Kernel Debug Flags R80.10

Kernel Debug Flags (R80.
10)
Table of Contents
Usage ............................................................................................................................................................................ 2
Explanation for 'fw ctl debug' ........................................................................................................................................ 2
Explanation for 'fw ctl kdebug' ...................................................................................................................................... 2
Debug severity .............................................................................................................................................................. 2
Example ........................................................................................................................................................................ 3
Kernel debugging options for Firewall module: fw ........................................................................................................ 4
Kernel debugging options for VPN module: VPN ......................................................................................................... 6
Kernel debugging options for Cluster module: cluster .................................................................................................. 7
Kernel debugging options for Kernel Infrastructure module: kiss ................................................................................. 8
Kernel debugging options for Kernel Infrastructure Flow module: kissflow .................................................................. 8
Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik .......................................................... 9
Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader .................. 9
Kernel debugging options for Data Loss Prevention Kernel module: dlpk .................................................................10
Kernel debugging options for Data Loss Prevention User module: dlpuk ..................................................................10
Kernel debugging options for DLP Download Agent - Content Awareness module: dlpda .......................................10
Kernel debugging options for Data Loss Prevention CPcode module: cpcode ..........................................................11
Kernel debugging options for Application Control Inspection module: APPI ..............................................................11
Kernel debugging options for Content Inspection module: CI ....................................................................................12
Kernel debugging options for Next Rule Base module: NRB .....................................................................................12
Kernel debugging options for Resource Advisor Kernel module: RAD_KERNEL......................................................13
Kernel debugging options for File Application module: FILEAPP ..............................................................................13
Kernel debugging options for Malware (Threat Prevention) module: MALWARE .....................................................14
Kernel debugging options for Unified Policy module: UP ...........................................................................................14
Kernel debugging options for Unified Policy Conversion module: upconv .................................................................15
Kernel debugging options for Unified Policy Infrastructure module: UPIS .................................................................15
Kernel debugging options for Identity Awareness module: IDAPI ..............................................................................16
Kernel debugging options for Struct Generator module: SGEN .................................................................................16
Kernel debugging options for UserCheck module: UC ...............................................................................................16
Kernel debugging options for Check Point Active Streaming module: CPAS ............................................................17
Kernel debugging options for Web Intelligence module: WS .....................................................................................18
Kernel debugging options for Web Intelligence Infrastructure module: WSIS ...........................................................19
Kernel debugging options for Web Intelligence SIP Parser‎module: WS_SIP ...........................................................20
Kernel debugging options for Stream File Type module: SFT ...................................................................................21
Kernel debugging options for FloodGate-1 (QoS) module: fg ....................................................................................21
Kernel debugging options for Real Time Monitoring module: RTM............................................................................22
Kernel debugging options for VoIP H323 module: h323 ............................................................................................22
Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT ..........................23
Kernel debugging options for GPRS Tunneling Protocol (GTP) module: gtp ............................................................23
Kernel debugging options for Boolean Analyzer for Web Intelligence (BOA) module: BOA ......................................24
Sergei Shir (Intl TAC) Kernel Debug flags (R80.10) 06 Nov 2018 15:52:00 page 1 of 24
Classification: [Protected]
Usage
# fw ctl debug -h :
# fw ctl debug [–x] [–m <module>] [+ |–] <options | all | 0>
# fw ctl debug [–t (NONE | ERR | WRN | NOTICE | INFO)] [–f (RARE | COMMON)]
# fw ctl kdebug [–i <file> | [–f] –o <file>] [–b <buffer size>] [–t | –T] [–p
fld1[,fld2...] [–m <num> [–s <size>]]
Explanation for 'fw ctl debug'
# fw ctl debug 0 // defaults (clears) all kernel debugging options

# fw ctl debug -x // disables all kernel debugging options :
// de-allocates‎the‎buffer‎&‎automatically‎kills‎“fw ctl debug”‎process
# fw ctl debug -buf <size> // allocates the buffer (OS will use maximal available buffer) :
// MIN value 128kB ; MAX value 32MB
# fw ctl debug // displays ALL kernel modules and their flags THAT WERE TURNED ON
# fw ctl debug -m // displays ALL kernel modules and their flags that‎machine‎“understands”
# fw ctl debug -m <module> // displays the flags for this module THAT WERE TURNED ON
Explanation for 'fw ctl kdebug'
# fw ctl kdebug -t / -T // prints the timestamp (t = seconds ; T = microseconds) -

helps synchronize packets in debug with packets in “FW Monitor”‎
# fw ctl kdebug -p <field> // prints specific fields : all | proc | pid | date | mid | type |
freq | topic | time | ticks | tid | text | err | host
New in NGX :
# fw ctl kdebug -f -o <file_name> -m <num> -s <size>
file_name = name of the output file
num = maximum number of cyclic files to create
size = maximum size of each cyclic file in kilobytes
When given <size> is reached (more or less), <file_name> is renamed to <file_name.0>, and a new
<file_name> is created. If <file_name.0> already exists, then <file_name> is renamed to <file_name.1>,
and so on - until the <number> limit is reached (then the rotation takes place - oldest files are just deleted).
Debug severity
# fw ctl debug -m <module> <severity list> <subject list>
List of debug severities:

info = informational purposes only
warning = warnings: may affect connection behavior
error = errors: the connection is probably rejected
fatal = fatal errors: may prevent policy installation, etc.
List of debug subjects:

