CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: How to output fw ctl zdebug + drop to a file ?

  1. #1 (Join Date 2007-04-02, Posts 22)

    How to output fw ctl zdebug + drop to a file?

    Hello all,

    I need your help to figure out why my fw ctl zdebug + drop command would not write output to the file.

    If I run fw ctl zdebug + drop > /var/log/tmp/fw_ctl_zdebug_drop.txt , it works and data is written to the output file.

    If I run fw ctl zdebug + drop | grep '10.10.64.161|10.10.55.169|10.10.56.169', the filtered output is displayed on the console.

    So next command is fw ctl zdebug + drop | grep '10.10.64.161|10.10.55.169|10.10.56.169' > /var/log/tmp/fw_ctl_zdebug_drop.txt, output file gets created, but no data is written to this file.

    I asked a few Linux experts and none of them could understand why it is happening. If somebody can help me here, I will appreciate it. Note I run the command as admin on a Check Point 4200 appliance which runs R77.30.

    Thank you!

  2. #2 (Join Date 2006-09-26, Posts 3,180)

    Re: How to output fw ctl zdebug + drop to a file?

    Quote Originally Posted by fkbr1
    I need your help to figure out why my fw ctl zdebug + drop command would not write output to the file. [...]
    There is a -o option that writes it to a file. I think you need to use that option.

    That being said, it is very dangerous to use "fw ctl zdebug" because you may crash the firewall. See this link from Checkpoint guru Valeri Loukine: http://checkpoint-master-architect.b...or-why-fw.html


  3. #3 (Join Date 2007-04-02, Posts 22)

    Re: How to output fw ctl zdebug + drop to a file?

    Quote Originally Posted by cciesec2006
    There is a -o option that writes it to a file. I think you need to use that option. [...]
    Thank you, though the -o option does not work for me. There is also no documentation available on how to use it.

    I am aware of Valeri Loukine's article. Though, the command seems to run just fine with output to the screen. Only output to file does not work. Mystery...

  4. #4 (Join Date 2012-07-19, Posts 101)

    Re: How to output fw ctl zdebug + drop to a file?

    Try ... | grep --line-buffered 'Expression' >/path/to/file; that should suppress multi-line buffering by grep (and may affect performance a bit). Seems to only happen with the Check Point GNU grep (and reportedly also on BSD and OSX).

  5. #5 (Join Date 2007-03-30, Location DFW, TX, Posts 292)

    Re: How to output fw ctl zdebug + drop to a file?

    Try this:
    Code:
    fw ctl zdebug -T drop | grep --line-buffered '10.10.64.161\|10.10.55.169\|10.10.56.169' | tee /var/log/tmp/fw_ctl_zdebug_drop.txt
    The 'tee' utility takes each input line and writes it both to the specified file and to STDOUT. This way, you can see the output live and record it to the file.

    The -T switch to 'fw ctl zdebug' causes it to print timestamps. Useful for correlating the data with endpoint logs or packet captures. I think it only works on R75 and newer, but might only be R77 and newer.

    As for Valeri's article, I very much disagree with him. If your firewall is so busy that zdebug is hazardous, you have much more serious problems. In years working for Check Point, I never once saw it cause an issue.
    Zimmie

  6. #6 (Join Date 2007-04-02, Posts 22)

    Re: How to output fw ctl zdebug + drop to a file?

    Quote Originally Posted by Jejerod
    Try ... | grep --line-buffered 'Expression' >/path/to/file; that should suppress multi-line buffering by grep (and may affect performance a bit). Seems to only happen with the Check Point GNU grep (and reportedly also on BSD and OSX).
    Dear Jejerod,

    Thank you so much, it works!!!

  7. #7 (Join Date 2007-04-02, Posts 22)

    Re: How to output fw ctl zdebug + drop to a file?

    Quote Originally Posted by Bob_Zimmerman
    Try this:
    Code:
    fw ctl zdebug -T drop | grep --line-buffered '10.10.64.161\|10.10.55.169\|10.10.56.169' | tee /var/log/tmp/fw_ctl_zdebug_drop.txt
    The 'tee' utility takes each input line and writes it both to the specified file and to STDOUT. [...]
    Dear Zimmie,

    Thank you so much, it works too!!! As you said, output goes to both console and file.

    How do you know such things!? I tried to get an answer from my local Check Point support company, which has 4-star Check Point partner certification, and to which we pay for support every year, and none of their "certified" engineers could help me. Is it just your work experience or do you have access to some "hidden" knowledge database? :)

  8. #8 (Join Date 2007-03-30, Location DFW, TX, Posts 292)

    Re: How to output fw ctl zdebug + drop to a file?

    My Check Point knowledge is from years of working in their call center (terrible work environment; always fill out post-ticket surveys and give top marks, because nobody deserves management that unsupportive). My UNIX knowledge comes from years of interacting with Solaris/Illumos, FreeBSD, OpenBSD, and macOS. My Linux knowledge comes from taking a UNIX concept and asking myself how a brain-damaged monkey would implement it. ;)

    More seriously, this stuff just takes time to learn. I recommend setting up a CentOS VM somewhere. CentOS is Redhat Enterprise Linux with all the trademarked stuff removed, so it’s free. SecurePlatform and GAiA are also based on Redhat. Once you have the VM up, check out the ‘man’ command. ‘man grep’ shows you the manual for the command ‘grep’. To see a lot of the commands which are available, look at the contents of /bin, /sbin, /usr/bin, and /usr/sbin. Check out the manual for each of them. You probably won’t care about most, but you’ll run across a lot of interesting ones like tee. The first page of the manual is generally enough to get an idea of what the command is meant to do.

    Check Point removed all the manpages from SecurePlatform and GAiA. Thus my recommendation of setting up a CentOS VM. There are a few commands I would recommend learning early: egrep, sed, awk, printf, and xargs. A little knowledge of each goes a really long way. You can do some amazing stuff with them.
    Zimmie

  9. #9 (Join Date 2007-04-02, Posts 22)

    Re: How to output fw ctl zdebug + drop to a file?

    Thank you Zimmie and All,

    I really appreciate your help.

    BTW, it was a typo in my messages. Correct expression for grep on GAIA is '10.10.64.161\|10.10.55.169\|10.10.56.169' (as per sk100808) and not '10.10.64.161|10.10.55.169|10.10.56.169'.
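The script below is an added example and not part of the thread; it reproduces, on any Linux box with GNU grep, the three points raised in posts #4, #5 and #9: grep's output buffering when its stdout is a file (and why --line-buffered fixes the empty-file symptom), the line-buffered grep into tee pattern for live plus recorded output, and the difference between a bare | in a basic regex and \| or grep -E. Since fw ctl zdebug is not available off a gateway, emit_drops() feeds constructed sample lines that only approximate the shape of R77.x drop-debug output; the function names and the two-second "idle" producer are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the thread). Sample lines are constructed and only
# approximate "fw ctl zdebug + drop" output; they are not real gateway output.

emit_drops() {
    cat <<'EOF'
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.64.161:52114 -> 10.10.200.5:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.168.3.7:53 -> 10.10.55.169:41002 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 172.16.9.20:3389 -> 172.16.9.21:49155 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=1 10.10.56.169 -> 10.10.1.1 dropped by fw_send_log_drop Reason: Rulebase drop - rule 40;
EOF
}

# Count sample lines matched by the given grep arguments. "|| true" keeps the
# count on stdout even though grep exits 1 when nothing matched.
count_matches() {
    emit_drops | grep -c "$@" || true
}

# Simulate a long-running debug: emit the sample lines, then hold the pipe
# open for two seconds without writing more (a quiet firewall). With plain
# grep the matches sit in grep's stdio buffer, so the file is still empty
# when you look; with --line-buffered each match is flushed as it is found.
# Prints how many lines the output file holds one second in.
lines_in_file_after_one_second() {
    mode="$1"    # "plain" or "linebuffered"
    out=$(mktemp)
    if [ "$mode" = linebuffered ]; then
        ( emit_drops; sleep 2 ) | grep --line-buffered '10\.10\.64\.161\|10\.10\.55\.169\|10\.10\.56\.169' > "$out" &
    else
        ( emit_drops; sleep 2 ) | grep '10\.10\.64\.161\|10\.10\.55\.169\|10\.10\.56\.169' > "$out" &
    fi
    job=$!
    sleep 1
    n=$(wc -l < "$out" | tr -d ' ')
    wait "$job"
    rm -f "$out"
    echo "$n"
}

# The pattern from post #5: line-buffered grep feeding tee, so every match
# reaches the console and the file as it happens.
filter_live_and_to_file() {
    out="$1"
    emit_drops | grep --line-buffered -E '10\.10\.64\.161|10\.10\.55\.169|10\.10\.56\.169' | tee "$out"
}

main() {
    echo "BRE with bare |  : $(count_matches '10.10.64.161|10.10.55.169|10.10.56.169') matches"
    echo "BRE with \\|      : $(count_matches '10.10.64.161\|10.10.55.169\|10.10.56.169') matches"
    echo "ERE (grep -E)    : $(count_matches -E '10\.10\.64\.161|10\.10\.55\.169|10\.10\.56\.169') matches"
    echo "plain grep, 1s in         : $(lines_in_file_after_one_second plain) lines in file"
    echo "line-buffered grep, 1s in : $(lines_in_file_after_one_second linebuffered) lines in file"
    f=$(mktemp)
    echo "--- live output via tee ---"
    filter_live_and_to_file "$f"
    echo "--- file holds $(wc -l < "$f" | tr -d ' ') lines ---"
    rm -f "$f"
}

if [ "${1:-}" = "--demo" ]; then
    main
fi
```

Run it with `bash script.sh --demo`. The bare-| pattern matches zero lines because in a basic regex the pipe is a literal character, which is the typo post #9 corrects; \| (GNU extension) and grep -E both match three. The buffering demo is the whole mystery of the thread: on a gateway that drops a packet only now and then, plain grep writing to a file can sit on its matches for minutes, and killing the pipeline with Ctrl-C discards them, so the file is created but stays empty. Escaping the dots is cosmetic here but keeps 10.10.64.161 from also matching 10.10.64.1619.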

  10. #10 (Join Date 2006-03-08, Location Lausanne, Posts 1,030)

    Re: How to output fw ctl zdebug + drop to a file?

    Quote Originally Posted by fkbr1
    I need your help to figure out why my fw ctl zdebug + drop command would not write output to the file. [...]
    As mentioned here already, you can redirect output to a text file. That is pretty much it. If you need a proper capture file that would be compatible with Wireshark and tcpdump, use the fw ctl debug set of commands instead.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
