Kernel Debug Flags (R77.30) Table of Contents Usage ............................................................................................................................................................................ 2 Explanation for 'fw ctl debug' ........................................................................................................................................ 2 Explanation for 'fw ctl kdebug' ...................................................................................................................................... 2 Debug severity .............................................................................................................................................................. 2 Example ........................................................................................................................................................................ 3 Kernel debugging options for Firewall module: fw ........................................................................................................ 4 Kernel debugging options for VPN module: VPN ......................................................................................................... 6 Kernel debugging options for Cluster module: cluster .................................................................................................. 7 Kernel debugging options for Kernel Infrastructure module: kiss ................................................................................. 8 Kernel debugging options for Kernel Infrastructure Flow module: kissflow .................................................................. 8 Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik .......................................................... 9 Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader .................. 9 Kernel debugging options for Data Leak Prevention module: dlpk ............................................................................10 Kernel debugging options for Data Leak Prevention User module: dlpuk ..................................................................10 Kernel debugging options for Application Control Inspection module: APPI ..............................................................11 Kernel debugging options for Content Inspection module: CI ....................................................................................11 Kernel debugging options for Next Rule Base module: NRB .....................................................................................12 Kernel debugging options for Resource Advisor module: RAD_KERNEL .................................................................12 Kernel debugging options for Identity Awareness module: IDAPI ..............................................................................13 Kernel debugging options for Struct Generator module: SGEN .................................................................................13 Kernel debugging options for UserCheck module: UC ...............................................................................................13 Kernel debugging options for Check Point Active Streaming module: CPAS ............................................................14 Kernel debugging options for Web Intelligence module: WS .....................................................................................15 Kernel debugging options for Web Intelligence Infrastructure module: WSIS ...........................................................16 Kernel debugging options for Web Intelligence SIP Parsermodule: WS_SIP ...........................................................17 Kernel debugging options for Stream File Type module: SFT ...................................................................................18 Kernel debugging options for FloodGate-1 (QoS) module: fg ....................................................................................18 Kernel debugging options for Real Time Monitoring module: RTM............................................................................19 Kernel debugging options for VoIP H323 module: h323 ............................................................................................19 Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT ..........................20 Kernel debugging options for GPRS Tunneling Protocol (GTP) module: gtp ............................................................20 Kernel debugging options for Boolean Analyzer for Web Intelligence (BOA) module: BOA ......................................21 Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 1 of 21 Usage # fw ctl debug -h : # fw ctl debug [–x] [–m <module>] [+ |–] <options | all | 0> # fw ctl debug [–t (NONE | ERR | WRN | NOTICE | INFO)] [–f (RARE | COMMON)] # fw ctl kdebug [–i <file> | [–f] –o <file>] [–b <buffer size>] [–t | –T] [–p fld1[,fld2...] [–m <num> [–s <size>]] Explanation for 'fw ctl debug' # fw ctl debug 0 # fw ctl debug -x # fw ctl debug -buf <size> # fw ctl debug # fw ctl debug -m # fw ctl debug -m <module> // defaults (clears) all kernel debugging options // disables all kernel debugging options : // de-allocatesthebuffer&automaticallykills“fwctldebug”process // allocates the buffer (OS will use maximal available buffer) : // MIN value 128kB ; MAX value 32MB // displays ALL kernel modules and their flags THAT WERE TURNED ON // displays ALL kernel modules and their flags thatmachine“understands” // displays