See the debug flags below
Example
# fw ctl debug 0 // Setting kernel debug default options

# fw ctl debug -buf 32000 // Setting kernel debug buffer
# fw ctl debug -m fw + flags // FW debug
# fw ctl debug -m VPN + flags // VPN debug
# fw ctl debug -m cluster + flags // Cluster debug
# fw ctl debug -m kiss + flags // Kernel Infrastructure debug
# fw ctl debug -m kissflow + flags // Kernel Infrastructure Flow debug
# fw ctl debug -m multik + flags // Multi-Kernel Inspection (CoreXL) debug
# fw ctl debug -m cmi_loader + flags // IPS CMI debug
# fw ctl debug -m dlpk + flags // Data Loss Prevention (DLP) Kernel Module debug
# fw ctl debug -m dlpuk + flags // Data Loss Prevention (DLP) User Module debug
# fw ctl debug -m dlpda + flags // Data Loss Prevention (DLP) Download Agent debug
# fw ctl debug -m cpcode + flags // Data Loss Prevention (DLP) CPcode debug
# fw ctl debug -m APPI + flags // Application Control debug
# fw ctl debug -m CI + flags // Content Inspection (AV) debug
# fw ctl debug -m NRB + flags // Next Rule Base debug
# fw ctl debug -m RAD_KERNEL + flags // Resource Advisor debug
# fw ctl debug -m FILEAPP + flags // File Application debug
# fw ctl debug -m MALWARE + flags // Malware (Threat Prevention) debug
# fw ctl debug -m UP + flags // Unified Policy debug
# fw ctl debug -m upconv + flags // Unified Policy conversion debug
# fw ctl debug -m UPIS + flags // Unified Policy Infrastructure debug
# fw ctl debug -m IDAPI + flags // Identity Awareness debug
# fw ctl debug -m SGEN + flags // Struct Generator debug
# fw ctl debug -m UC + flags // UserCheck debug
# fw ctl debug -m CPAS + flags // CPAS debug
# fw ctl debug -m WS + flags // Web Intelligence debug
# fw ctl debug -m WSIS + flags // Web Intelligence Infrastructure debug
# fw ctl debug -m WS_SIP + flags // Web Intelligence SIP Parser debug
# fw ctl debug -m SFT + flags // Stream File Type debug
# fw ctl debug -m fg + flags // FloodGate-1 (QoS) debug
# fw ctl debug -m RTM + flags // Real-Time Monitoring debug
# fw ctl debug -m h323 + flags // H.323 debug
# fw ctl debug -m ICAP_CLIENT + flags // Internet Content Adaptation Protocol client debug
# fw ctl debug -m gtp + flags // GPRS Tunneling Protocol (GTP) debug
# fw ctl kdebug -T -f > /var/log/kernel_debug.txt // output file
Kernel debugging options for Firewall module: fw
Syntax: fw ctl debug -m fw + flag1 flag2 flag3 ... | fw ctl debug -m fw all
Flag Explanation
acct Application Control accounting in Smart View Tracker log (also debug module 'APPI')
advp advanced patterns (signatures over port ranges) - runs under ASPII and CMI
aspii Accelerated Stateful Protocol Inspection Infrastructure (INPSECT streaming)
balance ConnectControl - logical servers in kernel , load balancing
bridge Bridge mode
cgnat Carrier Grade NAT (CGN/CGNAT)
chain cookie chain , chain modules
chainfwd chain forwarding - related to cluster kernel parameter fwha_perform_chain_forwarding
cifs Common Internet File System (CIFS) - file sharing protocol in Windows-based networks
citrix processing of Citrix connections
cmi Context Management Interface/Infrastructure - IPS signature manager
conn Connections Table issues
connstats connections statistics for Evaluation of Heavy Connections in CPView (refer to sk105762)
content Anti-Virus content inspection
context operations on Memory context and CPU context in KISS module
cookie virtual de-fragmentation , cookie issues (cookies in the data structure holding the packets)
cptls CRYPTO-PRO Transport Layer Security (HTTPS inspection) - Russian VPN GOST
crypt encrypted / decrypted packets, algorithms and keys are printed in clear text and cipher text
cvpnd processing of connections handles by Mobile Access daemon
dfilter debug filter operations
dlp processing of Data Loss Prevention connections
dnstun DNS tunnels
domain DNS queries
dos DDoS attack mitigation (part of IPS)
driver kernel attachment - access to kernel is shown as log entries
drop associates a reason for (almost) every dropped packet
dynlog dynamic log enhancement (INSPECT logs)
epq End Point Quarantine (also AMD)
error various general error messages (enabled by default)
event Event App features (DNS, HTTP, SMTP, FTP)
ex dynamic table expiration issues (time-out)
filter packet filtering performed by kernel and all data loaded into kernel
ftp FTP Data connections inspection (used to call applications over FTP Data - i.e., Anti-Virus)
cluster configuration - changes in the configuration and information about interfaces during
highavail
traffic processing
hold holding mechanism and all packets being held / released
icmptun ICMP tunnels
if interface-related information - accessing the interfaces, installing a filter on an interfaces
install driver installation - NIC attachment (fw ctl install and fw ctl uninstall)
integrity client integrity mechanics
ioctl IOCTL control messages - communication between kernel and daemons, un/loading of FW-1
ipopt IP options enforcement
ips IPS logs and IPS IOCTL
ipv6 IPv6 traffic debug
kbuf kernel-buffer memory pool - e.g., encryption keys use these memory allocations
ld kernel dynamic tables infrastructure - reads from / writes to the tables (machine can hang!)
leaks memory leak detection mechanism
link creation of links in Connections kernel table (id 8158)
log everything related to calls in the log
machine INSPECT Virtual Machine - actual assembler commands being processed (FW can hang!)
mail e-mail issues - POP3, IMAP
malware Threat Prevention Layers (multiple rulebases) matching
media on Windows OS only: Transport Driver Interface information (interface-related information)
memory memory allocation issues
mgcp Media Gateway Control Protocol (complementary to H.323 and SIP)
misc miscellaneous helpful information - not shown with other flags
misp ISP Redundancy
monitor prints‎output‎similar‎to‎“fw monitor”‎command (also enable the 'misc' flag)
monitorall prints‎output‎similar‎to‎“fw monitor -p all”‎command (also enable the 'misc' flag)
synchronization (in kernel) between cluster members of Multicast Routes that are added
mrtsync
when working with Dynamic Routing Multicast protocols
msnms MSN over MSMS (MSN Messenger protocol) (also always enable the 'sip' flag)
multik CoreXL related (enables all the flags except for flag 'packet' in the 'MULTIK' module)
nac Network Access Control (NAC) Blade (refer to Identity Awareness)
nat NAT issues - basic information
nat64 NAT issues - 6in4 tunnels (IPv6 over IPv4) and 4in6 tunnels (IPv4 over IPv6)
netquota Network Quota IPS protection
ntup Non-TCP / Non-UDP traffic policy (traffic parser)
packet actions performed on packet - like accept, drop, fragment (esp. KFUNCs called by INSPECT)
packval stateless verifications - sequences, fragments, translations and other header verifications
portscan port scanning prevention mechanics
prof Firewall Priority Queues - connection profiler (refer to sk105762)
q driver queue - e.g., synchronization operations (crucial for ClusterXL sync debugging)
qos QoS (FloodGate-1)
rad Resource Advisor policy
route routing (ISP Redundancy, fwcookie code)
sam Suspicious Activity Monitoring (OPSec)
sctp Stream Control Transmission Protocol (SCTP)
scv SecureClient Verification
shmem currently is not used
sip VoIP traffic - SIP and H323
smtp e-mail issues - SMTP
sock Sockstress TCP DoS attack (CVE-2008-4609)
span mirror port (duplicates the network traffic and records the activity in logs)
