Professional Documents
Culture Documents
IMPORTANT
Check Point recommends that customers stay up-to-date with the latest
service packs, HFAs and versions of security products, as they contain
security enhancements and protection against new and changing attacks.
In This Section
The ld option may cause high CPU usage. It is advised to use it for short session debugging
only.
To execute the kernel you can also use fw ctl zdebug to allocate the buffer (where the
buffer can only be 1024).
% fw ctl zdebug
% fw ctl kdebug -f > <output file>
Check Point Troubleshooting and Debugging Tools for Faster Resolution. Last Update — July 16, 2006 2
User Mode Processes debugging
Usage
% fw debug <process name> <on/off> TDERROR_ALL_ALL=<value 1-5>
CPD is treated differently from the other User Mode processes and will be executed
differently, see “Debugging CPD” on page 3.
Debugging CPD
CPD is a high in the hierarchichal chain and helps to execute many services, such as Secure
Internal Communcation (SIC), Licensing and status report.
For CPD debug, execute: % cpd_admin debug on TDERROR_ALL_ALL=5
The debug file is located under $CPDIR/log/cpd.elg
To stop the CPD debug, execute: % cpd_admin debug off TDERROR_ALL_ALL=1
Debugging FWM
The FWM process is responsible for the execution of the database activities of the
SmartCenter server. It is; therefore, responsible for Policy installation, Management High
Availability (HA) Synchronization, saving the Policy, Database Read/Write action, Log
Display, etc.
For FWM debug, execute:
% fw debug fwm on TDERROR_ALL_ALL=5
% fw debug fwm on OPSEC_DEBUG_LEVEL=9
Check Point Troubleshooting and Debugging Tools for Faster Resolution. Last Update — July 16, 2006 3
Security Server debugging
Debugging User Authentication
Usage
Debugging is done on the service itself (in.ahttpd, in.atelnetd, in.aftpd etc.)
% fw debug <process name> on TDERROR_ALL_ALL=5
Note - The setenv commands used above correlate with Unix environment. For other platforms,
execute the relevant command.
Check Point Troubleshooting and Debugging Tools for Faster Resolution. Last Update — July 16, 2006 4
% fw debug in.ahclientd on TDERROR_ALL_ALL=5
This command is equivalent to these two commands: vpn debug on, vpn debug ikeon.
To stop, execute:
% vpn debug off; vpn debug ikeoff .
Client Side
The Client side can only run under the root directory (C :/…)
To start, execute:
% sc debug on
To stop, execute:
% sc debug off
The debug file is located under sr_service_tde.log, under the SecuRemote installation
folder, for example: C:\Program files\CheckPoint\SecuRemote.
For packet capture from the Client side, execute:
% srfw monitor -e "accept;" -o <output file>
Provider-1 debugging
MDS Level
Most of the MDS actions are performed by the MDS’s fwm process, execute:
% mdsenv
% fw debug mds on TDERROR_ALL_ALL=5
% fw debug mds on OPSEC_DEBUG_LEVEL=9
Check Point Troubleshooting and Debugging Tools for Faster Resolution. Last Update — July 16, 2006 5
CMA Level
See “FireWall Common debugging” on page 2.
VPN-1 VSX debugging
See “FireWall Common debugging” on page 2, either refer to user mode or kernel, as
necessary.
ClusterXL debugging
For ClusterXL debugging for Clustering, Synchronization, High Availability, Fail-over,
execute:
% cphaprob state
% cphaprob -ia list
% cphaprob -a if
% fw ctl pstat
Connectra debugging
For Connectra debugging issues relating to Web, files, Webmail, OWA, iNotes, Citrix, the
httpd process should be debugged:
FireWall-1 GX debugging
See “FireWall Common debugging” on page 2.
Kernel debug for packet filter analysis
Check Point Troubleshooting and Debugging Tools for Faster Resolution. Last Update — July 16, 2006 6
% fw ctl debug –buf 12288
% fw ctl debug –m fw conn drop ld packet filter
InterSpect debugging
Kernel debug for packet filter analysis
% fw ctl debug –buf 12288
% fw ctl debug –m fw conn drop packet if
% fw ctl kdebug –f > <output file>
Client Side
For the service:
Type regedit at the command prompt and set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cpextender\parameters\d
bg_level to 5
Check Point Troubleshooting and Debugging Tools for Faster Resolution. Last Update — July 16, 2006 7
% net stop cpextender
% net start cpextender (or kill slimsvc.exe)
For the ActiveX: (only when using ActiveX with Internet Explorer), type regedit at the
command prompt and set the following:
% set HKEY_CURRENT_USER\Software\CheckPoint\SSL Network
Extender\parameters\dbg_level to 5
Check Point Troubleshooting and Debugging Tools for Faster Resolution. Last Update — July 16, 2006 8
How to use fw monitor 10-Jul-2003
Abstract
Inspecting network traffic is an essential part of today’s deployment and troubleshooting tasks. With fw
monitor Check Point provides a powerful built-in tool to simplify this task. fw monitor captures
network packets at multiple capture points within the FireWall-1 chain. These packets can be inspected
using industry-standard tools later on. This documents describes how to use fw monitor and use it’s
features to simplify the capturing tasks and provide the information you need.
ABSTRACT ...................................................................................................................................................................1
ACKNOWLEDGMENTS ................................................................................................................................................4
OVERVIEW....................................................................................................................................................................6
Break Sequence........................................................................................................................................................7
Printing the UUID or the SUUID [-u|s] .......................................................................................................................7
Flush standard output [-i]...........................................................................................................................................7
Debugging fw monitor [-d] / [-D] ................................................................................................................................7
Filter fw monitor packets <{-e expr}+|-f <filter-file|->>................................................................................................7
Limit the packet length [-l len]....................................................................................................................................9
Capture masks [-m mask] .........................................................................................................................................9
Print packet/payload data [-x offset[,len]] ..................................................................................................................9
Write output to file [-o <file>] ...................................................................................................................................10
Insert fw monitor chain module at a specifc position <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all > .....................10
Use absolute chain positions [-a] ............................................................................................................................10
Capture a specific number of packets [-ci count] [-co count] ...................................................................................11
Capture on a specific Virtual Router or Virtual Machine [-vs vsid or vsname] .........................................................11
RESOURCES ..............................................................................................................................................................66
REFERENCE ...............................................................................................................................................................69
Due to many questions and requests regarding fw monitor we developed the idea to write a “short”
paper about fw monitor. We thought 15-20 pages would be more than enough to cover all important
aspects of fw monitor …
As we started to collect information about fw monitor and related topics we soon discovered that there
was much more to write about than we initially thought. We had two choices: Writing a short note much
like a man page or choosing the long way and write a comprehensive manual. We decided for the second
and this paper is the result.
No way could we have completed this paper without the awesome help of many people who give us
invaluable feedback. We would like to thank Shaul Eizikovich for his fabulous CPEthereal; Misha Pak for
giving us deep insight in many fw monitor functionalities and mechanisms; Lior Cohen, Tal Manor and
Mark Wellins from Solutions Center for their great ongoing support; Joe Green for pointing us to missing
details we totally overlooked; our colleagues in the german Check Point Office who kept us working on
the paper by asking permanently for the final version; Alfred Köbler (ICON Systems GmbH) for initially
adding fw monitor decoding support to Ethereal, Manuela Menges (BASF IT Services GmbH) for
comments which where nearly as long as the whole document and to all others which provided comments
and suggestions.
The following table describes the typographic conventions used in this paper.
AaBbCc123 Book titles or words to be Please refer to the FireWall-1 Getting Started Guide for
emphasized. further information.
AaBbCc123 Text that appears on an Use CheckPoint/Decode as FW-1 Monitor file to enable
object in a window. decoding.
In many deployment and support scenarios capturing network packets is an essential functionality.
tcpdump or snoop are tools normally used for this task. fw monitor provides an even better
functionality but omits many requirements and risks of these tools.
‚ No Security Flaws
o tcpdump and snoop are normally used with network interface cards in promiscuous
mode. Unfortunately the promiscuous mode allows remote attacks against these tools
(see Snoop vulnerable to a remotely exploitable buffer overflow). fw monitor does not
use the promiscuous mode to capture packets.
In addition most FireWalls’ operating systems are hardened. In most cases this
hardening includes the removal of tools like tcpdump or snoop because of their security
risk.
‚ Available on all FireWall-1 installations
o fw monitor is a built-in firewall tool which needs no separate installation in case
capturing packets is needed. It is a functionality provided with the installation of the
FireWall package.
‚ Multiple capture positions within the FireWall-1 kernel module chain
o fw monitor allows you to capture packets at multiple capture positions within the
FireWall-1 kernel module chain; both for inbound and outbound packets. This enables
you to trace a packet through the different functionalities of the firewall.
‚ Same tool and syntax on all platforms
o Another important fact is the availability of fw monitor on different platforms. Tools like
snoop or tcpdump are often platform dependent or have specific “enhancements” on
certain platforms. fw monitor and all its’ related functionality and syntax is absolutely
identical across all platforms.
There is no need to learn any new “tricks” on an unknown platform.
Normally the Check Point kernel modules are used to perform several functions on packets (like filtering,
en- and decrypting, QoS …). fw monitor adds its own modules to capture packets. Therefore fw
monitor can capture all packets which are seen and/or forwarded by the FireWall.
fw monitor [-u|s] [-i] [-d] [-D] <{-e expr}+|-f <filter-file|->> [-l len] [-m
mask] [-x offset[,len]] [-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos]
| -p all > [-a] [-ci count] [-co count] [-vs vsid or vsname]
Figure 1: fw monitor command line options
Break Sequence
The option –u or –s is used to print UUIDs or SUUIDs for every packet. Please note that it is only
possible to print the UUID or the SUUID – not both. Please refer to Using UUIDs and SSIDs for further
information.
Use –i to make sure that captured data for each packet is at once written to standard output. This is
especially useful if you want to kill a running fw monitor process and want to be sure that all data is
written to a file.
The –d option is used to start fw monitor in debug mode. This will give you an insight into fw
monitor’s inner workings although this option is only rarely used outside Check Point. It’s also possible
to use –D to create an even more verbose output.
fw monitor has the ability to capture only packets in which you are interested in. It is possible to set the
filter expression on the command line (using the –e switch), read it from a file (-f) or to read it from
standard input (-f -). Please refer to fw monitor filters for a detailed description of the filter syntax.
In the following examples we are filtering for the 9th byte of the IP Header (‘accept [9:1]=1;’). The
9th byte is the IP protocol and we are only accepting IP protcol 1 which is ICMP.
Bas
When using filter expressions on the command line (using –e) you should make sure that they are
properly quoted. On Windows and UNIX Operating systems this can be done by surrounding the
! expression with single quote (' – ASCII Value 39) or double quotes (" – ASCII Value 34). Please
note that depending on your operating system and shell used there might be differences between
the two forms – especially when using special characters or (shell) variables in the filter expression.
[Expert@cpmodule]# fw monitor -f -
monitor: getting filter (from stdin)
accept [9:1]=1;
^D
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
eth0:i[84]: 172.16.1.1 -> 172.16.1.2 (ICMP) len=84 id=21307
ICMP: type=8 code=0 echo request id=7530 seq=256
eth0:I[84]: 172.16.1.1 -> 172.16.1.2 (ICMP) len=84 id=21307
ICMP: type=8 code=0 echo request id=7530 seq=256
eth0:o[84]: 172.16.1.2 -> 172.16.1.1 (ICMP) len=84 id=24623
ICMP: type=0 code=0 echo reply id=7530 seq=256
eth0:O[84]: 172.16.1.2 -> 172.16.1.1 (ICMP) len=84 id=24623
ICMP: type=0 code=0 echo reply id=7530 seq=256
^C
monitor: caught sig 2
monitor: unloading
Figure 4: fw monitor – reading filter expressions from standard input
fw monitor allow you to limit the packet data which will be read from the kernel with -l. Refer to Limit
the packet length for further information. This is especially useful if you have to debug high sensitive
communication. It allows you to capture only the headers of a packet (e.g. IP and TCP header) while
omitting the actual payload. Therefore you can debug the communication without seeing the actual data
transmitted. Another possibility is to keep the amount of data low. If you don't need the actual payload for
debugging you can decrease the file site by omitting the payload. It’s also very useful to reduce packet
loss on high-loaded machines. fw monitor uses a buffer to transfer the packets from kernel to user
space. If you reduce the size of a single packet this buffer won’t fill up so fast.
By default fw monitor captures packets before and after the virtual machine in both directions (these
positions can be changed. Refer to How to change the position of the fw monitor chain module for more
information). The option –m options allows you to specify in which of the four positions you are interested.
For further information refer to Capture masks.
In addition to the IP and Transport header fw monitor can also print the packets’ raw data. This can be
done using the –x option. Optionally it is also possible to limit the data written to the screen. Please refer
to Print packet/payload data for more information.
In addition to the ability to print out the packet’s information, fw monitor is also able to save the raw
packets’ data to a file. The file format used is the same format used by tools like snoop (Refer to Snoop
file format (RFC 1761) for further information). This file format can be examined using by tools like snoop,
tcpdump or Ethereal.
The snoop file format is normally used to store Layer 2 frames. For “normal” capture files this
means that the frame includes data like a source and a destination MAC address. fw monitor
! operates in the firewall kernel and therefore has no access to Layer 2 information like MAC
addresses anymore. Instead of writing random MAC addresses, fw monitor includes information
like interface name, direction and chain position as “MAC addresses”.
Insert fw monitor chain module at a specifc position <[-pi pos] [-pI pos] [-po pos] [-pO
pos] | -p all >
In addition to capture masks (which give you the ability to specify whether you are interested in packets in
a specific position) fw monitor has the ability to define where exactly (in the FireWall-1 chain) the
packets should be captured. This can be defined using –p[iIoO] [pos]. Please refer to How to
change the position of the fw monitor chain module for further information.
If you use fw monitor to output the capture into a file (option –o), one of the fields written down to the
capture file is the chain position of the fw monitor chain module. Together with an simultaneous
execution of fw ctl chain you can determine where the packet was captured (see How to change the
position of the fw monitor chain module for more information on this). Especially when using –p all you
will find the same packet captured multiples times at different chain positions.
The option –a changes the chain id from an relative value (which only makes sense with the matching fw
ctl chain output) to an absolute value. These absolute values are known to CPEthereal (see Using
CPEthereal to inspect fw monitor files) and can be displayed by it.
fw monitor enables you to limit the number of packets being captured. This is especially useful in
situations where the firewall is filtering high amounts of traffic. In such situations fw monitor may bind
so many resources (for writing to the console or to a file) that recognizing the break sequence (Control-C)
might take very long.
fw monitor counts "real" packets. In the example above we decided to capture just 3 packets. But the
packet counter was 12 and 14. This can be explained by the multiple capture positions. In the first
example we had three inbound and three outbound packets (six in sum). Each packet is counted to times
(preInbound/postInbound or preOutbund/postOutbound):
! Please note that it is possible to use the –ci and the –co switches together. fw monitor will stop
capturing packets if the number of packets for one of the two counters reaches it’s value.
FireWall-1 VSX enables you to run multiple Virtual Routers and FireWalls on one physical machine. Using
the option –vs you can specify on which virtual component the packets should be captured. This option is
only available on a FireWall-1 VSX module – not on a standard module. Please refer to fw monitor on
FireWall-1 VSX for more information.
Using fw monitor
The easiest way to use fw monitor is to invoke it without any parameter. This will output every packet
from every interface that passes (or at least reaches) the enforcement module. Please note that the same
packet is appearing several times (two times in the example below). This is caused by fw monitor
capturing the packets at different capture points. Please refer to Capture masks for a more detailed
explanation.
[cpmodule]# fw monitor
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
eth0:i[285]: 172.16.1.133 -> 172.16.1.2 (TCP) len=285 id=1075
TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc
eth0:I[285]: 172.16.1.133 -> 172.16.1.2 (TCP) len=285 id=1075
TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc
eth0:o[197]: 172.16.1.2 -> 172.16.1.133 (TCP) len=197 id=44599
TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83
eth0:O[197]: 172.16.1.2 -> 172.16.1.133 (TCP) len=197 id=44599
TCP: 18190 -> 1050 ...PA. seq=941b05bc ack=bf8bca83
eth0:o[1500]: 172.16.1.2 -> 172.16.1.133 (TCP) len=1500 id=44600
TCP: 18190 -> 1050 ....A. seq=941b0659 ack=bf8bca83
^C
monitor: caught sig 2
monitor: unloading
Figure 7: Invoking fw monitor without parameters
This packet was captured on the first network interface (eth0) in inbound direction before the virtual
machine (lowercase i; see Capture masks for a more detailed explanation). The packet length is 285
bytes (in square parenthesis; repeated at the end of the line. Please not that these two values may be
different. Refer to the Virtual Defragmentation note for further information) and the packets ID is 1075.
The packet was sent from 172.16.1.133 to 172.16.1.2 and carries a TCP header/payload.
The second line tells us that this is an TCP payload inside the IP packet which was sent from port 1050 to
port 18190. The following element displays the TCP flags set (in this case PUSH and ACK). The last two
elements are showing the sequence number (seq=bf8bc98e) of the TCP packet and the acknowledged
sequence number (ack=941b05bc). You will see similar information for UDP packets.
You will only see a second line if the transport protocol used is known to fw monitor. Known
! protocols are for example TCP, UDP and ICMP. If the transport protocol is unknown or can not be
analyzed because it is encrypted (e.g. ESP or encapsulated (e.g. GRE) the second line is missing.
In contrast to other capturing tools like snoop or tcpdump, fw monitor does not use the promiscuous
mode on network interface cards. Based on the fact that FireWall-1 already receives all packets (due to
the FireWall-1 kernel module between NIC driver and IP stack) fw monitor uses it’s own kernel module
to capture packets (compared to filtering/encrypting them).
Unlike snoop or tcpdump, fw monitor has the ability to capture packets at different positions (refer to
Capture position for more information about the four locations) in the FireWall-1 kernel module chain.
snoop and tcpdump are capturing packets when they enter or leave the computer. Especially when NAT
with FireWall-1 is involved fw monitor offers the possibility to capture packets at multiple locations (e.g.
after the FireWall Virtual in inbound direction). This can help you to see how the packets are translated by
the firewall and on which IP address the routing decission is made.
Capture masks
fw monitor is able to capture packets at four different positions in the FireWall-1 chain:
‚ on the inbound interface before the Virtual Machine (pre-inbound)
‚ on the inbound interface after the Virtual Machine (post-inbound)
‚ on the outbound interface before the Virtual Machine (pre-outbound)
‚ on the outbound interface after the Virtual Machine (post-outbound)
App. App.
TCP TCP
IP Routing IP
post-inbound (I) pre-inbound (o)
VM VM
pre-inbound (i) post-outbound (O)
NIC NIC
! The picture above is a simplified figure of the actual implementation. To find out more please refer to
How to change the position of the fw monitor chain module for more information.
Using fw monitor masks it’s easily possible to capture only packets before they are inspected by the
firewall in inbound direction and after they have been inspected by the firewall in outbound direction.
In the example below we are capturing a communication between a client (10.2.4.12) and a web server
(172.16.1.1). The client address is translated to 172.16.1.3 and the server address is translated to
10.2.253.2. You can easily see how the non-translated packet enters the firewall and how the translated
packet (source and destination) is leaving the firewall:
[Expert@cpmodule]# fw monitor -m iO
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
eth1:i[60]: 10.2.4.12 -> 10.2.254.2 (TCP) len=60 id=41817
TCP: 34762 -> 80 .S.... seq=e8527fe7 ack=00000000
eth0:O[60]: 172.16.1.3 -> 172.16.1.1 (TCP) len=60 id=41817
TCP: 34762 -> 80 .S.... seq=e8527fe7 ack=00000000
eth0:i[60]: 172.16.1.1 -> 172.16.1.3 (TCP) len=60 id=41818
TCP: 80 -> 34762 .S..A. seq=e7c90e3e ack=e8527fe8
eth1:O[60]: 10.2.254.2 -> 10.2.4.12 (TCP) len=60 id=41818
TCP: 80 -> 34762 .S..A. seq=e7c90e3e ack=e8527fe8
eth1:i[52]: 10.2.4.12 -> 10.2.254.2 (TCP) len=52 id=41819
TCP: 34762 -> 80 ....A. seq=e8527fe8 ack=e7c90e3f
eth0:O[52]: 172.16.1.3 -> 172.16.1.1 (TCP) len=52 id=41819
TCP: 34762 -> 80 ....A. seq=e8527fe8 ack=e7c90e3f
^C
monitor: caught sig 2
monitor: unloading
Figure 12: Using fw monitor capture masks
Using the right combination of capture masks it’s very easy to find out when the firewall applies which
NAT rules (Hide NAT, Static Destination NAT or Static Source NAT). This is especially useful when you
need to know which packets the routing of the operating system is using to do the routing decision.
Using –x it’s possible to print the packet’s raw data. You have to specify a specific offset (e.g. used to
jump over the IP/TCP header) from which the packet data is printed. It’s also possible to limit the length of
the raw data:
In the following example we are skipping the IP and TCP header (offset 52) and are using a length of 96:
^C
monitor: caught sig 2
monitor: unloading
Figure 13: fw monitor – printing packet raw data
fw monitor can limit the amount of packet data which will be read from the kernel. The option –l is
used for this purpose. fw monitor will only read as many bytes from the kernel as you specified for the
–l option. Please make sure to capture as least as many bytes so that the IP and transport headers are
included.
UUIDs (universal-unique-identifiers) are a new feature in NG. The firewall assigns an UUID to every
connection passing the firewall. This UUID is kept through all firewall operations. Therefore you can follow
a connection through the firewall even if the packet content is NAT’ed. The UUID is also kept in the
connection table entry for the connection.
Additionally there is the concept of an SUUID (Session UUID). For services which are using several
connections (e.g. FTP) every connection has a unique UUID but the SUUID is equal for all the
connections (it’s the same as the first/control connection’s UUID).
UUIDs and SUIDs are very helpful for tracking connection through different chain modules of the firewall.
Even if a connection is NAT’ed the UUID or SUID remains the same. Therefore filtering for the UUID or
SUID helps you to find all packets belonging to a connection or session, even if the packets change.
Please note that the first packet of a connection or session as no UUID or SUID assigned yet (SUID/SUID
is all zero). After the first packet has been processed by the firewall a UUID or SUID is assigned and will
remain the same for the whole connection/session.
An UUID is built from four 32bit values using a timestamp, a counter, the firewall IP address and a
process ID. From this 128bit value a smaller 32bit value is constructed which is printed as well. Please
refer to UUID format for detailed information.
The UUID/SUUID is printed in front of the IP information. The first value is the striped UUID (32bit). The
second value is the complete UUID (128bit).
! Please note that new connections are using a UUID of 0x0000…. Once they have been “seen” by
the firewall module a UUID is assigned and maintained.
In Capture masks we described fw monitor capture masks. The positions were defined to be before
the virtual machine and after the virtual machine. Although not wrong it is not completely right.
Check Point uses a so called “kernel module chain” for different kernel modules which are working with
the packets. The different modules (Firewall, VPN , FloodGate … ) are passing on a packet to the next
module and building up a kind of chain this way.
The example below shows how the packets is processed by different chain modules while entering and
leaving the firewall machine:
TCP/IP TCP/IP
Outbound
Inbound
Accounting FG Policy
Virtual Reass
Wire Side Acct RTM/E2E
NIC NIC
You can take a look at the actual chain using the fw ctl chain command. This will show you the chain
modules actually loaded on your machine and their order. Please note that there are more kernel
modules in the chain which are not visible by fw ctl chain and also cannot be used for fw monitor
kernel module positioning.
The output of fw ctl chain is platform, version and product dependent. There is no reason to
! worry if your fw ctl chain output looks different. The number and kind of modules displayed here
may vary based on the platform used and products installed. Please note that even the offsets
shown here are version dependent and may change.
fw monitor inserts its own modules in this module chain and is capturing packets there. By default this
is not the first and last position in the chain. Therefore the original meaning of before and after needs to
be redefined:
‚ Without changing the position of the kernel module everything is quite simple:
o Before can be interpreted as being before any firewall, VPN or NAT action.
o After is defined as being after and NAT or VPN operation has occurred.
‚ If you change the kernel module position using –p (see How to change the position of the fw
monitor chain module) but do not capture at all positions (see All positions):
o Before (pre-inbound /pre-outbound) describes the first instance of the fw monitor
kernel module (although it may be after the VM!)
o After (post-inbound/post-outbound) describes the second instance of the fw monitor
kernel module (although in fact, like above, it may be before the VM).
‚ If you are using –p all to capture packets between every kernel module (see All positions):
o All packets captured between the kernel module before the VM are marked as being pre-
inbound/pre-outbound
o All packets captured after the VM are marked as being post-inbound/post-outbound.
Due to the fact that the fw monitor chain module is a “normal” chain module there are some
! issues one should be aware of. All chain modules are working on already (virtual) defragmented
packets. Even if a packet is fragmented fw monitor will show the defragmented packet, not the
fragments.
1. If you are printing fw monitor output to standard output you may see two different size
values:
In this example here the first length (square parenthesis) is 828 Bytes. This is the length of
the defragmented packet. The second size (len=) is 420 Bytes. This is the size of the first
IP Fragment. This may also cause “invalid packets” in Ethereal because the size in the IP
header (430 bytes here) is different from the size of the actual packet.
2. In addition it may be that the “more fragments” bit is set in the IP header, although the
packet itself is already defragmented.
If fw monitor is active you can see the fw monitor chain modules using fw ctl chain:
In inbound direction all chain positions before the firewall are considered to be preInbound. All chain
modules after the firewall VM are postInbound.
In outbound direction all chain position before the firewall VM are considered to be preOutbound. All
chain modules after the VM are postOutbound.
The –p[iIoO] switch allows you to insert the fw monitor module at different positions in the chain.
The letters “iIoO” are used with the same meaning like the fw monitor capture masks. There are four
possibilities to define the position of the fw monitor module in the chain:
The chain modules are ordered with an ascending number starting with zero: You can use this number to
specify the position where the fw monitor module should be inserted. The fw monitor module does
no replace the module with this number. The previous module (and all following modules) are moved by
one position:
Please note that the relative positions, the number and the order of the modules is in no way fixed.
Every change of the configuration or installed products may change this. If you are using relative
! number you should use fw ctl chain to verify the positions you intended to use. Another
possibility is to use aliases for the modules. Even if the position of the module may change the alias
remains the same.
Another possibility to specify the position of the fw monitor module is to use a modules alias (shown in
parenthesis). Compared to the relative positioning by numbers you have the additional possibility to
decide whether you want to insert the fw monitor module before or after the module you specified. This
can be done using + or – in front of the module alias:
Although in most cases the use of aliases for positioning is recommended it is also possible to use
absolute positioning. This allows you to specify the position to insert the fw monitor module using its
absolute position. Every chain module as such a position and the kernel sorts them according to this
position. The absolute position is printed in hex after the relative position. Please note that chain positions
before the virtual machine are negative values:
! Please note that the absolute position is a property of the kernel module assigned by Check Point
R&D: This value may change in future versions.
! fw ctl chain does not show the preceding 0x to specify hex numbers. Nevertheless you have to
add a preceding 0x in front of the number to use it with fw monitor.
A new option in NG with Application Intelligence (FP4) allows you to insert fw monitor modules
between all modules. This gives you the ability to follow a packet through the FireWall-1 kernel module
chain. The position where the packet was captured is printed after the direction (module in parenthesis)
and also written down to the capture file if the –o option is used..
! specific filters to reduce the output. Without a filter it may output more than 15 captured packets (in
this example 8 packets inbound and 9 packets outbound) per packet passing the firewall.
fw monitor filters
fw monitor filters are using a subset of INSPECT to specify the packets to be captured. The general
syntax is:
accept expression;
Figure 26: fw monitor filter expression – general syntax
“accept” in fw monitor filters does not mean that packets are actually accepted by the firewall.
! fw monitor captures all packets which are accepted by the filter and discards the rest. A filter like
accept; (capturing all packets) will in no way change the behavior of the FireWall and its rulebase.
The complexity of an expression can vary from a simple test (checking for a specific value at a specific
offset) to a complex expression using different checks and logical operators.
Simple Checks
Simple checks are used to check for a value at a specific offset in the packet:
offset specifies the offset relative to the beginning of the IP packet from where the value should be
read.
length specifies the number of bytes and can be 1 (byte), 2 (word) or 4 (dword). If length is not
specified fw monitor assumes 4 (dword).
order is used to specify the byte order. Possible values are b (big endian) or l (little endian, or host
order). If order is not specified little endian byte order is assumed.
relational-operator is a relational operator to express the relation between the packet data and the
value.
value is one of the data types known to INSPECT (e.g. an IP address or an integer).
Big Endian order means that the most significant byte as the lowest address (the word is stored ‘big-
endian-first’)
Little Endian order means that bytes at lower addresses have lower significance (the word is stored ‘little-
endian-first’)
Please note that the byte order is proccessor architecture dependent. On proccessors like Motorla 68xxx
big endian byte order is used. Little endian byte order is used e.g. by Intel 386 and compatible
processors. There are also processors which are able to work with both byte orders (e.g. PowerPC). You
can find more information about byte orders at An Essay on Endian Order.
0 8 16 24 32
header
version type of service (TOS) total length
length
source IP address
destination IP address
IP payload
0 8 16 24 32
0 8 16 24 32
SYN
RST
FYN
header
reserved TCP window size
length
Simple Checks can be used for a wide variety of checks. Some examples:
Filter on source or destination IP address. The IP addresses are stored as dwords at offset 12 (source
address) and 16 (destination address):
Please note the use of IP addresses instead of simple numbers in the example above. INSPECT
! “knows” IP addresses and converts them automatically to an integer. There is no need to do this
manually although this is possible. Please refer to the Check Point Reference Guide for more
information.
Filter on the IP protocol. The IP protocol is stored as a byte at offset 9 in the IP packet:
Network checks
INSPECT allows you to check whether a specific IP address belongs to a specified network. There are
two possibilities to achieve this:
Although this is very easy to use and to remember it has one limitation: It is not possible to define the
subnet mask to be used. Instead the subnet mask is automatically determined by the IP address.
The second possibility allows you to specify an IP range – therefore enabling you to filter not only for
none-implied subnet masks but even for IP address ranges:
Please note the it is possible to include multiple networks in a list. This allows you e.g. to define all your
internal networks and use the resulting list in the filter expression.
Data types
INSPECT knows several native data types. Just some of them are useful for fw monitor:
In addition to the single expressions testing for equality it is possible to combine different expressions
using several logical and relational operators
, Logical AND
or Logical Or
xor Logical XOR
not Logcial NOT
Figure 43: fw monitor – Logical Operators
Please note that INSPECT uses another operator precedence than e.g. C. In INSPECT the
Using relational and logical operators it is easily possible to build complex capture filters:
Even if fw monitor filters allow you to specify complex filters it’s normally not advisable. In many
cases a too complex filter might not capture packets you are interested in. It’s normally better to just
! filter out bulk traffic you’re not interested in (e.g. HTTP) and do the granular filtering later on (e.g.
using Ethereal on files generated with -o). An exception is using fw monitor on high-loaded
gateways. There you might have simply no choice but to reduce the amiunt of traffic being captured.
Because all offsets, lengths and orders are hard to remember fw monitor offers an more intuitive way of
specifying the desired field:
Using these macros it very easy to define filters (and understanding them again a few weeks later!):
These macros are not a part of INSPECT. INSPECT (and therefore fw monitor as well) uses a C
preprocessor to replace named macros with their low-level equivalents. If you are using filters on the
command line (using –e) fw monitor creates a new file with the definitions above and appends your
filter expression. The file is called $FWDIR/tmp/monitorfilter.pf:
The last line of monitorfilter.pf is your filter expression (or multiple expressions if you used multiple
–e expressions). The first four lines are defining src, dst, sport and dport. These are defined using
macros agin. This macros are defined in tcpip.def. The fifth line includes something called
“tcpip.def”.
As mentioned earlier INSPECT uses a C preprocessor. Therefore you can use C preprocessor directives
overall in your fw monitor scripts (on the command line as well as in files).
If you use fw monitor you can create your own “library” and include it (e.g. using the –f option). This
allows you to define your own definitions of commands and expressions you are using on a regular basis.
Take a look at Useful macros in tcpip.def for a collection of useful expressions.
Please note that predefined macros (like src, dport, sport …) are only automatically defined if
! you are using expressions on the command line. If you are using files or standard input for providing
filter expressions you have to define the macros for yourself or include them using the #include
directive manually.
! Please note that this is just a small amount of macros defined in tcpip.def. Take a look at
tcpip.def for yourself to find other useful expressions you may want to use.
Do not modify anything in tcpip.def or in any other *.def file in $FWDIR/lib by yourself. Check
! Point does not support any configuration with changed *.def files.
An exception are modifications done together with Check Point Support (according to a Service
Request) or found on SecureKnowldege.
Refer to the Check Point Reference Guide for a complete overview about INSPECT. Reading the *.def
files in $FWDIR/lib will give you a good overview about the possibilities as well.
The recommended tool for analyzing fw monitor capture files is Ethereal (Using Ethereal to inspect fw
monitor files) or CPEthereal (Using CPEthereal to inspect fw monitor files). Nevertheless fw monitor
capture files can be inspected with every tool which is able to read the snoop file format (Snoop file
format (RFC 1761)).
snoop is a tool normally found on Sun Solaris machines. snoop allows you to capture packets and to
examine them. As described in Write output to file fw monitor writes its capture files in the file format
used by snoop. This allows us to use snoop to decode the files later on. This means you can generate
the fw monitor files on one machine and examine them on another machine using all of snoop’s
functions including verbose output and filtering.
! snoop is only available on Sun Solaris. For other platforms refer to Using tcpdump to inspect fw
monitor files or Using Ethereal to inspect fw monitor files.
The following example shows how an fw monitor capture file (two ICMP Echo Request and ICMP Echo
Replies, PreIn/PostIn and PreOut/PostOut) which was generated on a Linux machine is inspected on a
Sun:
1 packets captured
bash-2.03#
Especially when working in verbose mode (-v) it is recommended to display only a few packets.
! Use –c to limit the number of packets or use filter expressions. snoop filter expressions are not
discussed in this paper. Refer to the snoop man page for further information.
! This paper does not cover advanced snoop usage including things like filtering, converting etc. You
can find further information at The Secrets of Snoop.
tcpdump has a similar functionality like snoop. Compared to snoop it runs on many platforms including
Linux, IPSO, FreeBSD …. tcpdump uses a slightly different file format than snoop. Therefore it is not
possible to open fw monitor files with tcpdump directly:
This means we have to convert the fw monitor capture file to a file format which tcpdump is able to
read. One possibility is to use editcap (see editcap for further information). editcap is a tool from the
Ethereal package which is able to convert between different capture file formats. By default editcap
converts any input file to an output file in tcpdump format (tcpdump actually uses the libpcap file format.
Visit the tcpdump/libpcap homepage for further information).
This will give you a capture file named tcpdump.cap with the same content as fwmonitor.cap which
can be read by tcpdump:
Like snoop, tcpdump offers the possibility to output the data in an even more detailed was. This can be
achieved by using verbose options. tcpdump offers three verbose options – -v, -vv and –vvv – with
different verbose levels:
! This paper does not cover advanced tcpdump usage including things like filtering, converting etc.
You can find further information at tcpdump man page.
