CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: fw ctl zdebug command is a bad practice

  1. #1
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    fw ctl zdebug command is a bad practice

    Hello all, after seeing way too many mentions of zdebug on this forum, I have decided to make an effort in explaining why it should not be used at all.

    Please feel free to read and comment by the link:
    http://checkpoint-master-architect.b...or-why-fw.html
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  2. #2
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Re: fw ctl zdebug command is a bad practice

    Quote Originally Posted by varera:
    Hello all, after seeing way too many mentions of zdebug on this forum, I have decided to make an effort in explaining why it should not be used at all.

    Please feel free to read and comment by the link:
    http://checkpoint-master-architect.b...or-why-fw.html

    Very well written. I especially like this part: "And guess what, this is also the simplest way to bring your busy production FW cluster down. So no, do not try this at home or at your place of work, if job security is important for you."

  3. #3
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    321
    Rep Power
    13

    Re: fw ctl zdebug command is a bad practice

    Quote Originally Posted by varera:
    Hello all, after seeing way too many mentions of zdebug on this forum, I have decided to make an effort in explaining why it should not be used at all.

    Please feel free to read and comment by the link:
    http://checkpoint-master-architect.b...or-why-fw.html

    I disagree. For low-volume debugs (particularly 'drop' on any firewall I've seen in years), I contend zdebug is fine. On point 1, I typically prefer a small buffer for low-volume debugs because it's lower-impact. On point 2, sure, for debugs involving more than one flag (and really, most debugs other than 'drop'), full kdebug syntax is the way to go.

    On point 3, maybe I misunderstand this one. It sounds like you're saying the tool shouldn't exist because it lets people run debugs without full knowledge of what they're doing. If so, that's elitist, and I strenuously disagree. It is good to give less experienced people simple tools which can produce usable results. "You shouldn't be messing with this until you know as much as I do."? I reject that stance unconditionally. There is perhaps an argument to be made that the tool should be limited (for example, restricted to a handful of debug flags, and only one at a time). I see no valid argument that there should not be a simple way to run simple debugs, though.

    Finally, if your firewall is at risk of tipping over from a zdebug drop (far and away the most common use of zdebug), how would you run a drop debug with full kdebug syntax? INSPECT filtering won't help that much.
    Zimmie

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,658
    Rep Power
    10

    Re: fw ctl zdebug command is a bad practice

    Quote Originally Posted by Bob_Zimmerman:
    I disagree. For low-volume debugs (particularly 'drop' on any firewall I've seen in years), I contend zdebug is fine. On point 1, I typically prefer a small buffer for low-volume debugs because it's lower-impact. On point 2, sure, for debugs involving more than one flag (and really, most debugs other than 'drop'), full kdebug syntax is the way to go.

    On point 3, maybe I misunderstand this one. It sounds like you're saying the tool shouldn't exist because it lets people run debugs without full knowledge of what they're doing. If so, that's elitist, and I strenuously disagree. It is good to give less experienced people simple tools which can produce usable results. "You shouldn't be messing with this until you know as much as I do."? I reject that stance unconditionally. There is perhaps an argument to be made that the tool should be limited (for example, restricted to a handful of debug flags, and only one at a time). I see no valid argument that there should not be a simple way to run simple debugs, though.

    Finally, if your firewall is at risk of tipping over from a zdebug drop (far and away the most common use of zdebug), how would you run a drop debug with full kdebug syntax? INSPECT filtering won't help that much.

    I agree, I'd much rather explain to someone how to do a zdebug and not worry about them messing up flags or resetting them.

  5. #5
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Re: fw ctl zdebug command is a bad practice

    Quote Originally Posted by Bob_Zimmerman:
    I disagree. For low-volume debugs (particularly 'drop' on any firewall I've seen in years), I contend zdebug is fine. On point 1, I typically prefer a small buffer for low-volume debugs because it's lower-impact.

    It seems you misunderstand what the debug buffer size is. It does not control the volume of the output from the kernel. It only gives you a memory space where that output is written to. Once the buffer is full and not cleaned by a read operation in time, further messages will be lost. You actually get an "X debug messages lost" error as part of your debug. The smaller the buffer is, the higher the chance of missing your issue completely.


    On point 2, sure, for debugs involving more than one flag (and really, most debugs other than 'drop'), full kdebug syntax is the way to go.

    No problem here. Yet, one has to understand the kernel structure and actual syntax before debugging. With zdebug, however, this is not required, as the tool is too user friendly.

    On point 3, maybe I misunderstand this one. It sounds like you're saying the tool shouldn't exist because it lets people run debugs without full knowledge of what they're doing. If so, that's elitist, and I strenuously disagree. It is good to give less experienced people simple tools which can produce usable results. "You shouldn't be messing with this until you know as much as I do."? I reject that stance unconditionally. There is perhaps an argument to be made that the tool should be limited (for example, restricted to a handful of debug flags, and only one at a time). I see no valid argument that there should not be a simple way to run simple debugs, though.

    People tend to use kernel debug for all the wrong reasons. The simpler it gets to use, the greater the risk. It is an open-heart-surgery type of operation, hence certain requirements for people to understand the procedure. Yes, by all means, you should not mess around till you understand what you are doing and can justify your actions. Most people don't.


    Finally, if your firewall is at risk of tipping over from a zdebug drop (far and away the most common use of zdebug), how would you run a drop debug with full kdebug syntax? INSPECT filtering won't help that much.

    Why should you jump right away to drop debug? That should be your last resort, reserved for situations when other options are depleted. That would be the case if zdebug did not exist. Yet today, instead of reviewing logs, it is just too easy to run debugs. And lots of things are disregarded, such as acceleration, performance, etc.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
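    The buffer behaviour described in this post, as an added example that is not from the thread or from Check Point: a small Python model of a fixed-size kernel debug buffer that a reader drains periodically, counting the messages that arrive while it is full. The burst pattern, drain interval and buffer sizes are constructed sample values, not measurements of a real gateway.

```python
from collections import deque

# Constructed burst pattern: debug messages the kernel emits per tick.
# Quiet traffic with one short spike, the kind a 'drop' debug produces
# when a burst of unwanted traffic hits the gateway (sample data only).
SAMPLE_BURSTS = [5, 5, 5, 120, 150, 90, 5, 5, 5, 5]


def simulate_debug_buffer(buffer_size, bursts, drain_every=2):
    """Model the kernel debug buffer as a fixed-size queue.

    The kernel appends one entry per debug message; the reader process
    empties the buffer every `drain_every` ticks. Messages that arrive
    while the buffer is full are dropped, which is what the gateway
    reports as "X debug messages lost". Note that the buffer size never
    changes how many messages the kernel produces, only how many survive
    between two reads. Returns (messages_delivered, messages_lost).
    """
    buf = deque()
    delivered = lost = 0
    for tick, count in enumerate(bursts, start=1):
        for _ in range(count):
            if len(buf) < buffer_size:
                buf.append(tick)
            else:
                lost += 1
        if tick % drain_every == 0:
            delivered += len(buf)
            buf.clear()
    delivered += len(buf)  # final read when the debug is stopped
    return delivered, lost


def loss_by_buffer_size(sizes, bursts=SAMPLE_BURSTS):
    """Map each candidate buffer size to the number of messages lost."""
    return {size: simulate_debug_buffer(size, bursts)[1] for size in sizes}


if __name__ == "__main__":
    # Same kernel output every time; only the buffer size varies.
    for size, lost in loss_by_buffer_size([16, 64, 256, 1024]).items():
        print(f"buffer={size:5d}  lost={lost}")
```

    With the constructed spike, the 16- and 64-entry buffers lose most of the burst, while a buffer large enough to hold everything emitted between two reads loses nothing.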

  6. #6
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Re: fw ctl zdebug command is a bad practice

    Quote Originally Posted by jflemingeds:
    I agree, I'd much rather explain to someone how to do a zdebug and not worry about them messing up flags or resetting them.

    Right. Why teach someone gun safety rules, ballistics, and target practice? Just load his gun and teach him how to get the safety off. What can go wrong?
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  7. #7
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Re: fw ctl zdebug command is a bad practice

    Of course you are objecting, guys, as you are way too comfortable with the tool. That is the danger: being comfortable.

    Now, here is the bummer: you should never be at ease with kernel debug in the first place. It is just too tempting to rush and debug instead of going to the logs and reviewing the config, right? That should not be the way.

    Kernel debug is something that should be performed in a limited set of scenarios and must be reserved for, and allowed to, experts and CP support engineers only.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  8. #8
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,658
    Rep Power
    10

    Re: fw ctl zdebug command is a bad practice

    It's not the size of the buffer that counts, it's how you use it, Don Quixote.

  9. #9
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Re: fw ctl zdebug command is a bad practice

    Quote Originally Posted by jflemingeds:
    It's not the size of the buffer that counts, it's how you use it, Don Quixote.

    LOL, hilarious, but I am afraid wrong in this context.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
