Troubleshooting guide
Chapter 2 Troubleshooting Tools VPN-1/FireWall-1 Control Commands
Advanced Technical Reference Guide 4.1 • June 2000 8
VPN-1/FireWall-1 Control Commands
fw ctl
fw ctl commands send control information to the VPN/FireWall Kernel module.
The syntax and explanation are based on the VPN-1/FireWall-1 Administration Guide (version 4.0) or the
VPN-1/FireWall-1 Reference Guide (version 4.1 and Check Point 2000).
This section focuses on understanding the displayed VPN-1/FireWall-1 internal statistics and the debug
options of the fw ctl commands.
Syntax
fw ctl [ip_forwarding option] | iflist | pstat | install | uninstall | arp
Explanation
The commands are:
Command
    Meaning

ip_forwarding option
    Option is one of the following:
    always
        IP forwarding is active if and only if VPN-1/FireWall-1 is active, regardless of machine
        settings.
    never
        IP forwarding depends on machine settings in /dev/ip, regardless of whether the FireWall
        is running or not.
    default
        IP forwarding is active if the machine settings specify so, or if VPN-1/FireWall-1 is active.

pstat
    Prints detailed information about the hash kernel memory in use (controlled by the parameter
    fwhmem) and the system kernel memory in use, including peak values of both. See fw ctl pstat,
    on page 9.

iflist
    Prints the interface list as seen by the FireWall, for example:
        0:lo0
        1:en0
        2:en1

install
    Installs the kernel module.

uninstall
    Uninstalls the kernel module.

arp
    Displays the ARP proxy table, which maps IP addresses to MAC addresses and uses the
    local.arp file.

debug
    A powerful VPN-1/FireWall-1 debugging tool. With its many commands it is possible to see
    nearly everything that happens in the kernel module. See fw ctl debug on page 10.
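
The three ip_forwarding options above, worked through as an added example (not part of the original guide): the shell functions below model each option as the table describes it and list the combinations in which the machine forwards packets while VPN-1/FireWall-1 is not active. The function names and the 0/1 inputs are assumptions made for the illustration; nothing is read from a live system.

```shell
#!/bin/sh
# Added example: models the ip_forwarding options from the table above.
# All inputs are constructed values, not read from a running gateway:
#   $1 option      always | never | default
#   $2 fw_active   1 if VPN-1/FireWall-1 is active, else 0
#   $3 os_forward  1 if the machine's own setting enables IP forwarding, else 0

# Print 1 if the machine forwards IP packets, 0 if it does not.
forwarding_state() {
    case "$1" in
        always)  echo "$2" ;;   # follows the firewall only
        never)   echo "$3" ;;   # follows the machine setting only
        default) if [ "$2" -eq 1 ] || [ "$3" -eq 1 ]; then echo 1; else echo 0; fi ;;
        *)       echo "unknown option: $1" >&2; return 2 ;;
    esac
}

# Print 1 if the machine forwards while the firewall is not active.
forwards_without_firewall() {
    state=$(forwarding_state "$1" "$2" "$3") || return 2
    if [ "$state" -eq 1 ] && [ "$2" -eq 0 ]; then echo 1; else echo 0; fi
}

# Walk all twelve combinations and print those that forward with the
# firewall not active.
exposed_combinations() {
    for opt in always never default; do
        for fw in 0 1; do
            for os in 0 1; do
                if [ "$(forwards_without_firewall "$opt" "$fw" "$os")" -eq 1 ]; then
                    echo "$opt fw_active=$fw os_forward=$os"
                fi
            done
        done
    done
}

exposed_combinations
```

Only always ties forwarding to the firewall being active; under never and default the machine's own setting keeps forwarding on when the firewall is not active.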