SecureXL Debug Flags - SIM (R77.30) Table of Contents

Transcription

1 SecureXL Debug s - SIM (R77.30) Table of Contents Usage... 1 Example... 1 for 'fw ctl debug' and 'sim dbg '... 2 for 'fw ctl kdebug'... 2 SecureXL debugging options for Packet (default) module:... 2 SecureXL debugging options for Database module: db... 3 SecureXL debugging options for Driver module: drv... 3 SecureXL debugging options for Manager module: mgr... 3 SecureXL debugging options for Connections Queue module: cqueue... 4 SecureXL debugging options for Drop Templates module: dtmpl... 4 SecureXL debugging options for IP module: ip... 4 SecureXL debugging options for Utilization module: util... 4 SecureXL debugging options for Error module:... 4 SecureXL debugging options for Hash Table module: htab... 4 SecureXL debugging options for VPN module: vpn... 5 SecureXL debugging options for Ranges module: ranges... 5 SecureXL debugging options for Denial of Service Defender module: dos... 5 SecureXL debugging options for Identities Infrastructure module: infra... 5 SecureXL debugging options for Network Access Control (NAC) module: nac... 5 SecureXL debugging options for SAM card (ADP) module: adp... 6 Usage # sim dbg -h : sim dbg [-m MODULE] [resetall reset list all mask +/- <flags>] Example # fw ctl debug 0 // Setting kernel debug default options # fw ctl debug -buf // Setting kernel debug buffer # sim dbg all // enables flags only for module PKT # sim dbg -m mgr all // Manager debug # sim dbg -m db all // Database debug # sim dbg -m all // Packet debug # sim dbg -m drv all // Driver debug # sim dbg -m dos all // Denial of Service Defender debug # sim dbg -m vpn all // VPN debug # sim dbg -m htab all // Hash Table debug # sim dbg -m ranges all // Ranges debug # sim dbg -m ip all // IP debug # sim dbg -m cqueue all // Connections Queue debug # sim dbg -m dtmpl all // Drop Templates debug # sim dbg -m util all // Utilization debug # sim dbg -m all // Error debug # sim dbg -m nac all // Id. Aw. Network Access Control debug # sim dbg -m infra all // Identities Infrastructure debug # sim dbg -m adp all // SAM card (ADP) debug # fw ctl kdebug -T -f > /var/log/kernel_debug.ctl // output file Sergei Shir (Intl TAC) SecureXL Debug flags - SIM (R77.30) 29 Sep :37:00 page 1 of 6

2 for 'fw ctl debug' and 'sim dbg ' # fw ctl debug 0 // defaults (clears) all kernel debugging options # fw ctl debug -x // disables all kernel debugging options : // de-allocates the buffer & automatically kills fw ctl debug process # fw ctl debug -buf <size> // allocates the buffer (MAX value in NGX is 32MB) # sim dbg -m // displays ALL modules and their flags that machine understands # sim dbg list // displays the ALL flags THAT WERE TURNED ON # sim dbg -m MODULE + <flags> // sets the given debug flags for MODULE # sim dbg -m MODULE - <flags> // unsets the given debug flags for MODULE # sim dbg -m MODULE all // sets all debug flags for MODULE # sim dbg -m MODULE reset // resets all debug flags for MODULE # sim dbg resetall // resets all debug flags for all modules # sim dbg -f Source_IP,Source_Port,Dest_IP,Dest_Port,Proto // sets debugging filter - // only the specified connection will be printed in the debug output # sim dbg -f reset // resets the debugging filter for 'fw ctl kdebug' # fw ctl kdebug -t / -T // in NGX only - prints the timestamp (t = seconds ; T = microseconds) - helps synchronize packets in debug with packets in FW Monitor SecureXL debugging options for Packet (default) module: Displays information about the packets If you want to activate the debug flags for this module, you need to run: sim dbg -m + flag acct cpls drop f2f frag nat nat64 notif pxl qxl routing seqvalid spoof tcpstate tcpstate temporary connection accounting information + NetFlow on Gaia OS ClusterXL Load Sharing logging of packets dropped by SecureXL reason for forwarding a packet to the FireWall fragment handling NAT issues NAT issues - 6in4 tunnels (IPv6 over IPv4) and 4in6 tunnels (IPv4 over IPv6) notification sending to the firewall packet handling PXL [PacketXL] handling - API between the SecureXL device and PSL [Packet Streaming Layer] (TCP Streaming engine that parses the TCP stream) QoS acceleration (sk98229) routing handling TCP window scale option handling Anti-Spoofing enforcement TCP state handling TCP packet information temporary connection Sergei Shir (Intl TAC) SecureXL Debug flags - SIM (R77.30) 29 Sep :37:00 page 2 of 6

