Check Point Firewall Troubleshooting and Debugging Commands – Complete Guide

Introduction

Check Point firewalls provide powerful troubleshooting and debugging tools to diagnose connectivity issues, policy problems, and performance bottlenecks. This guide covers essential commands including tcpdump, fw monitor, zdebug, and other critical troubleshooting tools that every Check Point administrator should master.

Understanding these tools helps identify where packets are being dropped, verify NAT translations, debug VPN connections, and troubleshoot application-level issues efficiently.

Basic Firewall Status and Information Commands

Check Firewall Status

cpwd_admin list
  

Displays all Check Point processes and their status.

fw stat
  

Shows firewall module status and installed policy information.

fw ver
  

Displays Check Point version, build number, and installed features.

View Installed Policy

fw stat -l
  

Shows detailed policy installation information including policy name and installation time.

Check Interface Status

ifconfig -a
ip addr show
  

Displays all network interfaces and their IP addresses.

Check Routing Table

netstat -rn
ip route show
  

fw monitor - Packet Capture at Firewall Inspection Points

fw monitor is Check Point's native packet capture tool that shows packets at different inspection points in the firewall kernel. It captures packets at four inspection points: pre-inbound (i), post-inbound (I), pre-outbound (o), and post-outbound (O).

Basic fw monitor Syntax

fw monitor -e "accept host(192.168.1.10);"
  

Captures all traffic to/from host 192.168.1.10

Common fw monitor Examples

Capture Traffic for Specific Host

fw monitor -e "accept host(10.1.1.100);"
  

Capture Traffic Between Two Hosts

fw monitor -e "accept (src=192.168.1.10 and dst=10.0.0.5);"
  

Capture Specific Port Traffic

fw monitor -e "accept (port(443) or port(80));"
  

Capture Traffic for Specific Subnet

fw monitor -e "accept net(192.168.10.0,255.255.255.0);"
  

Capture and Save to File

fw monitor -e "accept host(192.168.1.10);" -o /var/log/capture.cap
  

Capture with Packet Length Limit

fw monitor -e "accept host(192.168.1.10);" -l 1500
  

Captures the full packet (default is 68 bytes); -l sets the capture length, -m selects inspection points

Capture on Specific Interface

fw monitor -e "accept host(192.168.1.10) and ifid=0;"
  

Filters on the interface index (ifid) taken from fw ctl iflist; fw monitor has no -i interface option

Complex Filter Example

fw monitor -e "accept net(192.168.1.0,255.255.255.0) and dst=10.0.0.5 and (port(443) or port(80));"
  

Understanding fw monitor Output

A forwarded packet appears four times in fw monitor output, once per inspection point:

  • [i] - Pre-inbound: Packet arrives at the interface before any processing
  • [I] - Post-inbound: Packet after inbound processing (NAT, decryption)
  • [o] - Pre-outbound: Packet before outbound processing
  • [O] - Post-outbound: Packet after outbound processing (NAT, encryption)

If a packet is missing at a certain inspection point, that shows where the packet was dropped.
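To make the inspection-point check concrete, here is a small Python script added to this guide (it is not Check Point code) that reads saved fw monitor text output, groups each IP packet by its source, destination, protocol and IP ID, and reports the last inspection point at which it appeared and which points it never reached. The sample lines are constructed for the example; the header-line layout and the hint wording for each point are assumptions based on the four points described above.

```python
import re
from collections import defaultdict

# One fw monitor header line (layout assumed from the tool's text output), e.g.
#   eth0:i[44]: 192.168.1.10 -> 10.0.0.5 (TCP) len=44 id=1001
# Newer releases prefix each line with [vs_0][fw_0]; re.search tolerates that.
HEADER = re.compile(
    r"(?P<iface>[\w.-]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+)"
)

POINTS = "iIoO"  # order in which a forwarded packet passes the four inspection points

# Hint for the last point a packet was seen at (assumed mapping, following the list above)
HINTS = {
    "i": "dropped by inbound inspection (policy, anti-spoofing, out of state)",
    "I": "accepted inbound but never queued outbound (routing, or delivered locally)",
    "o": "dropped by outbound inspection (outbound policy, NAT/VPN on the way out)",
    "O": "forwarded: left the gateway",
}

def parse_fw_monitor(text):
    """Map (src, dst, proto, ip_id) -> {point: interface} for every header line.
    Protocol detail lines such as 'TCP: 51234 -> 443 ...' do not match and are skipped."""
    seen = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            key = (m["src"], m["dst"], m["proto"], m["id"])
            seen[key][m["point"]] = m["iface"]
    return dict(seen)

def classify(seen):
    """For each packet: the points it passed, the last one reached, the ones missing, and a hint."""
    report = {}
    for key, points in seen.items():
        last = max(points, key=POINTS.index)
        report[key] = {
            "path": "".join(p for p in POINTS if p in points),
            "last_seen": last,
            "missing": [p for p in POINTS if p not in points],
            "hint": HINTS[last],
        }
    return report

def analyze(text):
    return classify(parse_fw_monitor(text))

# Constructed sample output: a forwarded HTTPS SYN, a telnet SYN that dies at [i],
# and a ping to the gateway's own address that is consumed after [I].
SAMPLE = """\
eth0:i[44]: 192.168.1.10 -> 10.0.0.5 (TCP) len=44 id=1001
TCP: 51234 -> 443 .S.... seq=1a2b3c4d ack=00000000
eth0:I[44]: 192.168.1.10 -> 10.0.0.5 (TCP) len=44 id=1001
eth1:o[44]: 192.168.1.10 -> 10.0.0.5 (TCP) len=44 id=1001
eth1:O[44]: 192.168.1.10 -> 10.0.0.5 (TCP) len=44 id=1001
eth0:i[44]: 192.168.1.10 -> 10.0.0.9 (TCP) len=44 id=1002
TCP: 51235 -> 23 .S.... seq=5e6f7a8b ack=00000000
eth0:i[84]: 192.168.1.10 -> 192.168.1.1 (ICMP) len=84 id=1003
eth0:I[84]: 192.168.1.10 -> 192.168.1.1 (ICMP) len=84 id=1003
"""

if __name__ == "__main__":
    for (src, dst, proto, ip_id), r in analyze(SAMPLE).items():
        print(f"{src} -> {dst} {proto} id={ip_id}: path={r['path']} ({r['hint']})")
```

Run it against a capture saved with fw monitor's -o option converted to text, or against pasted console output; grouping on the IP ID is what lets the script match the same datagram across the [i], [I], [o] and [O] lines.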

Stop fw monitor

CTRL + C
  

or kill the process:

ps aux | grep fw
kill -9 <pid>
  

tcpdump - Standard Packet Capture Tool

tcpdump is the standard Linux packet capture tool available on Check Point Gaia OS. Unlike fw monitor, it captures raw packets without showing firewall inspection points.

Basic tcpdump Syntax

tcpdump -i any host 192.168.1.10
  

Common tcpdump Examples

Capture on All Interfaces

tcpdump -i any
  

Capture on Specific Interface

tcpdump -i eth0
  

Capture Specific Host

tcpdump -i any host 192.168.1.10
  

Capture Specific Port

tcpdump -i any port 443
  

Capture Source or Destination

tcpdump -i any src 192.168.1.10
tcpdump -i any dst 10.0.0.5
  

Capture Between Two Hosts

tcpdump -i any host 192.168.1.10 and host 10.0.0.5
  

Capture Specific Protocol

tcpdump -i any icmp
tcpdump -i any tcp
tcpdump -i any udp
  

Save to PCAP File

tcpdump -i any -w /var/log/capture.pcap host 192.168.1.10
  

Read from PCAP File

tcpdump -r /var/log/capture.pcap
  

Capture with Verbose Output

tcpdump -i any -vvv host 192.168.1.10
  

Display ASCII and Hex Output

tcpdump -i any -A host 192.168.1.10
tcpdump -i any -XX host 192.168.1.10
  

Capture with Timestamp

tcpdump -i any -tttt host 192.168.1.10
  

Limit Number of Packets

tcpdump -i any -c 100 host 192.168.1.10
  

Captures only 100 packets then stops

Complex Filter Example

tcpdump -i any 'src 192.168.1.0/24 and dst port 443 and tcp[tcpflags] & tcp-syn != 0'
  

Captures TCP SYN packets from 192.168.1.0/24 to port 443

Useful tcpdump Options

  • -i - Specify interface
  • -n - Don't resolve hostnames
  • -nn - Don't resolve hostnames or port names
  • -w - Write to file
  • -r - Read from file
  • -c - Capture count limit
  • -s - Snapshot length (packet size)
  • -v/-vv/-vvv - Verbose levels
  • -A - ASCII output
  • -XX - Hex and ASCII output

zdebug - Advanced Debugging Tool

zdebug is Check Point's powerful debugging tool that provides real-time troubleshooting for various Check Point components including VPN, NAT, routing, and more.

Basic zdebug Commands

Drop Debugging (Most Common)

fw ctl zdebug + drop
  

Shows all dropped packets with detailed drop reasons

Stop zdebug

fw ctl zdebug -
  

Common zdebug Flags

NAT Debugging

fw ctl zdebug + nat
  

Shows NAT translations in real-time

VPN Debugging

fw ctl zdebug + vpn
  

Chain Module Debugging

fw ctl zdebug + chain
  

Connection Tracking

fw ctl zdebug + conn
  

Filter Debugging

fw ctl zdebug + filter
  

Multiple Flags Combined

fw ctl zdebug + drop nat vpn
  

zdebug with Packet Filtering

zdebug does not take fw monitor filter expressions; narrow its output to one host by piping it through grep:

fw ctl zdebug + drop | grep 192.168.1.10
  

Common Drop Reasons

Understanding drop reasons helps identify policy or configuration issues:

  • Rule 0 (Implicit Drop) - No matching rule in policy
  • Anti-Spoofing - Source IP doesn't match expected interface
  • Unhandled protocol - Protocol not allowed in policy
  • Out of state - Packet doesn't match existing connection
  • TCP flags - Invalid TCP flag combination
  • Fragment drop - Fragmented packet issue
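The same triage can be done offline on saved zdebug output. The Python script below is an added example, not part of this guide's original content or of Check Point's tooling: it parses fw_log_drop_ex lines from "fw ctl zdebug + drop" output, maps each Reason text onto the categories listed above by keyword, and counts drops per category and per host (the per-host filter does what the grep pipeline earlier in this section does). The sample lines are constructed, and the line layout is an assumption based on the fw_log_drop_ex message format.

```python
import re
from collections import Counter

# One drop line from "fw ctl zdebug + drop" (layout assumed), e.g.
#   ;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 192.168.1.10:51234 -> 10.0.0.5:443
#       dropped by fw_handle_first_packet Reason: Rulebase drop - rule 0;
# Ports are optional so that ICMP (proto=1) lines also match.
DROP = re.compile(
    r"fw_log_drop(?:_ex)?: Packet proto=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))? "
    r"dropped by (?P<func>\S+)(?: \([^)]*\))? Reason: (?P<reason>[^;]+)"
)

# Keyword -> category, checked in order (first match wins), following the list above.
# "out of state" is tested before "flag" because out-of-state reasons also mention tcp_flags.
CATEGORIES = [
    ("spoof", "Anti-Spoofing"),
    ("rulebase", "Rule 0 / policy drop"),
    ("out of state", "Out of state"),
    ("fragment", "Fragment drop"),
    ("flag", "TCP flags"),
    ("protocol", "Unhandled protocol"),
]

def categorize(reason):
    text = reason.lower()
    for needle, category in CATEGORIES:
        if needle in text:
            return category
    return "Other"

def parse_drops(text):
    """Return one dict per drop line; lines that are not drop messages are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["reason"] = d["reason"].strip()
        d["category"] = categorize(d["reason"])
        drops.append(d)
    return drops

def summarize(drops):
    """Count drops per category, the quickest way to see whether policy or anti-spoofing dominates."""
    return Counter(d["category"] for d in drops)

def drops_for_host(drops, ip):
    """Equivalent of 'fw ctl zdebug + drop | grep <ip>', but restricted to the address fields."""
    return [d for d in drops if ip in (d["src"], d["dst"])]

# Constructed sample: two implicit-rule drops (one TCP, one ICMP), one anti-spoofing drop,
# one out-of-state drop, and an unrelated debug line that must be ignored.
SAMPLE = """\
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 192.168.1.10:51234 -> 10.0.0.5:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 0;
;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 172.16.5.5:44000 -> 10.0.0.5:443 dropped by fw_antispoof_log_drop Reason: Address spoofing;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 192.168.1.20:40000 -> 10.0.0.5:443 dropped by fwconn_key_init_links (INBOUND) Reason: TCP packet out of state: First packet isn't SYN tcp_flags: RST-ACK;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.1.10 -> 10.0.0.9 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 0;
;[cpu_0];[fw4_0];some unrelated debug line that the parser must skip;
"""

if __name__ == "__main__":
    drops = parse_drops(SAMPLE)
    for category, count in summarize(drops).most_common():
        print(f"{count:4d}  {category}")
    for d in drops_for_host(drops, "192.168.1.10"):
        print(f"{d['src']} -> {d['dst']} proto={d['proto']}: {d['reason']} [{d['func']}]")
```

Redirect zdebug output to a file for a few seconds while reproducing the problem (it is verbose and costs CPU), then run this script on the file rather than grepping the live stream.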

fw ctl - Firewall Control Commands

Connection Table

fw tab -t connections -s
  

Shows active connections table statistics

fw tab -t connections -f
  

Displays all active connections

NAT Table

fw tab -t fwx_alloc -f
  

Shows the NAT translation table (the kernel table is named fwx_alloc, not nat)

Kernel Debug Buffer

fw ctl debug -buf 32000
  

Sets kernel debug buffer size (in bytes)

Clear Connections

fw tab -t connections -x
  

Warning: Clears all connection table entries. Use with caution in production.

Chain Modules

fw ctl chain
  

Displays firewall inspection chain modules and their order

Interface Statistics

fw ctl pstat
  

Shows packet statistics per interface

cpstat - Check Point Statistics

cpstat provides real-time statistics for various Check Point components.

Firewall Statistics

cpstat fw -f policy
  

VPN Statistics

cpstat vpn
  

IPS Statistics

cpstat ips
  

Multi-Queue Status

cpmq get
  

OS Statistics

cpstat os -f all
  

Continuous Monitoring

cpstat fw -f policy -o 5
  

Refreshes the statistics at the polling interval given by -o, here every 5 seconds (similar to top command)

VPN Troubleshooting Commands

VPN Tunnel Status

vpn tu
  

Shows all VPN tunnels and their status

IKE Debug

vpn debug on TDERROR_ALL_ALL=5
  

Enables detailed IKE debugging

Stop IKE Debug

vpn debug off
  

View IKE Debug Output

vpn debug trunc
  

Shows and clears IKE debug buffer

IPsec Debug

fw ctl zdebug + vpn | grep -i 192.168.1.10
  

VPN Shell

vpn shell
  

Interactive VPN troubleshooting shell

Show SA (Security Associations)

vpn tu tlist
  

Lists all IPsec security associations

Log File Locations and Monitoring

Important Log Files

/var/log/messages           # System logs
/var/log/fw.log             # Firewall logs (binary)
$FWDIR/log/fw.log           # Firewall logs
$CPDIR/log/cpwd.log         # Check Point daemon logs
$FWDIR/log/ike.elg          # IKE logs
  

Monitor Logs in Real-Time

tail -f /var/log/messages
  

View Firewall Logs

fw log -f
  

Follows firewall log in real-time (text format)

Search Logs

grep -i "192.168.1.10" /var/log/messages
  

Performance Monitoring Commands

CPU Usage

top
  

or Check Point specific:

cpstat os -f cpu
  

Memory Usage

free -m
cpstat os -f memory
  

Disk Usage

df -h
  

Network Statistics

netstat -i
cpstat os -f ifconfig
  

Core XL Status

cpview
  

Interactive system monitoring tool

fw ctl multik stat
  

Shows CoreXL firewall worker instances and their load

Policy Installation and Verification

Install Policy

fwm load <policy-name> <target-gateway>
  

Verify Policy Installation

fw stat
fw stat -l
  

Display Policy Rules

fw ctl get policy
  

Check Last Policy Push

cpstat fw -f policy
  

Anti-Spoofing Troubleshooting

Check Anti-Spoofing Configuration

fw ctl get int fw_antispoofing_enabled
  

Shows whether anti-spoofing enforcement is enabled in the kernel (1 = enabled)

Temporarily Disable Anti-Spoofing (Testing Only)

fw ctl set int fw_antispoofing_enabled 0
  

Warning: Only for testing. Re-enable after troubleshooting.

Common Troubleshooting Scenarios

Scenario 1: Connection Drops/Blocked

# Step 1: Check if packets reach firewall
fw monitor -e "accept host(192.168.1.10);"

# Step 2: Check for drops
fw ctl zdebug + drop | grep 192.168.1.10

# Step 3: Check policy
fw stat

# Step 4: Check logs
fw log -f | grep 192.168.1.10
  

Scenario 2: NAT Not Working

# Check NAT table
fw tab -t fwx_alloc -f | grep 192.168.1.10

# Debug NAT
fw ctl zdebug + nat | grep 192.168.1.10

# Verify with fw monitor
fw monitor -e "accept host(192.168.1.10);"
  

Scenario 3: VPN Tunnel Down

# Check tunnel status
vpn tu

# Enable IKE debug
vpn debug on TDERROR_ALL_ALL=5

# Monitor in real-time
vpn debug trunc

# Check IPsec
fw ctl zdebug + vpn
  

Scenario 4: Slow Performance

# Check CPU and memory
top
cpstat os -f all

# Check CoreXL distribution
fw ctl multik stat

# Check connection table
fw tab -t connections -s

# Monitor with cpview
cpview
  

Best Practices

  • Always use packet filters with fw monitor and tcpdump to avoid overwhelming output
  • Save captures to files for offline analysis with Wireshark
  • Use zdebug carefully in production - excessive debugging impacts performance
  • Always stop debug commands after troubleshooting (fw ctl zdebug -)
  • Combine multiple tools for comprehensive troubleshooting
  • Document timestamps and conditions when issues occur
  • Keep debug output and captures organized with descriptive filenames
  • Use fw monitor to see firewall inspection points, tcpdump for raw packet analysis
  • Monitor logs in real-time during troubleshooting sessions
  • Check both SmartConsole logs and CLI output for complete picture

Quick Reference Command Summary

# Basic Status
cpwd_admin list              # Process status
fw stat                      # Firewall status
fw ver                       # Version information

# Packet Capture
fw monitor -e "accept host(X.X.X.X);"
tcpdump -i any host X.X.X.X -w capture.pcap

# Debugging
fw ctl zdebug + drop         # Drop debugging
fw ctl zdebug + nat          # NAT debugging
fw ctl zdebug -              # Stop debugging

# Connection Tables
fw tab -t connections -s     # Connection stats
fw tab -t fwx_alloc -f       # NAT table

# VPN
vpn tu                       # VPN tunnels
vpn debug on TDERROR_ALL_ALL=5

# Logs
fw log -f                    # Follow firewall log
tail -f /var/log/messages    # System log

# Performance
cpview                       # System monitoring
fw ctl multik stat           # CoreXL status
  

Conclusion

Mastering Check Point troubleshooting commands is essential for effective firewall administration. The combination of fw monitor, tcpdump, zdebug, and other diagnostic tools provides complete visibility into packet flow, policy enforcement, and system behavior. Regular practice with these commands in lab environments builds confidence for production troubleshooting scenarios.

Always approach troubleshooting systematically: verify connectivity, check policy, examine logs, and use packet captures to understand exactly where and why traffic is failing. With these tools and techniques, you can quickly identify and resolve most Check Point firewall issues.