Thursday, May 27, 2010

How to check drop log in command line / cli in Checkpoint firewall?

Do you know how to troubleshoot connection issues the easy way? Instead of looking into SmartView Tracker for the reason of a connection drop, just enter the shell. Then issue fw ctl zdebug drop and you'll see the dropped packet in realtime with the reason for the drop. This is an undocumented command, which is actually a shortcut for a couple of debugging commands. A developer from Check Point was to tired of typing the needed debug lines again and again and so he introduced the zdebug command. His first name began with the letter Z, so this is why the command is zdebug.
The output is very nice, shows the reason for the drop and can easily be filtered with the grep command for IP addresses:
fw_log_drop: Packet proto=17 -> dropped by fw_antispoof_log Reason: Address spoofing
fw_log_drop: Packet proto=17 -> dropped by fw_handle_first_packet Reason: Rulebase drop - rule 243
fw_log_drop: Packet proto=1 -> dropped by fw_icmp_stateless_checks Reason: ICMP redirect packets are not allowed
fw_log_drop: Packet proto=6 -> dropped by fw_first_packet_state_checks Reason: First packet isn't SYN
Since this is realtime debug output, you need to have live traffic through the firewall to see if a packet is dropped. When you try to investigate the reason for a drop of an older connection, you have to go the SmartView Tracker.

No comments: