Tuesday, July 25, 2017

R80.10 debug documents are now public

Check Point has published a set of new documents describing kernel modules and their debug flags, as well as SecureXL and CoreXL debug details, in R80.10.

Although the documents are public, to download them you will need to log in to User Center.

Kernel Debug Flags - R80.10: http://downloads.checkpoint.com/dc/download.htm?ID=56864
SecureXL Debug Flags - FWAccel (R80.10): http://downloads.checkpoint.com/dc/download.htm?ID=56865
SecureXL Debug Flags - SIM (R80.10): http://downloads.checkpoint.com/dc/download.htm?ID=56866

Special thanks to Sergei Shir for this publication.



-----------
Support CPET project and this blog with your donations to https://www.paypal.me/cpvideonuggets 

2 comments:

  1. Valera, as a debugging expert, could you suggest a command? I asked the Check Point specialist who looks after our company, and he does not know. The command I need is this: HOW DO I SEE WHICH RULE ALLOWS THE TRAFFIC WHEN LOGGING IS DISABLED?
    The specialist suggested what I had already played with: fw ctl debug -fw conn. But from the output of this command you cannot tell which rule actually allowed the traffic. All my hope is on you!

    1. Hi Viktor,

      I am surprised by the answer. If you debug a new connection with the flags "vm" and "conn", AND under the condition that SecureXL is not matching a template, you will see messages like:

      [cpu_3];[fw4_0];fw_handle_first_packet: match on rule XX;

      where XX is the absolute rule position on the GW. It is not a direct equivalent of the rule number in the policy, but it is still pretty close.

      Moreover, if you look in the connection table, the rule number is also listed for the connection entry.

      So you do not really have to run a kernel debug at all; just look in the connection table.

      However, kernel debug in R80.10 requires the module UP with several flags to see which rule is finally matched. Look into my posts from June if you need more details.

      Anyhow, the connection table ALWAYS has the absolute rule number as part of the connection entry.