3 SecureXL debugging options for Database module: db Displays management of tables If you want to activate the debug flags for this module, you need to run: sim dbg -m db + flag ant del del_ profile save tmo tmpl anticipated connections deleting data from the database failures when deleting data from the database database related or retrieving data from the database (connections table, template table, etc) ializing / finalizing the Performance Pack database (connections table, template table, etc) operations on profile table saving data to the database (connections table, template table, etc) database entries timeout handling template database handling SecureXL debugging options for Driver module: drv If you want to activate the debug flags for this module, you need to run: sim dbg -m drv + flag cpdrv deliver drv fini hlqos lock routing tag vlan idle flag packet delivery driver information finalizing the driver Heavy Load Quality of Service (under heavy load, SIM drops packets, instead of forwarding them to firewall) ializing the driver lock ializing and finalizing packet handling routing information packet tag handling VLAN tag handling SecureXL debugging options for Manager module: mgr Displays API calls to the device ( mirror of the API module in FWAcell) If you want to activate the debug flags for this module, you need to run: sim dbg -m mgr + flag acct add conf del _state gtp nac notif notif_ pxl qxl seqvalid stat tmpl update vpn connections table, template table connection adding (applies also to partial / anticipated connections) configuration of the device (for example: interfaces) connection / template deletion connection state adding/updating/deleting of GTP tunnel ializing / finalizing the acceleration Identity Awareness Network Access Control operations - SIM ialization failure notification handling currently is not used SIM ialization failure on a Virtual System QoS connection update ; SIM ialization failure on a Virtual System sequence validation statistics handling templates handling connection updates VPN handling Sergei Shir (Intl TAC) SecureXL Debug flags - SIM (R77.30) 29 Sep :37:00 page 3 of 6

4 SecureXL debugging options for Connections Queue module: cqueue If you want to activate the debug flags for this module, you need to run: sim dbg -m cqueue + flag add flush adding elements to the call queue flushing the call queue ializing the call queue SecureXL debugging options for Drop Templates module: dtmpl If you want to activate the debug flags for this module, you need to run: sim dbg -m dtmpl + flag notif ting of Drop Template notification about Drop Template SecureXL debugging options for IP module: ip If you want to activate the debug flags for this module, you need to run: sim dbg -m ip + flag or regarding IP protocol SecureXL debugging options for Utilization module: util If you want to activate the debug flags for this module, you need to run: sim dbg -m util + flag gen simulator utilities debug SecureXL debugging options for Error module: If you want to activate the debug flags for this module, you need to run: sim dbg -m + flag general ors SecureXL debugging options for Hash Table module: htab If you want to activate the debug flags for this module, you need to run: sim dbg -m htab + flag create del destroy expire set table creation entries deletion from tables table destruction entries expiration ting entries from tables setting entries in tables Sergei Shir (Intl TAC) SecureXL Debug flags - SIM (R77.30) 29 Sep :37:00 page 4 of 6

5 SecureXL debugging options for VPN module: vpn If you want to activate the debug flags for this module, you need to run: sim dbg -m vpn + flag linksel routing vpn vpn VPN Link Selection VPN Encryption routing information VPN handling VPN packet handling SecureXL debugging options for Ranges module: ranges If you want to activate the debug flags for this module, you need to run: sim dbg -m ranges + flag create print sort creation of ranges list N/A ializing the ranges printing of ranges list sorting of ranges list SecureXL debugging options for Denial of Service Defender module: dos If you want to activate the debug flags for this module, you need to run: sim dbg -m dos + flag conn log connection handling ialization log messages packet handling SecureXL debugging options for Identities Infrastructure module: infra If you want to activate the debug flags for this module, you need to run: sim dbg -m infra + flag ids allocating IDs for a given range SecureXL debugging options for Network Access Control (NAC) module: nac Displays Identity Awareness Network Access Control operations If you want to make sure that the firewall accepted the flags, you need to run : sim dbg -m nac + flag db db ex updating, adding, deleting of identities updating, fetching, searching of identities forwarding of connection to FireWall (when identity is not found or revoked, or NAC packettagging verification failed) NAC packet-tagging verification Sergei Shir (Intl TAC) SecureXL Debug flags - SIM (R77.30) 29 Sep :37:00 page 5 of 6

6 SecureXL debugging options for SAM card (ADP) module: adp If you want to activate the debug flags for this module, you need to run: sim dbg -m adp + flag accounting cxl offload route state stop template additional information about the state of a connection and SAM card's slots related to ClusterXL general ors configuration failure offload of connections and templates currently is not used information about the state of a connection stopping of SAM card handling of SecureXL Accept Templates Sergei Shir (Intl TAC) SecureXL Debug flags - SIM (R77.30) 29 Sep :37:00 page 6 of 6