official documentation
SecureKnowledge
CPUG forum
Check Point forum
Google
fw ctl zdebug drop
Replicate the problem and have a look at the gateway:
fw tab -t connections -s
fw hastat
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
localhost 2 stand-by OK
cphaprob state
Cluster Mode: New High Availability (Primary Up)
Number Unique Address Assigned Load State
1 192.168.55.202 100% Active
2 (local) 192.168.55.201 0% Standby
ClusterXL
Displays ClusterXL Devices
cphaprob -a if
fw ctl pstat
cphaprob syncstat
fw lichosts
fw lichosts | wc -l
dtps lic
Licenses
Show license
cplic print
Figure: fw monitor inspection points in the gateway stack (NIC, IP routing, TCP, application layer on the inbound and outbound side)
fw monitor
[Expert@fw1]# fw monitor -e "accept (src=212.1.52.68 or dst=212.1.52.68);"
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
eth3.7:i[52]: 212.1.56.233 -> 212.1.52.68 (TCP) len=52 id=18406
TCP: 56661 -> 22 .S.... seq=b2f3509d ack=00000000
eth3.7:I[52]: 212.1.56.233 -> 212.1.52.68 (TCP) len=52 id=18406
TCP: 56661 -> 22 .S.... seq=b2f3509d ack=00000000
eth0:o[52]: 212.1.56.233 -> 212.1.52.68 (TCP) len=52 id=18406
TCP: 56661 -> 22 .S.... seq=b2f3509d ack=00000000
eth0:O[52]: 212.1.56.233 -> 212.1.52.68 (TCP) len=52 id=18406
TCP: 56661 -> 22 .S.... seq=b2f3509d ack=00000000
eth0:i[52]: 212.1.52.68 -> 212.1.56.233 (TCP) len=52 id=0
TCP: 22 -> 56661 .S..A. seq=68a919c9 ack=b2f3509e
eth0:I[52]: 212.1.52.68 -> 212.1.56.233 (TCP) len=52 id=0
TCP: 22 -> 56661 .S..A. seq=68a919c9 ack=b2f3509e
eth3.7:o[52]: 212.1.52.68 -> 212.1.56.233 (TCP) len=52 id=0
TCP: 22 -> 56661 .S..A. seq=68a919c9 ack=b2f3509e
eth3.7:O[52]: 212.1.52.68 -> 212.1.56.233 (TCP) len=52 id=0
TCP: 22 -> 56661 .S..A. seq=68a919c9 ack=b2f3509e
fw monitor
fw monitor options overview
-u | -s        show UUID or SUUID for every packet
-i             write data to STDOUT
-d | -D        debug / more debug output
-e <expr>      filter expression (CLI mode)
-f <file>      read filter expression from file
-l <len>       limit length of captured packet
-m <mask>      which inspection points (i, I, o, O) should be shown
-x             print raw packet data
-o <file>      write packets into file
-p<i|I|o|O> <pos>  insert fw monitor at a specific chain position
-p all         insert fw monitor between all kernel modules
-ci <count>    stop capture after <count> incoming packets
-co <count>    stop capture after <count> outgoing packets
fw monitor
fw monitor
Capture only ICMP packets
fw monitor -f <filename>
#include "fwmonitor.def"
accept ((sport=22 or dport=22) and not host(x.x.x.x));
fw monitor
On SecuRemote/SecureClient
Check /opt/CPEdgecmp-R71/libsw/version.txt
http://<ip SmartCenter>:9283/
- restart SMS
- reload SMS settings
- force policy update
- reboot
- reset local (Edge) password
- view status information
Troubleshooting UTM-1 Edge
Debugging Sofaware Management Server
Edit $FWDIR/conf/sofaware/SWManagement.ini
In the line containing LogPolicy1, change the value Info to Debug
smsstop
sms -confdir $FWDIR/conf/sofaware
/opt/CPinfo-10/bin/cpinfo -z <filename>
/opt/CPinfo-10/bin/cpinfo -l -z <filename>
Figure: Check Point support organisation and escalation path; boxes: Support desk, Escalations, Product team, Programmers, Director TAC, INTL Support Escalations, Diamond Services, Knowledge Center, Data Security, Customer Focus
http://www.checkpoint.com/services/contact/escalation.html
General debugging
kernel mode: usbcore, ..., rtmmod, simmod, vpntmod, ..., vpnmod, fwmod
user mode: security server, sms, cpd, fwd, fwm
kiss ??????
kissflow ???????
fw "Firewall Module"
h323 "VoIP H.323 Module"
multik "related to CoreXL"
BOA "Malicious Code Protection Module"
WS "SmartDefense Web Intelligence Module"
CI "Content Inspection"
CPAS "Active Streaming Module"
VPN "VPN Module"
RTM "SmartView Monitor Module"
SFT ???????
Cluster "ClusterXL Module"
FG-1 "Floodgate-1 QoS Module"
kernel mode debug
Some examples for modules and options:
Module: fw
Options: error warning cookie crypt domain ex
driver filter hold if install ioctl kbuf
ld log machine memory misc packet q xlate
xltrc conn synatk media align balance
chain bridge tcpstr scv ndis packval sync
ipopt link nat cifs drop
Module: vpn
Options: driver err packet policy sas rdp
clear cipher init sr comp xl counters mspi
cphwd ref vin cluster nat l2tp warn
kernel mode debug
fw ctl debug
Stop debugging
fw ctl debug 0
kernel mode debug
Filter the debug output: only lines containing <strings> are written to the output (best practice: error, failed).
Filters can be combined.
Example:
or SmartView Monitor
vpn drv on
install policy
VPN debug
VPN debugging events can be logged on the gateway
vpn debug on
On the gateway:
vpn debug ikeon / vpn debug ikeoff
Debug output is written to $FWDIR/log/ike.elg
VPN debug
Initiate VPN and IKE debug together
Exception: cpd
fwm debug
FWM controls connections from the SmartConsole to the SmartCenter server and is responsible for policy-related functions
fw debug dtls on
Stop debugging
ulimit -c unlimited
um_core enable
Reboot
C:\Programme\CheckPoint\SmartConsole\R70\PROGRAM\data is used if the directory is omitted.
Resources
SmartSPLAT from Çağdaş Ulucan
www.smartsplat.com
fw monitor
http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf
Tobias Lachmann
tobias@lachmann.org
http://blog.lachmann.org