the flags for this module THAT WERE TURNED ON Explanation for 'fw ctl kdebug' # fw ctl kdebug -t / -T # fw ctl kdebug -p <field> // in NGX only - prints the timestamp (t = seconds ; T = microseconds) helps synchronize packets in debug with packets in “FW Monitor” // prints specific fields : all | proc | pid | date | mid | type | freq | topic | time | ticks | tid | text | err | host New in NGX : # fw ctl kdebug -f -o <file_name> -m <num> -s <size> file_name = name of the output file num = maximum number of cyclic files to create size = maximum size of each cyclic file in kilobytes When given <size> is reached (more or less), <file_name> is renamed to <file_name.0>, and a new <file_name> is created. If <file_name.0> already exists, then <file_name> is renamed to <file_name.1>, and so on - until the <number> limit is reached (then the rotation takes place - oldest files are just deleted). Debug severity # fw ctl debug -m <module> <severity list> <subject list> List of debug severities: info = informational purposes only warning = warnings: may affect connection behavior error = errors: the connection is probably rejected fatal = fatal errors: may prevent policy installation, etc. List of debug subjects: See the debug flags below Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 2 of 21 Example # # # # # # # # # # # # # # # # # # # # # # # # # # # # # fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw fw ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl ctl debug 0 // Setting kernel debug default options debug -buf 32000 // Setting kernel debug buffer debug -m fw + flags // FW debug debug -m VPN + flags // VPN debug debug -m cluster + flags // Cluster debug debug -m kiss + flags // Kernel Infrastructure debug debug -m kissflow + flags // Kernel Infrastructure Flow debug debug -m multik + flags // Multi-Kernel Inspection debug debug -m cmi_loader + flags // IPS CMI debug debug -m dlpk + flags // Data Leak Prevention (DLP) debug debug -m dlpuk + flags // Data Leak Prevention User module (DLP) debug debug -m APPI + flags // Application Control debug debug -m CI + flags // Content Inspection (AV) debug debug -m NRB + flags // Next Rule Base debug debug -m RAD_KERNEL + flags // Resource Advisor debug debug -m IDAPI + flags // Identity Awareness debug debug -m SGEN + flags // Struct Generator debug debug -m UC + flags // UserCheck debug debug -m CPAS + flags // CPAS debug debug -m WS + flags // Web Intelligence debug debug -m WSIS + flags // Web Intelligence Infrastructure debug debug -m WS_SIP + flags // Web Intelligence SIP Parser debug debug -m SFT + flags // Stream File Type debug debug -m fg + flags // FloodGate-1 (QoS) debug debug -m RTM + flags // Real-Time Monitoring debug debug -m h323 + flags // H.323 debug debug -m ICAP_CLIENT + flags // Internet Content Adaptation Protocol client debug debug -m gtp + flags // GPRS Tunneling Protocol (GTP) debug kdebug -T -f > /var/log/kernel_debug.txt // output file Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 3 of 21 Kernel debugging options for Firewall module: fw Syntax: fw ctl debug -m fw + flag1 flag2 flag3 ... | fw ctl debug -m fw all Flag acct advp aspii balance bridge cgnat chain chainfwd cifs citrix cmi conn connstats content context cookie cptls crypt cvpnd dfilter dlp dnstun domain dos driver drop dynlog epq error ex filter ftp highavail hold icmptun if install integrity ioctl ipopt ips ipv6 kbuf ld leaks link log machine mail malware media memory mgcp misc Explanation Application Control accounting in Smart View Tracker log (also debug module 'APPI') advanced patterns (signatures over port ranges) - runs under ASPII and CMI Accelerated Stateful Protocol Inspection Infrastructure (INPSECT streaming) ConnectControl - logical servers in kernel , load balancing Bridge mode Carrier Grade NAT (CGN/CGNAT) cookie chain , chain modules chain forwarding - related to fwha_perform_chain_forwarding global kernel variable Common Internet File System (CIFS) - file sharing protocol in Windows-based networks Citrix processing Context Management Interface/Infrastructure - IPS signature manager Connections Table issues connections statistics for Evaluation of Heavy Connections in CPView (refer to sk105762) AV content inspection operations on Memory context and CPU context in KISS module virtual de-fragmentation , cookie issues (cookies in the data structure holding the packets) CRYPTO-PRO Transport Layer Security (HTTPS inspection) - Russian VPN GOST encrypted / decrypted packets, algorithms and keys are printed in clear text and cipher text Mobile Access daemon debug filter operations Data Leak Prevention DNS tunnels DNS queries DDoS attack mitigation (part of IPS) kernel attachment - access to kernel is shown as log entries associates a reason for (almost) every dropped packet dynamic log enhancement (INSPECT logs) End Point Quarantine (also AMD) various general error messages (enabled by default) dynamic table expiration issues (time-out) packet filtering performed by kernel and all data loaded into kernel FTP Data connections inspection (used to call applications over FTP Data - i.e., Anti-Virus) cluster configuration - changes in the configuration and information about interfaces during traffic processing holding mechanism and all packets being held / released ICMP tunnels interface-related information - accessing the interfaces, installing a filter on an interfaces driver installation - NIC attachment (fw ctl install and fw ctl uninstall) client