Ethereal is a graphical tool to analyze and capture network traffic. Ethereal is available on a wide range of
platforms and operating systems including all major UNIX flavors (Solaris, Linux, *BSD …), Windows
(Windows 9x, ME, NT 4, 2000 and XP), Mac OS X and many more. The screenshots in this paper were
taken on a Linux machine (for Ethereal). Ethereal reads a wide variety of capture formats including the
format used by fw monitor (which is in fact the same format as snoop). This means you can simply
open a fw monitor file in Ethereal:
As you can see, Ethereal displays four “lines” per packet (preIn, postIn, preOut and postOut). Please not
that depending on the –m and/or –p switches there might be more or less lines per packet. The
information about the direction and the interface is not visible at first. This information is “hidden” in the
MAC addresses:
Alfred Köbler (Alfred.Koebler@icon.de) wrote an addition to Ethereal which enables Ethereal to display
not MAC addresses but the fw monitor information. This addition is part of the standard Ethereal
distribution since version 0.9.9. It can be activated using Edit/Preferences/Protocols/Ethernet/Interpret
as FireWall-1 monitor file:
The summary line (which can also be displayed as an additional column in the overview pane) lists all
encountered interfaces and the packet’s direction. For a packet entering the gateway through eth0 and
leaving the gateway through eth1 the summary line will show:
The interface and direction information described above can also be displayed as an additional column in
the overview pane. To activate the chain column go to Edit/Preferences/Protocols/Columns and add a
new column like showed below:
Ethereal offers the possibility to display only specific packets and/or to display them with different colors.
The easiest way to display only specific packets is to select a packet in the overview pane and select
Follow TCP Stream from the context menu. This will automatically set a display filter to only display
packets of this specific connection (based on source/destination IP addresses and ports). You can see
this filter below the raw data pane. Additionally it displays the data exchanged between client and server
in a separate dialog box:
(ip.addr eq 10.2.4.12 and ip.addr eq 172.16.1.1) and (tcp.port eq 41748 and tcp.port eq 80)
Please note that this filter only uses IP addresses and ports. Therefore you will still have all four
! lines per packet in the overview pane. An exception might be if you are using NAT (where the
addresses might change inbound and/or outbound) or if you used capture masks (Capture masks)
while creating the capture file.
How to use fw monitor Page 51 of 70
Revision: 1.01
Another possibility is to select a value in the decode pane and select Match or Prepare together with an
logical operator. This is especially useful to discover how the property is called and which data types it
accepts:
The filter above would only list packets in the overview pane which where captured postOut (outbound
interface, after the VM).
Ethereal filters require no special syntax to check whether an IP address belongs to a specific
subnet. Instead you can use an IP address with Classless Inter Domain Routing (CIDR) notation
You can find a list with all known properties under Help/Help/Display Filters.
Based on the standard Ethereal Pedro Paixão and Shaul Eizikovich created an enhanced version of
Ethereal. This “Check Point flavor of Ethereal” (reference as CPEthereal on the following pages) extends
the standard Ethereal in many areas to cover Check Point (an fw monitor) specific needs and
functions. CPEthereal is available in two versions. A public version with slightly improved fw monitor
decoding (public CPEthereal) and a enhanced CSP version with all the features covered below (CSP
Ethereal).
Block coloring
Because fw monitor may capture multiple samples of the same packet passing through the firewall it is
sometimes hard to differentiate between the different packets. CPEthereal can group samples of the
same packets by colorizing them. This can be activated using CheckPoint/Colorize:
Following a connection through the firewall can be simplified by using Display Filters (refer to Using
display and color filters on fw monitor parameters). However, once you are using NAT things might get
more complicated. To simplify this task CPEthereal recognizes NATted packets and marks them red in
the overview pane. Additionally it provides some more information about the NAT type in the decode
pane:
Many environments have problems with malformed FTP transfers. Although not directly Check Point
related, CPEthereal provides enhanced FTP features.
First of all CPEthereal provides a more detailed FTP control connection decomposing than the standard
Ethereal. This includes things like an explicit test for an ending <CR><LF> and a decoding and counting
of replied lines (banners in most cases):
Using CheckPoint/Find… it is possible to search packets according to their Check Point specific
properties:
The Check Point enhanced search dialog consists of three search areas.
The top area allows you to find packets based on connection properties:
‚ NAT: Find packets which where NATed
‚ SEQT Find packets where the sequence number or the acknowledge number was changes
‚ UUID: Find packets belonging to specific connection based on their UUID
The pane in the middle allow you to filter the packets based on their capture position in the chain.
In addition it’s possible to specify additional restrictions using Ethereal filters (refer to Using display and
color filters on fw monitor parameters for an overview about Ethereal filter syntax) in the bottom pane.
Please note that the chain positions in the enhanced search do only make sense for capture files
! captured with NG with Application Intelligence (FP4) or higher. This feature requires absolute chain
positions (Use absolute chain positions [-a]) which are only available since NG with Application
Intelligence.
Block filters allow you to find packet blocks (see Block coloring for further details) based on specific
packet chain positions based or absent in these blocks. It’s also possible to additionally specifiy an
Ethereal filter (refer to Using display and color filters on fw monitor parameters for an overview about
Ethereal filter syntax):
Since FP3 fw monitor is able to write the connection UUID to the capture file (Using UUIDs and
SSIDs). First of all CPEthereal is able to display the UUID in the decode pane. Additionally it’s possible to
follow a connection based on the UUID. Select a packet of a connection you’re interested in and choose
CheckPoint/Track UUID. This will show you only packets with the same UUID like the UUID of the
selected packet:
CPEthereal includes an improved fw monitor decoding. This includes the possibility to use display or
color filters on additional packet properties:
SecuRemote/SecureClient since Feature Pack 3 includes an utility named “srfw” which provides some
functionality of the fw command on the client side. One functionality is to capture packets on the client
side with srfw monitor like it is possible on the gateway side with fw monitor. The binary
(srfw.exe) is located under $SRDIR\bin (normally C:\Program
Files\CheckPoint\SecuRemote\bin). The general syntax is:
srfw monitor [-d] <{-e expr}+ | -f <filterfile | ->> [-l len] [-m mask]
[-x offset[,length]] [-o file]
Figure 79: srfw monitor syntax
The usage of srfw monitor (e.g. the Break Sequence) and the options are the same as the fw
monitor options.
Figure 80: srfw monitor example – four ICMP echo requests/replies on a german Windows XP
Please note that although srfw monitor understands most of the fw monitor command line
! switches not every switch is implemented. You can use some switches (e.g. –e and –f) with srfw
monitor (srfw monitor isn’t even complaining about it!), but they simply perform no actual
function. But this can change in future versions of SecuRemote/SecureClient.
If you are using FireWall-1 VSX you have multiple virtual routers and firewalls on one physical machine.
Each router and each firewall has it’s own IP stack and also it’s own kernel module chain. On a VSX
module each firewall command has the ability to specify on which VS (virtual System) this command
should be executed. Each VS has a name and number. You can find out this number using fw vsx
stat:
fw monitor, when used with –vs option, monitors Virtual System traffic. It does not show any traffic
passing through Virtual Routers.
! fw monitor on a Virtual Router will only show packets which are inspected by the Virtual Router
(which are packet which are targeted to the Virtual Router’s virtual IP stack only).
How to run the "fw monitor" command in FireWall-1 4.0 SP3 and above and FireWall-1 4.1
https://support.checkpoint.com/csp/idsearch.jsp?resultStart=1&id=10022.0.1862930.2481845
What license feature is needed to run the command "fw monitor" on a VPN-1/FireWall-1 module?
https://support.checkpoint.com/csp/idsearch.jsp?resultStart=1&id=10022.0.2594497.2500363
How to avoid the error: "Failed to Load Security Policy: Bad file number"
https://support.checkpoint.com/csp/idsearch.jsp?resultStart=1&id=sk336
Error when running 'fw monitor' command: "unknown interface (255): Interrupted system call"
https://support.checkpoint.com/csp/idsearch.jsp?resultStart=1&id=55.0.12289624.2846374
snoop
tcpdump
tcpdump/libpcap homepage
http://www.tcpdump.org/
Ethereal
Ethereal homepage
http://www.ethereal.com/
editcap
http://www.ethereal.com/editcap.1.html
Public Version
http://www.checkpoint.com/techsupport/csp/downloads.html - cpethereal
CSP Version
http://www.checkpoint.com/techsupport/downloadsng/utilities.html - CPethereal
Miscellaneous
Some tools are not able to decode fw monitor Layer 2 header information properly. fw monitor
stores it’s own information in the header fields designed for MAC addresses (Refer to fw monitor file
format). This can be misinterpreted in some cases as Multicast MAC addresses.
Although fw monitor capture files are using the snoop file format the content is slightly different. fw
monitor does not write down MAC addresses (12 bytes; 6 per MAC address) in the Layer 2 Frame
header. Instead fw monitor writes down information about the interface and chain position where the
packet was captured.
If you do not use the –u or –s option or an older version of fw monitor the fields for the MAC
addresses are used as follows:
Byte 0 1 2 3 4 5 6 7 8 9 10 11
snoop
Source MAC address Destination MAC address
file
fw Packet
chain
monitor direction Interface Name
positon
file (i/I/o/o)
Byte 0 1 2 3 4 5 6 7 8 9 10 11
snoop
Source MAC address Destination MAC address
file
fw Packet
chain
monitor direction Interface Name UUID / SUUID
positon
file (i/I/o/o)
As described in Using UUIDs and SSIDs the firewall assigns a UUID to each connection passing through
it. This UUID is a 128 bit value built from four 32 bit value where only the first two are relevant.
When using the –o option together with the –u or –s option, fw monitor does not write the full length
128 bit value to the capture file. Instead fw monitor writes down a stripped down 32 bit value. This
value is composed of the two least significant bytes of the second UUID value (counter) and the two least
significant bytes of the first UUID (timestamp).
29 August 2011
© 2011 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=12312
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History
Date Description
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How To Configure Templates for fw
monitor Technical Reference Guide).
Contents
Supported Versions
Supported on all versions.
Supported OS
Supported on all OS platforms.
Supported Appliances
Supported on all appliances and open servers.
Assumed Knowledge
· Working knowledge of network technology
· General knowledge of TCP / IP.
· General knowledge of packet flow through Check Point Gateway.
· General usage of packet protocol analyzers like snoop, tcpdump, Wireshark or Ethereal.
· General knowledge about Firewall chain modules + INSPECT filter.
fw monitor is able to capture packets at four different positions in the Firewall: There are four inspection
points as a packet passes through the virtual machine
· on the inbound interface before the Virtual Machine (pre-inbound)
Using fw monitor
The easiest way to use fw monitor is to invoke it without any parameter. This will output every packet from
every interface that passes (or at least reaches) the enforcement module. Please note that the same packet
is appearing several times (two times in the example below). This is caused by fw monitor capturing the
packets at different capture points.
Break Sequence
Use ^C (that is Control + C) to stop fw monitor from capturing packets.
The above packet was captured on the first network interface (eth0) in inbound direction before the virtual
machine (lowercase i)
The second line tells us that this is an TCP payload inside the IP packet which was sent from port 1050 to
port 18190. The following element displays the TCP flags set (in this case PUSH and ACK). The last two
elements are showing the sequence number (seq=bf8bc98e) of the TCP packet and the acknowledged
sequence number (ack=941b05bc). You will see similar information for UDP packets.
You will only see a second line if the transport protocol used is known to fw monitor. Known protocols are for
example TCP, UDP and ICMP. If the transport protocol is unknown or cannot be analyzed because it is
encrypted (e.g. ESP or encapsulated (e.g. GRE) the second line will be missing.
Argument Explanation
-u|s Printing the UUID or the SUUID: The option –u or –s is used to print UUIDs or
SUUIDs for every packet. Please note that it is only possible to print the UUID or the
SUUID – not both.
-i Flushing the standard output: Use to make sure that captured data for each packet is
at once written to standard output. This is especially useful if you want to kill a running
fw monitor process and want to be sure that all data is written to a file.
[-d] [-D] Debugging fw monitor: The -d option is used to start fw monitor in debug mode. This
will give you an insight into fw monitor’s inner workings. This option is only rarely used
outside Check Point. It is also possible to use –D to create an even more verbose
output.
<{-e expr}+|-f <filter- Filtering fw monitor packets: fw monitor has the ability to capture only packets in
file|->> which you are interested. fw monitor filters use a subset of INSPECT to specify the
packets to be captured. Set the filter expression • on the command line using the –e
switch • by reading it from a file using the -f switch. • by reading it from standard input
using the -f - switch.
-l len Limiting the packet length: fw monitor allow you to limit the packet data which will be
read from the kernel with -l. This is especially useful if you have to debug high sensitive
communication. It allows you to capture only the headers of a packet (e.g. IP and TCP
header) while omitting the actual payload. Therefore you can debug the communication
without seeing the actual data transmitted. Another possibility is to keep the amount of
data low. If you don't need the actual payload for debugging you can decrease the file
site by omitting the payload. It’s also very useful to reduce packet loss on high-loaded
machines. fw monitor uses a buffer to transfer the packets from kernel to user space. If
you reduce the size of a single packet this buffer won’t fill up so fast.
m mask Setting capture masks: By default fw monitor captures packets before and after the
virtual machine in both directions. These positions can be changed. This option allows
you to specify in which of the four positions you are interested.
-x offset[,len] Printing packet/payload data: In addition to the IP and Transport header fw monitor
can also print the packets’ raw data using the –x option. Optionally it is also possible to
send all data that is written only to the screen the data written.
-o <file> Write output to file: Save the raw packet data to a file in a standard (RFC 1761)
format. The file can be examined using by tools like snoop, tcpdump or Ethereal. Note -
The snoop file format is normally used to store Layer 2 frames. For "normal" capture
files this means that the frame includes data like a source and a destination MAC
address. fw monitor operates in the firewall kernel and therefore has no access to Layer
2 information like MAC addresses. Instead of writing random MAC addresses, fw
monitor includes information like interface name, direction and chain position as "MAC
addresses".
-T Print time stamp in microseconds. -T is needed only when -o is not used. When -o is
used the exact time is written to the snoop file by default as of Corsica.
<[-pi pos] [-pI pos] Insert fw monitor chain module at a specific position: In addition to capture masks
[-po pos] [-pO pos] | (which give the ability to look at packets in a specific position) fw monitor has the ability
-p all > to define where exactly in the firewall chain the packets should be captured. This can
be defined using these options.
-a Use absolute chain positions: If you use fw monitor to output the capture into a file
(option –o), one of the fields written down to the capture file is the chain position of the
fw monitor chain module. Together with a simultaneous execution of fw ctl chain you
can determine where the packet was captured. Especially when using –p all you will
find the same packet captured multiples times at different chain positions. The option –a
changes the chain id from an relative value (which only makes sense with the matching
fw ctl chain output) to an absolute value. These absolute values are known to
CPEthereal and can be displayed by it.
[-ci count] [-co Capture a specific number of packets: fw monitor enables you to limit the number of
count] packets being captured. This is especially useful in situations where the firewall is
filtering high amounts of traffic. In such situations fw monitor may bind so many
resources (for writing to the console or to a file) that recognizing the break sequence
(Control-C) might take very long.
[-vs vsid or vsname] Capture on a specific Virtual Router or Virtual Machine: VPN-1 Power VSX enables
you to run multiple Virtual Routers and Firewalls on one physical machine. Using the
option –vs you can specify on which virtual component the packets should be captured.
This option is only available on a VPN-1 Power VSX module. Please refer to fw monitor
on FireWall-1 VSX for more information.
pre-inbound i (lowercase i)
post-inbound I (uppercase i)
pre-outbound o (lowercase o)
post-outbound O (uppercase o)
Using fw monitor masks it is easily possible to capture only packets before they are inspected by the firewall
in inbound direction and after they have been inspected by the firewall in outbound direction.
In the example below we are capturing traffic between a client (10.2.4.12) and a web server (172.16.1.1).
The client address is translated to 172.16.1.3 and the server address is translated to 10.2.253.2. You can
easily see how the non-translated packet enters the firewall and how the translated packet (source and
destination) is leaving the firewall:
Using the right combination of capture masks it’s very easy to find out when the firewall applies which NAT
rules (Hide NAT, Static Destination NAT or Static Source NAT). This is especially useful when you need to
know which packets the routing of the operating system is using to do the routing decision.
fw monitor Filters
fw monitor filters use a subset of INSPECT to specify the packets to be captured. The general syntax is the
accept expression:
"accept" in fw monitor filters does not mean that packets are actually accepted by the firewall. fw monitor
captures all packets which are accepted by the filter and discards the rest. A filter like accept; (capturing all
packets) will in no way change the behavior of the Firewall and its rule base.
The complexity of an expression can vary from a simple test (checking for a specific value at a specific
offset) to a complex expression using different checks and logical operators.
Data Types
INSPECT knows several native data types. Just some of them are useful for fw monitor:
= or is Equal
, Logical AND
or Logical Or
Macros
fw monitor offers an more intuitive way of specifying the desired field:
Using these macros it very easy to define filters. Here are some examples:
Captures everything except http traffic. #fw "accept not ( sport=80 or dport=80);"
All TCP packets sent between host #fw monitor "accept [9:1]=9 , ((src=10.2.4.12 ,
10.2.4.12 and 172.16.1.2 dst=172.16.1.2) or (src=172.16.1.2 , dst=10.2.4.12));"
Captures all traffic from and to the host #fw monitor –e "accept src=172.29.109.1 or
172.29.109.1 dst=172.29.109.1;"
Captures all http traffic on port 80 only #fw monitor –e "accept dport==80;"
rd
3 filter will capture only inbound direction
before and after the virtual machine (i and #fw monitor –m iI –e "accept;" –o monitor.out
I), and redirects the output to a file.
You can see the actual chain using the fw ctl chain command. This shows you the chain modules actually
loaded on your machine and their order. fw monitor can be inserted in any position in the chain. Note that
there are more kernel modules in the chain which are not visible by fw ctl chain and which cannot be used
for fw monitor kernel module positioning.
The output of fw ctl chain is platform, version and product dependent. There is no reason to worry if your fw
ctl chain output looks different to the above. The number and kind of modules displayed here may vary
based on the platform used and products installed.
fw monitor inserts its own modules in this module chain and captures packets. By default this is not the first
and last position in the chain. Therefore the original meaning of before and after needs to be redefined.
Appendix .............................................................................................................................................. 15
How to Determine if the Kernel Module on Solaris is 32 or 64 Bit.................................................... 15
Core Files Locations on the Different Platforms ............................................................................... 15
SPLAT/Linux................................................................................................................................. 15
Solaris........................................................................................................................................... 15
IPSO ............................................................................................................................................. 16
What to do with the Extracted Stack................................................................................................. 16
Which Debugger Should be Used for which OS?............................................................................. 17
Solaris Kernel Panic example........................................................................................................... 18
Kernel Panic on Splat\Linux.............................................................................................................. 19
A user process core dump can result in a variable size file - fwd process, which may only
show 28 MB of RAM. Whereas a kernel panic is dumped into a file which is the size of the
machine's total available RAM.
You can use a core file to analyze the memory state at the time the crash occurred. A
debugger generates a file that holds a representation of a stack from the memory which is
populated with function names and addresses.
The stack that is generated is read in an LIFO (Last In, First Out) style. The top most
function represented in the stack is last function running in the memory before the crash
occurred.
The Debugger
The debugger reads symbols from "symbol files" which contain: names of variables,
functions, and types (i.e. C language structures). The information in these files is inherent
to the text of the program and does not change as it executes. When you debug a
program, the debugger finds the appropriate symbol table to translate the data that is in the
core file. Symbol tables only contain the memory addresses of the symbols, but not the
variables and functions names. For example, we use function names like main(), whereas
computers use addresses like 0x804b64d or 0xbffff784.
The program's code is also compiled with debugging information (what we call the
"Unstripped version") which tells the debugger two things:
What is KDB?
KDB is a machine's "kernel debugger" and the machine runs in a state similar to Windows
safe mode. We can use KDB to access the machines memory and look at the functions
that are running at a specific time for all the processes.
FW.exe Contact Check Point Technical Support FW executable with debug information
Getting Started
To debug a Windows executable:
1. Open a DOS window.
2. Change the directory to where the data files are: C:\data.
3. Confirm that you have installed WinDbg in directory D:\dbg, and then enter the
following command: D:\dbg\bin\windbg -z user.dmp .
4. The debugger prompts you for a DLL file – you should ignore it.
5. You are prompted for a source file. You may ignore it, or provide the exact path.
Note: The source must be of the same revision as the fw.exe that the customer has.
6. The source file is displayed with a yellow marker on the source code line where the
application crashed.
If the source code line is not displayed, then you have chosen the wrong source file.
You should repeat this procedure.
The first column signifies the Frame number. A frame with a higher number calls a
frame with a lower number. The crash is always in frame 0.
The next two columns are Frame pointer and Return address respectively.
The next column is read as follows:
Application!function+offset (function parameters) [Source file @
source line]
SPLAT/Linux
In SPLAT the core files are not located in the regular place, even if your core-dump-size is
defined to be "unlimited".
To show the location (and name pattern) of core files:
1. Type: cat /proc/sys/kernel/core_pattern .
2. The SPLAT output is:
/var/log/dump/usermode/%e.%p.core
3. The core files are located in /var/log/dump/usermode/.
%e.%p – combines the process name and pid to the name of the core file.
In other Linux systems, the content of the "core_pattern" file is usually just "core".
Solaris
This section gives examples of how to configure the settings for a core dump on a Solaris
machine.
To verify that the Solaris machine is enabled for core dump:
̇ Enter the following commands:
IPSO
The location of the core dump files on an IPSO machine is: /var/crash. You must also
confirm that the IPSO machine can produce core files.
To confirm if the machine can produce core files:
1. Type the command: limit.
2. The following output is displayed:
cputime unlimited
filesize unlimited
datasize 262144 kbytes
stacksize 8192 kbytes
coredumpsize unlimited
memoryuse 122772 kbytes
memorylocked 81850 kbytes
maxproc 40
openfiles 64
3. If the value of coredumpsize is not "unlimited", then you should change the value.
Type the following command:
limit coredumpsize unlimited
For example, if the executable that caused the core file is cpd (verified issuing file
cpd.core command), you should find the build number of that executable.
physmem 3df6e
adb: warning: dump is from SunOS 5.9 Generic_118558-19; dcmds and
macros may not match kernel implementation
(Usually you can ignore this message.)
The adb debugger is waiting for information in the following format:
$<msgbuf
0x30001549522: pseudo-device: devinfo0
0x30001279623: devinfo0 is /pseudo/devinfo@0
0x300020d4d9f: NOTICE: bge2: link down (advertised capabilities changed)
0x300032d085f: NOTICE: bge2: link up 10Mbps Full-Duplex (forced)
0x300020b5020: /pci@1c,600000/scsi@2 (glm0):
Cmd (0x32bade0) dump for Target 0 Lun 0:
0x300020b9620: /pci@1c,600000/scsi@2 (glm0):
cdb=[ 0x2a 0x0 0x2 0x3 0x32 0xc0 0x0 0x1 0x0 0x0 ]
0x300020b49e0: /pci@1c,600000/scsi@2 (glm0):
pkt_flags=0x4000 pkt_statistics=0x60 pkt_state=0x7
0x300020b80e0: /pci@1c,600000/scsi@2 (glm0):
pkt_scbp=0x0 cmd_flags=0x1860
There are many lines of output, but we are only interested in the following:
0x30276d37660: sched:
0x30276d3e0e0: trap type = 0x31
0x300020b5de0: addr=0x3039168f617
The phrase sp=0x788e2c91 is called the ‘Stack Pointer’ and is needed in order to get the
stack from the dump file.
Now issue 788e2c91$c at the command line and the following stack is displayed:
788e2c91$c
psv_spii_str_process_data+0x7d4(3000279cff8, 787924fc, 0, 2000, 0, 0)
fwtcpstr_add_packet+0xcc4(3000279cff8, 787924f4, 300026bbb50, 0, 78924a28,
300027250b0)
fwtcpstr_handle_packet+0x308(3000279cff8, 3000279d118, 788e3d4c, 788e3d48,
2, a46)
fw_conn_inspect+0x17c8(1c001, 3000279d12c, ffffffffffffffff, 0,
3000279d120, 3000279d124)
fw_filter_chain+0xde4(20000000, 7882db78, 86c00000, 50, 2a10004b9d8,
12ccb60)
fwchain_do_+0x698(3000279cff8, 0, 0, 787a5800, 787a5a18, 0)
fw_stack_call+0x1c(788e3701, 7812e274, 3000279cff8, 0, 0, 0)
fwstack_call+0x1a8(78796188, 7812e274, 3000279cff8, 0, 0, 0)
fwchain_do_ex+0x108(3000279cff8, 1, 0, 2a10004b720, 0, fffe)
fw_filter+0x400(30038dfdc80, 7, 0, 0, 2a10004b720, 3000157e550)
fwstrmod_filter+0x434(3000157e550, 30038dfdc80, 3000157e550, 16,
3000005d3b8, 80)
fwstrmodrput+0x2d8(3000157e550, 30038dfdc80, 20, 50, 1860,
8000000000000000)
putnext+0x21c(0, 30038dfdc80, 86c00000, 50, 2a10004b9d8, 12ccb60)
qferead_dvma+0x32c(5400, 50, 300382a3600, 96, 2a10004b9d8, 12ccb60)
qfe_intr+0x150(5508, fffeffff, 300029474c8, 30002942428, 10000, 54c8)
pci_intr_wrapper+0x7c(300002b1208, 793, 1400000, 1400468, f260, 12cfb88)
intr_thread+0x130(b, 0, 0, 2a10007dd40, 0, fffe)
disp_getwork+0x38(1400000, 1400000, 30005f60050, 1438788, 16, 0)
idle+0xc8(0, 0, 1438788, 1438788, 2a10016bd40, 0)
thread_start+4(0, 0, 0, 0, 0, 0)
)LUH:DOO.HUQHO'HEXJ2SWLRQV
7KH)LUH:DOONHUQHOPRGXOHPD\EHSXWLQWRGHEXJPRGHZLWKWKHIROORZLQJFRPPDQG
QRNLDBIZ>DGPLQ@IZFWOGHEXJGHEXJRSWLRQ!
7KHIROORZLQJDUHYDOLGGHEXJRSWLRQV
WXUQGHEXJJLQJRIIIZFWOGHEXJ
DOO'212786(
DOOGHEXJIHDWXUHV
7KHRXWSXWLVH[FHVVLYHPDNLQJWKHV\VWHPXQUHVSRQVLYH2IWHQRQO\DFROGUHERRWZLOOUHVWRUHDFFHVVWRWKH
V\VWHP
FRRNLHFRRNLHDEVWUDFWGDWDW\SHRIUHSUHVHQWLQJSDFNHWVUHODWHGPHVVDJHV
FU\SWHQFU\SWLRQUHODWHGLQIRUPDWLRQ
GRPDLQGRPDLQTXHULHV
GULYHUGHYLFHGULYHURSHUDWLRQV
ILOWHUILOWHUORDGLQJDQGXQORDGLQJ
KROGSDFNHWVKHOGDQGUHOHDVHGUHODWHGDPRQJRWKHUWKLQJVWRHQFU\SWLRQ
LILQWHUIDFHELQGLQJ
LQVWDOOGULYHULQVWDOODWLRQ
LRFWOLRFWOFRPPDQGVIURPWKHGDHPRQ
NEXINHUQHOEXIIHUVEXIIHUVDOORFDWHGE\WKHNHUQHOIRUHQFU\SWLRQSXUSRVHV
OGRSHUDWLRQVRQG\QDPLFWDEOHV
ORJORJPHVVDJHVVHQWWRWKHGDHPRQ
PDFKLQHYLUWXDOPDFKLQHRSHUDWLRQWKHYLUWXDOPDFKLQHZKLFKH[HFXWHVWKH,163(&7FRGHFRPSLOHGIURPSIILOHV
PHPRU\PHPRU\XVDJH
PLVFDOORWKHUV
SDFNHWSDFNHWKDQGOLQJ
SURILOHSHUIRUPDQFHPRQLWRULQJ
TVWUHDPVDQGTXHXHVRSHUDWLRQV
V\QDWNRSHUDWLRQVUHODWHGWRV\QDWWDFNSURWHFWLRQ
WFSVHT7&3VHTXHQFHQXPEHUVFKDQJHG
ZLQQWZLQGRZV17VSHFLILFRSHUDWLRQV
[ODWHDGGUHVVWUDQVODWLRQIRUQHZFRQQHFWLRQV
[OWUFDGGUHVVWUDQVODWLRQIRUWHOQHWDQGIWS
5HGLUHFWLQJ2XWSXWWRD)LOH
7KHLQIRUPDWLRQLVVHQWE\GHIDXOWWRWKHFRQVROH,WFDQDOVREHVHQWWRDNHUQHOEXIIHU7KLVLVQHFHVVDU\EHFDXVHWKHRXWSXW
RIWHQLVWRJUHDWWRSURFHVVUHDOWLPH+HUHDUHVRPHH[DPSOHVRIKRZWRUHGLUHFWWKHRXWSXWWRDILOHIRUH[DPLQDWLRQODWHU
QRNLDBIZ>DGPLQ@IZFWOGHEXJEXI>@
7KHGHIDXOWVL]HLV.E\WHV$WWKLVSRLQW\RXKDYHRQO\HQDEOHGWKHUHGLUHFWLRQRIVWGRXWWRDEXIIHUEXWWKHQH[WVWHSLV
UHWULHYHWKHFRQWHQWVRIWKLVEXIIHU7KLVLVGRZQZLWKWKHIROORZLQJFRPPDQG
QRNLDBIZ>DGPLQ@IZFWONGHEXJI
GH 30
7KH)LUH:DOO KWWSGOFKHFNSRLQWFRPSDLGIQNBIZBGHEXJKWPO"+DVK.H\
7KLVZLOOQRZGXPSWKHEXIIHUWRVWGRXWEXWWKLVLVVLPLODUWREHIRUH7KHIROORZLQJDUHWKHVWHSVWRUHGLUHFWWKHEXIIHUWRD
ILOH
QRNLDBIZ>DGPLQ@IZFWOGHEXJEXI
QRNLDBIZ>DGPLQ@IZFWOGHEXJRSWLRQ!
QRNLDBIZ>DGPLQ@IZFWONGHEXJI!ILOHVSHF
QRNLDBIZ>DGPLQ@WDLOIILOHVSHF
:KHQ\RXKDYHJDWKHUHGHQRXJKLQIRUPDWLRQSUHVV&75/&!WRVWRSWKHRXWSXWWRWKHILOH<RXZLOOKDYHWRLVVXH
CIZFWOGHEXJCLQRUGHUWRDFWXDOO\UHVWRUHWKHNHUQHOWRQRUPDORSHUDWLRQ
'HEXJJLQJ+7736HFXULW\6HUYHU
:HXVHGWKHVHEHORZZKHQZHGHEXJJHG+7736HFXULW\6HUYHUSUREOHPV2QHRIWKHYXOQHUDELOLWLHVLQWKH+7736HFXULW\
6HUYHULVWKDWLWZLOOEORFNDOOQHWZRUNFRQQHFWLRQVLWLVFKHFNLQJLID85/LVQRWUHVROYDEOH7KLVLVVHULRXVLQWKDWD'26RI
'16WR\RXUILUHZDOOFDQFULSSOHLW)RUH[DPSOHLI\RXFUHDWHD85,UHVRXUFHREMHFWWRH[SOLFLWO\EORFN+773WR
ZZZVRPHGRPDLQFRPDQGWKLVGRHVQRWUHVROYHWRDQ,3DGGUHVVWKHQDOO+773WKDWLVVXEMHFWWR&RQWHQW6HFXULW\ZLOOEH
EORFNHG
QRNLDBIZ>DGPLQ@VHWHQY+773B'(%8*
QRNLDBIZ>DGPLQ@VHWHQY):$+773'B'(%8*
QRNLDBIZ>DGPLQ@VHWHQY):B'(%8*B(9(17
QRNLDBIZ>DGPLQ@VHWHQY):7B'(%8*DOO
QRNLDBIZ>DGPLQ@IZNLOOIZGIZGCFDW):',5FRQIPDVWHUVC
7KHODWHUYHUVLRQVRI)LUH:DOOHQDEOH6073B'(%8*DQG0'4B'(%8*LQDQRWKHUZD\7KHVHYDULDEOHVVKRXOGEH
GHILQHGLQWKH):',5FRQIVPWSFRQIILOHDQGWKHQWKHIZGSURFHVVVKRXOGEHNLOOHGXVLQJWKH±865VZLWFKZKHQWKLVLV
GRQHWKHGHEXJJLQJLQIRUPDWLRQZLOOVWDUWLPPHGLDWHO\ZLWKRXWWKHQHHGWRUHVWDUWWKHGDHPRQV
7RUHPRYHWKHVHHQYLURQPHQWDOYDULDEOHVH[HFXWHXQVHWHQYHQYBYDULDEOH7KHRXWSXWLVGLUHFWHGWR):',5ORJ
DKWWSGORJ7KLVSDUWLFXODUSUREOHPSURGXFHGQXPHURXVGXSOLFDWHHQWULHVLQWKHORJILOHWKDWZHUHRIWKLVIRUP
>#QRNLDBIZLSUJQRNLDFRP@FDOOLQJDV\QFUHVROYHIRUZZZXQUHVROYHDEOHFRP
>SRUW&RQQHFWLRQUHIXVHG7KX$XJ@>SLG @
)DLOHGWRFRQQHFWWRVHUYHUIRUVLGH DW>7KX$XJ@
>SLG @ZULWHBIURPBTXHXHVLGH FOQW
EXI
GDWD
UHVROYHGBQDPHZZZXQUHVROYHDEOHFRP
W\SHGQVBUHVROYHBE\QDPH
FKDLQBQDPHUHVROYHUBOLVW
FDOOBIXQFWLRQFDFKHGBUHVROYHUBJHWKRVWE\QDPH
UHWXUQBIXQFWLRQ
VHULDOBQXPEHUBUHVROYHUBOLVW
FXUUHQWBVLGH
7KHVSHFXODWLRQZDVWKDW)LUH:DOOZDVDWWHPSWLQJRYHUDQGRYHUWRUHVROYHZZZXQUHVROYHDEOHFRPWRDQ,3DGGUHVV,W
GH 30
7KH)LUH:DOO KWWSGOFKHFNSRLQWFRPSDLGIQNBIZBGHEXJKWPO"+DVK.H\
ZDVYHULILHGWKDWWKLVSDUWLFXODUGHVWLQDWLRQZDVQRWUHVROYDEOH2QFHWKHUXOHXVLQJD85,UHVRXUFHREMHFWRIW\SH:LOGFDUG
ZKLFKH[SOLFLWO\VSHFLILHGWKLVVLWHZDVUHPRYHGHYHU\WKLQJZDVUHVWRUHG7KLVEXJZDVYHULILHGWREHLQ63IRU6RODULV
RQ$XJWK7KHLPPHGLDWHVROXWLRQLVWRQRWXVHD85,UHVRXUFHREMHFWRIW\SH:LOGFDUGWRGURSRUUHMHFW+773EXWWR
RQO\$FFHSW+773
'HEXJJLQJ60736HFXULW\6HUYHU
:HXVHWKHIROORZLQJWRGHEXJ60736HFXULW\6HUYHU$WWKLVSRLQWLQWLPHZHGRQRWKDYHDJRRGGHILQLWLRQRIZKDWWKHVH
YDULDEOHVGRZLWKWKHH[FHSWLRQWKDWWKH\DOOLQFUHDVHWKHRXWSXWRIGHEXJLQIRUPDWLRQ7KHYDULDEOHVZLWK0'4SXWWKHVSRRO
GHTXHXHUSURFHVVLQWRGHEXJPRGH7KH6073B'(%8*HQYLURQPHQWDOYDULDEOHLVVKRZQZLWKWKUHHOHYHOV&KRRVHRQH
):7B'(%8*LVDVVRFLDWHGZLWKWKHIZGGDHPRQ236(&B'(%8*B/(9(/
QRNLDBIZ>DGPLQ@VHWHQY0'4B'(%8*
QRNLDBIZ>DGPLQ@VHWHQY):0'4B'(%8*
QRNLDBIZ>DGPLQ@VHWHQY6073B'(%8*>@
QRNLDBIZ>DGPLQ@VHWHQY):'B'(%8*FYS
QRNLDBIZ>DGPLQ@VHWHQY):7B'(%8*FYS
QRNLDBIZ>DGPLQ@VHWHQY236(&B'(%8*B/(9(/>@
QRNLDBIZ>DGPLQ@IZNLOOIZGIZGCFDW):',5FRQIPDVWHUVC
7RUHPRYHWKHVHHQYLURQPHQWDOYDULDEOHVH[HFXWHXQVHWHQYHQYBYDULDEOH
'HEXJJLQJ6HFX5HPRWH(QFDSVXODWLRQSUREOHP
QRNLDBIZ>DGPLQ@IZFWOGHEXJFRRNLH
QRNLDBIZ>DGPLQ@IZFWOGHEXJEXI
QRNLDBIZ>DGPLQ@IZFWONGHEXJIILOHVSHF
QRNLDBIZ>DGPLQ@WDLOIILOHVSHF
:HVKRXOGVHHPHVVDJHVRIWKHIRUPFRRNLHGDWDFRXOGQRW;;;7KHUHZLOOEHPHVVDJHVWKDWVSHFLILFDOO\FRPSODLQDERXW
IUDJPHQWDWLRQ
6HFX5HPRWHPD\EHSODFHGLQWRGHEXJPRGHE\FUHDWLQJWKHILOHIZHQFORJDWWKHURRWRI\RXUV\VWHPGULYH)RUH[DPSOH
WKLVPLJKWEHF?IZHQFORJ
'HEXJJLQJWKHLQSLQJGGDHPRQ
QRNLDBIZ>DGPLQ@VHWHQY):3,1*B'(%8*
7KHRXWSXWRIIZWDEWFKHFNBDOLYHLVDOVRDQDO\]HG
GH 30
Technical Support Files Needed for Troubleshooting
Abstract
Check Point Technical Services requests files or information to help facilitate problem resolution. The following
document is provided to customers and partners may anticipate what information or files will be requested based on
the type of problem they are experiencing.
