Debugging the Security Servers

In FireWall-1 4.1 and earlier, debugging the Security Servers required setting environment variables and restarting the fwd process. In FireWall-1 NG, you can enable debugging without restarting any processes. When a debug variable is set, FireWall-1 writes the information it generates to files in $FWDIR/log. Each Security Server has its own file with a .elg extension (e.g., the HTTP Security Server writes ahttpd.elg, the FTP Security Server writes ftpd.elg, and so on).

To enable debugging for the HTTP Security Server, issue the following command from your firewall module:

# fw debug on in.ahttpd FWAHTTPD_LEVEL=3

To disable debugging, issue the following command from your firewall module:

# fw debug off in.ahttpd FWAHTTPD_LEVEL=3

To enable debugging for the other Security Servers, use similar syntax. Table 9.3 shows the variables to set for the Security Servers. You can assign the variables values of 1 through 3. The larger the number, the more verbose the debugging information.

Table 9.3. Debug variables for the Security Servers

Variable             Description
-------------------  ---------------------------------------------------------------------------------
FWAHTTPD_LEVEL       Debug information from the HTTP Security Server (in.ahttpd)
FWAFTPD_LEVEL        Debug information from the FTP Security Server (in.aftpd)
FWACLIENTD_LEVEL     Debug information from the Client Authentication daemon over Telnet (in.aclientd)
FWAHCLIENTD_LEVEL    Debug information from the Client Authentication daemon over HTTP (in.ahclientd)
FWASMTPD_LEVEL       Debug information from the SMTP Security Server receiving process (in.asmtpd)
FWMDQ_LEVEL          Debug information from the SMTP Security Server mail dequeuer process (mdq)
FWARLOGIND_LEVEL     Debug information from the rlogin Security Server (in.arlogind)
FWATELNETD_LEVEL     Debug information from the Telnet Security Server (in.atelnetd)
FWGENERICD_LEVEL     Debug information from the TCP Security Server (in.genericd)

The fw debug command sets only one environment variable per invocation, so it cannot enable debugging for several Security Servers at once. If you need to debug multiple Security Servers, set the environment variables manually on the command line and restart fwd so that it inherits them. The following example on a UNIX-based firewall using a Bourne-type shell shows how to enable debugging for the HTTP Security Server and the SMTP mdq process.

# fw kill fwd
# FWAHTTPD_LEVEL=3; export FWAHTTPD_LEVEL
# FWMDQ_LEVEL=3; export FWMDQ_LEVEL
# fwd

To do this on a Windows-based firewall, use the following commands.

> fw kill fwd
> SET FWAHTTPD_LEVEL=3
> SET FWMDQ_LEVEL=3
> fwd
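Both procedures above (the single-server fw debug form and the multi-server restart form) are easy to get wrong by mistyping a variable name or passing a level outside 1 through 3, and the only feedback is a silent .elg file. The following Bourne-shell wrapper is an added example, not code from the book or from Check Point: it encodes Table 9.3 so that the daemon name and level are validated before anything is sent to fw, builds the exact command lines shown in this section for either shell flavour, and tells you which file under $FWDIR/log to read afterwards. The function names, the FW_BIN override (which lets you substitute echo for a dry run), and the default FWDIR path are assumptions; only ahttpd.elg and ftpd.elg are named in the section, so the other daemons' log file names are not guessed.

```shell
#!/bin/sh
# Added example: a validating wrapper around the FireWall-1 NG debug commands
# described in this section. Not part of the book or of the product.
# FW_BIN is an assumption: it defaults to the real "fw" binary on the module,
# and can be set to "echo" to preview the commands without running them.
: "${FW_BIN:=fw}"
# Constructed default; on a real module FWDIR is already in the environment.
: "${FWDIR:=/opt/CPfw1-50}"

# Map a Security Server daemon to its debug variable (Table 9.3).
debug_var() {
    case "$1" in
        in.ahttpd)    echo FWAHTTPD_LEVEL ;;
        in.aftpd)     echo FWAFTPD_LEVEL ;;
        in.aclientd)  echo FWACLIENTD_LEVEL ;;
        in.ahclientd) echo FWAHCLIENTD_LEVEL ;;
        in.asmtpd)    echo FWASMTPD_LEVEL ;;
        mdq)          echo FWMDQ_LEVEL ;;
        in.arlogind)  echo FWARLOGIND_LEVEL ;;
        in.atelnetd)  echo FWATELNETD_LEVEL ;;
        in.genericd)  echo FWGENERICD_LEVEL ;;
        *) echo "unknown Security Server: $1" >&2; return 1 ;;
    esac
}

# The section allows verbosity levels 1 through 3 only.
check_level() {
    case "$1" in
        1|2|3) return 0 ;;
        *) echo "level must be 1, 2 or 3 (got '$1')" >&2; return 1 ;;
    esac
}

# Where the output lands. Only the HTTP and FTP file names are given in the
# section; for any other daemon, point at the log directory instead of guessing.
elg_file() {
    case "$1" in
        in.ahttpd) echo "$FWDIR/log/ahttpd.elg" ;;
        in.aftpd)  echo "$FWDIR/log/ftpd.elg" ;;
        *)         echo "$FWDIR/log/" ;;
    esac
}

# Build "fw debug on|off <daemon> VAR=level" for one Security Server.
fw_debug_cmd() {   # usage: fw_debug_cmd on|off <daemon> <level>
    [ "$1" = on ] || [ "$1" = off ] || { echo "mode must be on or off" >&2; return 1; }
    check_level "$3" || return 1
    var=$(debug_var "$2") || return 1
    echo "$FW_BIN debug $1 $2 $var=$3"
}

# Run the single-server form (no fwd restart needed in NG) and print the
# file to watch. Remember to call it again with "off" when finished: level 3
# is verbose and the .elg file grows quickly.
debug_one() {   # usage: debug_one on|off <daemon> <level>
    cmd=$(fw_debug_cmd "$@") || return 1
    $cmd || return 1
    elg_file "$2"
}

# Multi-server form: fw debug takes one variable per call, so the section
# restarts fwd with all variables in its environment. Emits the command
# sequence for a Bourne-type shell ("sh") or the Windows prompt ("cmd").
multi_debug_script() {   # usage: multi_debug_script sh|cmd daemon=level ...
    flavour=$1; shift
    out="$FW_BIN kill fwd"
    for pair in "$@"; do
        daemon=${pair%%=*}
        level=${pair#*=}
        check_level "$level" || return 1
        var=$(debug_var "$daemon") || return 1
        case "$flavour" in
            sh)  line="$var=$level; export $var" ;;
            cmd) line="SET $var=$level" ;;
            *)   echo "flavour must be sh or cmd" >&2; return 1 ;;
        esac
        out="$out
$line"
    done
    printf '%s\nfwd\n' "$out"
}
```

Typical use on the module is `debug_one on in.ahttpd 3`, followed by `debug_one off in.ahttpd 3` once the trace is collected; `FW_BIN=echo multi_debug_script sh in.ahttpd=3 mdq=3` prints the same four lines the section shows for the UNIX case so you can review them before pasting them into a root shell.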