integrity mechanics IOCTL control messages - communication between kernel and daemons, un/loading of FW-1 IP options enforcement IPS logs and IPS IOCTL IPv6 traffic debug kernel-buffer memory pool - e.g., encryption keys use these memory allocations kernel dynamic tables infrastructure - reads and writes to the tables (machine can hang!) memory leak detection mechanism Link creation in Connections Table everything related to calls in the log INSPECT Virtual Machine - actual assembler commands being processed (FW can hang!) e-mail issues - POP3, IMAP Anti-Malware (Anti-Virus, Anti-Spam) Windows OS: Transport Driver Interface information (interface-related information) memory allocation issues Media Gateway Control Protocol (complementary to H.323 and SIP) miscellaneous helpful information - not shown with other flags Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 4 of 21 misp monitor monitorall mrtsync msnms multik nac nat nat64 ndis netquota packet packval portscan prof q qos rad route sam scv sctp sip smtp sock span spii synatk sync tcpstr te ua ucd user vm wap warning wire xlate xltrc zeco ISP Redundancy printsoutputsimilarto“fwmonitor”intothedebugbuffer (also enable the 'misc' flag) printsoutputsimilarto“fwmonitor -p all”intothedebugbuffer (also enable the 'misc' flag) synchronization (in kernel) between cluster members of Multicast Routes that are added when working with Dynamic Routing Multicast protocols MSN over MSMS (MSN Messenger protocol) - always include “sip” flag CoreXL related (enables all the flags except for flag 'packet' in the 'MULTIK' module) Network Access Control (NAC) Blade (refer to Identity Awareness) NAT issues - basic information NAT issues - 6in4 tunnels (IPv6 over IPv4) and 4in6 tunnels (IPv4 over IPv6) Windows OS: Network Driver Interface Specification (interface-related information) Network Quota IPS protection actions performed on packet - like accept, drop, fragment (esp. KFUNCs called by INSPECT) stateless verifications - sequences, fragments, translations and other header verifications port scanning prevention mechanics Firewall Priority Queues - connection profiler (refer to sk105762) driver queue - e.g., synchronization operations (crucial for ClusterXL sync debugging) QoS (FloodGate-1) Resource Advisor policy routing debugging (ISP Redundancy, fwcookie code) Suspicious Activity Monitoring (OPSec) SecureClient Verification Stream Control Transmission Protocol (SCTP) VoIP traffic - SIP and H323 e-mail issues - SMTP Sockstress TCP DoS attack (CVE-2008-4609) mirror port (duplicates the network traffic and records the activity in logs) Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure 'SYN Attack' (SYNDefender) IPS protection synchronization operations in ClusterXL TCP streaming mechanism prints name of an interface for incoming connection from Threat Emulation Machine VoIP traffic - Universal Alcatel "UA" Protocol UserCheck connections to other cluster members User Space communication with Kernel Space (most useful for configuration and VSX debug) Virtual Machine chain decisions on traffic going through fw_filter_chain Multimedia Messaging Service (Wireless Application Protocol) various general warning messages (enabled by default) wire-mode Virtual Machine chain module NAT issues - basic information NAT issues - additional information - going through NAT rulebase Zero-Copy kernel module memory allocations Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 5 of 21 Kernel debugging options for VPN module: VPN Syntax: fw ctl debug -m VPN + flag1 flag2 flag3 ... | fw ctl debug -m VPN all Flag cluster comp counters cphwd driver err gtp ifnotify ike init l2tp lsv mem mspi multicast multik nat om_alloc osu packet pcktdmp policy queue rdp ref resolver rsl sas sr tagging tcpt tnlmon topology vin warn xl Explanation cluster related events compression for encrypted connections various status counters (typically for SmartView Monitor) hardware acceleration issues kernel attachment - access to kernel is shown as log entries errors that should not happen, or errors that critical to the working of the VPN module GTP (GPRS Tunneling Protocol) debugs notification of changes in interface status - up or down (received from OS). turns on all IKE kernel debug in respect to moving the IKE to the interface, where it will eventually leave and the modification of the source IP of the IKE packet, depending on the configuration. initializes the VPN kernel and kernel data structures, when kernel is up, or when policy is installed - it will also print the values of the flags that are set using CPSET upon policy reload L2TP protocol related events Large Scale VPN (LSV) allocation of VPN pools and VPN contexts information related to creation and destruction of MSA / MSPI VPN multicast information related to VPN and CoreXL interaction NAT issues , cluster IP manipulation (Virtual_IP-to-Member_IP and backwards) allocation of Office Mode IP addresses Optimal Service Upgrade events that can happen for every packet, unless covered by more specific debug flags dumps the encrypted / decrypted packets (before encryption / after decryption) events that can happen only for a special packet in a connection, usually related to policy decisions or logs / traps handling of Security Association (SA) queues handling of RDP packets information regarding reference counting for MSA / MSPI when storing or deleting SAs link selection table manipulation and Certificate Revocation List (CRL), which is also part of