ABSTRACT ...................................................................................................................................................................1
OVERVIEW....................................................................................................................................................................3
FIREWALL-1 .................................................................................................................................................................4
General .....................................................................................................................................................................4
CORE Crash .............................................................................................................................................................4
Dr. Watson ................................................................................................................................................................4
INSPECT...................................................................................................................................................................4
Kernel Crashes..........................................................................................................................................................4
LOG...........................................................................................................................................................................4
Network Address Translation ....................................................................................................................................4
Resources: CVP........................................................................................................................................................5
Rule Base Problems..................................................................................................................................................5
Security Server..........................................................................................................................................................5
APPLIANCE PRODUCTS .............................................................................................................................................5
ClusterXL ..................................................................................................................................................................6
Rainfinity Rainwall .....................................................................................................................................................6
Stonesoft Stonebeat Full Cluster...............................................................................................................................6
Reporting Module ......................................................................................................................................................6
FloodGate-1 ..............................................................................................................................................................7
ENTERPRISE PRODUCTS ...........................................................................................................................................7
General .....................................................................................................................................................................7
Provider-1..................................................................................................................................................................7
SiteManager-1...........................................................................................................................................................7
User Authority............................................................................................................................................................7
FireWall-1 GX (Wireless)...........................................................................................................................................8
Customer Logging Module ........................................................................................................................................8
Management Logging Module ...................................................................................................................................8
LDAP Account Management .....................................................................................................................................8
VSX ...........................................................................................................................................................................8
ENCRYPTION PRODUCTS...........................................................................................................................................8
‚" FireWall-1
‚" Appliance Products
‚" High Availability Products
‚" Enterprise Products
‚" Encryption Products
Additionally, this document will detail how a customer or partner can provide information about
troubleshooting steps he or she may have already done prior to contacting support.
CORE Crash
‚" Core File
Dr. Watson
‚" Dr. Watson file (drwtsn32.log)
‚" User.dmp file (system.dmp in case of a blue screen).
INSPECT
‚" If a specific SERVICE was mentioned, specify the following:
o How does the service work
o On which protocol does the service work
o On which ports does the service work
‚" fwmonitor + a list of the relevant IPs (client, server, FireWall).
Kernel Crashes
‚" vmcore.x file
‚" unix.x file
LOG
‚" If the problem is related to the Log Viewer, issue the command ‘fw logexport’ in order to see if all
the columns are full.
‚" If the log records are not written to the log file (‘fw log’ and ‘fw logexport’ show no new records), you may
want to run “fw d –d –D”, which includes special debugging option for FW1_LOG connections for VPN-
1/FireWall-1 v4.1.
o fw debug fwd on --> log/fwd.elg
o fw debug fwm on --> log/fwm.elg
Resources: CVP
‚" Issue the command ‘snoop’ on port 18181
‚" fwopsec.conf file
‚" cvp.conf file on the CVP side
‚" Set the environment variable OPSEC_DEBUG_LEVEL to 3, and restart fwd. Send the output received in
fwd.log.
Security Server
‚" fwmonitor + a list of the relevant IPs (client, server, FireWall).
‚" Run the Authentication daemon in Debug and send the log/ahttpd.elg file.
‚" If the problem is related to SMTP, send the spool directory and run the mail dequeuer and the
asmtpd in debug mode.
Appliance Products
CVP & UFP Problems
‚" cpinfo from FireWall-1 Enforcement module
‚" cpinfo from SmartCenter Management module
‚" CVP or UFP product name and version
‚" URL of web site if the problem is with accessing a certain web site
‚" ahttpd, aftp etc. debug (in case it's http related issue)
‚" fw monitor (including the IP addresses of all parties)
‚" Web/FTP site trying to be accessed
‚" fw.log file (when there are error messages in the log viewer.) or an export of the relevant log
records
‚" Important: Make sure you verify whether the problem occurs with/without UFP/CVP
Nokia
‚" ipsoinfo from FireWall-1 Enforcement module
‚" ipsoinfo from SmartCenter Management module
OSE
‚" cpinfo from SmartCenter Management module
‚" Router type and OS version
‚" For Cisco and Nortel (Bay), obtain a copy of the routers configuration (*cfg file)
SecurePlatform
‚" cpinfo from FireWall-1 Enforcement module
‚" cpinfo from SmartCenter Management module
‚" For user mode crash - send the user dump
o Use the 'ulimit -c unlimited' command to configure the machine to generate cores.
‚" For kernel mode crashes:
Files Needed for Troubleshooting Page 5 of 11
Revision: 2
o Send the crash dump file located in: /var/log/dump/x (where x is the crash number)
o Send the /var/log/dump/analysis file
‚" Did customer add patches? Which ones?
‚" Hardware
‚" NIC Drivers (if the problem related to NIC)
OPSEC Application
‚" Vendor and version of OPSEC application
‚" cpinfo from management and module
‚" Log files from the OPSEC vendor application (when available)
‚" OPSEC debug on the Application side (when available)
o Usually to run it simultaneously with FireWall-1 OPSEC debug (on the FireWall-1 module
side)
High Availability
ClusterXL
‚" cpinfos from the SmartCenter Server and Enforcement points
‚" fw ctl debug –buf 4096
‚" fw ctl debug –m cluster all
‚" fw ctl kdebug –f > <file name>
Rainfinity Rainwall
‚" cpinfo
‚" Rainfinity version
‚" *.cfg files from Rainwall
‚" fw ctl debug –buf 4096
‚" fw ctl debug misc
‚" fw ctl kdebug –f > <file name>
Reporting Module
‚" cpinfo (from SmartCenter only)
Files Needed for Troubleshooting Page 6 of 11
Revision: 2
‚" reporting server directory (Program Files/Checkpoint/Reporting Module or
‚" /opt/CPrt-50 directory disregarding the database directory)
‚" rtserver debug
‚" log consolidator debug
‚" The fw log files $FWDIR/log directory
FloodGate-1
‚" cpinfo
‚" fw ctl debug -m FG-1
Enterprise Products
General
‚" Latest cpinfo file
Provider-1
‚" cpinfos from MDS environment and CMA environment
‚" SIC problems
o cpd debug on MDS
o cpd debug on individual CMA
‚" Copy of $MDSDIR/conf/mdsdb directory (the latest cpinfo includes it)
‚" fwd debug for logging/status/connectivity issues
‚" fwm debug for gui/management issues
‚" mds_backup
SiteManager-1
‚" cpinfos from MDS environment and CMA environment
‚" SIC problems
o cpd debug on MDS
o cpd debug on individual CMA
‚" Copy of $MDSDIR/con/mdsdb directory
‚" fwd debug for logging issues
‚" fwm debug for GUI/management issues
‚" mds_backup
User Authority
‚" cpinfo from management and gateway
‚" netsod debug on gateway
‚" SIC problems
o cpd debug on domain controller
‚" Information from Domain Controller for authentication problems:
‚" cpinfo, netsod debug, ipconfig /all output
‚" Netcat between Domain controller and Secure Agent.
‚" Netcat between Module and Domain Controller
VSX
‚" mds_backup from Provider-1 VSX MDS
‚" cpinfo from the problematic CMA environment (mdsenv <cma name>)
‚" output of fw vsx stat –v command on the VSX Gateway
‚" cpd.elg (cpd_admin debug on) from the VSX MDS and Gateway for virtual system creation, policy
installation and SIC issues
‚" fw monitor –vs <vsid> from problematic Virtual System
‚" cpinfo –c <vsid> -o <file> from the VSX Gateway
‚" fw ctl debug with necessary flags
Encryption Products
VPN-1 Pro
‚" Monitor from VPN-1 Enforcement modules involved in VPN
‚" vpnd.elg file from VPN-1 Enforcement modules involved in VPN (vpn debug on)
‚" IKE.elg file from VPN-1 Enforcement modules involved in VPN (vpn debug ikeon)
‚" Any error messages seen in log viewer
‚" cpinfo from VPN-1 Enforcement modules involved in VPN
Files Needed for Troubleshooting Page 8 of 11
Revision: 2
‚" cpinfo from SmartCenter Management module(s) of the above VPN-1 Enforcement modules
‚" Network description
‚" Core files if any
VPN-1 Net
‚" Monitor from VPN-1 Enforcement modules involved in VPN
‚" vpnd.elg file from VPN-1 Enforcement modules involved in VPN (vpn debug on)
‚" IKE.elg file from VPN-1 Enforcement modules involved in VPN (vpn debug ikeon)
‚" Any error messages seen in log viewer
‚" cpinfo from VPN-1 Enforcement modules involved in VPN
‚" cpinfo from SmartCenter Management module(s) of the above VPN-1 Enforcement modules
‚" Network description
‚" Core files if any
VPN-1 Edge
‚" http://my.firewall/pub/test.html
‚" diagnostics output from http://my.firewall, setup> firmware> diagnostics
‚" exported configuration (.cfg) from http://my.firewall, setup> tools> export
‚" cpinfo from central site VPN-1 Enforcement module(s) and SmartCenter Server involved in VPN
‚" vpnd.elg and ike.elg from central site VPN-1 Enforcement modules involved in VPN (vpn debug
on, vpn debug ikeon)
SecuRemote
‚" Monitor from VPN-1 Enforcement modules involved in client to FireWall VPN
‚" Monitor (or anlz) output from client involved in client to FireWall VPN
‚" vpnd.elg file from VPN-1 Enforcement modules involved in VPN (vpn debug on)
‚" IKE.elg file from VPN-1 Enforcement modules involved in VPN (vpn debug ikeon)
‚" IKE.elg file from client involved in client to FireWall VPN
‚" Any error messages seen in log viewer
‚" cpinfo from VPN-1 Enforcement modules involved in VPN
‚" cpinfo from SmartCenter Management module(s) of the above FireWalls
‚" srinfo from client
‚" *.log files form log directory
‚" Network description
SecureClient
‚" Monitor from VPN-1 Enforcement modules involved in client to FireWall VPN
‚" Monitor (or anlz) output from client involved in client to FireWall VPN
o The command "srfw monitor.." - starting from NG FP2
‚" vpnd.elg file from VPN-1 Enforcement modules involved in VPN (vpn debug on)
‚" IKE.elg file from VPN-1 Enforcement modules involved in VPN (vpn debug ikeon)
‚" IKE.elg file from client involved in client to FireWall VPN
‚" Any error messages seen in log viewer
‚" cpinfo from VPN-1 Enforcement modules involved in VPN
‚" cpinfo from SmartCenter Management Module(s) of the above FireWalls
‚" srinfo from client
o If it's a problem getting the policy, or logging onto the Policy Server, we'll need the
dtpsd.elg file (dtps debug on)
‚" *.log files from log directory
‚" Network description
‚" vpnd.elg file from VPN-1 Enforcement modules involved in VPN (vpn debug on)
SecureXL TurboCard
‚" Output of ‘fwaccel stat’
‚" Output of ‘fwaccel conns’
‚" Output of ‘vpn accel stat ‘ for encryption issues
‚" fw ctl debug –buf 4096
‚" fwaccel dbg <flag>
‚" fw ctl debug –f > <file>
PKI
‚" output of vpn crlview –d –obj <fw object name> -cert <cert nickname>
‚" vpnd.elg (with vpn debug on)
‚" ike.elg with (vpn debug ikeon)
‚" cpinfos
‚" Certificate authority product name and version and output of any relevant logs or error messages
from the server.
Check Point encourages customers and partners to provide any troubleshooting information they may
have done prior to contacting Check Point. To help our technical advisors easily determine what a
customer or partner may have already reviewed, please be ready to provide or document the as much of
the following information as possible:
If you believe you have discovered a bug, please provide the following information:
Bug information:
IKEVIEW is a Checkpoint Partner tool available for VPN troubleshooting purposes. It is a Windows executable that can be
downloaded from Checkpoint.com. Ikeview was originally only available to Checkpoint's CSP partners however they will
gladly supply you a copy of thie file if you have a licensed Checkpoint product. This file parses the IKE.elg file located on the
firewall.
http://pingtool.org/downloads/IKEView.exe
2. Attempt to establish the VPN tunnel. All phases of the connection will be logged to the IKE.elg file.
All Phase I packets will either be labeled Main Mode or Aggressive Mode.
An arrow pointing to the left (<) indicates IPSEC packets that the Checkpoint firewall (local) receives from the remote Peer.
An arrow pointing to the right (>) represent IPSEC packets that the Checkpoint firewall is sending to the remote peer.
If your encryption fails in Main Mode Packet 1, then you need to check your VPN proposal (encryption/hash/lifetime).
Packet 2 ( MM Packet 2 in the trace ) is from the responder to agree on one encryption and hash algorithm
Packets 3 and 4 aren’t usually used when troubleshooting. They perform key exchanges and include a large number called
a NONCE. The NONCE is a set of never before used random numbers sent to the other part, signed and returned to prove
the parties identity.
Packets 5 and 6 perform the authentication between the peers. The peers IP address shows in the ID field under MM
packet 5. Packet 6 shows that the peer has agreed to the proposal and has authorised the host initiating the key
exchange.
If your encryption fails in Main Mode Packet 5, then you need to check the authentication - Certificates or pre-shared
secrets
In the example below, we see that Phase I is failing after the first packet (Main mode Phase I takes 6 packets to complete).
After the first packet (the initial proposal packet), we see that the remote peer responds with No Proposal Chosen. In this
example, the remote peer rejected the local proposal of AES/SHA1 with a lifetime of 86400 seconds and the provided
Preshared key.
http://check-point-firewall.blogspot.com.br/2012/03/roubleshooting-checkpoint-vpns-with.html 1/3
19/07/2017 Check Point Firewall: Troubleshooting Checkpoint VPNs with IKEVIEW
Next is Phase II - the IPSec Security Associations (SAs) are negotiated, the shared secret key material used for the SA is
determined and there is an additional DH exchange. Phase II failures are generally due to a misconfigured VPN domain.
Phase II occurs in 3 stages:
1. Peers exchange key material and agree encryption and integrity methods for IPSec.
2. The DH key is combined with the key material to produce the symmetrical IPSec key.
3. Symmetric IPSec keys are generated.
In IkeView under the IP address of the peer, expand Quick Mode packet 1:
> "P2 Quick Mode ==>" for outgoing or "P2 Quick Mode <==" for incoming > QM Packet 1
You should be able to see the SA life Type, Duration, Authentication Alg, Encapsulation Mode and Key length.
If your encryption fails here, it is one of the above Phase II settings that needs to be looked at.
> QM Packet 1
> ID
You should be able to see the initiators VPN Domain configuration including the type (ID_IPV4_ADDR_SUBNET) and data (ID
Data field).
Under the second ID field you should be able to see the peers VPN Domain configuration.
Packet 2 from the responder agrees to its own subnet or host ID, encryption and hash algorithm.
Below is a screenshot of a failed VPN connection for Phase II. From this example, we can see that Phase I(Main Mode)
completed successfully. Phase II (Quick Mode) shows a Failed status.
As indicated below, there is an Outgoing proposal (local peer) for AES/SHA1 with a lifetime of 3600 seconds. After the failed
Phase II packet, there is an Info packet from the remote peer indicating “Invalid ID Information”. This is an indication that
the remote peer rejected our proposal. If the tunnel were being initiated on the Remote End, we would also see the
remote peer’s proposal and can compare that to the local proposal.
http://check-point-firewall.blogspot.com.br/2012/03/roubleshooting-checkpoint-vpns-with.html 2/3
19/07/2017 Check Point Firewall: Troubleshooting Checkpoint VPNs with IKEVIEW
No Proposal Chosen:
A common error that can be easily identified in IKEVIEW is “No Proposal Chosen”.
In the Quick Mode section that is followed by the info line displaying the “No Proposal Chosen” message should display the
network mask used for the VPN handshake. Compare the mask used in the local encryption domain with the mask sent by
the remote peer. This is a common error when establishing tunnels with non-Checkpoint firewalls. Checkpoint, by default,
supernets networks contained in the encryption domain. The method for resolving this issue on the Checkpoint firewall
differs depending on if the firewall is R55, R61 simple mode, or R61 classic mode. In R55 there is an option in the VPN
section of the Interoperable firewall object that tells the Firewall for “One tunnel per pair of hosts, or one tunnel per pair of
subnets”. In R61 Simple mode, there is an option in the VPN Community that says “exchange key per host”. In R61 Classic
mode you will need to do the following during non-business hours:
CP Stop
CP start.
Aggressive mode uses 3 packets instead of 6 during the Phase I negotiations. Therefore if 1 side of the tunnel is configured
for Aggressive Mode and the other side is configured for Main Mode, the 2 peers will not agree with the contents of the first
packet during the exchange. If the local peer is mistakenly configured to use Aggressive Mode (which is a less secure
method), the outgoing packet will be labeled Aggressive Mode.
Invalid ID-Information:
This is an indication that the remote peer rejected either the Phase I or Phase II proposal from the local peer.
http://check-point-firewall.blogspot.com.br/2012/03/roubleshooting-checkpoint-vpns-with.html 3/3
How To Troubleshoot SIC-
related Issues
11 January 2011
© 2011 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=11880
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History
Date Description
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How To Troubleshoot SIC-related
Issues ).
Contents
Supported Versions
· NGX R65 and oldest versions
· NGX R70
· NGX R71
Supported OS
· SecurePlatform
Supported Appliances
· Relevant for every appliance and open server
· For Open servers, refer to the Hardware Compatibility List in Check Point public site at:
· http://www.checkpoint.com/services/techsupport/hcl/all.html
(http://www.checkpoint.com/services/techsupport/hcl/all.html -
http://www.checkpoint.com/services/techsupport/hcl/all.html)
Troubleshooting Procedures
In this section:
Checking Connectivity
Ensure that the SIC ports are open. As previously mentioned, the SIC ports are:
· Port 18209 is used for communication between the VPN-1/FireWall-1 Module and the Certificate
Authority (status, issue, revoke).
· Port 18210 is used to pull certificates from the CA.
· Port 18211 is the port used by the cpd daemon on the Module to receive the certificate (when clicking
Initialize in the Policy Editor).
To determine if SIC is listening to its network ports on your Check Point device (can be Security Gateway
server or Security Management Server), use the following command:
· On Windows platforms:
· Open CMD and execute: > netstat -na | findstr 18211
· On Linux platforms:
· # netstat -na | grep 18211
· The output should be:
· TCP 0.0.0.0:18211 0.0.0.0:0 LISTENING
A NAT device between the SmartCenter Server and Security Gateway will not have any effect on the ability
of a Check Point enabled entity to communicate using SIC, since the protocol is based on Certificates and
SIC names (and not IPs).
To verify the Gateway is listening for the SmartCenter Server for getting certificates, the CPD debug output
should be as follows:
[CPD ID]@cpmodule[Date] Get_SIC_KeyHolder: SIC certificate read successfully
[CPD ID]@cpmodule[Date] SIC initialization started
[CPD ID]@cpmodule[Date] get_my_sicname_from_registry: Read the machine's sic
name: CN=member_1,O=cpmodule..6vxoys
[CPD ID]@cpmodule[Date] Initialized sic infrastructure
[CPD ID]@cpmodule[Date] SIC certificate read successfully
[CPD ID]@cpmodule[Date] Initialized SIC authentication methods
Usually, when the server suffers from high memory consumption, the affected process will eventually crash,
since (due to Linux limitation) it can only reach a memory consumption of ~2GB.
To create the core file, enable the option of a core dump creation, as follows:
On the server where the process crashes:
# um_core enable
# ulimit –c unlimited
# reboot
which provides the core file that will be generated after the next crash.
· The core file name should be similar to: <proc_name>.<core_serial_number>.core
· File should be created under /var/log/dump/usermode.
The process can crash immediately after performing the operation which is related for that process (means it
it is not necessarily a leak, just large enough to cause a crash at a specific point). In such cases, the core
dump file size can take few hundred MB, or after some time on which the memory usage for this process
reaches the highest limit it is capable of, where the core dump file can take more than 2 GB.
Many high memory consumptions issues are solved on the HFA releases, therefore, if you encounter such
an issue, try to install the latest HFA. If it is a known issue, the HFA will probablyovercome it.
If the issue was not solved during the latest HFA, collect the core file (if it was created), together with the
TOP command output that shows the high usage and send this information to Check Point support.
Since SIC operations are performed by the CPD daemon, the monitored process should be the CPD on
both the Security Management server and the Security Gateway server.
Refer to sk35496 (http://supportcontent.checkpoint.com/solutions?id=sk35496 ) for instructions how to
detect high memory consumption (memory leak) on your Security Gateway server.
Option 1
1. Clean the old log file(s), by issuing:
· # rm $CPDIR/log/cpd.elg.*
· # echo ' ' > $CPDIR/log/cpd.elg
2. Start the debugging:
· # echo ‘===debug_start===’ >> $CPDIR/log/cpd.elg
· # cpd_admin debug on TDERROR_ALL_ALL=5
· # cpd_admin debug on OPSEC_DEBUG_LEVEL=9
3. Replicate the problem
4. Stop the debugging:
· # echo ‘===debug_stop===’ >> $CPDIR/log/cpd.elg
· # cpd_admin debug off TDERROR_ALL_ALL=0
· # cpd_admin debug off OPSEC_DEBUG_LEVEL=0
5. Debug output files, located at:
· $CPDIR/log/cpd.elg*
Option 2
1. Stop the CPD process:
· # cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command
"cpd_admin stop"
2. Enable the debug flags:
· # export TDERROR_ALL_ALL=5
· # export OPSEC_DEBUG_LEVEL=9
3. Start CPD on debug level:
· # cpd –d > cpd_debug.txt 2>&1
4. Replicate the problem.
5. Issue CTRL+C to stop the ‘cpd -d‘ debug.
6. Disable the debug flags:
· # unset TDERROR_ALL_ALL
· # unset OPSEC_DEBUG_LEVEL
The debug output file is cpd_debug.txt which is located on your current directory.These should provide
an indication about the issue that causes the SIC failure. When finding a suspicious log entry within these
files (look for error, fail, etc.), it is necessary to look for it on Secure Knowledge database (Check Point
public site). If nothing similar is found, open a new Service Request with Check Point support and provide
the information you collected.
For further debug information, please refer to sk41513
(http://supportcontent.checkpoint.com/solutions?id=sk41513 ) - How to debug SIC problems.
Verifying
To verify that the issue you encountered has been solved:
1. Check that SIC is established with the Security gateway. Go to the gateway object in SmartDashboard.
2. In the General Properties tab, under the Secure Internal Communication section, click Communicate.
3. In the opened window, click Test SIC Status.
The most typical status is Communicating. Any other status indicates that the SIC communication is
problematic. If the SIC status is Not Communicating, the Security Management server is able to
contact the gateway, but SIC communication cannot be established.
If after going over the steps in this guide the SIC status is anything other than Communicating, contact
Check Point support and open a new Service Request with all the relevant information collected in this
procedure.
29 August 2011
© 2011 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=12298
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History
Date Description
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How to Troubleshoot Logging Issues
).
Contents
Supported Appliances
All supported appliances.
Supported Versions
All supported versions, including R70 and higher.
Troubleshooting Procedures
Preliminary Questions
These are some questions that you should ask before troubleshooting logging issues:
· Is this a new installation?
· Were the logs operating correctly before the issue started?
· What recent changes could possibly cause this issue?
· Does the Security Management server receive logs from many Security Gateways or from one Security
Gateway?
· If the Security Management server receives logs from many Security Gateways, is the issue with all or
only one Security Gateway?
The answers to these questions can help determine which troubleshooting steps are appropriate.
Note - You can resolve many logging issues simply by rebooting the Security
Gateway or the Security Management server. You should always try rebooting
before doing more complex troubleshooting procedures. Of course, if logging issues
occur frequently, you should try these troubleshooting procedures.
Network Connectivity
To Make Sure that you Have Basic Network Connectivity:
1. Ping the Security Gateways from the Security Management server and the Security Management server
from the Security Gateways.
2. Make that your firewall rules allow connectivity between the Security Gateways, intermediate Security
Gateways and the Security Management server.
3. Make sure that you have connectivity over port 257 and that firewall rules are not blocking this port. You
can run telnet mgmt_ip_address 257 to do this verification.
If you cannot ping or use telnet successfully, the traffic is probably being dropped or is incorrectly routed.
You can use SmartView Tracker to identify dropped traffic or tcpdump ("Using tcpdump to Verify Network
Connections" on page 7) to troubleshoot routing issues.
Installing a Policy
Make sure that you can install a policy on, or fetch a policy from the Security Gateway. If you cannot install
or fetch a policy, make sure that SIC trust is operational between the Security Gateway and the Security
Management server. Try reconfiguring SIC Trust.
To fetch a policy from the Security Management server, run fw fetch <Security Management
server host name or IP address>.
Using Debug
If none of these procedures helped you to resolve the issue, you can use the debug command to collect
troubleshooting information. We recommend that you use debug with the fwd and cpd process on the
Security Gateways and the Security Management server. Debugging the cpd process is useful for resolving
SIC trust issues.
Suggested Workflow for Using Debug:
1. Run debug on the Security Gateway.
cpd_admin debug on TDERROR_ALL_ALL=5
fw debug fwd on TDERROR_ALL_ALL=5
2. Run debug on the Security Gateway.
cpd_admin debug on TDERROR_ALL_ALL=5
fw debug fwm on TDERROR_ALL_ALL=5
fw debug fwd on TDERROR_ALL_ALL=5
3. Let debug run for 1 to 2 minutes and then stop the debug.
cpd_admin debug off TDERROR_ALL_ALL=1
fw debug fwm off TDERROR_ALL_ALL=1
fw debug fwd off TDERROR_ALL_ALL=1
4. Run cpinfo on the Security Gateways and the Security Management server. See sk30567
(http://supportcontent.checkpoint.com/solutions?id=sk30567) to get instructions for downloading and
installing cpinfo.
5. Send this information to customer support.
Verification
After each procedure, run SmartView Tracker to see if logs are received correctly from the Security
Gateways.
Verification Page 8
Index
D
Doing a Log Switch • 8
H
How To Troubleshoot Logging Issues • 5
I
Impact on the Environment and Warnings • 5
Important Information • 3
Incorrectly Configured Standalone Deployments
•6
Installing a Policy • 7
M
Making Sure that Logs are Sent • 7
N
Network Connectivity • 6
O
Objective • 5
P
Preliminary Questions • 5
R
Removing Possible Corrupted Files • 8
S
Supported Appliances • 5
Supported Operating Systems • 5
Supported Versions • 5
T
The Security Management server is not in the
Listening State • 6
Troubleshooting Procedures • 5
U
Using Debug • 8
Using tcpdump to Verify Network Connections •
7
V
Verification • 8
Verifying the Masters File • 7
How to Troubleshoot
Identity Awareness Issues
18 September 2011
© 2011 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=12625
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History
Date Description
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How to Troubleshoot Identity
Awareness Issues ).
Contents
Supported OS
· SecurePlatform
· IPSO
Supported Appliances
· UTM-270 and higher
Assumed Knowledge
· Use of Identity Awareness
· Use of Active Directory
Troubleshooting General AD
Integration
User Groups and Access Roles are Not
Enforced or Logged
Issue
Users are identified successfully, but their user groups and Access Roles are not enforced or logged
correctly.
Solution
1. Make sure that there is one LDAP Account Unit for each AD domain. If you must configure domain
controllers for each gateway (for AD Query for example), see the Advanced AD Query section in the
R75.20 Identity Awareness Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12268).
2. If the configured user group is the primary group for the user account, there is no solution. Workaround:
Change the AD account to be a member of the group.
Troubleshooting AD Query
Users are Not Detected
Issue
AD Query is connected successfully to all domain controllers, but users are not detected. Furthermore, there
are some events in SmartView Monitor.
Solution
Make sure that the necessary auditing logs are generated on the Security Event log of the domain
controllers.
· On 2003 domain controllers the events are 672, 673, and 674.
· On 2008 domain controllers the events are 4624, 4768, 4769, and 4770.
Solution
See sk58881 (http://supportcontent.checkpoint.com/solutions?id=sk58881).
Slow AD Tree
Issue
The AD tree is slow to show results.
Solution
This occurs when there are many sibling folders in the AD tree. There is no solution for this issue.
Solution
1. Prevent this type of environment when possible.
2. Add the Captive Portal as an exception in the browser proxy settings.
Solution
1. Close and reopen ALL open browser windows (to make sure the browsing session no longer exists).
Browsing sessions that were open while changes were being made, continue to work with previous
settings.
2. Clear the browser cache.
3. If the problem is only for one computer, make sure the DNS settings and network configuration are
correct.
4. Reset Agent settings:
a) Double-click the umbrella icon.
b) Go to Advanced > Reset to defaults and try to connect.
5. Restart the service:
a) Open a command line with computer administrator credentials.
b) Enter sc stop madservice and then sc start madservice
6. If no users can connect with the Identity Agent, make sure the gateway uses an internal interface to
communicate with the client. It not, change this setting from Identity Awareness gateway properties >
Identity Agent Settings.
Troubleshooting Distributed
Environments
User Access Based on Identity Agent
Works But Not AD Query
Issue
A user is authenticated based on Identity Agent but not with AD Query.
Solution
1. Make sure that AD Query is configured correctly (adlog utility).
2. Make sure the user is in the AD Query database using the adlog utility.
3. Make sure communication has been established between the Identity Server and Identity Gateway (use
pdp and pep commands).
4. If the user is in the AD Query database but is not in the Identity Gateway database (use pep show user
all)
a) Issue a "sync" between the Identity Server and Identity Gateway (use pdp control sync).
b) Make sure the user is in the Identity Gateway (use pep show user all).
E U
Endless Redirect Loop • 11 User Access Based on Identity Agent Works
But Not AD Query • 15
H User Groups and Access Roles are Not
Enforced or Logged • 6
How to Troubleshoot Identity Awareness Issues Users are Not Detected • 6
•5 Users Fail to Authenticate • 6
I Using the Wizard Again to Create Other
Domains • 9
Identities are Not Propagated to the Identity
Server • 15 W
Identity Agent is Installed But Get the Captive WMI (DCE-RPC) Test Failed • 8
Portal • 13
Impact on the Environment and Warnings • 5
Important Information • 3
K
Kerberos Does Not Work • 14
Kerberos Does Not Work for All Users • 14
Kerberos Does Not Work for One User • 14
L
LDAP Connectivity Failed • 9
Login DN and AD Forest Errors • 9
M
Multiple Users are Connected to Same IP
Address • 8
N
Not All Users are Detected • 7
O
Objective • 5
Performance Tuning
R77
Administration Guide
7 May 2015
Classification: [Protected]
© 2015 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
(http://supportcontent.checkpoint.com/documentation_download?ID=24808)
To learn more, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the R77 home page
(http://supportcontent.checkpoint.com/solutions?id=sk92965).
Revision History
Date Description
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Performance Tuning R77
Administration Guide).
Contents
Important Information............................................................................................................ 3
Terms...................................................................................................................................... 7
Performance Pack.................................................................................................................. 8
Introduction to Performance Pack........................................................................................ 8
Supported Features ........................................................................................................ 8
Preparing the Performance Pack .................................................................................... 9
Installing during a SecurePlatform Gateway Installation.................................................. 9
Installing on SecurePlatform Gateway ............................................................................ 9
Installing on Installed SecurePlatform Gateway with HFA............................................... 9
Upgrading with SmartUpdate ........................................................................................ 10
Upgrading with the Command Line ............................................................................... 10
Command Line .................................................................................................................. 10
fwaccel ......................................................................................................................... 10
fwaccel6........................................................................................................................ 11
fwaccel stats and fwaccel6 stats ................................................................................... 13
cpconfig ........................................................................................................................ 15
sim affinity..................................................................................................................... 15
proc entries................................................................................................................... 16
Performance Tuning and Measurement............................................................................. 16
Setting the Maximum Concurrent Connections ............................................................. 16
Increasing the Number of Concurrent Connections....................................................... 16
SecureXL Templates .................................................................................................... 16
SecureXL NAT templates ............................................................................................. 17
Delayed Notification...................................................................................................... 17
Connection Templates .................................................................................................. 17
Delayed Synchronization .............................................................................................. 18
Multi-Core Systems ...................................................................................................... 18
Performance Measurement........................................................................................... 19
CoreXL Administration........................................................................................................ 20
Supported Platforms and Unsupported Features............................................................... 20
Default Configuration......................................................................................................... 21
CoreXL for IPv6................................................................................................................. 21
Configuring IPv4 and IPv6 Firewall Instances.................................................................... 21
Performance Tuning .......................................................................................................... 23
Processing Core Allocation ........................................................................................... 23
Allocating Processing Cores ......................................................................................... 23
Performance Tuning .......................................................................................................... 26
Processing Core Allocation ........................................................................................... 26
Allocating Processing Cores ......................................................................................... 26
Configuring CoreXL ........................................................................................................... 29
Command Line Reference................................................................................................. 29
Affinity Settings ............................................................................................................. 29
fwaffinity.conf ................................................................................................................ 29
fwaffinty_apply .............................................................................................................. 30
fw ctl affinity .................................................................................................................. 30
fw ctl multik stat ............................................................................................................ 32
Multi-Queue.......................................................................................................................... 33
Introduction to Multiple Traffic Queues .............................................................................. 33
Multi-Queue Requirements and Limitations .................................................................. 33
Deciding if Multi-Queue is needed ................................................................................ 33
Basic Multi-Queue Configuration ....................................................................................... 36
Multi-Queue Administration ............................................................................................... 37
Advanced Multi-Queue settings ......................................................................................... 38
Adding more Interfaces................................................................................................. 40
Special Scenarios and Configurations ............................................................................... 40
Troubleshooting................................................................................................................. 41
Index ..................................................................................................................................... 43
Terms
Affinity
The assignment of a specified process, Firewall
instance, VSX Virtual System, interface or IRQ
with one or more CPU cores.
CoreXL
A performance-enhancing technology for Security
Gateways on multi-core processing platforms.
Firewall Instance
On a Security Gateway with CoreXL enabled, the
Firewall kernel is replicated multiple times. Each
replicated copy, or firewall instance, runs on one
processing core. These instances handle traffic
concurrently, and each instance is a complete
and independent inspection kernel.
IPv4
Internet Protocol Version 4 IP address. A 32-bit
number - 4 sets of numbers, each set can be from
0 - 255.
IPv6
Internet Protocol Version 6 IP address. 128-bit
number - 8 sets of hexadecimal numbers, each
set can be from 0 - ffff.
IRQ Affinity
A state of binding an IRQ to one or more CPUs.
Multi-queue
An acceleration feature that lets you assign more
than one packet queue and CPU to an interface.
Rx Queue
Receive packet queue
SND
Secure Network Distributor. A CPU that runs
SecureXL and CoreXL.
Traffic
The flow of data between network resources.
Tx queue
Transmit packet queue
Chapter 1
Performance Pack
In This Section:
Introduction to Performance Pack............................................................................. 8
Command Line........................................................................................................ 10
Performance Tuning and Measurement ................................................................. 16
Supported Features
These security functions are enhanced by Performance Pack:
‚ Access control
‚ Encryption
‚ NAT
‚ Accounting and logging
‚ Connection/session rate
‚ General security checks
‚ IPS features
‚ CIFs resources
‚ ClusterXL High Availability and Load Sharing
‚ TCP Sequence Verification
‚ Dynamic VPN
‚ Anti-Spoofing verifications
‚ Passive streaming
‚ Drop rate
BIOS Settings
‚ If your BIOS supports CPU clock setting, make sure that the BIOS is set to the actual CPU speed.
‚ For Hyper-threading, see sk93000 (http://supportcontent.checkpoint.com/solutions?id=sk93000).
Command Line
fwaccel
Description Lets you dynamically enable or disable acceleration for IPv4 traffic while a Security
Gateway is running. The fwaccel6 has the same functionality for IPv6 traffic. The default
setting is determined by the setting configured with cpconfig. This setting reverts to the
default after reboot.
Works with the IPv4 kernel.
fwaccel [on|off|stat|stats|conns|templates]
Syntax
stat Shows the acceleration device status and the status of the
Connection Templates on the local Security Gateway.
fwaccel6
Description Lets you enable or disable acceleration dynamically while a Security Gateway is running.
The default setting is determined by the setting configured using cpconfig. This setting
goes back to the default after reboot.
Works with the IPv6 kernel.
stat Shows the acceleration device status and the status of the
Connection Templates on the local Security Gateway.
Output
Accelerator Status : on
Accept Templates : enabled
Accelerator Features : Accounting, NAT, Routing, HasClock, Templates,
Synchronous, IdleDetection, Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, CPLS, WireMode, DropTemplates
TCP violations Number of packets which are in violation of the TCP state
delayed nonTCP conns Number of delayed non TCP connections currently handled
F2F bytes Number of traffic bytes handled by the VPN kernel in slow-
path
cpconfig
Check Point products are configured using the cpconfig utility. This utility shows the configuration options of
the installed configuration and products. You can use cpconfig to enable or disable Performance Pack.
When you select an acceleration setting, the setting remains configured until you change it.
For an alternative method to enable or disable acceleration, see fwaccel (on page 10).
Run: cpconfig
A menu shows Enable/Disable Check Point SecureXL.
sim affinity
Description The sim affinity utility controls various Performance Pack driver features for
SecurePlatform and Gaia.
Affinity is a general term for binding Network Interface Card (NIC) interrupts to processors.
By default, SecurePlatform does not set Affinity to the NIC interrupts. Therefore, each NIC
is handled by all processors. For optimal network performance, make sure each NIC is
individually bound to one processor.
sim affinity [-a|-s|-l]
Syntax
proc entries
Description Performance Pack supports proc entries. These read-only entries show data about
Performance Pack. The proc entries are in /proc/ppk.
cat /proc/ppk/[conf|ifs|statistics|drop_statistics]
Syntax
SecureXL Templates
Verify that templates are not disabled using the fwaccel stat command.
For further information regarding SecureXL Templates, see sk32578
(http://supportcontent.checkpoint.com/solutions?id=sk32578).
Performance Tuning Administration Guide R77 | 16
Performance Pack
Delayed Notification
In the ClusterXL configuration, the Delayed Notification feature is disabled by default. Enabling this feature
improves performance (at the cost of connections' redundancy, which can be tuned using delayed
notifications expiration timeout).
The fwaccel stats command indicates the number of delayed connections.
The fwaccel templates command indicates the delayed time for each template under the DLY entry.
Connection Templates
Connection templates are generated from active connections according to the policy rules. The connection
template feature accelerates the speed at which a connection is established by matching a new connection
to a set of attributes. When a new connection matches the template, connections are established without
performing a rule match and therefore are accelerated. Connection templates are generated from active
connections according to policy rules. Currently, connection template acceleration is performed only on
connections with the same destination port.
Examples:
‚ A connection from 10.0.0.1/2000 to 11.0.0.1/80 — established through Firewall and then accelerated.
‚ A connection from 10.0.0.1/2001 to 11.0.0.1/80 — fully accelerated (including connection
establishment).
‚ A connection from 10.0.0.1/8000 to 11.0.0.1/80 — fully accelerated (including connection
establishment).
HTTP GET requests to specific server will be accelerated since the connection has the same source IP
address.
Restrictions
In general, Connections Templates will be created only for plain UDP or TCP connections. The following
restrictions apply for Connection Template generation:
Global restrictions:
‚ SYN Defender — Connection Templates for TCP connections will not be created
‚ VPN connections
‚ Complex connections (H323, FTP, SQL)
‚ NetQuotas
‚ ISN Spoofing
If the Rule Base contains a rule regarding one of the following components, the Connection Templates will
be disabled for connections matching this rule, and for all of the following rules:
‚ Security Server connections.
‚ Time objects in the rules.
‚ Dynamic Objects and/or Domain Objects.
‚ Services of type "other" with a match expression.
‚ User/Client/Session Authentication actions.
‚ Services of type RPC/DCERPC/DCOM.
Performance Tuning Administration Guide R77 | 17
Performance Pack
When installing a policy containing restricted rules, you will receive console messages indicating that
Connection Templates will not be created due to the rules that have been defined. The warnings should be
used as a recommendation that will assist you to fine-tune your policy in order to optimize performance.
Testing
To verify that connection templates are enabled, use the fwaccel stat command. To verify that connection
templates are generated, use fwaccel templates. This should be done while traffic is running, in order to
obtain a list of currently defined templates.
Delayed Synchronization
The synchronization mechanism guarantees High Availability. In a cluster configuration, if one cluster
member fails, the other recognizes the connection failure and takes over, so the user does not experience
any connectivity issue. However, there is an overhead per synchronized operation, which can occasionally
cause a system slow-down when there are short sessions.
Delayed synchronization is a mechanism based upon the duration of the connection, with the duration itself
used to determine whether or not to perform synchronization. A time range can be defined per service. The
time range indicates that connections terminated before a specified expiration time will not be synchronized.
As a result, synchronized traffic is reduced and overall performance increases. Delayed Synchronization is
performed only for connections matching a connection template.
Currently, delayed synchronization is allowed only for services of type HTTP or None. In order to configure
delayed synchronization, proceed as follows:
1. In SmartDashboard, right click on the Service tab.
2. Either edit an existing service or click New and select TCP. The TCP service properties window is
shown.
3. After defining TCP parameters, click Advanced in the TCP service properties window. The Advanced
TCP Service Properties window is shown.
4. Select the HTTP or None protocol from the Protocol Type list.
5. Check Start synchronizing.
6. Define the duration value Seconds after connection initiation. The duration value is specified in
seconds.
Multi-Core Systems
Running Performance Pack on multi-core systems may require more advanced configurations to account for
core affinity and IRQ behavior. For more information, see sk33250
(http://supportcontent.checkpoint.com/solutions?id=sk33250).
Performance Measurement
There are various ways to monitor and measure the performance of a Security Gateway.
To disable this type of TCP state check, perform the following operations in
SmartDashboard:
1. In the IPS tab, select Protections > By Protocol > Network Security > TCP > Sequence Verifier.
2. Select the profile assigned to your gateway and click Edit.
3. In the Action field, select Inactive.
4. Click OK to close the Protections Settings window.
5. Click OK to close the Protections Details window.
6. Click Install Policy to apply the changes.
Performance Troubleshooting
Additional CLI commands, such as ethtool, are available to monitor the performance of the gateway. For a
list of these commands and explanation of their usage, see sk33781
(http://supportcontent.checkpoint.com/solutions?id=sk33781).
Unsupported Features:
CoreXL does not support these Check Point Suite features:
‚ Check Point QoS (Quality of Service)
‚ Route-based VPN
‚ Overlapping NAT
To enable a non-supported feature in the Check Point Suite, disable CoreXL using cpconfig and reboot the
gateway (see Configuring CoreXL (on page 29)).
Default Configuration
When you enable CoreXL, the number of kernel instances is based on the total number of CPU cores.
Number of Cores Number of Kernel Instances
1 1
2 2
4 3
The default affinity setting for all interfaces is automatic when Performance Pack is installed. See
Processing Core Allocation (on page 23). Traffic from all interfaces is directed to the core running the
Secure Network Distributor (SND).
(4) Exit
The Configuring Check Point CoreXL menu shows how many IPv4 and IPv6 firewall instances are
running on the processing cores.
4. Enter option 2: Change the number of IPv6 firewall instances.
The menu shows how many cores are available on the gateway.
5. Enter the total number of IPv6 firewall instances to run.
You can only select a number from within the range shown.
6. Reboot the gateway.
Note - In a clustered deployment, changing the number of kernel instances should be treated as a
version upgrade.
Example:
A gateway that has four cores and is running three IPv4 instances of the firewall kernel and two IPv6
instances of the firewall kernel can be represented like this:
Core Firewall instances IPv6 Firewall instances
CPU 0
CPU 1 fw4_2
‚ The minimum allowed number of IPv4 instances is two and the maximum four
‚ The minimum allowed number of IPv6 instances is two and the maximum is three
To increase the number of IPv6 instances to four, you must first increase the number of IPv4 firewall
instances to the maximum of four:
How many firewall instances would you like to enable (2 to 4)[3] ? 4
CPU 0 fw4_3
CPU 1 fw4_2
Performance Tuning
The following sections are relevant only for SecurePlatform and Gaia.
To allocate a processing core to the fwd daemon, you need to do two things:
1. Reduce the number of kernel instances using cpconfig.
2. Set the fwd daemon affinity, as detailed below.
Affinities for Check Point daemons (such as the fwd daemon), if set, are loaded at boot from the
fwaffinity.conf configuration text file located at: $FWDIR/conf . Edit the file by adding the following line:
n fwd <cpuid>
where <cpuid> is the number of the processing core to be set as the affinity of the fwd daemon. For
example, to set core #2 as the affinity of the fwd daemon, add to the file:
n fwd 2
Reboot for the fwaffinity.conf settings to take effect.
Performance Tuning
The following sections are relevant only for SecurePlatform and Gaia.
number of kernel instances was previously manually changed from the default. Use cpconfig to reconfigure
the number of kernel instances.
In a clustered deployment, changing the number of kernel instances (such as by reinstalling CoreXL) should
be treated as a version upgrade. Follow the instructions in the R77 Installation and Upgrade Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=24831).
See the "Upgrading ClusterXL Deployments" chapter, and perform either a Minimal Effort Upgrade (using
network downtime) or a Zero Downtime Upgrade (no downtime, but active connections may be lost),
substituting the instance number change for the version upgrade in the procedure. A Full Connectivity
Upgrade cannot be performed when changing the number of kernel instances in a clustered environment.
If you are allocating only one processing core to the SND, it is best to have that core selected
automatically by leaving the default interface affinity set to automatic, and having no explicit core
affinities for any interfaces. To do this, make sure fwaffinity.conf contains the following line:
i default auto
In addition, make sure that fwaffinity.conf contains no other lines beginning with i, so that no explicit
interface affinities are defined. All interface traffic will be directed to the remaining core.
If you are allocating two processing cores to the SND, you need to explicitly set interface affinities to the
two remaining cores. If you have multiple interfaces, you need to decide which interfaces to set for each
of the two cores. Try to achieve a balance of expected traffic between the cores (you can later check the
balance by using the top command).
To allocate a processing core to the fwd daemon, you need to do two things:
1. Reduce the number of kernel instances using cpconfig.
2. Set the fwd daemon affinity, as detailed below.
n fwd 2
Reboot for the fwaffinity.conf settings to take effect.
Configuring CoreXL
To enable/disable CoreXL:
1. Log in to the Security Gateway.
2. Run cpconfig
3. Select Configure Check Point CoreXL.
4. Enable or disable CoreXL.
5. Reboot the Security Gateway.
Note - In a clustered deployment, changing the number of kernel instances should be treated
as a version upgrade.
Note - If Performance Pack is running, interface affinities are only defined by the Performance
Pack sim affinity command. The fwaffinity.conf interface affinity settings are ignored.
fwaffinity.conf
fwaffinity.conf is located in the $FWDIR/conf directory.
Syntax
Each line in the text file uses the same format: <type> <id> <cpu>
<type> i interface
k kernel instance
all all processing cores are available to the interface traffic, daemon or
kernel instance
auto Automatic mode See also Processing Core Allocation (on page 23).
Note - Interfaces that share an IRQ cannot have different cores as their affinities, including
when one interface is included in the default affinity setting. Either set both interfaces to the
same affinity, or use ignore for one of them. To view the IRQs of all interfaces, run: fw ctl
affinity -l -v -a .
fwaffinty_apply
fwaffinity_apply is located in the $FWDIR/scripts directory. Use the following syntax to execute the
command: $FWDIR/scripts/fwaffinity_apply <option>
where <option> is one of the following parameters:
Parameter Description
fw ctl affinity
The fw ctl affinity command controls affinity settings. However, fw ctl affinity settings will not persist through
a restart of the Security Gateway.
To set affinities, execute fw ctl affinity -s.
To list existing affinities, execute fw ctl affinity -l.
fw ctl affinity -s
Use this command to set affinities.
fw ctl affinity -s settings are not persistent through a restart of the Security Gateway. If you want the settings
to be persistent, either use sim affinity or edit the fwaffinity.conf configuration file.
To set interface affinities, you should use fw ctl affinity only if Performance Pack is not running. If
Performance Pack is running, you should set affinities by using the Performance Pack sim affinity command.
These settings will be persistent. If the Performance Pack sim affinity is set to Automatic mode (even if
Performance Pack was subsequently disabled), you will not be able to set interface affinities by using fw ctl
affinity -s.
Syntax
fw ctl affinity -s <proc_selection> <cpuid>
<proc_selection> is one of the following parameters:
Parameter Description
-p <pid> Sets affinity for a particular process, where <pid> is the process ID#.
-n <cpdname> Sets affinity for a Check Point daemon, where <cpdname> is the Check
Point daemon name (for example: fwd).
-k <instance> Sets affinity for a kernel instance, where <instance> is the instance's
number.
<cpuid> should be a processing core number or a list of processing core numbers. To have no affinity to
any specific processing core, <cpuid> should be: all.
Note - Setting an Interface Affinity will set the affinities of all interfaces sharing the same IRQ to
the same processing core.
To view the IRQs of all interfaces, run: fw ctl affinity -l -v -a
Example
To set kernel instance #3 to run on processing core #5, run:
fw ctl affinity -s -k 3 5
fw ctl affinity -l
Use this command to list existing affinities. For an explanation of kernel, daemon and interface affinities, see
CoreXL Administration (on page 20).
Syntax
fw ctl affinity -l [<proc_selection>] [<listtype>]
If <proc_selection> is omitted, fw ctl affinity -l lists affinities of all Check Point daemons,
kernel instances and interfaces. Otherwise, <proc_selection> is one of the following parameters:
Parameter Description
-p <pid> Displays the affinity of a particular process, where <pid> is the process ID#.
-n <cpdname> Displays the affinity of a Check Point daemon, where <cpdname> is the
Check Point daemon name (for example: fwd).
-k <instance> Displays the affinity of a kernel instance, where <instance> is the instance's
number.
If <listtype> is omitted, fw ctl affinity -l lists items with specific affinities, and their affinities.
Otherwise, <listtype> is one or more of the following parameters:
Parameter Description
-a All: includes items without specific affinities.
-r Reverse: lists each processing core and the items that have it as their affinity.
