[Check Point R81] How to investigate the cause of packet drops

Firewall (UTM)

Target environment

  • Check Point Gaia OS R81 Gateway

How to check the drop log

How can we investigate why a packet was dropped by a Check Point Gateway?

The first method that comes to mind is to connect to the management server with SmartConsole and check the logs on the [LOGS & MONITOR] page. However, this method does not show the exact reason the packet was dropped.

An alternative is to run the fw ctl zdebug + drop command on the target Gateway.

Running fw ctl zdebug + drop shows a detailed log of dropped packets, including the drop reason, in real time.

Using this command can affect service communication, so I recommend using it only for troubleshooting purposes.

How to use “fw ctl zdebug + drop”

fw ctl zdebug + drop must be run from expert mode in the CLI.

Simply log in to the CLI of the target Gateway, enter expert mode, and run the command.

When the command starts, it prints a number of initialization messages and then waits for a packet to be dropped.

When a packet is dropped, a log entry including the drop reason is displayed in real time.

The following is an example of running the command. You can see that the packet is dropped by Anti-Spoofing.

[Expert@CP81-GW:0]# fw ctl zdebug + drop
Defaulting all kernel debugging options
Debug state was reset to default.
PPAK 0: Get before set operation succeeded of simple_debug_filter_off
Initialized kernel debugging buffer to size 1023K
Updated kernel's debug variable for module fw
Debug flags updated.
Kernel debugging buffer size: 1023KB

<omit>

@;32463;[kern];[tid_0];[SIM-209412829];pkt_handle_no_match: packet dropped (spoofed address), conn: <8.8.8.8,0,192.168.179.2,9646,1>;
@;32463;[kern];[tid_0];[SIM-209412829];sim_pkt_send_drop_notification: (0,0) received drop, reason: Anti-Spoofing, conn: <8.8.8.8,0,192.168.179.2,9646,1>;
@;32463;[kern];[tid_0];[SIM-209412829];sim_pkt_send_drop_notification: sending packet dropped notification drop mode: 0 debug mode: 1 send as is: 0 track_lvl: -1, conn: <8.8.8.8,0,192.168.179.2,9646,1>;
@;32463;[kern];[tid_0];[SIM-209412829];sim_pkt_send_drop_notification: sending single drop notification, conn: <8.8.8.8,0,192.168.179.2,9646,1>;
@;32464;[kern];[tid_0];[SIM-209412829];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<8.8.8.8,0,192.168.179.2,9646,1>;
@;8188;[vs_0];[tid_0];[fw4_0];cphwd_notif_packet_dropped: recieved packet dropped notification, reason: Anti-Spoofing;
@;8188;[vs_0];[tid_0];[fw4_0];cphwd_notif_packet_dropped: notification holds a single drop;

Press Ctrl + C to end the process.
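Because the debug output is verbose and running it for long can affect traffic, it helps to capture a bounded sample and summarize it offline. The following is an added example, not part of the original article or of Check Point's tooling; it assumes the line format shown above and that GNU timeout is available in expert mode (check with "which timeout").

```shell
#!/bin/sh
# Added example, not from the original article: capture a bounded sample of
# "fw ctl zdebug + drop" output and summarise it by drop reason and connection.
# Assumes the line format shown in the article, e.g.
#   ...sim_pkt_send_drop_notification: (0,0) received drop, reason: Anti-Spoofing, conn: <8.8.8.8,0,192.168.179.2,9646,1>;
# and assumes GNU "timeout" exists in expert mode (assumption; check with: which timeout).

# Run the debug in expert mode for $1 seconds and save the raw output to $2.
capture_drops() {
    timeout "$1" fw ctl zdebug + drop > "$2" 2>&1
}

# One "received drop" line is emitted per dropped packet; the later
# cphwd_notif_packet_dropped line repeats the reason, so it is not counted.
# Output: "<count> <reason>", most frequent first.
count_by_reason() {
    grep 'received drop, reason:' "$1" \
        | sed -n 's/.*reason: \([^,;]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Most frequent drop reason in the file (empty if no drops were recorded).
top_reason() {
    count_by_reason "$1" | head -n 1 | sed 's/^ *[0-9]* //'
}

# Distinct connections dropped for reason $2, as src,sport,dst,dport,proto.
connections_for_reason() {
    grep "received drop, reason: $2, conn:" "$1" \
        | sed -n 's/.*conn: <\([^>]*\)>.*/\1/p' \
        | sort -u
}

# Constructed sample in the article's format (two Anti-Spoofing drops from two
# sources) so the parsing can be tried without a gateway; the second source
# address is made up. Replace with a file written by capture_drops.
write_sample() {
    cat > "$1" <<'EOF'
@;32463;[kern];[tid_0];[SIM-209412829];sim_pkt_send_drop_notification: (0,0) received drop, reason: Anti-Spoofing, conn: <8.8.8.8,0,192.168.179.2,9646,1>;
@;8188;[vs_0];[tid_0];[fw4_0];cphwd_notif_packet_dropped: recieved packet dropped notification, reason: Anti-Spoofing;
@;32470;[kern];[tid_0];[SIM-209412829];sim_pkt_send_drop_notification: (0,0) received drop, reason: Anti-Spoofing, conn: <8.8.4.4,0,192.168.179.2,9650,1>;
EOF
}
```

On a gateway, run capture_drops 30 /tmp/drops.txt and then count_by_reason /tmp/drops.txt; a reason such as Anti-Spoofing against a specific connection tuple points you at the interface topology or rule to check.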
