Kernel Debug Flags (R77.30)
Table of Contents
Usage ............................................................................................................................................................................ 2
Explanation for 'fw ctl debug' ........................................................................................................................................ 2
Explanation for 'fw ctl kdebug' ...................................................................................................................................... 2
Debug severity .............................................................................................................................................................. 2
Example ........................................................................................................................................................................ 3
Kernel debugging options for Firewall module: fw ........................................................................................................ 4
Kernel debugging options for VPN module: VPN ......................................................................................................... 6
Kernel debugging options for Cluster module: cluster .................................................................................................. 7
Kernel debugging options for Kernel Infrastructure module: kiss ................................................................................. 8
Kernel debugging options for Kernel Infrastructure Flow module: kissflow .................................................................. 8
Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik .......................................................... 9
Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader .................. 9
Kernel debugging options for Data Leak Prevention module: dlpk ............................................................................10
Kernel debugging options for Data Leak Prevention User module: dlpuk ..................................................................10
Kernel debugging options for Application Control Inspection module: APPI ..............................................................11
Kernel debugging options for Content Inspection module: CI ....................................................................................11
Kernel debugging options for Next Rule Base module: NRB .....................................................................................12
Kernel debugging options for Resource Advisor module: RAD_KERNEL .................................................................12
Kernel debugging options for Identity Awareness module: IDAPI ..............................................................................13
Kernel debugging options for Struct Generator module: SGEN .................................................................................13
Kernel debugging options for UserCheck module: UC ...............................................................................................13
Kernel debugging options for Check Point Active Streaming module: CPAS ............................................................14
Kernel debugging options for Web Intelligence module: WS .....................................................................................15
Kernel debugging options for Web Intelligence Infrastructure module: WSIS ...........................................................16
Kernel debugging options for Web Intelligence SIP Parser‎module: WS_SIP ...........................................................17
Kernel debugging options for Stream File Type module: SFT ...................................................................................18
Kernel debugging options for FloodGate-1 (QoS) module: fg ....................................................................................18
Kernel debugging options for Real Time Monitoring module: RTM............................................................................19
Kernel debugging options for VoIP H323 module: h323 ............................................................................................19
Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT ..........................20
Kernel debugging options for GPRS Tunneling Protocol (GTP) module: gtp ............................................................20
Kernel debugging options for Boolean Analyzer for Web Intelligence (BOA) module: BOA ......................................21
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 1 of 21
Usage
# fw ctl debug -h :
# fw ctl debug [–x] [–m <module>] [+ |–] <options | all | 0>
# fw ctl debug [–t (NONE | ERR | WRN | NOTICE | INFO)] [–f (RARE | COMMON)]
# fw ctl kdebug [–i <file> | [–f] –o <file>] [–b <buffer size>] [–t | –T] [–p
fld1[,fld2...] [–m <num> [–s <size>]]
Explanation for 'fw ctl debug'
# fw ctl debug 0
# fw ctl debug -x
# fw ctl debug -buf <size>
# fw ctl debug
# fw ctl debug -m
# fw ctl debug -m <module>
// defaults (clears) all kernel debugging options
// disables all kernel debugging options :
// de-allocates‎the‎buffer‎&‎automatically‎kills‎“fw‎ctl‎debug”‎process
// allocates the buffer (OS will use maximal available buffer) :
// MIN value 128kB ; MAX value 32MB
// displays ALL kernel modules and their flags THAT WERE TURNED ON
// displays ALL kernel modules and their flags that‎machine‎“understands”
// displays the flags for this module THAT WERE TURNED ON
Explanation for 'fw ctl kdebug'
# fw ctl kdebug -t / -T
# fw ctl kdebug -p <field>
// in NGX only - prints the timestamp (t = seconds ; T = microseconds) helps synchronize packets in debug with packets in “FW Monitor”‎
// prints specific fields : all | proc | pid | date | mid | type |
freq | topic | time | ticks | tid | text | err | host
New in NGX :
# fw ctl kdebug -f -o <file_name> -m <num> -s <size>
file_name
= name of the output file
num
= maximum number of cyclic files to create
size
= maximum size of each cyclic file in kilobytes
When given <size> is reached (more or less), <file_name> is renamed to <file_name.0>, and a new
<file_name> is created. If <file_name.0> already exists, then <file_name> is renamed to <file_name.1>,
and so on - until the <number> limit is reached (then the rotation takes place - oldest files are just deleted).
Debug severity
# fw ctl debug -m <module> <severity list> <subject list>
List of debug severities:
info
= informational purposes only
warning
= warnings: may affect connection behavior
error
= errors: the connection is probably rejected
fatal
= fatal errors: may prevent policy installation, etc.
List of debug subjects:
See the debug flags below
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 2 of 21
Example
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
fw
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
ctl
debug 0
// Setting kernel debug default options
debug -buf 32000
// Setting kernel debug buffer
debug -m fw + flags
// FW debug
debug -m VPN + flags
// VPN debug
debug -m cluster + flags
// Cluster debug
debug -m kiss + flags
// Kernel Infrastructure debug
debug -m kissflow + flags
// Kernel Infrastructure Flow debug
debug -m multik + flags
// Multi-Kernel Inspection debug
debug -m cmi_loader + flags
// IPS CMI debug
debug -m dlpk + flags
// Data Leak Prevention (DLP) debug
debug -m dlpuk + flags
// Data Leak Prevention User module (DLP) debug
debug -m APPI + flags
// Application Control debug
debug -m CI + flags
// Content Inspection (AV) debug
debug -m NRB + flags
// Next Rule Base debug
debug -m RAD_KERNEL + flags
// Resource Advisor debug
debug -m IDAPI + flags
// Identity Awareness debug
debug -m SGEN + flags
// Struct Generator debug
debug -m UC + flags
// UserCheck debug
debug -m CPAS + flags
// CPAS debug
debug -m WS + flags
// Web Intelligence debug
debug -m WSIS + flags
// Web Intelligence Infrastructure debug
debug -m WS_SIP + flags
// Web Intelligence SIP Parser debug
debug -m SFT + flags
// Stream File Type debug
debug -m fg + flags
// FloodGate-1 (QoS) debug
debug -m RTM + flags
// Real-Time Monitoring debug
debug -m h323 + flags
// H.323 debug
debug -m ICAP_CLIENT + flags
// Internet Content Adaptation Protocol client debug
debug -m gtp + flags
// GPRS Tunneling Protocol (GTP) debug
kdebug -T -f > /var/log/kernel_debug.txt
// output file
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 3 of 21
Kernel debugging options for Firewall module: fw
Syntax: fw ctl debug -m fw + flag1 flag2 flag3 ... | fw ctl debug -m fw all
Flag
acct
advp
aspii
balance
bridge
cgnat
chain
chainfwd
cifs
citrix
cmi
conn
connstats
content
context
cookie
cptls
crypt
cvpnd
dfilter
dlp
dnstun
domain
dos
driver
drop
dynlog
epq
error
ex
filter
ftp
highavail
hold
icmptun
if
install
integrity
ioctl
ipopt
ips
ipv6
kbuf
ld
leaks
link
log
machine
mail
malware
media
memory
mgcp
misc
Explanation
Application Control accounting in Smart View Tracker log (also debug module 'APPI')
advanced patterns (signatures over port ranges) - runs under ASPII and CMI
Accelerated Stateful Protocol Inspection Infrastructure (INPSECT streaming)
ConnectControl - logical servers in kernel , load balancing
Bridge mode
Carrier Grade NAT (CGN/CGNAT)
cookie chain , chain modules
chain forwarding - related to fwha_perform_chain_forwarding global kernel variable
Common Internet File System (CIFS) - file sharing protocol in Windows-based networks
Citrix processing
Context Management Interface/Infrastructure - IPS signature manager
Connections Table issues
connections statistics for Evaluation of Heavy Connections in CPView (refer to sk105762)
AV content inspection
operations on Memory context and CPU context in KISS module
virtual de-fragmentation , cookie issues (cookies in the data structure holding the packets)
CRYPTO-PRO Transport Layer Security (HTTPS inspection) - Russian VPN GOST
encrypted / decrypted packets, algorithms and keys are printed in clear text and cipher text
Mobile Access daemon
debug filter operations
Data Leak Prevention
DNS tunnels
DNS queries
DDoS attack mitigation (part of IPS)
kernel attachment - access to kernel is shown as log entries
associates a reason for (almost) every dropped packet
dynamic log enhancement (INSPECT logs)
End Point Quarantine (also AMD)
various general error messages (enabled by default)
dynamic table expiration issues (time-out)
packet filtering performed by kernel and all data loaded into kernel
FTP Data connections inspection (used to call applications over FTP Data - i.e., Anti-Virus)
cluster configuration - changes in the configuration and information about interfaces during
traffic processing
holding mechanism and all packets being held / released
ICMP tunnels
interface-related information - accessing the interfaces, installing a filter on an interfaces
driver installation - NIC attachment (fw ctl install and fw ctl uninstall)
client integrity mechanics
IOCTL control messages - communication between kernel and daemons, un/loading of FW-1
IP options enforcement
IPS logs and IPS IOCTL
IPv6 traffic debug
kernel-buffer memory pool - e.g., encryption keys use these memory allocations
kernel dynamic tables infrastructure - reads and writes to the tables (machine can hang!)
memory leak detection mechanism
Link creation in Connections Table
everything related to calls in the log
INSPECT Virtual Machine - actual assembler commands being processed (FW can hang!)
