Troubleshooting guide
Chapter 2 Troubleshooting Tools More Information
Advanced Technical Reference Guide 4.1 • June 2000 20
Using the debug command
The debug command makes it possible to see which part of the code is entered, and when.
Insert a debug command at the end of the condition that you want to test. In the following example, we want to
see when the test for an ftp connection succeeds, and to know the source of the packet (ip_src is defined in
tcpip.def).
eitherbound all@ariel
    accept start_rule_code(1),
           (tcp, ftp),
           RECORD_CONN(1),
           LOG(short, LOG_NOALERT, 1),
           debug ip_src;   /* this is the line we inserted to get the debug */
eitherbound all@ariel
    accept start_rule_code(2),
           (tcp, http),
           RECORD_CONN(2),
           LOG(short, LOG_NOALERT, 2);
eitherbound all@ariel
    accept start_rule_code(3),
           (tcp, telnet),
           RECORD_CONN(3),
           LOG(short, LOG_NOALERT, 3);
eitherbound all@ariel
    accept start_rule_code(4),
           (icmp, icmp-proto),
           RECORD_CONN(4),
           LOG(short, LOG_NOALERT, 4);
eitherbound all@ariel
    accept start_rule_code(5),
           RECORD_CONN(5);
...
The debug command can also be inserted in other INSPECT files, specifically the .def files, mainly base.def,
which holds the packet inspection definitions for the different protocols.
Another format exists for debug. Several values can be printed with one command:
debug <number1,number2,number3,...>;
Only numbers can be displayed, because that is the only type known to INSPECT. They are printed in
hexadecimal form.
The modified policy has to be loaded before the debug statements take effect:
fw load <policy_file>
Then run fw ctl debug -buf to redirect the output of the debug command to a buffer, and
fw ctl kdebug -f [> <filename>] to send the buffer contents to standard output or redirect them to
a file.
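Because INSPECT prints every debug value as a bare hexadecimal number, the captured output of fw ctl kdebug has to be decoded before it is readable: an ip_src value comes out as eight hex digits, not as a dotted address. The script below is an added example, not part of the Check Point guide, that maps the hex numbers on each captured line back to the field names you passed to debug <a,b,c>; it assumes one debug statement per output line with the values separated by spaces or commas, and the sample lines are constructed for the example. Field names beginning with ip_ are rendered as IPv4 dotted-quads, everything else as integers.

```python
import re
import socket
from typing import Dict, List, Union

# Constructed sample of decoded debug output (not real fw ctl kdebug output).
# Line 1 corresponds to the rule above that prints only ip_src; lines 2 and 3
# correspond to a hypothetical "debug ip_src,ip_dst,dport;" statement.
SAMPLE_OUTPUT = """\
0a000005
c0a80001 0a000005 0015
c0a80002, 0a000005, 0017
"""

HEX_TOKEN = re.compile(r"^(?:0x)?[0-9A-Fa-f]+$")


def hex_to_ipv4(value: int) -> str:
    """Render a 32-bit integer such as ip_src as a dotted-quad address."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value:#x} does not fit in 32 bits")
    return socket.inet_ntoa(value.to_bytes(4, "big"))


def parse_debug_line(line: str, fields: List[str]) -> Dict[str, Union[int, str]]:
    """Map the hex numbers on one output line to the names given to `debug <a,b,c>`.

    Every token on the line must be a hex number; anything else is rejected so
    that a stray log line is not silently decoded as an address.
    """
    tokens = [t for t in re.split(r"[\s,]+", line.strip()) if t]
    if len(tokens) != len(fields):
        raise ValueError(f"expected {len(fields)} values, got {len(tokens)}: {line!r}")
    decoded: Dict[str, Union[int, str]] = {}
    for name, tok in zip(fields, tokens):
        if not HEX_TOKEN.match(tok):
            raise ValueError(f"not a hex value: {tok!r}")
        num = int(tok, 16)
        decoded[name] = hex_to_ipv4(num) if name.startswith("ip_") else num
    return decoded


def parse_debug_output(text: str, fields: List[str]) -> List[Dict[str, Union[int, str]]]:
    """Decode every non-empty line of a captured buffer with the same field layout."""
    return [parse_debug_line(ln, fields) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    lines = SAMPLE_OUTPUT.splitlines()
    print(parse_debug_line(lines[0], ["ip_src"]))
    for rec in parse_debug_output("\n".join(lines[1:]), ["ip_src", "ip_dst", "dport"]):
        print(rec)
```

Run it against a file saved with fw ctl kdebug -f > <filename> by reading the file into parse_debug_output with the field list matching your debug statement; if the real output interleaves other kernel messages, filter those lines out first, since the parser deliberately refuses anything that is not a hex number.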
More Information
For more information on INSPECT and VPN-1/FireWall-1 Control (fw ctl) commands, see the
VPN-1/FireWall-1 4.1 and 4.1 SP1 (Check Point 2000) Reference Guides.