spii Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure
synatk 'SYN Attack' (SYNDefender) IPS protection
sync synchronization operations in ClusterXL
tcpstr TCP streaming mechanism
te prints name of an interface for incoming connection from Threat Emulation Machine
ua VoIP traffic - Universal Alcatel "UA" Protocol
ucd UserCheck connections to other cluster members
user User Space communication with Kernel Space (most useful for configuration and VSX debug)
utest currently is not used
vm Virtual Machine chain decisions on traffic going through fw_filter_chain
wap Multimedia Messaging Service (Wireless Application Protocol)
warning various general warning messages (enabled by default)
wire wire-mode Virtual Machine chain module
xlate NAT issues - basic information
xltrc NAT issues - additional information - going through NAT rulebase
zeco Zero-Copy kernel module memory allocations
Kernel debugging options for VPN module: VPN
Syntax: fw ctl debug -m VPN + flag1 flag2 flag3 ... | fw ctl debug -m VPN all
Flag Explanation
cluster cluster related events
comp compression for encrypted connections
counters various status counters (typically for SmartView Monitor)
cphwd hardware acceleration issues
err errors that should not happen, or errors that critical to the working of the VPN module
gtp GTP (GPRS Tunneling Protocol)
ifnotify debugs notification of changes in interface status - up or down (received from OS)
turns on all IKE kernel debug in respect to moving the IKE to the interface, where it will
ike eventually leave and the modification of the source IP of the IKE packet, depending on the
configuration
initializes the VPN kernel and kernel data structures, when kernel is up, or when policy is
init
installed - it will also print the values of the flags that are set using CPSET upon policy reload
l2tp L2TP protocol related events
lsv Large Scale VPN (LSV)
mem allocation of VPN pools and VPN contexts
mspi information related to creation and destruction of MSA / MSPI
multicast VPN multicast
multik information related to VPN and CoreXL interaction
nat NAT issues , cluster IP manipulation (Virtual_IP-to-Member_IP and backwards)
om_alloc allocation of Office Mode IP addresses
osu cluster Optimal Service Upgrade (sk107042)
packet events that can happen for every packet, unless covered by more specific debug flags
pcktdmp dumps the encrypted packets before encryption / decrypted packets after decryption
events that can happen only for a special packet in a connection,
policy
usually related to policy decisions or logs / traps
queue handling of Security Association (SA) queues
rdp handling of RDP packets
ref information regarding reference counting for MSA / MSPI when storing or deleting SAs
link selection table manipulation and Certificate Revocation List (CRL),
resolver
which is also part of the peer resolving mechanism
rsl operations on range skip list
sas printing of keys and SA information
sr SecureClient / SecureRemote related issues
tagging sets the VPN policy of a connection according to VPN communities, VPN Policy related info
tcpt TCP Tunnel (Visitor mode) related information (FW traversal on port 443)
tnlmon tunnel monitoring
topology information related to VPN Link Selection
vin on Windows OS only: information related to IPSec NIC interaction
warn warnings: may affect connection behavior
xl Accelerator cards interaction (AC II / III / IV)
Kernel debugging options for Cluster module: cluster
Syntax: fw ctl debug -m cluster + flag1 flag2 flag3 ... | fw ctl debug -m cluster all
 There is also the SYNC flag, which is in the “FW” module and shows debug that is related to SYNC only.
 Set this variable to print the contents of the packets in HEX format as "FW-1: fwha_print_packet: Buffer:"
# fw ctl set int fwha_dprint_io 1
 Set this variable to print all network checking printing
# fw ctl set int fwha_dprint_all_net_check 1
Flag Explanation
related to status and support of SecureXL
accel
(should be used together with 'conf' flag in 'cluster' module)
arp ARP Forwarding in ClusterXL R80.10 and above (sk111956)
ccp reception/transmission of Cluster Control Protocol (CCP) packets
conf configuration and policy installation
Connectivity Upgrade (sk107042) - translation of kernel tables, connection synchronization,
cu
connection rematch, etc.
df Decision Function - decides, which member will handle each packet in a Load Sharing mode
drop connections dropped by the CXL Decision Function (DF) module - excluding CCP packets
forward Forwarding Layer messages - when sending and receiving a forwarded packet
if interface tracking and validation - all the operations and checks on interfaces
creating and sending of logs by cluster‎
log
(should be used together with 'log' flag in 'fw' module)
mac related to current configuration of and detection of cluster interfaces
(should be used in parallel with 'conf' flag and 'if' flag in 'cluster' module)
mmagic operations on MAC magic (getting, setting, updating, initializing, dropping, etc.)
nokia related to cluster running on IPSO OS
pivot related to ClusterXL Load Sharing Unicast mode (Pivot mode)‎
pnote related to registering and monitoring of Critical Devices (pnotes)‎
select packet selection - including Decision Function (DF)
stat related to state of cluster members (state machine)‎
Subscriber module - set of APIs, which enable user space processes (by using a DLL) to be
subs aware of the current state of the ClusterXL state machine and other clustering configuration
parameters
timer reports of cluster internal timers
trap sending trap messages from ‎cluster kernel to RouteD daemon about ‎Master change
Kernel debugging options for Kernel Infrastructure module: kiss
Syntax: fw ctl debug -m kiss + flag1 flag2 flag3 ... | fw ctl debug -m kiss all
Flag Explanation
bench CPU benchmarker
dfa Pattern Matcher (Deterministic Finite Automaton) compilation and execution
driver when FW driver is loaded / unloaded
error different error messages (default)
flofiler FLow prOFILER
ghtab multi-threaded safe global hash tables
handles Memory Pool allocation for tables
htab multi-threaded safe hash tables
ioctl IOCTL control messages - communication between kernel and daemon
kqstats Kernel Worker thread statistics mechanism - resetting, initializing, turning off
kw Kernel Worker state and Pattern Matcher inspection
memprof memory allocation issues in memory profiler (when fw_conn_mem_prof_enabled=1)
misc CPU counters, Memory counters, getting/setting of global kernel parameters
mtctx multi-threaded context - memory allocation, reference count
pcre Perl Compatible Regular Expressions - execution, memory allocation
pm Pattern Matcher compilation and execution
pmdump Pattern Matcher DFA (dumping XMLs of DFAs)
pmint Pattern Matcher compilation
pools Memory Pool allocation issues
queue Kernel Worker thread queues
rem Regular Expression Matcher - Pattern Matcher 2nd tier (slow path)
salloc System Memory allocation
shmem shared memory allocation
sm String Matcher - Pattern Matcher 1st tier (fast path)
stat statistics for categories and maps
swblade registration of Software Blades
thinnfa currently is not used (Thin NFA)
thread kernel thread that supplies kernel thread low level APIs
timers internal timers
usrmem User Space platform memory usage
vbuf virtual buffer
warning warnings (default)
worker Kernel Worker - queuing and dequeuing
Kernel debugging options for Kernel Infrastructure Flow module: kissflow

