Troubleshooting guide

Chapter 2 Troubleshooting Tools Debugging with INSPECT
Advanced Technical Reference Guide 4.1 June 2000 19
Debugging with INSPECT
Important: Check Point will not support customer changes to the INSPECT code.
There are two main ways of using the INSPECT language to debug the Security policy:
1. Changing the log format in order to display additional information about packets going through the FireWall.
2. Inserting debug lines in the INSPECT code to show run-time information and to check where the code is entered.
Changing the log format
The two most important files needed to modify the log format are formats.def and fwui_head.def.
The log formats appear in formats.def in Short and Long formats, and contain information that is relevant
to the protocols and VPN-1/FireWall-1 features used in the rule. For instance, there is a separate long log
format for ICMP, and there are long log formats for other protocols.
In order to display additional information in an existing log format, add a line to the format following this
model:
<"information_label", information_type, information_value>,
Example: To add the packet length to the short format (it already exists in the long format).
The packet length is defined as ip_len in tcpip.def, where the definitions of the header fields in the IP, TCP,
UDP, ICMP, ... protocols can be found.
The original format is:
short = format {
<"proto", proto, ip_p>,
<"src", ipaddr, src>,
<"dst", ipaddr, dst>,
<"service", port, dport>
};
It must be modified to:
short = format {
<"proto", proto, ip_p>,
<"src", ipaddr, src>,
<"dst", ipaddr, dst>,
<"service", port, dport>,
<"length", int, ip_len> /* ---> added line <--- */
};
The new field will be added to the Info column in the Log Viewer (see “Appendix C: Log Viewer "info"
Messages,” page 189).
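The edit above changes two lines, not one: the previous last entry gains a separator comma. As an added example (not Check Point code and not part of the original guide), this Python helper makes the same change on a copy of the file text and refuses to touch a block that does not match the layout shown here; the name add_format_field and the one-entry-per-line layout are assumptions.

```python
import re

# Constructed sample: the "short" format exactly as shown on this page.
SAMPLE = '''short = format {
<"proto", proto, ip_p>,
<"src", ipaddr, src>,
<"dst", ipaddr, dst>,
<"service", port, dport>
};
'''

# One entry per line: <"label", type, value>, optional comma, optional comment.
ENTRY = re.compile(r'^(\s*<\s*"([^"]+)"\s*,\s*\w+\s*,\s*\w+\s*>)(,?)'
                   r'(\s*(?:/\*.*\*/)?\s*)$')


def add_format_field(text, fmt, label, ftype, value):
    """Return text with <"label", ftype, value> appended to format `fmt`.

    Assumes the layout shown on the page: `name = format {`, one entry
    per line, closing `};`. Raises ValueError on anything else, so a
    file with an unexpected layout is never rewritten.
    """
    lines = text.splitlines()
    head = re.compile(r'^\s*%s\s*=\s*format\s*\{\s*$' % re.escape(fmt))
    start = next((i for i, l in enumerate(lines) if head.match(l)), None)
    if start is None:
        raise ValueError("format %r not found" % fmt)
    entries = []  # (line index, regex match) for each entry in the block
    for i in range(start + 1, len(lines)):
        if lines[i].strip() == "};":
            break
        if lines[i].strip():
            m = ENTRY.match(lines[i])
            if not m:
                raise ValueError("line %d is not a format entry" % (i + 1))
            entries.append((i, m))
    else:
        raise ValueError("format %r is not closed with '};'" % fmt)
    if any(m.group(2) == label for _, m in entries):
        return text  # label already present: change nothing
    # Every entry but the last must end with a comma; the last must not.
    commas = [bool(m.group(3)) for _, m in entries]
    if commas != [True] * (len(entries) - 1) + [False]:
        raise ValueError("entries missing or commas inconsistent")
    last, m = entries[-1]
    lines[last] = m.group(1) + "," + m.group(4)  # add the separator comma
    lines.insert(last + 1, '<"%s", %s, %s>' % (label, ftype, value))
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")
```

Calling add_format_field(SAMPLE, "short", "length", "int", "ip_len") yields the modified block shown above, without the comment.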