the peer resolving mechanism operations on range skip list printing of keys and SA information SecureClient/SecureRemote related issues sets the VPN policy of a connection according to VPN communities, VPN Policy related info TCP Tunnel (Visitor mode) related information (FW traversal on port 443) tunnel monitoring information related to VPN Link Selection information related to IPSec NIC interaction (on Windows OS only) warnings: may affect connection behavior Accelerator cards interaction (AC II / III / IV) Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 6 of 21 Kernel debugging options for Cluster module: cluster Syntax: fw ctl debug -m cluster + flag1 flag2 flag3 ... | fw ctl debug -m cluster all There is also the SYNC flag, which is in the “FW” module and shows debug that is related to SYNC only. Set this variable to print the contents of the packets in HEX format as "FW-1: fwha_print_packet: Buffer:" # fw ctl set int fwha_dprint_io 1 Set this variable to print all network checking printing # fw ctl set int fwha_dprint_all_net_check 1 Flag accel ccp conf cu df drop forward if log mac nokia pivot pnote select stat subs timer Explanation related to status and support of SecureXL (should be used in parallel with 'conf' flag) reception/transmission of Cluster Control Protocol (CCP) packets configuration and policy installation Connectivity Upgrade - translation of kernel tables, connection synchronization, connection rematch, etc. Decision Function - decides, which member will handle each packet in a Load Sharing mode connections dropped by the CXL Decision Function (DF) module (only in NGX)- excluding CCP packets Forwarding Layer messages - when sending and receiving a forwarded packet interface tracking and validation - all the operations and checks on interfaces creating and sending of logs by cluster(should be used in parallel with 'log' flag in 'fw' module) related to current configuration of and detection of cluster interfaces (should be used in parallel with 'conf' flag and 'if' flag) related to cluster running on Nokia IPSO platform related to ClusterXL Load Sharing Unicast mode (Pivot mode) related to registering and monitoring of critical devices (pnotes) packet selection - including Decision Function (DF) related to state of cluster members (state machine) Subscriber module - set of APIs, which enable user space processes (by using a DLL) to be aware of the current state of the ClusterXL state machine and other clustering configuration parameters. reports of cluster internal timers Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 7 of 21 Kernel debugging options for Kernel Infrastructure module: kiss Syntax: fw ctl debug -m kiss + flag1 flag2 flag3 ... | fw ctl debug -m kiss all Flag bench dfa driver error flofiler ghtab handles htab ioctl kqstats kw memory memprof misc mtctx pcre pm pmdump pmint pools queue rem salloc shmem sm stat swblade thinnfa thread timers usrmem vbuf warning worker Explanation CPU benchmarker Pattern Matcher (Deterministic Finite Automaton) compilation and execution when FW driver is loaded / unloaded different error messages (default) FLow prOFILER multi-threaded safe global hash tables Memory Pool allocation for tables multi-threaded safe hash tables IOCTL control messages - communication between kernel and daemon Kernel Worker thread statistics mechanism - resetting, initializing, turning off Kernel Worker state and Pattern Matcher inspection memory allocation issues memory allocation issues in memory profiler (when fw_conn_mem_prof_enabled=1) CPU counters, Memory counters, getting/setting of global kernel parameters multi-threaded context - memory allocation, reference count Perl Compatible Regular Expressions - execution, memory allocation Pattern Matcher compilation and execution Pattern Matcher DFA (dumping XMLs of DFAs) Pattern Matcher compilation Memory Pool allocation issues Kernel Worker thread queues Regular Expression Matcher - Pattern Matcher 2nd tier (slow path) System Memory allocation shared memory allocation String Matcher - Pattern Matcher 1st tier (fast path) statistics for categories and maps registration of Software Blades currently unused (Thin NFA) kernel thread that supplies kernel thread low level APIs internal timers User Space platform memory usage virtual buffer warnings (default) Kernel Worker - queuing and dequeuing Kernel debugging options for Kernel Infrastructure Flow module: kissflow Syntax: fw ctl debug -m kissflow + flag1 flag2 flag3 ... | fw ctl debug -m kissflow all Flag compile dfa error memory pm warning Explanation Pattern Matcher - pattern compilation Pattern Matcher (Deterministic Finite Automaton) compilation and execution different error messages (default) memory allocation issues Pattern Matcher - general information warnings (default) Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 8 of 21 Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik Syntax: fw ctl debug -m multik + flag1 flag2 flag3 ... | fw ctl debug -m multik all When enabling the 'multik' flag in the 'FW' module, it enables all the flags in this module except for flag 'packet' Flag api clb conn counter error event fwstats ioctl lock message packet packet_err prio queue quota state temp_conns uid Explanation registration and unregistration of cross-instance function calls statistics collection for the core load balancer utility creation and deletion of connections in the dispatcher table cross-instance counter infrastructure various error conditions