e-mail issues - POP3, IMAP
Anti-Malware (Anti-Virus, Anti-Spam)
Windows OS: Transport Driver Interface information (interface-related information)
memory allocation issues
Media Gateway Control Protocol (complementary to H.323 and SIP)
miscellaneous helpful information - not shown with other flags
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 4 of 21
misp
monitor
monitorall
mrtsync
msnms
multik
nac
nat
nat64
ndis
netquota
packet
packval
portscan
prof
q
qos
rad
route
sam
scv
sctp
sip
smtp
sock
span
spii
synatk
sync
tcpstr
te
ua
ucd
user
vm
wap
warning
wire
xlate
xltrc
zeco
ISP Redundancy
prints‎output‎similar‎to‎“fw‎monitor”‎into‎the‎debug‎buffer (also enable the 'misc' flag)
prints‎output‎similar‎to‎“fw‎monitor -p all”‎into‎the‎debug‎buffer (also enable the 'misc' flag)
synchronization (in kernel) between cluster members of Multicast Routes that are added
when working with Dynamic Routing Multicast protocols
MSN over MSMS (MSN Messenger protocol) - always include “sip” flag
CoreXL related (enables all the flags except for flag 'packet' in the 'MULTIK' module)
Network Access Control (NAC) Blade (refer to Identity Awareness)
NAT issues - basic information
NAT issues - 6in4 tunnels (IPv6 over IPv4) and 4in6 tunnels (IPv4 over IPv6)
Windows OS: Network Driver Interface Specification (interface-related information)
Network Quota IPS protection
actions performed on packet - like accept, drop, fragment (esp. KFUNCs called by INSPECT)
stateless verifications - sequences, fragments, translations and other header verifications
port scanning prevention mechanics
Firewall Priority Queues - connection profiler (refer to sk105762)
driver queue - e.g., synchronization operations (crucial for ClusterXL sync debugging)
QoS (FloodGate-1)
Resource Advisor policy
routing debugging (ISP Redundancy, fwcookie code)
Suspicious Activity Monitoring (OPSec)
SecureClient Verification
Stream Control Transmission Protocol (SCTP)
VoIP traffic - SIP and H323
e-mail issues - SMTP
Sockstress TCP DoS attack (CVE-2008-4609)
mirror port (duplicates the network traffic and records the activity in logs)
Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure
'SYN Attack' (SYNDefender) IPS protection
synchronization operations in ClusterXL
TCP streaming mechanism
prints name of an interface for incoming connection from Threat Emulation Machine
VoIP traffic - Universal Alcatel "UA" Protocol
UserCheck connections to other cluster members
User Space communication with Kernel Space (most useful for configuration and VSX debug)
Virtual Machine chain decisions on traffic going through fw_filter_chain
Multimedia Messaging Service (Wireless Application Protocol)
various general warning messages (enabled by default)
wire-mode Virtual Machine chain module
NAT issues - basic information
NAT issues - additional information - going through NAT rulebase
Zero-Copy kernel module memory allocations
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 5 of 21
Kernel debugging options for VPN module: VPN
Syntax: fw ctl debug -m VPN + flag1 flag2 flag3 ... | fw ctl debug -m VPN all
Flag
cluster
comp
counters
cphwd
driver
err
gtp
ifnotify
ike
init
l2tp
lsv
mem
mspi
multicast
multik
nat
om_alloc
osu
packet
pcktdmp
policy
queue
rdp
ref
resolver
rsl
sas
sr
tagging
tcpt
tnlmon
topology
vin
warn
xl
Explanation
cluster related events
compression for encrypted connections
various status counters (typically for SmartView Monitor)
hardware acceleration issues
kernel attachment - access to kernel is shown as log entries
errors that should not happen, or errors that critical to the working of the VPN module
GTP (GPRS Tunneling Protocol)
debugs notification of changes in interface status - up or down (received from OS).
turns on all IKE kernel debug in respect to moving the IKE to the interface, where it will
eventually leave and the modification of the source IP of the IKE packet, depending on the
configuration.
initializes the VPN kernel and kernel data structures, when kernel is up, or when policy is
installed - it will also print the values of the flags that are set using CPSET upon policy reload
L2TP protocol related events
Large Scale VPN (LSV)
allocation of VPN pools and VPN contexts
information related to creation and destruction of MSA / MSPI
VPN multicast
information related to VPN and CoreXL interaction
NAT issues , cluster IP manipulation (Virtual_IP-to-Member_IP and backwards)
allocation of Office Mode IP addresses
Optimal Service Upgrade
events that can happen for every packet, unless covered by more specific debug flags
dumps the encrypted / decrypted packets (before encryption / after decryption)
events that can happen only for a special packet in a connection,
usually related to policy decisions or logs / traps
handling of Security Association (SA) queues
handling of RDP packets
information regarding reference counting for MSA / MSPI when storing or deleting SAs
link selection table manipulation and Certificate Revocation List (CRL), which is also part of
the peer resolving mechanism
operations on range skip list
printing of keys and SA information
SecureClient/SecureRemote related issues
sets the VPN policy of a connection according to VPN communities, VPN Policy related info
TCP Tunnel (Visitor mode) related information (FW traversal on port 443)
tunnel monitoring
information related to VPN Link Selection
information related to IPSec NIC interaction (on Windows OS only)
warnings: may affect connection behavior
Accelerator cards interaction (AC II / III / IV)
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 6 of 21
Kernel debugging options for Cluster module: cluster
Syntax: fw ctl debug -m cluster + flag1 flag2 flag3 ... | fw ctl debug -m cluster all



There is also the SYNC flag, which is in the “FW” module and shows debug that is related to SYNC only.
