Click Download CPInfo File to download the file.
Your web browser saves this file (R81.10<Build>_<MMDDHHMM>.cpinfo.gz) in the default download folder.
When the download completes, the button changes to Generate CPInfo File.

Ping

R81.10.00

Opens a popup window that shows the result of the ping command to the specified IP address / hostname.

The appliance sends ICMP Requests to the specified destination.

Trace

R81.10.00

Opens a popup window that shows the result of the traceroute command to the specified IP address / hostname.

The appliance sends ICMP Requests to the specified destination.

Lookup

R81.10.00

Opens a popup window that shows the result of the DNS lookup for the specified IP address / hostname (the output of the Gaia Clish command "nslookup").

Download

R81.10.00

Opens sk159712 to download the Windows driver for a USB-C console socket.

Explanation:

When the mini-USB is used as a console connector, Windows OS does not automatically detect and download the driver needed for serial communication.

You must manually install the driver.

For more information, see sk182035.