in CoreXL infrastructure cross-instance event aggregation infrastructure FW-1 statistics distribution of IOCTLs to different instances obtaining and releasing fw_lock on multiple instances cross-instance messages (used for local sync and port scanning) per packet, shows the dispatching decision - instance and reason invalidpackets,forwhichdispatchingdecisioncan’tbemade Firewall Priority Queues (refer to sk105762) packet queue cross-instance quota table (used by the network quota feature) starting and stopping of instances, establishment of relationship between instances temporary connections Cross-instance Unique IDs Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader Syntax: fw ctl debug -m cmi_loader + flag1 flag2 flag3 ... | fw ctl debug -m cmi_loader all Flag address connection coverage error global_states info inspect memory module policy sigload subject timestamp verbose vs warning Explanation information about connection's IP address currently unused shows the coverage times - entering, blocking, and time spent various general error messages user space global states structures general information cmi_loader INSPECT code memory allocation issues cmi_loader module operations - initialization, module loading, calls to module, contexts, etc policy installation signatures, patterns, ranges shows the debug subject of each message a timestamp for each debug message (changes when 'coverage' is active) used with other flags - for additional information prints VSID of the debugged Virtual System warnings Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 9 of 21 Kernel debugging options for Data Leak Prevention module: dlpk Syntax: fw ctl debug -m dlpk + flag1 flag2 flag3 ... | fw ctl debug -m dlpk all Flag error cmi drv identity rulebase stat warning Explanation various general error messages HTTP Proxy, connection redirection, identity information, Async DLP inspection user identity, connection identity, Async DLP rulebase match counters statistics warnings Kernel debugging options for Data Leak Prevention User module: dlpuk Syntax: fw ctl debug -m dlpuk + flag1 flag2 flag3 ... | fw ctl debug -m dlpuk all Flag address buffer coverage error info memory module policy serialize subject timestamp verbose vs warning Explanation information about connection's IP address currently unused shows the coverage times - entering, blocking, and time spent various general error messages general information memory allocation issues initiating / removing of DLPUK debug infrastructure currently unused data buffers and data sizes shows the debug subject of each message a timestamp for each debug message (changes when 'coverage' is active) used with other flags - for additional information prints VSID of the debugged Virtual System warnings Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 10 of 21 Kernel debugging options for Application Control Inspection module: APPI Syntax: fw ctl debug -m APPI + flag1 flag2 flag3 ... | fw ctl debug -m APPI all Flag account address btime connection coverage error global info limit memory module policy session subject timestamp urlf_ssl verbose vs warning Explanation accounting information information about connection's IP address browse time APPI connections shows the coverage times - entering, blocking, and time spent various general error messages global policy operations general information APPI limits memory allocation issues APPI module operations - initialization, module loading, calls to module, policy loading, etc information about APPI policy session layer shows the debug subject of each message a timestamp for each debug message (changes when 'coverage' is active) URL Filtering for SSL used with other flags - for additional information prints VSID of the debugged Virtual System warnings Kernel debugging options for Content Inspection module: CI Syntax: fw ctl debug -m CI + flag1 flag2 flag3 ... | fw ctl debug -m CI all Flag address av coverage crypto error fatal filter info ioctl memory module policy profile regexp session stat subject timestamp track uf vs warning Explanation shows connection address [Source_IP:Source_Port -> Dest_IP:Dest_Port] Anti-Virus inspection shows the coverage times - entering, blocking, and time spent basic information about encryption and decryption various general error messages fatal errors basic information about URL filters general information currently unused memory allocation issues CI module operations - initialization, module loading, calls to module, policy loading, etc information about CI policy very basic information about CI module - initialization, destroying, freeing regular expression library session layer Content Inspection statistics shows the debug subject of each message a timestamp for each debug message (changes when 'coverage' is active) use only for very limited important debug prints, so it can be used in a loaded environment Content-Disposition, Content-Type, extension validation, extension matching URL filters and URL cache prints VSID of the debugged Virtual System warnings Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 11 of 21 Kernel debugging options for Next Rule Base module: NRB Syntax: fw ctl debug -m NRB + flag1 flag2 flag3 ... | fw ctl debug -m NRB all Flag address appi coverage dlp error info match memory module policy sec_rb session ssl_insp subject timestamp verbose vs warning Explanation information about connection's IP address rules and applications shows the coverage times - entering, blocking, and