Set this variable to print the contents of the packets in HEX format as "FW-1: fwha_print_packet: Buffer:"
# fw ctl set int fwha_dprint_io 1
Set this variable to print all network checking printing
# fw ctl set int fwha_dprint_all_net_check 1
Flag
accel
ccp
conf
cu
df
drop
forward
if
log
mac
nokia
pivot
pnote
select
stat
subs
timer
Explanation
related to status and support of SecureXL (should be used in parallel with 'conf' flag)
reception/transmission of Cluster Control Protocol (CCP) packets
configuration and policy installation
Connectivity Upgrade - translation of kernel tables, connection synchronization, connection
rematch, etc.
Decision Function - decides, which member will handle each packet in a Load Sharing mode
connections dropped by the CXL Decision Function (DF) module (only in NGX)‎- excluding
CCP packets
Forwarding Layer messages - when sending and receiving a forwarded packet
interface tracking and validation - all the operations and checks on interfaces
creating and sending of logs by cluster‎(should be used in parallel with 'log' flag in 'fw' module)
related to current configuration of and detection of cluster interfaces (should be used in
parallel with 'conf' flag and 'if' flag)
related to cluster running on Nokia IPSO platform
related to ClusterXL Load Sharing Unicast mode (Pivot mode)‎
related to registering and monitoring of critical devices (pnotes)‎
packet selection - including Decision Function (DF)
related to state of cluster members (state machine)‎
Subscriber module - set of APIs, which enable user space processes (by using a DLL) to be
aware of the current state of the ClusterXL state machine and other clustering configuration
parameters.
reports of cluster internal timers
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 7 of 21
Kernel debugging options for Kernel Infrastructure module: kiss
Syntax: fw ctl debug -m kiss + flag1 flag2 flag3 ... | fw ctl debug -m kiss all
Flag
bench
dfa
driver
error
flofiler
ghtab
handles
htab
ioctl
kqstats
kw
memory
memprof
misc
mtctx
pcre
pm
pmdump
pmint
pools
queue
rem
salloc
shmem
sm
stat
swblade
thinnfa
thread
timers
usrmem
vbuf
warning
worker
Explanation
CPU benchmarker
Pattern Matcher (Deterministic Finite Automaton) compilation and execution
when FW driver is loaded / unloaded
different error messages (default)
FLow prOFILER
multi-threaded safe global hash tables
Memory Pool allocation for tables
multi-threaded safe hash tables
IOCTL control messages - communication between kernel and daemon
Kernel Worker thread statistics mechanism - resetting, initializing, turning off
Kernel Worker state and Pattern Matcher inspection
memory allocation issues
memory allocation issues in memory profiler (when fw_conn_mem_prof_enabled=1)
CPU counters, Memory counters, getting/setting of global kernel parameters
multi-threaded context - memory allocation, reference count
Perl Compatible Regular Expressions - execution, memory allocation
Pattern Matcher compilation and execution
Pattern Matcher DFA (dumping XMLs of DFAs)
Pattern Matcher compilation
Memory Pool allocation issues
Kernel Worker thread queues
Regular Expression Matcher - Pattern Matcher 2nd tier (slow path)
System Memory allocation
shared memory allocation
String Matcher - Pattern Matcher 1st tier (fast path)
statistics for categories and maps
registration of Software Blades
currently unused (Thin NFA)
kernel thread that supplies kernel thread low level APIs
internal timers
User Space platform memory usage
virtual buffer
warnings (default)
Kernel Worker - queuing and dequeuing
Kernel debugging options for Kernel Infrastructure Flow module: kissflow
Syntax: fw ctl debug -m kissflow + flag1 flag2 flag3 ... | fw ctl debug -m kissflow all
Flag
compile
dfa
error
memory
pm
warning
Explanation
Pattern Matcher - pattern compilation
Pattern Matcher (Deterministic Finite Automaton) compilation and execution
different error messages (default)
memory allocation issues
Pattern Matcher - general information
warnings (default)
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 8 of 21
Kernel debugging options for Multi-Kernel Inspection (CoreXL) module: multik
Syntax: fw ctl debug -m multik + flag1 flag2 flag3 ... | fw ctl debug -m multik all
When enabling the 'multik' flag in the 'FW' module, it enables all the flags in this module except for flag 'packet'
Flag
api
clb
conn
counter
error
event
fwstats
ioctl
lock
message
packet
packet_err
prio
queue
quota
state
temp_conns
uid
Explanation
registration and unregistration of cross-instance function calls
statistics collection for the core load balancer utility
creation and deletion of connections in the dispatcher table
cross-instance counter infrastructure
various error conditions in CoreXL infrastructure
cross-instance event aggregation infrastructure
FW-1 statistics
distribution of IOCTLs to different instances
obtaining and releasing fw_lock on multiple instances
cross-instance messages (used for local sync and port scanning)