Example
To list complete affinity information for all Check Point daemons, kernel instances and interfaces, including
items without specific affinities, and with additional information, run:
fw ctl affinity -l -a -v
Igb 4
Ixgbe 16
In this example:
‚ The SND is running on CPU 0 and CPU1
‚ CoreXL firewall instances are running on CPUs 2-5
If you run the command on a VSX gateway:
[Expert@gw-30123d:0]# fw ctl affinity -l
Mgmt: CPU 0
eth1-05: CPU 0
eth1-06: CPU 1
VS_0 fwk: CPU 2 3 4 5
VS_1 fwk: CPU 2 3 4 5
In this example:
‚ The SND is running on CPU 0-1
‚ CoreXL firewall instances (part of fwk processes) of all the Virtual System are running on CPUs 2-5.
This shows the usage and idle percentage for each CPU. For example:
In this example:
‚ SND CPUs (CPU0 and CPU1) are approximately 30% idle
‚ CoreXL firewall instances CPUs are approximately 70% idle
You can use the Sim affinity utility to change an interface's IRQ affinity to use more CPUs for the SND. You
can do this:
‚ Even before the Multi-Queue feature is activated
‚ If you have more network interfaces handling traffic than CPUs assigned to the SND
Security Appliance Multi-Queue is supported on these expansion cards for 4000, 12000, and 21000
appliances:
‚ CPAC-ACC-4-1C
‚ CPAC-ACC-4-1F
‚ CPAC-ACC-8-1C
‚ CPAC-ACC-2-10F
‚ CPAC-ACC-4-10F
IP appliance The XMC 1Gb card is supported on:
‚ IP1280
‚ IP2450
Open server Network cards that use igb (1Gb) or ixgbe (10Gb) drivers
Recommendation
We recommend configuring Multi-Queue when:
‚ CPU load for SND is high (idle is less than 20%) and
‚ CPU load for CoreXL firewall instances are low (idle is greater than 50%)
‚ You cannot assign more CPUs to the SND by changing interface IRQ affinity
Configuring Multi-Queue
The cpmq set command lets you to configure Multi-Queue on supported interfaces.
To configure Multi-Queue:
‚ On the gateway, run: cpmq set
This command:
‚ Shows all supported interfaces that are active
‚ Lets you change the Multi-Queue configuration for each interface.
Network interfaces that are down are not in the output.
Note -
̇ Multi-Queue lets you configure a maximum of five interfaces
̇ You must reboot the gateway after changing the Multi-Queue configuration
Status messages
Status Meaning
Pending On Multi-Queue currently disabled. Multi-Queue will be enabled on this interface only after
rebooting the gateway.
Note: Pending on can also indicate bad configuration or system errors. For more, see
the section on troubleshooting (on page 41).
Pending Off Multi-Queue enabled. Multi-Queue will be disabled on this interface only after rebooting
the gateway.
In this example:
‚ Two interfaces are up with Multi-Queue enabled
(eth1-05, eth1-04)
‚ Three interfaces are up with Multi-Queue disabled
(eth1-06, eth1-01, eth1-03)
‚ One interface that supports Multi-Queue is down
(eth1-02)
Running the command without the -a option shows the active interfaces only.
Multi-Queue Administration
There are two main roles for CPUs applicable to SecureXL and CoreXL:
‚ SecureXL and CoreXL dispatcher CPU (the SND - Secure Network Distributor)
You can manually configure this using the sim affinity -s command.
‚ CoreXL firewall instance CPU
You can manually configure this using the fw ctl affinity command.
For best performance, the same CPU should not work in both roles. During installation, a default CPU role
configuration is set. For example, on a twelve core computer, the two CPUs with the lowest CPU ID are set
as SNDs and the ten CPUs with the highest CPU IDs are set as CoreXL firewall instances.
Without Multi-Queue, the number of CPUs allocated to the SND is limited by the number of network
interfaces handling the traffic. Since each interface has one traffic queue, each queue can be handled by
only one CPU at a time. This means that the SND can use only one CPU at a time per network interface.
When most of the traffic is accelerated, the CPU load for SND can be very high while the CPU load for
CoreXL firewall instances can be very low. This is an inefficient utilization of CPU capacity.
Multi-Queue lets you configure more than one traffic queue for each supported network interface, so that
more than one SND CPU can handle the traffic of a single network interface at a time. This balances the
load efficiently between SND CPUs and CoreXL firewall instances CPUs.
Performance Tuning Administration Guide R77 | 37
Multi-Queue
IRQ Affinity
The IRQ affinity of the queues is set automatically when the operating system boots, as shown (rx_num set
to 3):
rxtx-0 -> CPU 0
rxtx-1 -> CPU 1
rxtx-2 -> CPU 2
and so on. This is also true in cases where rx and tx queues are assigned with a separated IRQ:
rx-0 -> CPU 0
tx-0 -> CPU 0
rx-1 -> CPU 1
tx-1 -> CPU 1
and so on.
‚ You cannot use the sim affinity or the fw ctl affinity commands to change and query the
IRQ affinity for Multi-Queue interfaces.
‚ You can reset the affinity of Multi-Queue IRQs by running: cpmq set affinity
‚ You can view the affinity of Multi-Queue IRQs by running: cpmq get -v
Important - Do not change the IRQ affinity of queues manually. Changing the IRQ affinity of the
queues manually can affect performance.
eth1-05:
eth1-04:
In this example:
‚ Multi-Queue is enabled on two igb interfaces (eth1-05 and eth1-04)
‚ The number of active rx queues is configured to 2 (for igb, the number of queues is calculated by the
number of active rx queues).
‚ The IRQs for both interfaces are assigned to CPUs 0-1.
2. Run: top
3. Press 1 to toggle to the SMP view.
In the above example, CPU utilization of Multi-Queue CPUs is approximately 50%, as CPU0 and CPU1
are handling the queues (as shown in step 1).
In this example
‚ The number of active rx queues is set to 2.
‚ This configuration is set automatically when configuring Multi-Queue.
‚ It will not automatically update when changing the affinity of the Virtual System. When changing the
affinity of the Virtual System, make sure to follow the instructions in Advanced Multi-Queue settings
(on page 38).
To set the static affinity of Multi-Queue interfaces again, run: cpmq set affinity.
Troubleshooting
‚ After reboot, the wrong interfaces are configured for Multi-Queue
This can happen after changing the physical interfaces on the gateway. To solve this issue:
a) Run: cpmq reconfigure
b) Reboot.
Or configure Multi-Queue again.
‚ After configuring Multi-Queue and rebooting the gateway, some of the configured interfaces are
shown as down. These interfaces were up before the gateway reboot. The cpmq get –a
command shows the interface status as Pending on.
This can happen when not enough IRQs are available on the gateway. To resolve this issue do one of
these:
‚ Disable some of the interfaces configured for Multi-Queue
‚ Manually reduce the number of active rx queues (rx_num) using the cpmq set rx_num command,
and reboot the gateway
‚ When changing the status of interfaces, all the interface IRQs are assigned to CPU 0 or to all of
the CPUs
This can happen when an interface status is changed to UP after the automatic affinity procedure runs
(the affinity procedure runs automatically during boot).
To solve this issue, run: cpmq set affinity
This problem does not occur if you are running automatic sim affinity (sim affinity -s). Automatic
sim affinity runs by default, and has to be manually canceled using the sim affinity -s command.
‚ In VSX mode, an fwk process runs on the same CPU as some of the interface queues
This can happen when the affinity of the Virtual System was manually changed but Multi-Queue was not
reconfigured accordingly.
To solve this issue, configure the number of active rx queues manually or run: cpmq reconfigure and
reboot.
‚ In Security Gateway mode – after changing the number of instances Multi-Queue is disabled on
all interfaces
When changing the number of CoreXL firewall instances, the number of active rx queues automatically
changes according to this rule (if not configured manually):
Active rx queues = Number of CPUs – number of CoreXL firewall instances
If the number of instances is equal to the number of CPUs, or if the difference between the number of
CPUs and the number of CoreXL firewall instances is 1, Multi-Queue will be disabled. To solve this
issue, configure the number of active rx queues manually by running:
cpmq set rx_num <igb/ixgbe> <value>
flavour]
'
*
&
*
K8
sar -n EDEV +
>
"
'
#$#%
&'
(
sar -u -f /var/log/sa/sa04
+
E
"
$
<app_flag>
8
K0
C@"D
$ )
*
+
, '
'
"
cpstat fw -f policy L
0&
'
cpsizeme 7
#$:
"
8
*M*
0'
"
%-%%
)
*
+
./
"
cpstat os -f cpu
L
E
*M*
** 8
,.
M8
*
$CPMDIR <8"
0
*
' show commands ,
""
'
ecst >,H
?8:
8:
"
8
?
$FGDIR 7 +%
*
' show asset all !'
8
"* fw ctl zdebug drop 2
*"
*8
$MDSDIR <!,
*
'
,"
=79!>2
<!,
0 show sysenv all !'
' "
"
3:
'4 cpwd_admin list !'
>!:
*8
*"
9 !8
!
"
fw tab –t <tbl> [–s]
ipsctl -a .
1
cat /var/etc/.nvram
.
&
<
-s
Expert Mode GAiA clish SPLAT cpshell IPSO clish IPSO shell
0&
&
fw tab -s
C@"D
1
@
"
""
0&
11
5@ &$' fw tab -t connections -s
L
.
*
&
""6
.
"
""
5show extended commands6 cp_conf lic get .
fw ctl multik stat ,
*
**
#
$$ cplic print !'
"
"* fw ctl pstat !'
**
8
"*
&
""':
cpstop fw lichosts
"
:
*:
'M*
/1
,
0
@
cprid
A
?
0
&'
8
*
cpstop
7
dtps lic fw ctl chain !'
"
E
8
fw
,
'
,0
""'
cpstop
79%
79+%;./+%
cpstop WebAccess
monitor
-p
*
cp_conf sic state !'
,>
34*M
,>
1
-
"
*
cpstop cplic get <ip host|-all> 2 0
"
8 '
8 '
fwm sic_reset 2
>
*?
1 '
3>14
cprestart "&
cpstop
cpstart
"
'M
,"
'
834 2*M
>1
cpconfig
cp_conf ca init
cpridstop cplic put <-l file> >
"
file
"
cpca_client <8
>1
.:
0
*? :
, :
cprid:
2"
fw kill [-t sig] proc B
7
>!
?
$FWDIR/tmp/
"
&
cpca_client search <searchstring>
cprlic 2"
"8"
8
%
3,>C2<4 fwaccel <off|on> !&;&
,J
contract_util mgmt
"
<8"
,0
C@"D
fw kill -t 9 fwm cpmonitor , **
'
snoop/tcpdump/fw monitor
O
8
?
M $
+
)
*
+
, '
'
"
# %
fwm logexport C@ ;'
fw.log stdout.
L
B
!&8
fw ver [-k] ,
"F
"
0
&
"&
!7
+
&
/1+
>
fwm [mds] ver
G@
"
,
fw repairlog <logfile> 2&
?
<logfile>
"%-%
L
&8
>
""
vpn ver [-k] *
0
"*
+
fw logswitch [-audit] '
3 4
8?
YY-MM-DD-HHMMSS.log
fgate ver
fw.log fw monitor)$
ver ,
0
&
fw log -c <action>
P
0'
79+%
*
7
"
,
'
*
<action>8accept
cpshared_ver ,
0
,./
7* dropreject
,
"
8:
-t
"'
3ID;;& ';"
4
!&
,J
3fwaccel off4
O8
cpview
!'
O
%#%%%#
,2
!,
>!
#
"&8
0
@
""
8
@
&
08
&
H,
fw log -f -t
8
?
"
8
9
3
8
>!
fw ctl iflist
(
&
"*
,
%-%
-t
"
&88 fw monitor -e 'accept host(192.168.1.12) and ifid=2;'
fw stat ,
"
'
&
fw log -b <starttime> .
'N
8
&
<starttime> !'
"
%#%%%#
%#%
fw stat <-l|--long>
E
-l
-s
"
8
cpstat <endtime> <endtime>. fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;'
fw stat <-s|--short> fw
-l
-s
&I
"I
fw fetchlogs -f <file> 7
8?
"
"
"
/HCD
8
E!
3!/,4
:
+
*
&
N Q N
fw ctl iflist !'
module
&
"
"
"
!
fw monitor -pi ipopt_strip -e 'accept udpport(53);'
fw.log
,
"
w
" * "N
!<,
E
-m
'
<!,
set backup restore local <TAB>
cp_admin_convert C@
"
?*
cpconfig
set backup restore scp ip <ip> path </pa/th/> file cpinfo -c <dms>
cpinfo
"
!<,<dms>2""&
," !& <file> username <user> interactive
mdsenv <dms>
0
fwm lock_admin -v .
" show backups
'
& mcd <dir> 8
'
$FWDIR/<dir>
!<,
fwm lock_admin -u <user> E
"userE
-ua add snapshot 1
' "
C@" mdsstop_customer <dms> ,
8
!<,<dms>
cp_conf admin del <user> !
"
user delete snapshot add snapshot <name> [descr <”my destription”>]
mdsstart_customer <dms> ,
8
!<,<dms>
fwm expdate <dd-mmm-yyy> ,
@*
-f
set snapshot revert C@ ;"
0
' "
C8D
set snapshot export set snapshot revert <name> mds_backup [-l] [-d )
&
'
8
cp_conf client add <ip> show snapshots ,
1;
E>
A
"*
$MDSDIR/conf/mds_exclude.dat
cp_conf client del <ip> upgrade_export <file>
"
$FWDIR/bin/upgrade_tools
,0
'
./mds_restore <file> 2
<!,
&
"file/*D
'
"'
migrate export <file>
?8*
3':
&F 4
H,
S8
cpca_client <8
>1
.:
0
'
mds_backup"$MDSDIR/scripts/
*? :
>1
9&
upgrade_import <file> >"
?8
8
8
"8
gtargzip"$MDS_SYSTEM/shared/
0
3;(;G 4
1
$%--
C@"D cma_migrate >"
'
8
export_database
backup [-f <file>]
"8"
0
!<,
&
8
show users ,
?8
":
E>!;>!
backup --scp <ip> <user> <pass> [-path </pa/th/>
mdscmd <subcmds> [-m mds
3" 4
<!,
<>
?8
<file>]
-u user -p pass]
"8
,
mdscmd
add user <user> 1
"
<user> restore 2
&
"
8
0
;(;G
!
vsx_util <subcommand> "
.,J
"
"
"
!<,
,
set user <user> shell ,
8
<user>
<shell>
,S8
&
8
<
&
vsx_util -h
&""
<shell>
/bin/bash
8
<user>
'
@
" snapshot
*
' "
9
*
N
"
&
*
+cpstop,C@"D #
L
10
2
D
<*+!"
, '
<8"
set user <user> password ,
<user> #-
+
&8
79<
"
0+%
!<,
;
<1
snapshot --file <file>
set selfpasswd 8
'
snapshot --scp <ip> <user> <pass> <file>
(-3
4%
$$
!57
!9:;<=>
set expert-password ,
8
8
@
" revert 2&
' "
"
,"
' @
snapshot vsx stat [-v] [-l] [id] ,
.,J
.&
-v:
8
'
fw hastat .
1
" vsenv <id>
.,J
2 $-.,
passwd 8
@
@
"
,1
' "
cp_conf ha enable| C&
&
1 set virtual-system <id> ,
@
.,
>!
<id>
start transaction ,
*
"
1
8
"
&
disable [norestart]
fw -vs <id> unloadlocal E
'
"
.,
.,
'
@
*
"
commit
cphastart C&
;
!&
J
""&
H
vsenv <id>; fw unloadlocal fw vsx unloadall
,
-
'
@
rollback
cphastop 1
8'
<
cphastop
"8
*
show version os edition vsx sic reset <id> 2
,>
.,
<id>
7
$-
,
H,
*
3#
$+& 4
8
,
$$
*
vpn shell ,
./
<broadcast|multicast>
"*
"8
)'
"*
vsenv <id>; fw tab -t <table>
.,J
2 $-.,
vpn debug ikeon|ikeoff !&8
>BC
$FWDIR/log/ike.elg1'M
ike.elg
cphaconf debug_data .
"*
<1
vsx vspurge 2"0
.,J
' "
.,
?8
>BC.
,
-$ clusterXL_admin [-p] "
8
"
0
&'
8 8
fw monitor -v <id> -e .
O
0
' "
>!
<id>
vpn debug on|off !&8
./
$FWDIR/log/vpnd.elg1'M
vpnd.elg
<up|down> 0
,00
&
-p
'accept;'
1ID
fw monitor
-v
-vs.
>BC.
,
-$ show vrrp interfaces !
.22
7
&
00
cphaprob -vs <id> state .
1
.
,' "
5
.
./+%
" cphaprob tablestat .
>
>!
""& cphaprob -vs <id> register 28
0
.,
<id>
@
vpn overlap_encdom ,:
':
08
./
" cphaprob igmp .
><
"*
"
""&
3'
.,
1;.,,4
vpn macutil <user> ,
<1
,
2"
<user> -
+
10
2
D
J
2@
2 @ $linux_command -z <id> >
2
@
ifconfigiparpping
#-#
+
&
0
J
traceroute -Z <id> netstatEZtraceroute.
-%
+
&
./
,
,
$-
+
&8
./!
" # -
+
&
0
J
+
10 1
N
""
2
-vs <id>
9
#
+
8
0
./
&8:
>BC
&8
79
<
$$
+
>
K8
8
0
0
'
(
0
8
@
vsenv <id>
&
8
""
*0
""
)A+/+,1
,G":
,9:
," :
J:
,J:
7+ +%:
0+%:
.,J:
>,H:
./+%;E<+%
C8
11
8
"
,(
8:
BSDVWHG,PDJHBSQJ31*,PDJHîSL[HOV6FDOHG KWWSVFRPPXQLW\FKHFNSRLQWFRPOHJDF\IVRQOLQHFKHFNSRLQWBSDVWHG,PDJHBSQJ
RI
BSDVWHG,PDJHBSQJ31*,PDJHîSL[HOV6FDOHG KWWSVFRPPXQLW\FKHFNSRLQWFRPOHJDF\IVRQOLQHFKHFNSRLQWBSDVWHG,PDJHBSQJ
RI