time spent Data Leak Prevention various general error messages general information rule matching memory allocation issues NRB module operations - initialization, module loading, calls to module, contexts, etc policy installation security rulebase session layer HTTPS SSL Inspection shows the debug subject of each message a timestamp for each debug message (changes when 'coverage' is active) used with other flags - for additional information prints VSID of the debugged Virtual System warnings Kernel debugging options for Resource Advisor module: RAD_KERNEL Syntax: fw ctl debug -m RAD_KERNEL + flag1 flag2 flag3 ... | fw ctl debug -m RAD_KERNEL all Flag address cache coverage error global info memory subject timestamp verbose vs warning Explanation information about connection's IP address RAD kernel malware cache shows the coverage times - entering, blocking, and time spent various general error messages RAD global contexts general information memory allocation issues shows the debug subject of each message a timestamp for each debug message (changes when 'coverage' is active) used with other flags - for additional information prints VSID of the debugged Virtual System warnings Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 12 of 21 Kernel debugging options for Identity Awareness module: IDAPI Syntax: fw ctl debug -m IDAPI + flag1 flag2 flag3 ... | fw ctl debug -m IDAPI all Flag address async coverage data error htab info memory module subject test timestamp verbose vs warning Explanation information about connection's IP address checking known network shows the coverage times - entering, blocking, and time spent Portal, IP address matching for Terminal Servers Identity Agent, session handling various general error messages checking for network IP address, working with kernel tables general information memory allocation issues removing of IDAPI debug IS, failed to convert to Base64, failed to append src to dst shows the debug subject of each message IP test, IDAPI sync a timestamp for each debug message (changes when 'coverage' is active) used with other flags - for additional information prints VSID of the debugged Virtual System warnings Kernel debugging options for Struct Generator module: SGEN Syntax: fw ctl debug -m SGEN + flag1 flag2 flag3 ... | fw ctl debug -m SGEN all Flag engine error fatal field general info load serialize warning Explanation Struct Generator engine operations various general error messages fatal errors operations on fields general types macros general information loading of macros serialization during loading of macros warnings Kernel debugging options for UserCheck module: UC Syntax: fw ctl debug -m UC + flag1 flag2 flag3 ... | fw ctl debug -m UC all Flag address coverage error htab info memory module subject timestamp verbose vs warning webapi Explanation information about connection's IP address shows the coverage times - entering, blocking, and time spent various general error messages hash table general information memory allocation issues UC module initializing, UC table hits, finding User ID in cache, removing of UC debug IS shows the debug subject of each message a timestamp for each debug message (changes when 'coverage' is active) used with other flags - for additional information prints VSID of the debugged Virtual System warnings URL patterns, UC incidents, connection redirection Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 13 of 21 Kernel debugging options for Check Point Active Streaming module: CPAS Syntax: fw ctl debug -m CPAS + flag1 flag2 flag3 ... | fw ctl debug -m CPAS all Flag api conns error events ftp glue http icmp notify pkts skinny sync tcp tcpinfo timer warning Explanation interface layer messages detailed description of connections, and connection's limit-related messages errors: the connection is probably rejected event-related messages messages of the FTP example server glue layer messages messages of the HTTP example server messages of the ICMP example server e-mail Messaging Security application packets handling messages (allocation, splitting, resizing, etc.) SCCP (Skinny Client Control Protocol - Cisco proprietary VoIP protocol) synchronization operations in cluster TCP processing messages TCP processing messages - more detailed description reports of timer ticks (pours many messages, without real content) warnings: may affect connection behavior Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 14 of 21 Kernel debugging options for Web Intelligence module: WS Syntax: fw ctl debug -m WS + flag1 flag2 flag3 ... | fw ctl debug -m WS all Set this variable to debug specific Virtual System: # fw ctl set int ws_debug_vs <VSID> Set this variable to 0 (zero) to debug all Virtual Systems (default): # fw ctl set int ws_debug_vs 0 Set this variable to debug specific IPv4 address: # fw ctl set int ws_debug_ip <XXX.XXX.XXX.XXX> Set this variable to 0 (zero) to debug all IPv4 addresses (default): # fw ctl set int ws_debug_ip 0 Flag address body connection cookie coverage error event fatal global info ioctl mem_pool memory module parser parser_err pfinder pkt_dump policy regexp report_mgr session spii ssl_insp sslt stat stream subject timestamp uuid vs warning Explanation information about connection's IP address HTTP body (content) layer connection layer HTTP cookie header shows the coverage times - entering, blocking, and time spent errors: the connection is probably rejected events fatal errors: may prevent policy installation, etc. global