per packet, shows the dispatching decision - instance and reason
invalid‎packets,‎for‎which‎dispatching‎decision‎can’t‎be‎made
Firewall Priority Queues (refer to sk105762)‎
packet queue
cross-instance quota table (used by the network quota feature)
starting and stopping of instances, establishment of relationship between instances
temporary connections
Cross-instance Unique IDs
Kernel debugging options for Context Management Interface/Infrastructure Loader module: cmi_loader
Syntax: fw ctl debug -m cmi_loader + flag1 flag2 flag3 ... | fw ctl debug -m cmi_loader all
Flag
address
connection
coverage
error
global_states
info
inspect
memory
module
policy
sigload
subject
timestamp
verbose
vs
warning
Explanation
information about connection's IP address
currently unused
shows the coverage times - entering, blocking, and time spent
various general error messages
user space global states structures
general information
cmi_loader INSPECT code
memory allocation issues
cmi_loader module operations - initialization, module loading, calls to module, contexts, etc
policy installation
signatures, patterns, ranges
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)‎
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 9 of 21
Kernel debugging options for Data Leak Prevention module: dlpk
Syntax: fw ctl debug -m dlpk + flag1 flag2 flag3 ... | fw ctl debug -m dlpk all
Flag
error
cmi
drv
identity
rulebase
stat
warning
Explanation
various general error messages
HTTP Proxy, connection redirection, identity information, Async
DLP inspection
user identity, connection identity, Async
DLP rulebase match
counters statistics
warnings
Kernel debugging options for Data Leak Prevention User module: dlpuk
Syntax: fw ctl debug -m dlpuk + flag1 flag2 flag3 ... | fw ctl debug -m dlpuk all
Flag
address
buffer
coverage
error
info
memory
module
policy
serialize
subject
timestamp
verbose
vs
warning
Explanation
information about connection's IP address
currently unused
shows the coverage times - entering, blocking, and time spent
various general error messages
general information
memory allocation issues
initiating / removing of DLPUK debug infrastructure
currently unused
data buffers and data sizes
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)‎
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 10 of 21
Kernel debugging options for Application Control Inspection module: APPI
Syntax: fw ctl debug -m APPI + flag1 flag2 flag3 ... | fw ctl debug -m APPI all
Flag
account
address
btime
connection
coverage
error
global
info
limit
memory
module
policy
session
subject
timestamp
urlf_ssl
verbose
vs
warning
Explanation
accounting information
information about connection's IP address
browse time
APPI connections
shows the coverage times - entering, blocking, and time spent
various general error messages
global policy operations
general information
APPI limits
memory allocation issues
APPI module operations - initialization, module loading, calls to module, policy loading, etc
information about APPI policy
session layer
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)
URL Filtering for SSL
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
Kernel debugging options for Content Inspection module: CI
Syntax: fw ctl debug -m CI + flag1 flag2 flag3 ... | fw ctl debug -m CI all
Flag
address
av
coverage
crypto
error
fatal
filter
info
ioctl
memory
module
policy
profile
regexp
session
stat
subject
timestamp
track
uf
vs
warning
Explanation
shows connection address [Source_IP:Source_Port -> Dest_IP:Dest_Port]
Anti-Virus inspection
shows the coverage times - entering, blocking, and time spent
basic information about encryption and decryption
various general error messages
fatal errors‎
basic information about URL filters
general information
currently unused
memory allocation issues
CI module operations - initialization, module loading, calls to module, policy loading, etc
information about CI policy
very basic information about CI module - initialization, destroying, freeing
regular expression library
session layer
Content Inspection ‎statistics
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)
use only for very limited important debug prints, so it can be used in a loaded environment Content-Disposition, Content-Type, extension validation, extension matching
URL filters and URL cache
prints VSID of the debugged Virtual System
warnings
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 11 of 21
Kernel debugging options for Next Rule Base module: NRB
Syntax: fw ctl debug -m NRB + flag1 flag2 flag3 ... | fw ctl debug -m NRB all
Flag
address
appi
coverage
dlp
error
info
match
memory
module
policy
sec_rb
session
ssl_insp
subject
timestamp
verbose
vs
warning
Explanation
information about connection's IP address
rules and applications
shows the coverage times - entering, blocking, and time spent
Data Leak Prevention
various general error messages
general information