Syntax: fw ctl debug -m kissflow + flag1 flag2 flag3 ... | fw ctl debug -m kissflow all
Flag Explanation
compile Pattern Matcher - pattern compilation
dfa Pattern Matcher (Deterministic Finite Automaton) compilation and execution
pm Pattern Matcher - general information
warning warnings (default)
Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik
Syntax: fw ctl debug -m multik + flag1 flag2 flag3 ... | fw ctl debug -m multik all
When enabling the 'multik' flag in the 'FW' module, it enables all the flags in this module except for flag 'packet'
Flag Explanation
api registration and unregistration of cross-instance function calls
cache_tab cache table infrastructure
conn creation and deletion of connections in the dispatcher table
counter cross-instance counter infrastructure
error various error conditions in CoreXL infrastructure
event cross-instance event aggregation infrastructure
fwstats FW-1 statistics
ioctl distribution of IOCTLs to different instances
lock obtaining and releasing fw_lock on multiple instances
message cross-instance messages (used for local sync and port scanning)
packet per packet, shows the dispatching decision - instance and reason
packet_err invalid‎packets,‎for‎which‎dispatching‎decision‎can’t‎be‎made
prio Firewall Priority Queues (refer to sk105762)‎
queue packet queue
quota cross-instance quota table (used by the network quota feature)
state starting and stopping of instances, establishment of relationship between instances
temp_conns temporary connections
uid Cross-instance Unique IDs
vpn_multik MultiCore VPN (refer to sk118097)
Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader
Syntax: fw ctl debug -m cmi_loader + flag1 flag2 flag3 ... | fw ctl debug -m cmi_loader all
Flag Explanation
address information about connection's IP address
connection currently is not used
coverage shows the coverage times - entering, blocking, and time spent
cpcode CPcode (refer to DLP Admin Guide)
error various general error messages
global_states user space global states structures
info general information
inspect cmi_loader INSPECT code
module cmi_loader module operations - initialization, module loading, calls to module, contexts, etc.
parsers_is cmi_loader parsers infrastructure
policy policy installation
sigload signatures, patterns, ranges
subject shows the debug subject of each message
timestamp a timestamp for each debug message (changes when 'coverage' is active)‎
verbose used with other flags - for additional information
vs prints VSID of the debugged Virtual System
warning warnings
Kernel debugging options for Data Loss Prevention Kernel module: dlpk
Syntax: fw ctl debug -m dlpk + flag1 flag2 flag3 ... | fw ctl debug -m dlpk all
Flag Explanation
cmi HTTP Proxy, connection redirection, identity information, Async
drv DLP inspection
identity user identity, connection identity, Async
rulebase DLP rulebase match
stat counters statistics
warning warnings
Kernel debugging options for Data Loss Prevention User module: dlpuk
Syntax: fw ctl debug -m dlpuk + flag1 flag2 flag3 ... | fw ctl debug -m dlpuk all
Flag Explanation
buffer currently is not used
module initiating / removing of DLPUK debug infrastructure
policy currently is not used
serialize data buffers and data sizes
timestamp a timestamp for each debug message (changes when 'coverage' flag is enabled)‎
warning warnings
Kernel debugging options for DLP Download Agent - Content Awareness module: dlpda
Syntax: fw ctl debug -m dlpda + flag1 flag2 flag3 ... | fw ctl debug -m dlpda all
Flag Explanation
cmi Context Management Interface/Infrastructure operations
ctx operations on DLP context
engine Content Awareness engine module
filecache Content Awareness file caching
mngr currently is not used
module initiating / removing of Content Awareness infrastructure
observer Classification Object (CLOB) observer (data classification)
policy Content Awareness operations
‎ ‎policy
slowpath currently is not used
warning warnings
Kernel debugging options for Data Loss Prevention CPcode module: cpcode
Syntax: fw ctl debug -m cpcode + flag1 flag2 flag3 ... | fw ctl debug -m cpcode all
Flag Explanation
cplog resolving of names and IP addresses for Check Point log
csv creating of CSV file
echo prints the function that called the CPcode module
init initializing of CPcode system
io Input / Output functionality for CPcode
ioctl IOCTL control messages to kernel
kisspm Kernel Infrastructure Pattern Matcher
persist operations on persistence domains
policy some policy operations
run some policy operations
url operations on URLs
vm Virtual Machine execution
warning warnings
Kernel debugging options for Application Control Inspection module: APPI