structure handling (usually policy related) informational purposes only IOCTL control messages - communication between kernel and daemon, un/loading of FW-1 memory pool related memory allocation issues module related HTTP header parser layer HTTP header parsing errors pattern finder related traffic packet dump (requires connection) policy (installation and enforcement) regular expression library report manager (errors and logs) session layer Stateful Protocol Inspection Infrastructure (INSPECT streaming) HTTPS SSL Inspection SSLT library memory usage statistics stream virtualization shows the debug subject of each message a timestamp for each debug message (changes when 'coverage' is active) session UUID related prints VSID of the debugged Virtual System warnings: may affect connection behavior Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 15 of 21 Kernel debugging options for Web Intelligence Infrastructure module: WSIS Syntax: fw ctl debug -m WSIS + flag1 flag2 flag3 ... | fw ctl debug -m WSIS all Set this variable to debug specific Virtual System: # fw ctl set int ws_debug_vs <VSID> Set this variable to 0 (zero) to debug all Virtual Systems (default): # fw ctl set int ws_debug_vs 0 Set this variable to debug specific IPv4 address: # fw ctl set int ws_debug_ip <XXX.XXX.XXX.XXX> Set this variable to 0 (zero) to debug all IPv4 addresses (default): # fw ctl set int ws_debug_ip 0 Flag address common coverage datastruct decoder error info memory parser subject timestamp verbose vs warning Explanation information about connection's IP address prints a message when parameters are invalid shows the coverage times - entering, blocking, and time spent data structure tree decoder for content transfer encoding (UUEncode, UTF-8, HTML encoding &#) various general error messages general information memory allocation issues HTTP header parser layer shows the debug subject of each message a timestamp for each debug message (changes when 'coverage' is active) used with other flags - for additional information prints VSID of the debugged Virtual System warnings Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 16 of 21 Kernel debugging options for Web Intelligence SIP Parsermodule: WS_SIP Syntax: fw ctl debug -m WS_SIP + flag1 flag2 flag3 ... | fw ctl debug -m WS_SIP all Set this variable to debug specific Virtual System: # fw ctl set int ws_debug_vs <VSID> Set this variable to 0 (zero) to debug all Virtual Systems (default): # fw ctl set int ws_debug_vs 0 Set this variable to debug specific IPv4 address: # fw ctl set int ws_debug_ip <XXX.XXX.XXX.XXX> Set this variable to 0 (zero) to debug all IPv4 addresses (default): # fw ctl set int ws_debug_ip 0 Flag address body connection cookie coverage error event fatal global info ioctl mem_pool memory module parser parser_err pfinder pkt_dump policy regexp report_mgr session spii ssl_insp sslt stat stream subject timestamp uuid vs warning Explanation information about connection's IP address HTTP body (content) layer connection layer HTTP cookie header shows the coverage times - entering, blocking, and time spent errors: the connection is probably rejected events fatal errors: may prevent policy installation, etc. global structure handling (usually policy related) informational purposes only IOCTL control messages - communication between kernel and daemon, un/loading of FW-1 memory pool related memory allocation issues module related HTTP header parser layer HTTP header parsing errors pattern finder related traffic packet dump (requires connection) policy (installation and enforcement) regular expression library report manager (errors and logs) session layer Stateful Protocol Inspection Infrastructure (INSPECT streaming) HTTPS SSL Inspection SSLT library memory usage statistics stream virtualization shows the debug subject of each message a timestamp for each debug message (changes when 'coverage' is active) session UUID related prints VSID of the debugged Virtual System warnings: may affect connection behavior Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 17 of 21 Kernel debugging options for Stream File Type module: SFT Syntax: fw ctl debug -m SFT + flag1 flag2 flag3 ... | fw ctl debug -m SFT all Flag error fatal info mgr warning Explanation various general error messages fatal errors general information rule match, database, connection processing, classification warnings Kernel debugging options for FloodGate-1 (QoS) module: fg Syntax: fw ctl debug -m fg + flag1 flag2 flag3 ... | fw ctl debug -m fg all Flag auth automatch autosched chain chainq citrix conn dns driver drops dropsv error fwrate general install llq log ls memory multik pkt policy qosaccel rates registry rtm sched tcp time timers url verbose Explanation authenticated QoS feature report matching process (debug version only) report scheduling process (debug version only) - a good way to report the rates on rules tracing each packet through FloodGate-1 points in the cookie chain holding and releasing packets during critical actions (policy install / uninstall) internal Chain Q mechanism Citrix processing connection information and identification processing DNS classification mechanism kernel attachment - access to kernel is shown as log entries dropped packets due to WFRED policy dropped packets due to WFRED policy - with additional debug information (verbose version) different error messages (default) report rate statistics per interface and direction currently unused policy installation and building