kernel debug flags r77.10


  • Sergei Shir (Intl TAC) Kernel Debug flags (R77.10) 09 Sep 2014 21:29:00 page 1 of 16

    Classification: [Protected]

    Kernel Debug Flags (R77.10)

    Table of Contents

    Usage
    Example
    Explanation for 'fw ctl debug'
    Explanation for 'fw ctl kdebug'
    Debug severity
    Kernel debugging options for Firewall module: FW
    Kernel debugging options for VPN module: VPN
    Kernel debugging options for Check Point Active Streaming module: CPAS
    Kernel debugging options for Cluster module: cluster
    Kernel debugging options for Web Intelligence module: WS
    Kernel debugging options for FloodGate-1 (QoS) module: FG-1
    Kernel debugging options for VoIP H323 module: h323
    Kernel debugging options for Real Time Monitoring module: RTM
    Kernel debugging options for Kernel Infrastructure module: kiss
    Kernel debugging options for Kernel Infrastructure Flow module: kissflow
    Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik
    Kernel debugging options for Content Inspection module: CI
    Kernel debugging options for Application Control Inspection module: APPI
    Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader
    Kernel debugging options for Next Rule Base module: NRB
    Kernel debugging options for Resource Advisor module: RAD_KERNEL
    Kernel debugging options for Struct Generator module: SGEN
    Kernel debugging options for Web Intelligence Infrastructure module: WSIS
    Kernel debugging options for Web Intelligence SIP Parser module: WS_SIP
    Kernel debugging options for Data Leak Prevention module: DLPK
    Kernel debugging options for Data Leak Prevention User module: DLPUK
    Kernel debugging options for Identity Awareness module: IDAPI
    Kernel debugging options for Stream File Type module: SFT
    Kernel debugging options for UserCheck module: UC
    Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT

    Usage

    # fw ctl debug -h :

    # fw ctl debug [-x] [-m <module>] [+ | -] <options | all | 0>

    # fw ctl debug [-t (NONE | ERR | WRN | NOTICE | INFO)] [-f (RARE | COMMON)]

    # fw ctl kdebug [-i <file> | [-f] -o <file>] [-b <buffer size>] [-t | -T] [-p fld1[,fld2...] [-m <num> [-s <size>]]

    Example

    # fw ctl debug 0 // Setting kernel debug default options

    # fw ctl debug -buf 32000 // Setting kernel debug buffer

    # fw ctl debug -m fw + flags // FW debug

    # fw ctl debug -m VPN + flags // VPN debug

    # fw ctl debug -m cluster + flags // Cluster debug

    # fw ctl debug -m h323 + flags // H.323 debug

    # fw ctl debug -m CPAS + flags // CPAS debug

    # fw ctl debug -m WS + flags // Web Intelligence debug

    # fw ctl debug -m FG-1 + flags // FloodGate-1 (QoS) debug

    # fw ctl debug -m RTM + flags // Real-Time Monitoring debug

    # fw ctl debug -m kiss + flags // Kernel Infrastructure debug

    # fw ctl debug -m kissflow + flags // Kernel Infrastructure Flow debug

    # fw ctl debug -m multik + flags // Multi-Kernel Inspection debug

    # fw ctl debug -m APPI + flags // Application Control debug

    # fw ctl debug -m CI + flags // Content Inspection (AV) debug

    # fw ctl debug -m cmi_loader + flags // IPS CMI debug

    # fw ctl debug -m dlpk + flags // Data Leak Prevention (DLP) debug

    # fw ctl debug -m IDAPI + flags // Identity Awareness debug

    # fw ctl debug -m NRB + flags // Next Rule Base debug

    # fw ctl debug -m RAD_KERNEL + flags // Resource Advisor debug

    # fw ctl debug -m SGEN + flags // Struct Generator debug

    # fw ctl debug -m WSIS + flags // Web Intelligence Infrastructure debug

    # fw ctl debug -m SFT + flags // Stream File Type debug

    # fw ctl debug -m WS_SIP + flags // Web Intelligence SIP Parser debug

    # fw ctl debug -m ICAP_CLIENT + flags // Internet Content Adaptation Protocol client debug

    # fw ctl debug -m UC + flags // UserCheck debug

    # fw ctl kdebug -T -f > /var/log/kernel_debug.ctl // output file

    Explanation for 'fw ctl debug'

    # fw ctl debug 0 // defaults (clears) all kernel debugging options

    # fw ctl debug -x // disables all kernel debugging options :

    // de-allocates the buffer & automatically kills the 'fw ctl debug' process

    # fw ctl debug -buf // allocates the buffer (OS will use maximal available buffer) :

    // MIN value 128kB ; MAX value in NG is 16MB ,

    // MAX value in VSX NGX is 16MB , MAX value in NGX is 32MB

    # fw ctl debug // displays ALL kernel modules and their flags THAT WERE TURNED ON

    # fw ctl debug -m // displays ALL kernel modules and their flags that the machine understands

    # fw ctl debug -m <module> // displays the flags for this module THAT WERE TURNED ON

    Explanation for 'fw ctl kdebug'

    # fw ctl kdebug -t / -T // in NGX only - prints the timestamp (t = seconds ; T = microseconds) -

    // helps synchronize packets in debug with packets in FW Monitor

    # fw ctl kdebug -p // prints specific fields : all | proc | pid | date | mid | type |

    // freq | topic | time | ticks | tid | text | err | host

    New in NGX :

    # fw ctl kdebug -f -o <file_name> -m <num> -s <size>

    file_name = name of the output file

    num = maximum number of cyclic files to create

    size = maximum size of each cyclic file in kilobytes

    When given is reached (more or less), is renamed to , and a new

    is created. If already exists, then is renamed to ,

    and so on - until the limit is reached (then the rotation takes place - oldest files are just deleted).
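
The sequence from the examples above (reset, allocate buffer, set flags, capture with kdebug, reset again) wrapped so that the flags are always returned to defaults, as an added example that is not part of the original document. The function names and the DEBUG_ALLOW_RISKY variable are assumptions of this example; the risk classes come from the notes in the FW and VPN flag tables of this document ("can hang", keys or packets printed).

```sh
#!/bin/sh
# Added example, not Check Point code. Assumed names: flag_risk, session_risk,
# run_debug_session, DEBUG_ALLOW_RISKY. Module names are matched as written
# in this document ('fw', 'VPN').

# Classify a module/flag pair using the notes in this document's flag tables:
#   hang   - the table warns that the machine / FW can hang (fw: ld, machine)
#   secret - the table says keys or packet contents are printed
#            (fw: crypt; VPN: sas, pcktdmp)
flag_risk() {
    case "$1:$2" in
        fw:ld|fw:machine)             echo hang ;;
        fw:crypt|VPN:sas|VPN:pcktdmp) echo secret ;;
        *)                            echo ok ;;
    esac
}

# Worst risk class among the requested flags: hang > secret > ok.
session_risk() (
    module=$1; shift
    worst=ok
    for flag in "$@"; do
        case "$(flag_risk "$module" "$flag")" in
            hang)   worst=hang ;;
            secret) [ "$worst" = hang ] || worst=secret ;;
        esac
    done
    echo "$worst"
)

# run_debug_session <outfile> <buffer_kB> <module> <flag>...
# e.g. run_debug_session /var/log/kernel_debug.ctl 32000 fw conn drop
# Reproduce the problem, then stop the capture with Ctrl-C.
run_debug_session() (
    [ $# -ge 4 ] || { echo "usage: run_debug_session <outfile> <buffer_kB> <module> <flag>..." >&2; exit 2; }
    out=$1; buf=$2; module=$3
    shift 3

    risk=$(session_risk "$module" "$@")
    if [ "$risk" = hang ] && [ "${DEBUG_ALLOW_RISKY:-0}" != 1 ]; then
        echo "refusing: a requested flag is marked as able to hang the gateway" >&2
        exit 3
    fi
    if [ "$risk" = secret ]; then
        echo "note: $out will contain keys or packet contents; handle it as secret material" >&2
    fi
    umask 077    # debug output is readable by its owner only

    # Return to the default flags however the capture ends (Ctrl-C, error, EOF).
    trap 'fw ctl debug 0' EXIT
    trap 'exit 130' INT TERM

    fw ctl debug 0                   || exit 1
    fw ctl debug -buf "$buf"         || exit 1
    fw ctl debug -m "$module" + "$@" || exit 1
    fw ctl kdebug -T -f > "$out"
)
```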

    Debug severity

    # fw ctl kebug -m

    List of debug severities:

    info = informational purposes only

    warning = warnings: may affect connection behavior

    error = errors: the connection is probably rejected

    fatal = fatal errors: may prevent policy installation, etc.

    List of debug subjects:

    See the debug flags below

    Kernel debugging options for Firewall module: FW

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m fw

    Flag Explanation

    acct Application Control accounting in SmartView Tracker log (also debug module 'APPI')

    advp advanced patterns (signatures over port ranges) - runs under ASPII and CMI

    aspii Accelerated Stateful Protocol Inspection Infrastructure (INSPECT streaming)

    balance ConnectControl - logical servers in kernel , load balancing

    bridge Bridge mode

    chain cookie chain , chain modules

    chainfwd chain forwarding - related to fwha_perform_chain_forwarding global kernel variable

    cifs Common Internet File System (CIFS) - file sharing protocol in Windows-based networks

    citrix Citrix processing

    cmi Context Management Interface/Infrastructure - IPS signature manager

    conn Connections Table issues

    content AV content inspection

    context operations on Memory context and CPU context in KISS module

    cookie virtual de-fragmentation , cookie issues (cookies in the data structure holding the packets)

    cptls CRYPTO-PRO Transport Layer Security (HTTPS inspection) - Russian VPN GOST

    crypt encrypted / decrypted packets, algorithms and keys are printed in clear text and cipher text

    cvpnd Mobile Access daemon

    dfilter debug filter operations

    dlp Data Leak Prevention

    dnstun DNS tunnels

    domain DNS queries

    dos DDoS attack mitigation (part of IPS)

    driver kernel attachment - access to kernel is shown as log entries

    drop associates a reason for (almost) every dropped packet

    dynlog dynamic log enhancement (INSPECT logs)

    epq End Point Quarantine (also AMD)

    error various general error messages (enabled by default)

    ex dynamic table expiration issues (time-out)

    filter packet filtering performed by kernel and all data loaded into kernel

    ftp FTP Data connections inspection (used to call applications over FTP Data - i.e., Anti-Virus)

    highavail cluster configuration - changes in the configuration and information about interfaces during traffic processing

    hold holding mechanism and all packets being held / released

    icmptun ICMP tunnels

    if interface-related information - accessing the interfaces, installing a filter on an interface

    install driver installation - NIC attachment (fw ctl install and fw ctl uninstall)

    integrity client integrity mechanics

    ioctl IOCTL control messages - communication between kernel and daemons, un/loading of FW-1

    ipopt IP options enforcement

    ips IPS logs and IPS IOCTL

    ipv6 IPv6 traffic debug

    kbuf kernel-buffer memory pool - e.g., encryption keys use these memory allocations

    ld kernel dynamic tables infrastructure - reads and writes to the tables (machine can hang!)

    leaks memory leak detection mechanism

    link Link creation in Connections Table

    log everything related to calls in the log

    machine INSPECT Virtual Machine - actual assembler commands being processed (FW can hang!)

    mail e-mail issues - POP3, IMAP

    malware Anti-Malware (Anti-Virus, Anti-Spam)

    media Windows OS: Transport Driver Interface information (interface-related information)

    memory memory allocation issues

    mgcp Media Gateway Control Protocol (complementary to H.323 and SIP)

    misc miscellaneous helpful information - not shown with other flags

    misp ISP Redundancy

    monitor prints output similar to fw monitor into the debug buffer (also enable the 'misc' flag)

    monitorall prints output similar to fw monitor -p all into the debug buffer (also enable the 'misc' flag)

    mrtsync synchronization (in kernel) between cluster members of Multicast Routes that are added when working with Dynamic Routing Multicast protocols

    msnms MSN over MSMS (MSN Messenger protocol) - always include sip flag

    multik CoreXL related (enables all the flags except for flag 'packet' in the 'MULTIK' module)

    nac Network Access Control (NAC) Blade (refer to Identity Awareness)

    nat NAT issues - basic information

    ndis Windows OS: Network Driver Interface Specification (interface-related information)

    netquota Network Quota IPS protection

    packet actions performed on packet - like accept, drop, fragment (esp. KFUNCs called by INSPECT)

    packval stateless verifications - sequences, fragments, translations and other header verifications

    portscan port scanning prevention mechanics

    q driver queue - e.g., synchronization operations (crucial for ClusterXL debugging)

    qos QoS (FloodGate-1)

    rad Resource Advisor policy

    route routing debugging (ISP Redundancy, fwcookie code)

    sam Suspicious Activity Monitoring (OPSec)

    scv SecureClient Verification

    shmem shared memory - currently is not used

    sip VoIP traffic - SIP and H323

    smtp e-mail issues - SMTP

    sock Sockstress TCP DoS attack (CVE-2008-4609)

    span mirror port (duplicates the network traffic and records the activity in logs)

    spii Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure

    synatk 'SYN Attack' (SYNDefender) IPS protection

    sync synchronization operations in ClusterXL

    tcpstr TCP streaming mechanism

    te prints name of an interface for incoming connection from Threat Emulation Machine

    ua VoIP traffic - Universal Alcatel "UA" Protocol

    ucd UserCheck connections to other cluster members

    user User Space communication with Kernel Space (most useful for configuration and VSX debug)

    utest currently is not used

    vm Virtual Machine chain decisions on traffic going through fw_filter_chain

    wap Multimedia Messaging Service (Wireless Application Protocol)

    warning various general warning messages (enabled by default)

    wire wire-mode Virtual Machine chain module

    xlate NAT issues - basic information

    xltrc NAT issues - additional information - going through NAT rulebase

    zeco Zero-Copy kernel module memory allocations

    Kernel debugging options for VPN module: VPN

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m VPN

    Flag Explanation

    cluster cluster related events

    comp compression for encrypted connections

    counters various status counters (typically for SmartView Monitor)

    cphwd hardware acceleration issues

    driver kernel attachment - access to kernel is shown as log entries

    err errors that should not happen, or errors that are critical to the working of the VPN module

    gtp GTP (GPRS Tunneling Protocol)

    ifnotify debugs notification of changes in interface status - up or down (received from OS).

    ike turns on all IKE kernel debug related to moving the IKE packet to the interface from which it will eventually leave, and to the modification of the source IP of the IKE packet, depending on the configuration.

    init initializes the VPN kernel and kernel data structures, when kernel is up, or when policy is installed - it will also print the values of the flags that are set using CPSET upon policy reload

    l2tp L2TP protocol related events

    mem allocation of VPN pools and VPN contexts

    mspi information related to creation and destruction of MSA / MSPI

    multicast VPN multicast

    multik information related to VPN and CoreXL interaction

    nat NAT issues , cluster IP manipulation (Virtual_IP-to-Member_IP and backwards)

    om_alloc allocation of Office Mode IP addresses

    osu Optimal Service Upgrade

    packet events that can happen for every packet, unless covered by more specific debug flags

    pcktdmp dumps the encrypted / decrypted packets (before encryption / after decryption)

    policy events that can happen only for a special packet in a connection, usually related to policy decisions or logs / traps

    queue handling of Security Association (SA) queues

    rdp handling of RDP packets

    ref information regarding reference counting for MSA / MSPI when storing or deleting SAs

    resolver link selection table manipulation and Certificate Revocation List (CRL), which is also part of the peer resolving mechanism

    sas printing of keys and SA information

    sr SecureClient/SecureRemote related issues

    tagging sets the VPN policy of a connection according to VPN communities, VPN Policy related info

    tcpt TCP Tunnel (Visitor mode) related information (FW traversal on port 443)

    tnlmon tunnel monitoring

    topology information related to VPN Link Selection

    vin information related to IPSec NIC interaction (on Windows OS only)

    warn warnings: may affect connection behavior

    xl Accelerator cards interaction (AC II / III / IV)

    Kernel debugging options for Check Point Active Streaming module: CPAS

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m CPAS

    Flag Explanation

    api interface layer messages

    conns detailed description of connections, and connection's limit-related messages

    error errors: the connection is probably rejected

    events event-related messages

    ftp messages of the FTP example server

    glue glue layer messages

    http messages of the HTTP example server

    icmp messages of the ICMP example server

    notify e-mail Messaging Security application

    pkts packets handling messages (allocation, splitting, resizing, etc.)

    skinny SCCP (Skinny Client Control Protocol - Cisco proprietary VoIP protocol)

    sync synchronization operations in cluster

    tcp TCP processing messages

    tcpinfo TCP processing messages - more detailed description

    timer reports of timer ticks (pours many messages, without real content)

    warning warnings: may affect connection behavior

    Kernel debugging options for Cluster module: cluster

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m cluster

    There is also the SYNC flag, which is in the FW module and shows debug that is related to SYNC only.

    Set this variable to print the contents of the packets in HEX format as "FW-1: fwha_print_packet: Buffer:"

    # fw ctl set int fwha_dprint_io 1

    Set this variable to print all network checking messages:

    # fw ctl set int fwha_dprint_all_net_check 1

    Flag Explanation

    accel related to status and support of SecureXL (should be used in parallel with 'conf' flag)

    ccp reception/transmission of Cluster Control Protocol (CCP) packets

    conf configuration and policy installation

    df Decision Function - decides, which member will handle each packet in a Load Sharing mode

    drop connections dropped by the CXL Decision Function (DF) module (only in NGX) - excluding CCP packets

    forward Forwarding Layer messages - when sending and receiving a forwarded packet

    if interface tracking and validation - all the operations and checks on interfaces

    log creating and sending of logs by cluster (should be used in parallel with 'log' flag in 'fw' module)

    mac related to current configuration of and detection of cluster interfaces (should be used in parallel with 'conf' flag and 'if' flag)

    nokia related to cluster running on Nokia IPSO platform

    pivot related to ClusterXL Load Sharing Unicast mode (Pivot mode)

    pnote related to registering and monitoring of critical devices (pnotes)

    select packet selection - including Decision Function (DF)

    stat related to state of cluster members (state machine)

    subs Subscriber module - set of APIs, which enable user space processes (by using a DLL) to be aware of the current state of the ClusterXL state machine and other clustering configuration parameters.

    timer reports of cluster internal timers

    Kernel debugging options for Web Intelligence module: WS

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m WS

    Set this variable to debug a specific Virtual System:

    # fw ctl set int ws_debug_vs VSID

    Set this variable to 0 (zero) to debug all Virtual Systems (default):

    # fw ctl set int ws_debug_vs 0

    Set this variable to debug a specific IP address:

    # fw ctl set int ws_debug_vs XXX.XXX.XXX.XXX

    Set this variable to 0 (zero) to debug all IP addresses (default):

    # fw ctl set int ws_debug_vs 0

    Flag Explanation

    address information about connection's IP address

    body HTTP body (content) layer

    connection connection layer

    cookie HTTP cookie header

    coverage shows the coverage times - entering, blocking, and time spent

    error errors: the connection is probably rejected

    event events

    fatal fatal errors: may prevent policy installation, etc.

    global global structure handling (usually policy related)

    info informational purposes only

    ioctl IOCTL control messages - communication between kernel and daemon, un/loading of FW-1

    mem_pool memory pool related

    memory memory allocation issues

    module module related

    parser HTTP header parser layer

    parser_err HTTP header parsing errors

    pfinder pattern finder related

    pkt_dump traffic packet dump (requires connection)

    policy policy (installation and enforcement)

    regexp regular expression library

    report_mgr report manager (errors and logs)

    session session layer

    spii Stateful Protocol Inspection Infrastructure (INSPECT streaming)

    ssl_insp HTTPS SSL Inspection

    sslt SSLT library

    stat memory usage statistics

    stream stream virtualization

    subject shows the debug subject of each message

    timestamp a timestamp for each debug message (changes when 'coverage' is active)

    uuid session UUID related

    vs prints VSID of the debugged Virtual System

    warning warnings: may affect connection behavior

    Kernel debugging options for FloodGate-1 (QoS) module: FG-1

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m FG-1

    Flag Explanation

    auth authenticated QoS feature

    automatch report matching process (debug version only)

    autosched report scheduling process (debug version only) - a good way to report the rates on rules

    chain tracing each packet through FloodGate-1 points in the cookie chain

    chainq holding and releasing packets during critical actions (policy install / uninstall) - internal Chain Q mechanism

    citrix Citrix processing

    conn connection information and identification processing

    dns DNS classification mechanism

    driver kernel attachment - access to kernel is shown as log entries

    drops dropped packets due to WFRED policy

    dropsv dropped packets due to WFRED policy - with additional debug information (verbose version)

    error different error messages (default)

    fwrate report rate statistics per interface and direction

    general currently unused

    install policy installation and building internal data structure (for future use)

    llq low latency queuing

    log everything related to calls in the log

    ls Load Sharing

    memory memory allocation issues

    multik CoreXL related

    pkt packet recording mechanism

    policy QoS policy rules matching classification mechanism

    qosaccel QoS acceleration

    rates reporting rule / connection rates - IQ Engine behaviour and status

    registry failed to open a key from Check Point Registry ($CPDIR/registry/HKLM_registry.data)

    rtm failures in information gathering in RTM module (SmartView Monitor)

    sched basic scheduling information

    tcp TCP streaming (re-transmission detection) mechanism

    time currently unused

    timers reports of timer ticks (pours many messages, without real content)

    url URL and URI for QoS classification mechanism

    verbose used with other flags - for additional information

    Kernel debugging options for VoIP H323 module: h323

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m h323

    Flag Explanation

    align VoIP debug general messages (for example, VOIP infrastructure)

    cpas CPAS TCP debug messages - since H323 : H225 and H245 are over TCP ; this flag is not included when debug is run with "all" flag ( # fw ctl debug -m h323 all )

    decode H323 decoder messages

    error different error messages (default)

    h225 H225 call signaling messages (SETUP, CONNECT, RELEASE COMPLETE, etc.)

    h245 H245 control signaling messages (OPEN LOGICAL CHANNEL, END SESSION COMMAND, etc.)

    init used for internal errors

    ras H225 RAS messages (REGISTRATION, ADMISSION, and STATUS REQUEST / RESPONSE)

    Kernel debugging options for Real Time Monitoring module: RTM

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m rtm

    Flag Explanation

    accel displays SecureXL information regarding accelerated packets, connections, etc.

    chain displays information about chain registering, and about the E2E chain function actions; this important flag helps you know if the E2E (VL) is identifying VL packets.

    con_conn displays the same information as per_conn flag

    driver kernel attachment - access to kernel is shown as log entries

    err different error messages (default)

    import displays information about RTM importing functions from other modules (FW-1, FG-1)

    init rarely used

    ioctl RTM IOCTL control messages

    netmasks displays information about how the RTM handles netmasks, if you are monitoring a network object that is a network

    per_conn messages per connection (when a new connection is handled by RTM)

    per_pckt messages per packet (when a new packet arrives) - use it with care

    performance currently unused

    policy displays FireWall-1 load/unload messages (indicates that the RTM received the FW-1 callback)

    rtm displays information about RTM monitoring

    s_err displays various error messages (regarding tables info and other failures)

    sort debugging the RTM top X monitoring sorting

    special displays information about how E2E modifies E2ECP protocol packets

    tabs currently unused

    topo displays information about how the RTM calculates network topography

    view_add when Views are added or deleted

    view_update when Views are updated with new information

    view_update1 when Views are updated with new information

    wd displays information regarding WebDefense views

    Kernel debugging options for Kernel Infrastructure module: kiss

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m kiss

    Flag Explanation

    bench CPU benchmarker

    dfa Pattern Matcher (Deterministic Finite Automaton) compilation and execution

    driver when FW driver is loaded / unloaded

    error different error messages (default)

    flofiler FLow prOFILER

    ghtab multi-threaded safe global hash tables

    handles Memory Pool allocation for tables

    htab multi-threaded safe hash tables

    ioctl IOCTL control messages - communication between kernel and daemon

    kqstats Kernel Worker thread statistics mechanism - resetting, initializing, turning off

    kw Kernel Worker state and Pattern Matcher inspection

    memory memory allocation issues

    misc CPU counters, Memory counters, getting/setting of global kernel parameters

    mtctx multi-threaded context - memory allocation, reference count

    pcre Perl Compatible Regular Expressions - execution, memory allocation

    pm Pattern Matcher compilation and execution

    pmdump Pattern Matcher DFA (dumping XMLs of DFAs)

    pmint Pattern Matcher compilation

    pools Memory Pool allocation issues

    queue Kernel Worker thread queues

    rem Regular Expression Matcher - Pattern Matcher 2nd tier (slow path)

    salloc System Memory allocation

    shmem shared memory allocation

    sm String Matcher - Pattern Matcher 1st tier (fast path)

    stat statistics for categories and maps

    swblade registration of Software Blades

    thinnfa currently unused (Thin NFA)

    thread kernel thread that supplies kernel thread low level APIs

    usrmem User Space platform memory usage

    vbuf virtual buffer

    warning warnings (default)

    worker Kernel Worker - queuing and dequeuing

    Kernel debugging options for Kernel Infrastructure Flow module: kissflow

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m kissflow

    Flag Explanation

    compile Pattern Matcher - pattern compilation

    dfa Pattern Matcher (Deterministic Finite Automaton) compilation and execution

    error different error messages (default)

    memory memory allocation issues

    pm Pattern Matcher - general information

    warning warnings (default)

    Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m multik

    When enabling the 'multik' flag in the 'FW' module, it enables all the flags in this module except for flag 'packet'

    Flag Explanation

    api registration and unregistration of cross-instance function calls

    clb statistics collection for the core load balancer utility

    conn creation and deletion of connections in the dispatcher table

    counter cross-instance counter infrastructure

    error various error conditions in CoreXL infrastructure

    event cross-instance event aggregation infrastructure

    fwstats FW-1 statistics

    ioctl distribution of IOCTLs to different instances

    lock obtaining and releasing fw_lock on multiple instances

    message cross-instance messages (used for local sync and port scanning)

    packet per packet, shows the dispatching decision - instance and reason

    packet_err invalid packets, for which dispatching decision can't be made

    queue packet queue

    quota cross-instance quota table (used by the network quota feature)

    state starting and stopping of instances, establishment of relationship between instances

    uid Cross-instance Unique IDs

    Kernel debugging options for Content Inspection module: CI

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m CI

    Flag Explanation

    address shows connection address [Source_IP:Source_Port -> Dest_IP:Dest_Port]

    av Anti-Virus inspection

    coverage shows the coverage times - entering, blocking, and time spent

    crypto basic information about encryption and decryption

    error various general error messages

    fatal fatal errors

    filter basic information about URL filters

    info general information

    ioctl currently unused

    memory memory allocation issues

    module CI module operations - initialization, module loading, calls to module, policy loading, etc

    policy information about CI policy

    profile very basic information about CI module - initialization, destroying, freeing

    regexp regular expression library

    session session layer

    stat Content Inspection statistics

    subject shows the debug subject of each message

    timestamp a timestamp for each debug message (changes when 'coverage' is active)

    uf URL filters and URL cache

    vs prints VSID of the debugged Virtual System

    warning warnings

    Kernel debugging options for Application Control Inspection module: APPI

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m APPI

    Flag Explanation

    account accounting information

    address information about connection's IP address

    btime browse time

    connection APPI connections

    coverage shows the coverage times - entering, blocking, and time spent

    error various general error messages

    global global policy operations

    info general information

    limit APPI limits

    memory memory allocation issues

    module APPI module operations - initialization, module loading, calls to module, policy loading, etc

    policy information about APPI policy

    session session layer

    subject shows the debug subject of each message

    timestamp a timestamp for each debug message (changes when 'coverage' is active)

    urlf_ssl URL Filtering for SSL

    verbose used with other flags - for additional information

    vs prints VSID of the debugged Virtual System

    warning warnings

    Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m cmi_loader

    Flag Explanation

    address information about connection's IP address

    connection currently unused

    coverage shows the coverage times - entering, blocking, and time spent

    error various general error messages

    global_states user space global states structures

    info general information

    inspect cmi_loader INSPECT code

    memory memory allocation issues

    module cmi_loader module operations - initialization, module loading, calls to module, contexts, etc

    policy policy installation

    sigload signatures, patterns, ranges

    subject shows the debug subject of each message

    timestamp a timestamp for each debug message (changes when 'coverage' is active)

    verbose used with other flags - for additional information

    vs prints VSID of the debugged Virtual System

    warning warnings

    Kernel debugging options for Next Rule Base module: NRB

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m NRB

    Flag Explanation

    address information about connection's IP address

    appi rules and applications

    coverage shows the coverage times - entering, blocking, and time spent

    dlp Data Leak Prevention

    error various general error messages

    info general information

    match rule matching

    memory memory allocation issues

    module NRB module operations - initialization, module loading, calls to module, contexts, etc

    policy policy installation

    sec_rb security rulebase

    session session layer

    ssl_insp HTTPS SSL Inspection

    subject shows the debug subject of each message

    timestamp a timestamp for each debug message (changes when 'coverage' is active)

    verbose used with other flags - for additional information

    vs prints VSID of the debugged Virtual System

    warning warnings

    Kernel debugging options for Resource Advisor module: RAD_KERNEL

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m RAD_KERNEL

    Flag Explanation

    address information about connection's IP address

    cache RAD kernel malware cache

    coverage shows the coverage times - entering, blocking, and time spent

    error various general error messages

    global RAD global contexts

    info general information

    memory memory allocation issues

    subject shows the debug subject of each message

    timestamp a timestamp for each debug message (changes when 'coverage' is active)

    verbose used with other flags - for additional information

    vs prints VSID of the debugged Virtual System

    warning warnings

    Kernel debugging options for Struct Generator module: SGEN

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m SGEN

    Flag Explanation

    engine Struct Generator engine operations

    error various general error messages

    fatal fatal errors

    field operations on fields

    general general types macros

    info general information

    load loading of macros

    serialize serialization during loading of macros

    warning warnings

    Kernel debugging options for Web Intelligence Infrastructure module: WSIS

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m WSIS

    Set this variable to debug specific Virtual System: # fw ctl set int ws_debug_vs VSID

    Set this variable to 0 (zero) to debug all Virtual Systems (default): # fw ctl set int ws_debug_vs 0

    Set this variable to debug specific IP address: # fw ctl set int ws_debug_vs XXX.XXX.XXX.XXX

    Set this variable to 0 (zero) to debug all IP addresses (default): # fw ctl set int ws_debug_vs 0

    Flag Explanation

    address information about connection's IP address

    common prints a message when parameters are invalid

    coverage shows the coverage times - entering, blocking, and time spent

    datastruct data structure tree

    decoder decoder for content transfer encoding (UUEncode, UTF-8, HTML encoding)

    error various general error messages

    info general information

    memory memory allocation issues

    parser HTTP header parser layer

    subject shows the debug subject of each message

    timestamp a timestamp for each debug message (changes when 'coverage' is active)

    verbose used with other flags - for additional information

    vs prints VSID of the debugged Virtual System

    warning warnings

    Kernel debugging options for Web Intelligence SIP Parser module: WS_SIP

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m WS_SIP

    Set this variable to debug specific Virtual System: # fw ctl set int ws_debug_vs VSID

    Set this variable to 0 (zero) to debug all Virtual Systems (default): # fw ctl set int ws_debug_vs 0

    Set this variable to debug specific IP address: # fw ctl set int ws_debug_vs XXX.XXX.XXX.XXX

    Set this variable to 0 (zero) to debug all IP addresses (default): # fw ctl set int ws_debug_vs 0

    Flag Explanation

    address information about connection's IP address

    body HTTP body (content) layer

    connection connection layer

    cookie HTTP cookie header

    coverage shows the coverage times - entering, blocking, and time spent

    error errors: the connection is probably rejected

    event events

    fatal fatal errors: may prevent policy installation, etc.

    global global structure handling (usually policy related)

    info informational purposes only

    ioctl IOCTL control messages - communication between kernel and daemon, un/loading of FW-1

    mem_pool memory pool related

    memory memory allocation issues

    module module related

    parser HTTP header parser layer

    parser_err HTTP header parsing errors

    pfinder pattern finder related

    pkt_dump traffic packet dump (requires connection)

    policy policy (installation and enforcement)

    regexp regular expression library

    report_mgr report manager (errors and logs)

    session session layer

    spii Stateful Protocol Inspection Infrastructure (INSPECT streaming)

    ssl_insp HTTPS SSL Inspection

    sslt SSLT library

    stat memory usage statistics

    stream stream virtualization

    subject shows the debug subject of each message

    timestamp a timestamp for each debug message (changes when 'coverage' is active)

    uuid session UUID related

    vs prints VSID of the debugged Virtual System

    warning warnings: may affect connection behavior

    Kernel debugging options for Data Leak Prevention module: DLPK

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m dlpk

    Flag Explanation

    error various general error messages

    cmi HTTP Proxy, connection redirection, identity information, Async

    drv DLP inspection

    identity user identity, connection identity, Async

    rulebase DLP rulebase match

    stat counters statistics

    warning warnings

    Kernel debugging options for Data Leak Prevention User module: DLPUK

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m dlpuk

    Flag Explanation

    address information about connection's IP address

    buffer currently unused

    coverage shows the coverage times - entering, blocking, and time spent

    error various general error messages

    info general information

    memory memory allocation issues

    module initiating / removing of DLPUK debug infrastructure

    policy currently unused

    serialize data buffers and data sizes

    subject shows the debug subject of each message

    timestamp a timestamp for each debug message (changes when 'coverage' is active)

    verbose used with other flags - for additional information

    vs prints VSID of the debugged Virtual System

    warning warnings

    Kernel debugging options for Identity Awareness module: IDAPI

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m IDAPI

    Flag Explanation

    address information about connection's IP address

    async checking known network

    coverage shows the coverage times - entering, blocking, and time spent

    data Portal, IP address matching for Terminal Servers Identity Agent, session handling

    error various general error messages

    htab checking for network IP address, working with kernel tables

    info general information

    memory memory allocation issues

    module removing of IDAPI debug IS, failed to convert to Base64, failed to append src to dst

    subject shows the debug subject of each message

    test IP test, IDAPI sync

    timestamp a timestamp for each debug message (changes when 'coverage' is active)

    verbose used with other flags - for additional information

    vs prints VSID of the debugged Virtual System

    warning warnings

    Kernel debugging options for Stream File Type module: SFT

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m SFT

    Flag Explanation

    error various general error messages

    fatal fatal errors

    info general information

    mgr rule match, database, connection processing, classification

    warning warnings

    Kernel debugging options for UserCheck module: UC

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m UC

    Flag Explanation

    address information about connection's IP address

    coverage shows the coverage times - entering, blocking, and time spent

    error various general error messages

    htab hash table

    info general information

    memory memory allocation issues

    module UC module initializing, UC table hits, finding User ID in cache, removing of UC debug IS

    subject shows the debug subject of each message

    timestamp a timestamp for each debug message (changes when 'coverage' is active)

    verbose used with other flags - for additional information

    vs prints VSID of the debugged Virtual System

    warning warnings

    webapi URL patterns, UC incidents, connection redirection

    Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT

    If you want to make sure that the firewall accepted the flags, you need to run: fw ctl debug -m ICAP_CLIENT

    Flag Explanation

    address information about connection's IP address

    coverage shows the coverage times - entering, blocking, and time spent

    error various general error messages

    global global client

    info general information

    memory memory allocation issues

    module kernel handler, user mode handler,

    policy policy

    subject shows the debug subject of each message

    timestamp a timestamp for each debug message (changes when 'coverage' is active)

    verbose used with other flags - for additional information

    vs prints VSID of the debugged Virtual System

    warning warnings
