In this article, I will solve the first topic of CCSM certification: Troubleshoot security problems.
Those questions are available in CCSM Study Guide.
What command you would use for a packet capture on an absolute position for TCP streaming (out)
As seen in sk30583, you can use
fw monitor -po <position> or
fw monitor -pO <position>.
fw monitor -po -0x1ffffe0 or
fw monitor -pO -0x1ffffe0
Source: sk30583 - What is FW Monitor?
What type of information the command
fw monitor -p all displays?
fw monitor -p all is used to capture a network packet in all positions of Check Point kernel chains
Capture everything between hosts X,Z and hosts Y,Z on all Check Point kernel chains:
[Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap
Source: sk30583 - What is FW Monitor?
What command lists the firewall kernel modules on a Security Gateway?
fw ctl debug -m will show a large output with all modules available in the installed version, and, the most importantly, all debugging options available per module
Also, to see all currently enabled options per module use
fw ctl debug command. To see all enabled options for a particular module only, use
fw ctl -m <module dame> command.
Here's a printscreen of an example:
So, the basic command is:
fw ctl debug -m <module> all. It will raise all debugging options for the module in question.
What flag option(s) you would use to dump the complete table in a user-friendly format, assuming the
connections in the table are more than 100?
fw tab can help us, as in sk65133:
The usage of
fw tab is:
-f is explained above.
-u is for unlimited numbers. You can use
-m to set the maximum values.
So, the right answer to this question is:
fw tab -t connections -f -u
The command functions of
fw ctl kdebug <params> ?
There are three common commands to start debugging:
fw ctl debug
fw ctl zdebug
fw ctl kdebug
fw ctl debug, will generate debug messages to a buffer. Reference
fw ctl kdebug will read the buffer that you enabled with
fw ctl debug. If there is no debug buffer, the command will fail. Reference
fw ctl zdebug, will enable the debug mode and print it. The buffer will be auto-allocated with 1024.
Reference - sk100808 - How to use " fw ctl zdebug" command
Reference - Troubleshooting and Debugging Tools for Faster Resolution - Page 2
So, the command
fw ctl kdebug <params> will read the kernel debug buffer and print them.
Further reading: Check Point Kernel Debugging, In-Depth
Which command to use to generate a detailed status of your Threat Emulation quota in a specific
tecli s c q shows the quota for ThreatCloud emulation
tecli show cloud quota shows data about ThreatCloud monthly emulation quota
tecli show cloud quota or
tecli s c q will show the same output answering the question.
The fastest way to troubleshoot silent drops, i.e. don’t see any drops in the logs?
As seen in sk100808, you can use the
fw ctl zdebug + <flags> and the most common flag is
drop. In this command, we have a small buffer, so you can debug with
debug to set a bigger buffer. It is mentioned in past question The command functions of fw ctl kdebug
So, the full command to see the silent drops that you can't see in logs is:
fw ctl zdebug drop
This command is also "greppable" so you can search for a string using grep like
fw ctl zdebug + drop | grep "10.10.10.10" if you want to see only silent drops for the IP 10.10.10.10.
If you want to see the drops within IPv6, you use the
fw6 ctl zdebug drop | grep 2001:0db8::0001
What behavior results from enabling the “Match for any” setting on more than one service with the
same destination port?
In this article, Dreezman have done the full lab with this situation. You can check it by yourself.
The results are:
- If there are conflicting ports in a rule, the first one found will be used. So if you have huge groups of services make sure there are not any conflicts OR make sure you know which one will be hit first.
- The “Match For Any” flag is used to put a services into the “Any” group. Note that the bigger this “Any” group is, the slower the rulebase will be so use it judiciously. If there are conflicts in the “Any” group, then the INSPECT enabled service seems to be favored (but I can’t verify that).
- Services like H323 are weird because (IMHO) CP’s implementation is flawed (see my previous blog). So if you create new generic services make sure you call them out explicitly in the rule and don’t rely upon the “Any” rule to catch packets that drop from your rule because you will hit the INSPECT H323 rule and not the Generic rule.
Here we have a video of this lab! :)
The issue that would cause connections to be dropped “because the connections table is full” on a firewall under VSX mode when the connections table is big enough?
In sk39555 - Capacity Optimization and Connections Table, they say in the last paragraph of the image below:
It is not recommended to change this setting to a high value for VSs that are not planned to process a large amount of connections in the near future, because a high value of "Maximum concurrent connections" consumes memory, even if no entries are recorded in the connections table.
So, the main cause is that the "Maximum concurrent connections" is badly tuned.
Which gateway directory first receives the new policy files when pushing policy to a security
Which debug produces the following output and to which file?
The host is not allowed to connect to the Security Management Server(SMS), so this error occurs.
To start the debug execute the following commands:
[Expert@Hostname]# fw debug fwm on TDERROR_DBG_OPT=time,host,prog,topic,pid,tid [Expert@Hostname]# fw debug fwm on TDERROR_ALL_ALL=5 [Expert@Hostname]# fw debug fwm on OPSEC_DEBUG_LEVEL=3
After this, the debug will be in
Which process you should suspect when a Policy installation fails with the following error message:
Failed to load Policy on Module? Especially when you find that –
- You are able to push policy successfully to other gateways from the same management.
- That the policy installation files are not getting updated to the gateway.
In [sk84700 - Methodology for debugging "Load on Module Failed" error](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk84700&partition=Advanced&product=Security#Additional debug), is explained how to troubleshoot this error.
The process to troubleshoot is the CPD, because its responsible for installing and fetching the policy:
Source 0: [sk84700 - Methodology for debugging "Load on Module Failed" error](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk84700&partition=Advanced&product=Security#Additional debug)
Source 1: sk86320 - How to debug CPD daemon
Source 2: sk97638 - Check Point Processes and Daemons
The MOST LIKELY root cause when Policy installation to a gateway fails with the following error
What dropped by net indicates in the following output?
Which blade do you investigate when you see high CPU caused by the pdpd process?
pdpd is the Policy Decision Point daemon, used by Identity Awareness
To start a debug, just use
pdp debug <parameter> <option>
That's all for today!
Thank you so much for reading!
See you in the second topic! :)