Syntax: fw ctl debug -m APPI + flag1 flag2 flag3 ... | fw ctl debug -m APPI all
Flag Explanation
account accounting information
btime browse time
connection APPI connections
global global policy operations
limit APPI limits
module APPI module operations - initialization, module loading, calls to module, policy loading, etc.
observer Classification Object (CLOB) observer (data classification)
policy information about APPI policy
referrer Application Control referrer
urlf_ssl Application Control / URL Filtering for SSL
warning warnings
Kernel debugging options for Content Inspection module: CI
Syntax: fw ctl debug -m CI + flag1 flag2 flag3 ... | fw ctl debug -m CI all
Flag Explanation
address shows connection address [Source_IP:Source_Port -> Dest_IP:Dest_Port]
av Anti-Virus inspection
crypto basic information about encryption and decryption
fatal fatal errors‎
filter basic information about URL filters
ioctl currently is not used
module CI module operations - initialization, module loading, calls to module, policy loading, etc.
policy information about Content Inspection policy
profile very basic information about CI module - initialization, destroying, freeing
regexp regular expression library
session session layer
stat Content Inspection ‎statistics
track use only for very limited important debug prints, so it can be used in a loaded environment -
Content-Disposition, Content-Type, extension validation, extension matching
uf URL filters and URL cache
warning warnings
Kernel debugging options for Next Rule Base module: NRB

Syntax: fw ctl debug -m NRB + flag1 flag2 flag3 ... | fw ctl debug -m NRB all
Flag Explanation
appi rules and applications
dlp Data Loss Prevention
match rule matching
module NRB module operations - initialization, module loading, calls to module, contexts, etc.
policy policy installation
sec_rb security rulebase
ssl_insp HTTPS SSL Inspection
warning warnings
Kernel debugging options for Resource Advisor Kernel module: RAD_KERNEL
Syntax: fw ctl debug -m RAD_KERNEL + flag1 flag2 flag3 ... | fw ctl debug -m RAD_KERNEL all
Flag Explanation
cache RAD kernel malware cache
global RAD global contexts
warning warnings
Kernel debugging options for File Application module: FILEAPP

Syntax: fw ctl debug -m FILEAPP + flag1 flag2 flag3 ... | fw ctl debug -m FILEAPP all
Flag Explanation
filetype some information about processing a file type
global allocation and creation of global object
memory currently is not used
module FILEAPP module operations
normalize file normalization operations (internal operations)
parser file parsing
upload file upload operations
warning warnings
Kernel debugging options for Malware (Threat Prevention) module: MALWARE
Syntax: fw ctl debug -m MALWARE + flag1 flag2 flag3 ... | fw ctl debug -m MALWARE all
Flag Explanation
av currently is not used
global prints parameters read from the $FWDIR/conf/mail_security_config file
ioc currently is not used
memory currently is not used
module currently, prints a message about removing the malware debug infrastructure
policy currently is not used
te currently is not used
warning warnings
Kernel debugging options for Unified Policy module: UP

Syntax: fw ctl debug -m UP + flag1 flag2 flag3 ... | fw ctl debug -m UP all
Flag Explanation
account currently is not used
btime currently is not used (browse time)
clob data classification - Classification Object (CLOB)
connection information about connections, transactions
limit Unified Policy download / upload limits
log some logging operations
mab Mobile Access handler
manager Unified Policy manager operations
match data classification - Classification Object (CLOB)
memory memory operations
module Unified Policy module operations
policy Unified Policy internal operations
prob currently is not used (system probing)
prob_impl currently is not used
rulebase Unified Policy rulebase
sec_rb secondary NRB rulebase operations
stats statistics about connections, transactions
urlf_ssl currently is not used
vpn VPN classifier
warning warnings
Kernel debugging options for Unified Policy Conversion module: upconv
Syntax: fw ctl debug -m upconv + flag1 flag2 flag3 ... | fw ctl debug -m upconv all
Flag Explanation
map UTF-8 and UTF-16 characters conversion
mem shows how much memory is used for character sets
tree lookup of characters
utf7 conversion of UTF-7 characters to a Unicode characters
utf8 conversion of UTF-8 characters to a Unicode characters
warning warnings
Kernel debugging options for Unified Policy Infrastructure module: UPIS

Syntax: fw ctl debug -m UPIS + flag1 flag2 flag3 ... | fw ctl debug -m UPIS all
Flag Explanation
clob data classification - Classification Object (CLOB)
cpdiag CPDiag operations
crumbs currently is not used
db SQLite Database operations
fwapp information about policy installation for FireWall application
memory memory operations
mgr policy installation manager
module Unified Policy Infrastructure module operations
mutex Unified Policy internal mutex operations
policy Unified Policy Infrastructure internal operations
report various reports about Unified Policy installations
sna operations on SnA objects ("Services and Application")
tables operations on kernel tables
topo information about topology and Anti-Spoofing of interfaces; about Address Range objects
upapp information about policy installation for Unified Policy application
update information about policy installation for CMI Update application
vpn VPN classifier
warning warnings
Kernel debugging options for Identity Awareness module: IDAPI
Syntax: fw ctl debug -m IDAPI + flag1 flag2 flag3 ... | fw ctl debug -m IDAPI all
Flag Explanation
async checking known network
data Portal, IP address matching for Terminal Servers Identity Agent, session handling
htab checking for network IP address, working with kernel tables
module removing of IDAPI debug infrastructure, failed to convert to Base64,
failed to append Source to Destination, etc.
test IP test, IDAPI sync
warning warnings
Kernel debugging options for Struct Generator module: SGEN

Syntax: fw ctl debug -m SGEN + flag1 flag2 flag3 ... | fw ctl debug -m SGEN all
Flag Explanation
engine Struct Generator ‎engine operations on objects
field operations on fields
general general types macros
load loading of macros
serialize serialization during loading of macros
warning warnings
Kernel debugging options for UserCheck module: UC

