CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: fw ctl zdebug command question

  1. #1
    Join Date
    2017-11-01
    Posts
    37
    Rep Power
    0

    Default fw ctl zdebug command question

    Hi there,

    I am trying to run the fw ctl zdebug + drop command, however I want to only apply it to one virtual firewall in a VSX cluster.

    As you can't log on to the virtual firewall via ssh, I have to log onto the VSX Gateway to do this, however the results are huge as it is outputting everything from the cluster.

    Can someone help with what command variables I need to add to run the output just for one particular virtual firewall please.

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,484
    Rep Power
    16

    Default Re: fw ctl zdebug command question

    fw ctl debug --help suggests the -v option will allow you to specify (by VSID) which virtual firewall to apply the debug to.
    Yes, I know I didn't say zdebug, but it has the same options
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2017-11-01
    Posts
    37
    Rep Power
    0

    Default Re: fw ctl zdebug command question

    Fantastic! Thank you.

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,226
    Rep Power
    13

    Default Re: fw ctl zdebug command question

    Quote Originally Posted by PhoneBoy View Post
    fw ctl debug --help suggests the -v option will allow you to specify (by VSID) which virtual firewall to apply the debug to.
    Yes, I know I didn't say zdebug, but it has the same options
    If you happen to know the Firewall Worker instance number you want to monitor (fw ctl affinity -l -r), you can also confine the zdebug to a particular Firewall Worker core like this:

    fw -i (instance number) ctl zdebug drop
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  5. #5
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    257
    Rep Power
    12

    Default Re: fw ctl zdebug command question

    Quote Originally Posted by JPYDX View Post
    Hi there,

    I am trying to run the fw ctl zdebug + drop command, however I want to only apply it to one virtual firewall in a VSX cluster.

    As you can't log on to the virtual firewall via ssh, I have to log onto the VSX Gateway to do this, however the results are huge as it is outputting everything from the cluster.

    Can someone help with what command variables I need to add to run the output just for one particular virtual firewall please.
    Use 'vsx stat -v' to find the ID of the VS you want to monitor. Then use this command:

    fw ctl zdebug drop | egrep "^;\[vs_<ID>\]"

    If you want timestamps from R77.30 and up:

    fw ctl zdebug -T drop | egrep "^;[^;]+;\[vs_<ID>\]"

    In both cases, replace the full "<ID>" string with your VSID. For example, to see drops on VS 18 with timestamps, run this:

    fw ctl zdebug -T drop | egrep "^;[^;]+;\[vs_18\]"
    Zimmie
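
Added example (not part of the original posts): a shell helper wrapping the filter from post #5, so that one pattern handles output both with and without the -T timestamp field and a non-numeric VSID is rejected. The function names `vs_filter` and `sample_lines`, and the sample lines themselves, are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: keep only the zdebug-style lines that belong to one VSID.
# Intended use on the VSX gateway (command taken from the thread):
#   fw ctl zdebug -T drop | vs_filter 18

vs_filter() {
    local vsid="$1"
    # Accept digits only, so the argument cannot change the regular expression.
    case "$vsid" in
        ''|*[!0-9]*)
            echo "usage: vs_filter <numeric VSID>" >&2
            return 2
            ;;
    esac
    # ^;            every line starts with ';'
    # ([^;]+;)?     optional timestamp field, present only with -T
    # \[vs_<ID>\]   the closing bracket stops vs_1 from matching vs_18
    grep -E "^;([^;]+;)?\[vs_${vsid}\]"
}

# Constructed sample lines, not captured from a real gateway. Only the
# leading fields follow the layout implied by the patterns in post #5;
# the timestamp text and message bodies are placeholders.
sample_lines() {
    cat <<'EOF'
;[vs_1];constructed drop message A
;[vs_18];constructed drop message B
;placeholder-timestamp-1;[vs_18];constructed drop message C
;placeholder-timestamp-2;[vs_1];constructed drop message D
;[vs_180];constructed drop message E
EOF
}
```
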

  6. #6
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,141
    Rep Power
    12

    Default Re: fw ctl zdebug command question

    Or use 'vsx stat -v' to get the correct VS number and use 'vsenv <ID>' to go to the CLI of that VS and then run 'fw ctl zdebug drop' from that context, as you do with all the commands you want to run specifically for that VS.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  7. #7
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    257
    Rep Power
    12

    Default Re: fw ctl zdebug command question

    Quote Originally Posted by msjouw View Post
    Or use 'vsx stat -v' to get the correct VS number and use 'vsenv <ID>' to go to the CLI of that VS and then run 'fw ctl zdebug drop' from that context, as you do with all the commands you want to run specifically for that VS.
    On all of my VSX firewalls (R67, R77.30, R80.10), 'fw ctl zdebug drop' shows data from all VSs, regardless of which VS you run it from.

    It's kind of irritating how little actually changes as you move from VS to VS. I'd prefer a system more like OpenBSD's rdomain(4).
    Zimmie

  8. #8
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,028
    Rep Power
    14

    Default Re: fw ctl zdebug command question

    Oh boy, I really hate zdebug leaking out. It gets out of control.

    fw ctl zdebug is problematic. It was never intended to leave the Check Point RND bubble. Use the fw ctl debug mechanism; it provides you much more control and flexibility.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  9. #9
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,625
    Rep Power
    9

    Default Re: fw ctl zdebug command question

    Maybe it started out in an R&D bubble but it's for sure mainstream now.

    sk100808
    How to use "fw ctl zdebug" command

    bla bla bla

    "See sk98799 for more information about in-depth kernel debugging."

  10. #10
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,028
    Rep Power
    14

    Default Re: fw ctl zdebug command question

    Quote Originally Posted by jflemingeds View Post
    Maybe it started out in an R&D bubble but it's for sure mainstream now.

    sk100808
    How to use "fw ctl zdebug" command

    bla bla bla

    "See sk98799 for more information about in-depth kernel debugging."
    I have been expressing my displeasure with the situation to Check Point for years.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