internal data structure (for future use) low latency queuing everything related to calls in the log Load Sharing memory allocation issues CoreXL related packet recording mechanism QoS policy rules matching classification mechanism QoS acceleration reporting rule / connection rates - IQ Engine behaviour and status failed to open a key from Check Point Registry ($CPDIR/registry/HKLM_registry.data) failures in information gathering in RTM module (SmartView Monitor) basic scheduling information TCP streaming (re-transmission detection) mechanism currently unused reports of timer ticks (pours many messages, without real content) URL and URI for QoS classification mechanism used with other flags - for additional information Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 18 of 21 Kernel debugging options for Real Time Monitoring module: RTM Syntax: fw ctl debug -m RTM + flag1 flag2 flag3 ... | fw ctl debug -m RTM all Flag accel chain con_conn driver err import init ioctl netmasks per_conn per_pckt performance policy rtm s_err sort special tabs topo view_add view_update view_update1 wd Explanation displays SecureXL information regarding accelerated packets, connections, etc. displays information about chain registering, and about the E2E chain function actions; this important flag helps you know if the E2E (VL) is identifying VL packets. displaysthesameinformationas“per_conn”flag kernel attachment - access to kernel is shown as log entries different error messages (default) displays information about RTM importing functions from other modules (FW-1, FG-1) rarely used RTM IOCTL control messages displays information about how the RTM handles netmasks, if you are monitoring network object, which is a network messages per connection (when a new connection is handled by RTM) messages per packet (when a new packet arrives) - use it with care currently unused displays FireWall-1 load/unload messages (indicates that the RTM received the FW-1 callback) displays information about RTM monitoring displays various error messages (regarding tables info and other failures) debugging the RTM top X monitoring sorting display information about how E2E modifies E2ECP protocol packets currently unused display information about how the RTM calculates network topography when Views are added or deleted when Views are updated with new information when Views are updated with new information displays information regarding WebDefense views Kernel debugging options for VoIP H323 module: h323 Syntax: fw ctl debug -m h323 + flag1 flag2 flag3 ... | fw ctl debug -m h323 all Flag align cpas decode error h225 h245 init ras Explanation VoIP debug general messages (for example, VOIP infrastructure) CPAS TCP debug messages - since H323 : H225 and H245 are over TCP ; this flag is not included when debug is run with "all" flag ( # fw ctl debug -m h323 all ) H323 decoder messages different error messages (default) H225 call signaling messages (SETUP, CONNECT, RELEASE COMPLETE, etc.) H245 control signaling messages (OPEN LOGICAL CHANNEL, END SESSION COMMAND, etc.) used for internal errors H225 RAS messages (REGISTRATION, ADMISSION, and STATUS REQUEST / RESPONSE) Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 19 of 21 Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT Syntax: fw ctl debug -m ICAP_CLIENT + flag1 flag2 flag3 ... | fw ctl debug -m ICAP_CLIENT all Flag address coverage error global info memory module policy subject timestamp verbose vs warning Explanation information about connection's IP address shows the coverage times - entering, blocking, and time spent various general error messages global client general information memory allocation issues kernel handler, user mode handler, policy shows the debug subject of each message a timestamp for each debug message (changes when 'coverage' is active) used with other flags - for additional information prints VSID of the debugged Virtual System warnings Kernel debugging options for GPRS Tunneling Protocol (GTP) module: gtp Syntax: fw ctl debug -m gtp + flag1 flag2 flag3 ... | fw ctl debug -m gtp all Flag create create2 dbg delete delete2 error ioctl ld log log2 modify other other2 packet parse parse2 policy state state2 sxl tpdu update Explanation GTPv0 / GTPv1 create PDP context GTPv2 create session GTP debug mechanism GTPv0 / GTPv1 delete PDP context GTPv2 delete session GTP errors GTP IOCTL commands GTP table operations GTPv0 / GTPv1 logging GTPv2 logging GTPv2 modify bearer GTPv0 / GTPv1 other messages GTPv2 other messages GTP main packet flow GTPv0 / GTPv1 parsing GTPv2 parsing GTP policy installation GTPv0 / GTPv1 dispatching GTPv2 dispatching GTP processing by SecureXL GTP T-PDU GTPv0 / GTPv1 update PDP context Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 20 of 21 Kernel debugging options for Boolean Analyzer for Web Intelligence (BOA) module: BOA Syntax: fw ctl debug -m BOA + flag1 flag2 flag3 ... | fw ctl debug -m BOA all Flag analyzer disasm error fatal flow info lock memory spider stat stream warning Explanation BOA module operations some disassembler information various general error messages fatal errors and failures BOA module operations general information information about internal locks in FireWall kernel memory allocation information information about internal hash tables statistics information memory allocation when processing streamed data warnings Sergei Shir (Intl TAC) 06 Nov 2018 15:50:00 Kernel Debug flags (R77.30) Classification: [Protected] page 21 of 21