Syntax: fw ctl debug -m UC + flag1 flag2 flag3 ... | fw ctl debug -m UC all
Flag Explanation
htab hash table
module UC module initializing, UC table hits, finding User ID in cache, removing of UC debug IS
warning warnings
webapi URL patterns, UC incidents, connection redirection
Kernel debugging options for Check Point Active Streaming module: CPAS
Syntax: fw ctl debug -m CPAS + flag1 flag2 flag3 ... | fw ctl debug -m CPAS all
Flag Explanation
api interface layer messages
conns detailed description of connections, and connection's limit-related messages
error errors: the connection is probably rejected
events event-related messages
ftp messages of the FTP example server
glue glue layer messages
http messages of the HTTP example server
icmp messages of the ICMP example server
notify e-mail Messaging Security application
pkts packets handling messages (allocation, splitting, resizing, etc.)
skinny SCCP (Skinny Client Control Protocol - Cisco proprietary VoIP protocol)
sync synchronization operations in cluster
tcp TCP processing messages
tcpinfo TCP processing messages - more detailed description
timer reports of timer ticks (pours many messages, without real content)
warning warnings: may affect connection behavior
Kernel debugging options for Web Intelligence module: WS
Syntax: fw ctl debug -m WS + flag1 flag2 flag3 ... | fw ctl debug -m WS all
 Set this variable to debug specific Virtual System:

# fw ctl set int ws_debug_vs <VSID>
 Set this variable to 0 (zero) to debug all Virtual Systems (default):
# fw ctl set int ws_debug_vs 0
 Set this variable to debug specific IPv4 address:
# fw ctl set int ws_debug_ip XXX.XXX.XXX.XXX
 Set this variable to 0 (zero) to debug all IPv4 addresses (default):
# fw ctl set int ws_debug_ip 0
Flag Explanation
body HTTP body (content) layer
connection connection layer
cookie HTTP cookie header
crumb currently is not used
event events
fatal fatal errors: may prevent policy installation, etc.
flow currently is not used
global global structure handling (usually policy related)
info informational purposes only
ioctl IOCTL control messages - communication between kernel and daemon, un/loading of FW-1
mem_pool memory pool related
module module related
parser HTTP header parser layer
parser_err HTTP header parsing errors
pfinder pattern finder related
pkt_dump traffic packet dump (requires connection)
policy policy (installation and enforcement)
report_mgr report manager (errors and logs)
spii Stateful Protocol Inspection Infrastructure (INSPECT streaming)
sslt SSLT library
stat memory usage statistics
stream stream virtualization
uuid session UUID related
Kernel debugging options for Web Intelligence Infrastructure module: WSIS
Syntax: fw ctl debug -m WSIS + flag1 flag2 flag3 ... | fw ctl debug -m WSIS all

Flag Explanation
cipher currently is not used
common prints a message when parameters are invalid
datastruct data structure tree
decoder decoder for content transfer encoding (UUEncode, UTF-8, HTML encoding &#)
warning warnings
Kernel debugging options for Web Intelligence SIP Parser‎module: WS_SIP
Syntax: fw ctl debug -m WS_SIP + flag1 flag2 flag3 ... | fw ctl debug -m WS_SIP all

Flag Explanation
body HTTP body (content) layer
connection connection layer
cookie HTTP cookie header
event events
fatal fatal errors: may prevent policy installation, etc.
global global structure handling (usually policy related)
info informational purposes only
ioctl IOCTL control messages - communication between kernel and daemon, un/loading of FW-1
mem_pool memory pool related
module module related
parser_err HTTP header parsing errors
pfinder pattern finder related
pkt_dump traffic packet dump (requires connection)
policy policy (installation and enforcement)
report_mgr report manager (errors and logs)
spii Stateful Protocol Inspection Infrastructure (INSPECT streaming)
sslt SSLT library
stat memory usage statistics
stream stream virtualization
uuid session UUID related
Kernel debugging options for Stream File Type module: SFT
Syntax: fw ctl debug -m SFT + flag1 flag2 flag3 ... | fw ctl debug -m SFT all
Flag Explanation
mgr rule match, database, connection processing, classification
warning warnings
Kernel debugging options for FloodGate-1 (QoS) module: fg

Syntax (sk41585): fw ctl debug -m fg + flag1 flag2 flag3 ... | fw ctl debug -m fg all
Flag Explanation
auth authenticated QoS feature
automatch report matching process (debug version only)
autosched report scheduling process (debug version only) - a good way to report the rates on rules
chain tracing each packet through FloodGate-1 points in the cookie chain
holding and releasing packets during critical actions (policy install / uninstall) -
chainq
internal Chain Queue mechanism
citrix processing of Citrix connections
conn connection information and identification processing
dns DNS classification mechanism
drops dropped packets due to WFRED policy
dropsv dropped packets due to WFRED policy - with additional debug information (verbose version)
fwrate report rate statistics per interface and direction
general currently is not used
install policy installation and building internal data structure (for future use)
llq low latency queuing
log everything related to calls in the log
ls ClusterXL Load Sharing
multik CoreXL related
pkt packet recording mechanism
policy QoS policy rules matching classification mechanism
qosaccel QoS acceleration
rates reporting rule / connection rates - IQ Engine behaviour and status
rtm failures in information gathering in RTM module (SmartView Monitor)
sched basic scheduling information
tcp TCP streaming (re-transmission detection) mechanism
time currently is not used
timers reports of timer ticks (pours many messages, without real content)
url URL and URI for QoS classification mechanism
Kernel debugging options for Real Time Monitoring module: RTM
Syntax: fw ctl debug -m RTM + flag1 flag2 flag3 ... | fw ctl debug -m RTM all
Flag Explanation
accel displays SecureXL information regarding accelerated packets, connections, etc.
displays information about chain registering, and about the E2E chain function actions;
chain
this important flag helps you know if the E2E (VL) is identifying VL packets
con_conn displays‎the‎same‎information‎as‎“per_conn”‎flag
err different error messages (default)
import displays information about RTM importing functions from other modules (FW-1, FG-1)
init rarely used
ioctl RTM IOCTL control messages
displays information about how the RTM handles netmasks,
netmasks
if you are monitoring network object, which is a network
per_conn messages per connection (when a new connection is handled by RTM)
per_pckt messages per packet (when a new packet arrives) - use it with care
performance currently is not used
displays FireWall-1 load/unload messages
policy
(indicates that the RTM received the FW-1 callback)
rtm displays information about RTM monitoring
s_err displays various error messages (regarding tables info and other failures)
sort debugging the RTM top X monitoring sorting
special display information about how E2E modifies E2ECP protocol packets
tabs currently is not used
topo display information about how the RTM calculates network topography
view_add when Views are added or deleted
view_update when Views are updated with new information
view_update1 when Views are updated with new information
wd displays information regarding WebDefense views
Kernel debugging options for VoIP H323 module: h323

Syntax (sk95369): fw ctl debug -m h323 + flag1 flag2 flag3 ... | fw ctl debug -m h323 all
Flag Explanation
align VoIP debug general messages (for example, VOIP infrastructure)
CPAS TCP debug messages - since H323 : H225 and H245 are over TCP ;
cpas
this flag is not included when debug running # fw ctl debug -m h323 all
decode H323 decoder messages
h225 H225 call signaling messages (SETUP, CONNECT, RELEASE COMPLETE, etc.)
h245 H245 control signaling messages (OPEN LOGICAL CHANNEL, END SESSION COMMAND, etc.)
init used for internal errors
ras H225 RAS messages (REGISTRATION, ADMISSION, and STATUS REQUEST / RESPONSE)
Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT
Syntax: fw ctl debug -m ICAP_CLIENT + flag1 flag2 flag3 ... | fw ctl debug -m ICAP_CLIENT all
References: sk108135, sk111305
Flag Explanation
global global client
module kernel handler, user mode handler,
policy policy
warning warnings
Kernel debugging options for GPRS Tunneling Protocol (GTP) module: gtp
Syntax: fw ctl debug -m gtp + flag1 flag2 flag3 ... | fw ctl debug -m gtp all
Flag Explanation
create GTPv0 / GTPv1 ‎create PDP context
create2 GTPv2 ‎create session
dbg GTP debug mechanism
delete GTPv0 / GTPv1 ‎delete PDP context
delete2 GTPv2 ‎delete session
error GTP errors
ioctl GTP IOCTL commands
ld GTP table operations
log GTPv0 / GTPv1 logging
log2 GTPv2 logging
modify GTPv2 modify bearer
other GTPv0 / GTPv1 other messages
other2 GTPv2 other messages
packet GTP main packet flow
parse GTPv0 / GTPv1 parsing
parse2 GTPv2 parsing
policy GTP policy installation
state GTPv0 / GTPv1 dispatching
state2 GTPv2 dispatching
sxl GTP processing by SecureXL
tpdu GTP T-PDU
update GTPv0 / GTPv1 ‎update PDP context
Kernel debugging options for Boolean Analyzer for Web Intelligence (BOA) module: BOA
Syntax: fw ctl debug -m BOA + flag1 flag2 flag3 ... | fw ctl debug -m BOA all
Flag Explanation
analyzer BOA module operations
disasm some disassembler information
fatal fatal errors and failures
flow BOA module operations
lock information about internal locks in FireWall kernel
memory memory allocation information
spider information about internal hash tables
stat statistics information
stream memory allocation when processing streamed data
warning warnings

Kernel Debug Flags R80.10

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Kernel Debug Flags R80.10

Uploaded by

Copyright:

Available Formats

Kernel Debug Flags (R80.

Explanation for 'fw ctl debug'

# fw ctl debug 0 // defaults (clears) all kernel debugging options

Explanation for 'fw ctl kdebug'

# fw ctl kdebug -t / -T // prints the timestamp (t = seconds ; T = microseconds) -

# fw ctl debug -m <module> <severity list> <subject list>

List of debug severities:

List of debug subjects:

# fw ctl debug 0 // Setting kernel debug default options

Kernel debugging options for Kernel Infrastructure Flow module: kissflow

Kernel debugging options for Application Control Inspection module: APPI

Kernel debugging options for Next Rule Base module: NRB

Kernel debugging options for File Application module: FILEAPP

Kernel debugging options for Unified Policy module: UP

Kernel debugging options for Unified Policy Infrastructure module: UPIS

Kernel debugging options for Struct Generator module: SGEN

Kernel debugging options for UserCheck module: UC

 Set this variable to debug specific Virtual System:

 Set this variable to debug specific Virtual System:

 Set this variable to debug specific Virtual System:

Kernel debugging options for FloodGate-1 (QoS) module: fg

Kernel debugging options for VoIP H323 module: h323

References: sk108135, sk111305

You might also like