tag:blogger.com,1999:blog-7755136273253085483.post6583033668096190453..comments2024-03-21T15:44:25.378+01:00Comments on CCMA's blog: R80.10 debug documents are now publicValeri Loukinehttp://www.blogger.com/profile/11915389342131738939noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-7755136273253085483.post-37057772665965979342017-08-16T08:55:06.724+02:002017-08-16T08:55:06.724+02:00Hi Viktor,
I am surprised by the answer. If you d...Hi Viktor,<br /><br />I am surprised by the answer. If you debug a new connection with flags "vm" and "conn", AND under condition secureXL is not matching a template, you will see messages like" <br /><br />[cpu_3];[fw4_0];fw_handle_first_packet: match on rule XX; <br /><br />where XX is the absolute rule position on the GW. It is not a direct equivalent of rule number in the policy but is still pretty close.<br /><br />More, if you look in the connection table, rule number is also listed for the connection entry. <br /><br />So you do not really have to run kernel debug at all, just look in the connection table.<br /><br />However, kernel debug in R80.10 requires module UP with several flags to see which rule is finally matched. Look into my posts from June if you need more details. <br /><br />Anyhow, connection table ALWAYS has the absolute rule number as part of the connection entry.Valeri Loukinehttps://www.blogger.com/profile/11915389342131738939noreply@blogger.comtag:blogger.com,1999:blog-7755136273253085483.post-18419829289155434942017-08-15T23:21:42.299+02:002017-08-15T23:21:42.299+02:00Валера, а не мог бы ты, как эксперт по дебагу, под...Валера, а не мог бы ты, как эксперт по дебагу, подсказать команду? А то я спросил у checkpoint специалиста который курирует нашу компанию а он не знает. Команда нужна такая: КАК ПОСМОТРЕТЬ КАКОЕ ПРАВИЛО РАЗРЕШАЕТ ТРАФИК ЕСЛИ ЛОГИ ОТКЛЮЧИНЫ?<br />Специалист предложил то, с чем я уже успел поиграться: fw ctl debug -fw conn. Но из вывода этой команы нельзя понять какое правило таки разрешило трафик. Вся надежда на тебя!Viktorhttps://www.blogger.com/profile/17833139866723771681noreply@blogger.com