rule matching
memory allocation issues
NRB module operations - initialization, module loading, calls to module, contexts, etc
policy installation
security rulebase
session layer
HTTPS SSL Inspection
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)‎
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
Kernel debugging options for Resource Advisor module: RAD_KERNEL
Syntax: fw ctl debug -m RAD_KERNEL + flag1 flag2 flag3 ... | fw ctl debug -m RAD_KERNEL all
Flag
address
cache
coverage
error
global
info
memory
subject
timestamp
verbose
vs
warning
Explanation
information about connection's IP address
RAD kernel malware cache
shows the coverage times - entering, blocking, and time spent
various general error messages
RAD global contexts
general information
memory allocation issues
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)‎
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 12 of 21
Kernel debugging options for Identity Awareness module: IDAPI
Syntax: fw ctl debug -m IDAPI + flag1 flag2 flag3 ... | fw ctl debug -m IDAPI all
Flag
address
async
coverage
data
error
htab
info
memory
module
subject
test
timestamp
verbose
vs
warning
Explanation
information about connection's IP address
checking known network
shows the coverage times - entering, blocking, and time spent
Portal, IP address matching for Terminal Servers Identity Agent, session handling
various general error messages
checking for network IP address, working with kernel tables
general information
memory allocation issues
removing of IDAPI debug IS, failed to convert to Base64, failed to append src to dst
shows the debug subject of each message
IP test, IDAPI sync
a timestamp for each debug message (changes when 'coverage' is active)‎
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
Kernel debugging options for Struct Generator module: SGEN
Syntax: fw ctl debug -m SGEN + flag1 flag2 flag3 ... | fw ctl debug -m SGEN all
Flag
engine
error
fatal
field
general
info
load
serialize
warning
Explanation
Struct Generator ‎engine operations
various general error messages
fatal errors‎
operations on fields
general types macros
general information
loading of macros
serialization during loading of macros
warnings
Kernel debugging options for UserCheck module: UC
Syntax: fw ctl debug -m UC + flag1 flag2 flag3 ... | fw ctl debug -m UC all
Flag
address
coverage
error
htab
info
memory
module
subject
timestamp
verbose
vs
warning
webapi
Explanation
information about connection's IP address
shows the coverage times - entering, blocking, and time spent
various general error messages
hash table
general information
memory allocation issues
UC module initializing, UC table hits, finding User ID in cache, removing of UC debug IS
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
URL patterns, UC incidents, connection redirection
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 13 of 21
Kernel debugging options for Check Point Active Streaming module: CPAS
Syntax: fw ctl debug -m CPAS + flag1 flag2 flag3 ... | fw ctl debug -m CPAS all
Flag
api
conns
error
events
ftp
glue
http
icmp
notify
pkts
skinny
sync
tcp
tcpinfo
timer
warning
Explanation
interface layer messages
detailed description of connections, and connection's limit-related messages
errors: the connection is probably rejected
event-related messages
messages of the FTP example server
glue layer messages
messages of the HTTP example server
messages of the ICMP example server
e-mail Messaging Security application
packets handling messages (allocation, splitting, resizing, etc.)
SCCP (Skinny Client Control Protocol - Cisco proprietary VoIP protocol)
synchronization operations in cluster
TCP processing messages
TCP processing messages - more detailed description
reports of timer ticks (pours many messages, without real content)
warnings: may affect connection behavior
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 14 of 21
Kernel debugging options for Web Intelligence module: WS
Syntax: fw ctl debug -m WS + flag1 flag2 flag3 ... | fw ctl debug -m WS all




Set this variable to debug specific Virtual System:
# fw ctl set int ws_debug_vs <VSID>
Set this variable to 0 (zero) to debug all Virtual Systems (default):
# fw ctl set int ws_debug_vs 0
Set this variable to debug specific IPv4 address:
# fw ctl set int ws_debug_ip <XXX.XXX.XXX.XXX>
Set this variable to 0 (zero) to debug all IPv4 addresses (default):
# fw ctl set int ws_debug_ip 0
Flag
address
body
connection
cookie
coverage
error
event
fatal
global
info
ioctl
mem_pool
memory
module
parser
parser_err
pfinder
pkt_dump
policy
regexp
report_mgr
session
spii
ssl_insp
sslt
stat
stream
subject
timestamp
uuid
vs
warning
Explanation
information about connection's IP address
HTTP body (content) layer
connection layer
HTTP cookie header
shows the coverage times - entering, blocking, and time spent
errors: the connection is probably rejected
events
fatal errors: may prevent policy installation, etc.
global structure handling (usually policy related)
informational purposes only
IOCTL control messages - communication between kernel and daemon, un/loading of FW-1
memory pool related
memory allocation issues
module related
HTTP header parser layer
HTTP header parsing errors
pattern finder related
traffic packet dump (requires connection)
policy (installation and enforcement)
regular expression library
report manager (errors and logs)
session layer
Stateful Protocol Inspection Infrastructure (INSPECT streaming)
HTTPS SSL Inspection
SSLT library
memory usage statistics
stream virtualization
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)
session UUID related
prints VSID of the debugged Virtual System
warnings: may affect connection behavior
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 15 of 21
Kernel debugging options for Web Intelligence Infrastructure module: WSIS
Syntax: fw ctl debug -m WSIS + flag1 flag2 flag3 ... | fw ctl debug -m WSIS all




Set this variable to debug specific Virtual System:
# fw ctl set int ws_debug_vs <VSID>
Set this variable to 0 (zero) to debug all Virtual Systems (default):
# fw ctl set int ws_debug_vs 0
Set this variable to debug specific IPv4 address:
# fw ctl set int ws_debug_ip <XXX.XXX.XXX.XXX>
Set this variable to 0 (zero) to debug all IPv4 addresses (default):
# fw ctl set int ws_debug_ip 0
Flag
address
common
coverage
datastruct
decoder
error
info
memory
parser
subject
timestamp
verbose
vs
warning
Explanation
information about connection's IP address
prints a message when parameters are invalid
shows the coverage times - entering, blocking, and time spent
data structure tree
decoder for content transfer encoding (UUEncode, UTF-8, HTML encoding &#)
various general error messages
general information
memory allocation issues
HTTP header parser layer
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)‎
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 16 of 21
Kernel debugging options for Web Intelligence SIP Parser‎module: WS_SIP
Syntax: fw ctl debug -m WS_SIP + flag1 flag2 flag3 ... | fw ctl debug -m WS_SIP all




Set this variable to debug specific Virtual System:
# fw ctl set int ws_debug_vs <VSID>
Set this variable to 0 (zero) to debug all Virtual Systems (default):
# fw ctl set int ws_debug_vs 0
Set this variable to debug specific IPv4 address:
# fw ctl set int ws_debug_ip <XXX.XXX.XXX.XXX>
Set this variable to 0 (zero) to debug all IPv4 addresses (default):
# fw ctl set int ws_debug_ip 0
Flag
address
body
connection
cookie
coverage
error
event
fatal
global
info
ioctl
mem_pool
memory
module
parser
parser_err
pfinder
pkt_dump
policy
regexp
report_mgr
session
spii
ssl_insp
sslt
stat
stream
subject
timestamp
uuid
vs
warning
Explanation
information about connection's IP address
HTTP body (content) layer
connection layer
HTTP cookie header
shows the coverage times - entering, blocking, and time spent
errors: the connection is probably rejected
events
fatal errors: may prevent policy installation, etc.
global structure handling (usually policy related)
informational purposes only
IOCTL control messages - communication between kernel and daemon, un/loading of FW-1
memory pool related
memory allocation issues
module related
HTTP header parser layer
HTTP header parsing errors
pattern finder related
traffic packet dump (requires connection)
policy (installation and enforcement)
regular expression library
report manager (errors and logs)
session layer
Stateful Protocol Inspection Infrastructure (INSPECT streaming)
HTTPS SSL Inspection
SSLT library
memory usage statistics
stream virtualization
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)
session UUID related
prints VSID of the debugged Virtual System
warnings: may affect connection behavior
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 17 of 21
Kernel debugging options for Stream File Type module: SFT
Syntax: fw ctl debug -m SFT + flag1 flag2 flag3 ... | fw ctl debug -m SFT all
Flag
error
fatal
info
mgr
warning
Explanation
various general error messages
fatal errors‎
general information
rule match, database, connection processing, classification
warnings
Kernel debugging options for FloodGate-1 (QoS) module: fg
Syntax: fw ctl debug -m fg + flag1 flag2 flag3 ... | fw ctl debug -m fg all
Flag
auth
automatch
autosched
chain
chainq
citrix
conn
dns
driver
drops
dropsv
error
fwrate
general
install
llq
log
ls
memory
multik
pkt
policy
qosaccel
rates
registry
rtm
sched
tcp
time
timers
url
verbose
Explanation
authenticated QoS feature
report matching process (debug version only)
report scheduling process (debug version only) - a good way to report the rates on rules
tracing each packet through FloodGate-1 points in the cookie chain
holding and releasing packets during critical actions (policy install / uninstall) internal Chain Q mechanism
Citrix processing
connection information and identification processing
DNS classification mechanism
kernel attachment - access to kernel is shown as log entries
dropped packets due to WFRED policy
dropped packets due to WFRED policy - with additional debug information (verbose version)
different error messages (default)
report rate statistics per interface and direction
currently unused
policy installation and building internal data structure (for future use)
low latency queuing
everything related to calls in the log
Load Sharing
memory allocation issues
CoreXL related
packet recording mechanism
QoS policy rules matching classification mechanism
QoS acceleration
reporting rule / connection rates - IQ Engine behaviour and status
failed to open a key from Check Point Registry ($CPDIR/registry/HKLM_registry.data)
failures in information gathering in RTM module (SmartView Monitor)
basic scheduling information
TCP streaming (re-transmission detection) mechanism
currently unused
reports of timer ticks (pours many messages, without real content)
URL and URI for QoS classification mechanism
used with other flags - for additional information
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 18 of 21
Kernel debugging options for Real Time Monitoring module: RTM
Syntax: fw ctl debug -m RTM + flag1 flag2 flag3 ... | fw ctl debug -m RTM all
Flag
accel
chain
con_conn
driver
err
import
init
ioctl
netmasks
per_conn
per_pckt
performance
policy
rtm
s_err
sort
special
tabs
topo
view_add
view_update
view_update1
wd
Explanation
displays SecureXL information regarding accelerated packets, connections, etc.
