fwaccel dbg

In the R81.10.X releases, this command is available starting from the R81.10.00 version.

Description

The "fwaccel dbg" command controls the SecureXL debug.

Warning - Debug increases the load on the CPU on the Security Gateway / Cluster Members.

We recommend you schedule a maintenance window to debug the SecureXL.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Syntax in the Expert mode:

fwaccel dbg
      -h
      -m <Name of SecureXL Debug Module>
      all
      + <Debug Flags>
      - <Debug Flags>
      reset
      -f {"<5-Tuple Debug Filter>" | reset}
      list
      resetall

Parameters

Parameter
    Description

-h
    Shows the applicable built-in help.

-m <Name of SecureXL Debug Module>
    Specifies the name of the SecureXL debug module.
    To see the list of available debug modules, run:
        fwaccel dbg

all
    Enables all debug flags for the specified debug module.

+ <Debug Flags>
    Enables the specified debug flags for the specified debug module.
    Syntax:
        + Flag1 [Flag2 Flag3 ... FlagN]
    Note - You must press the space bar key after the plus (+) character.

- <Debug Flags>
    Disables all debug flags for the specified debug module.
    Syntax:
        - Flag1 [Flag2 Flag3 ... FlagN]
    Note - You must press the space bar key after the minus (-) character.

reset
    Resets all debug flags for the specified debug module to their default state.

-f "<5-Tuple Debug Filter>"
    Configures the debug filter to show only debug messages that contain the specified connection.
    The filter is a string of five numbers separated with commas:
        "<Source IP Address>,<Source Port>,<Destination IP Address>,<Destination Port>,<Protocol Number>"
    Notes:

-f reset
    Resets the current debug filter.

list
    Shows all enabled debug flags in all debug modules.

resetall
    Resets all debug flags for all debug modules to their default state.

Examples

SecureXL Debug Procedure

By default, SecureXL writes the output debug information to the /var/log/messages file.

To collect the applicable SecureXL debug and to make its analysis easier, follow the steps below.

Important:

  • We strongly recommend that you schedule a full maintenance window to minimize the impact on your production traffic.

  • We strongly recommend that you connect over a serial console to your Security Gateway / each Cluster Member.

    This prevents a situation in which you cannot work with the CLI because of a high load on the CPU.

  • In a cluster, you must collect this debug from all Cluster Members in the same way.

  1. Connect to the command line on your Security Gateway / each Cluster Member.

    Use an SSH or a console connection.

    Best Practice - Use a console connection.

  2. Log in.

    If the default shell is Gaia Clish, then go to the Expert mode:

    expert

  3. Reset all kernel debug flags in all kernel debug modules:

    fw ctl debug 0

  4. Reset all the SecureXL debug flags in all SecureXL debug modules:

    fwaccel dbg resetall

  5. Allocate the kernel debug buffer:

    fw ctl debug -buf 8200

  6. Make sure the Security Gateway allocated the kernel debug buffer:

    fw ctl debug | grep buffer

  7. Configure the applicable kernel debug modules and kernel debug flags:

    Check Point Support will provide the required debug modules and debug flags.

    fw ctl debug -m <Name of Kernel Debug Module> {all | + <Kernel Debug Flags>}

  8. Configure the applicable SecureXL debug modules and SecureXL debug flags:

    Check Point Support will provide the required debug modules and debug flags.

    fwaccel dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}

  9. Examine the kernel debug configuration for kernel debug modules:

    fw ctl debug

  10. Examine the SecureXL debug configuration for SecureXL debug modules:

    fwaccel dbg list

  11. Remove all entries from both the Firewall Connections table and SecureXL Connections table:

    Important:

    • This step makes sure that you collect the debug of the real issue that is not affected by the existing connections.

    • This command deletes all existing connections. This interrupts all connections, including the SSH.

      Run this command only if you are connected over a serial console to your Security Gateway / each Cluster Member.

    fw tab -t connections -x -y

  12. Remove all entries from the Firewall Templates table:

    Note - This command does not interrupt the existing connections.

    This step makes sure that you collect the debug of the real issue that is not affected by the existing connection templates.

    fw tab -t cphwd_tmpl -x -y

  13. Start the kernel debug:

    fw ctl kdebug -T -f -o /var/log/kernel_debug.txt

  14. Replicate the issue, or wait for the issue to occur.

    Perform the steps that cause the issue to occur, or wait for it to occur.

  15. Stop the kernel debug:

    Press CTRL+C.

  16. Reset all kernel debug flags in all kernel debug modules:

    fw ctl debug 0

  17. Reset all the SecureXL debug flags in all SecureXL debug modules:

    fwaccel dbg resetall

  18. Examine the kernel debug configuration to make sure it returned to the default:

    fw ctl debug

  19. Examine the SecureXL debug configuration to make sure it returned to the default:

    fwaccel dbg list

  20. Analyze the debug output files:

    Transfer these files from the Security Gateway / each Cluster Member to your computer:

    /var/log/kernel_debug.txt

    /var/log/messages*

    Best Practice - Compress these files with the "tar -zcvf" command and transfer the archive from the Security Gateway / each Cluster Member to your computer. If you transfer to an FTP server, do so in the binary mode.
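
Steps 3-19 of the procedure above, wrapped so that the debug flags are always reset when the capture ends or a step fails. This is an added example, not Check Point code. The function names and the DRY_RUN, CLEAR_CONNS and OUT variables are hypothetical, and KMOD / KFLAGS / XMOD / XFLAGS stand for the modules and flags that Check Point Support provides.

```shell
#!/bin/bash
# Added example, not Check Point code. Source this file in the Expert mode.
# DRY_RUN=1     prints each command instead of running it.
# CLEAR_CONNS=1 opts in to step 11, which drops every connection (SSH too).
OUT=${OUT:-/var/log/kernel_debug.txt}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# "all" is passed through; anything else becomes "+ Flag1 Flag2 ...".
flagargs() { if [ "$1" = all ]; then echo all; else echo "+ $1"; fi; }

debug_reset() {                      # steps 16-19: back to the default state
    run fw ctl debug 0
    run fwaccel dbg resetall
    run fw ctl debug
    run fwaccel dbg list
}

securexl_debug() {   # usage: securexl_debug KMOD "KFLAGS" XMOD "XFLAGS"
    [ $# -eq 4 ] || { echo "need 4 arguments" >&2; return 2; }
    for a in "$@"; do                # runs as root: accept plain names only
        [ -n "$a" ] && [ -z "$(printf %s "$a" | tr -d 'A-Za-z0-9_ ')" ] ||
            { echo "invalid module/flag name: '$a'" >&2; return 2; }
    done
    (
        trap debug_reset EXIT        # reset runs even when a step fails
        trap 'exit 130' INT          # step 15: CTRL+C stops kdebug, then reset
        run fw ctl debug 0                                   # step 3
        run fwaccel dbg resetall                             # step 4
        run fw ctl debug -buf 8200 || exit 1                 # step 5
        run sh -c 'fw ctl debug | grep buffer' || exit 1     # step 6
        run fw ctl debug -m "$1" $(flagargs "$2") || exit 1  # step 7
        run fwaccel dbg -m "$3" $(flagargs "$4") || exit 1   # step 8
        run fw ctl debug                                     # step 9
        run fwaccel dbg list                                 # step 10
        if [ "${CLEAR_CONNS:-0}" = 1 ]; then                 # step 11 only on
            run fw tab -t connections -x -y                  # explicit opt-in
        fi
        run fw tab -t cphwd_tmpl -x -y                       # step 12
        run fw ctl kdebug -T -f -o "$OUT"                    # steps 13-15
    )
}
```

Run it first with DRY_RUN=1 and compare the printed commands against what Check Point Support requested. Set CLEAR_CONNS=1 only when connected over a serial console.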