displays information about chain registering, and about the E2E chain function actions;
this important flag helps you know if the E2E (VL) is identifying VL packets.
displays‎the‎same‎information‎as‎“per_conn”‎flag
kernel attachment - access to kernel is shown as log entries
different error messages (default)
displays information about RTM importing functions from other modules (FW-1, FG-1)
rarely used
RTM IOCTL control messages
displays information about how the RTM handles netmasks,
if you are monitoring network object, which is a network
messages per connection (when a new connection is handled by RTM)
messages per packet (when a new packet arrives) - use it with care
currently unused
displays FireWall-1 load/unload messages
(indicates that the RTM received the FW-1 callback)
displays information about RTM monitoring
displays various error messages (regarding tables info and other failures)
debugging the RTM top X monitoring sorting
display information about how E2E modifies E2ECP protocol packets
currently unused
display information about how the RTM calculates network topography
when Views are added or deleted
when Views are updated with new information
when Views are updated with new information
displays information regarding WebDefense views
Kernel debugging options for VoIP H323 module: h323
Syntax: fw ctl debug -m h323 + flag1 flag2 flag3 ... | fw ctl debug -m h323 all
Flag
align
cpas
decode
error
h225
h245
init
ras
Explanation
VoIP debug general messages (for example, VOIP infrastructure)
CPAS TCP debug messages - since H323 : H225 and H245 are over TCP ;
this flag is not included when debug is run with "all" flag ( # fw ctl debug -m h323 all )
H323 decoder messages
different error messages (default)
H225 call signaling messages (SETUP, CONNECT, RELEASE COMPLETE, etc.)
H245 control signaling messages (OPEN LOGICAL CHANNEL, END SESSION COMMAND, etc.)
used for internal errors
H225 RAS messages (REGISTRATION, ADMISSION, and STATUS REQUEST / RESPONSE)
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 19 of 21
Kernel debugging options for Internet Content Adaptation Protocol Client module: ICAP_CLIENT
Syntax: fw ctl debug -m ICAP_CLIENT + flag1 flag2 flag3 ... | fw ctl debug -m ICAP_CLIENT all
Flag
address
coverage
error
global
info
memory
module
policy
subject
timestamp
verbose
vs
warning
Explanation
information about connection's IP address
shows the coverage times - entering, blocking, and time spent
various general error messages
global client
general information
memory allocation issues
kernel handler, user mode handler,
policy
shows the debug subject of each message
a timestamp for each debug message (changes when 'coverage' is active)
used with other flags - for additional information
prints VSID of the debugged Virtual System
warnings
Kernel debugging options for GPRS Tunneling Protocol (GTP) module: gtp
Syntax: fw ctl debug -m gtp + flag1 flag2 flag3 ... | fw ctl debug -m gtp all
Flag
create
create2
dbg
delete
delete2
error
ioctl
ld
log
log2
modify
other
other2
packet
parse
parse2
policy
state
state2
sxl
tpdu
update
Explanation
GTPv0 / GTPv1 ‎create PDP context
GTPv2 ‎create session
GTP debug mechanism
GTPv0 / GTPv1 ‎delete PDP context
GTPv2 ‎delete session
GTP errors
GTP IOCTL commands
GTP table operations
GTPv0 / GTPv1 logging
GTPv2 logging
GTPv2 modify bearer
GTPv0 / GTPv1 other messages
GTPv2 other messages
GTP main packet flow
GTPv0 / GTPv1 parsing
GTPv2 parsing
GTP policy installation
GTPv0 / GTPv1 dispatching
GTPv2 dispatching
GTP processing by SecureXL
GTP T-PDU
GTPv0 / GTPv1 ‎update PDP context
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 20 of 21
Kernel debugging options for Boolean Analyzer for Web Intelligence (BOA) module: BOA
Syntax: fw ctl debug -m BOA + flag1 flag2 flag3 ... | fw ctl debug -m BOA all
Flag
analyzer
disasm
error
fatal
flow
info
lock
memory
spider
stat
stream
warning
Explanation
BOA module operations
some disassembler information
various general error messages
fatal errors and failures
BOA module operations
general information
information about internal locks in FireWall kernel
memory allocation information
information about internal hash tables
statistics information
memory allocation when processing streamed data
warnings
Sergei Shir (Intl TAC)
06 Nov 2018 15:50:00
Kernel Debug flags (R77.30)
Classification: [Protected]
page 21 of 21