Debugging the Security Servers

In FireWall-1 4.1 and earlier, in order to debug the Security Servers, you were required to set environment variables and restart the fwd process. In FireWall-1 NG, you can now perform debugging without restarting any processes. When these variables are set, FireWall-1 logs the information generated into the various files in $FWDIR/log. Each Security Server has its own file with a .elg extension (e.g., the HTTP Security Server has ahttpd.elg, the FTP Security Server has ftpd.elg, and so on).

To enable debugging for the HTTP Security Server, issue the following command from your firewall module:

# fw debug on in.ahttpd FWAHTTPD_LEVEL=3

To disable debugging, issue the following command from your firewall module:

# fw debug off in.ahttpd FWAHTTPD_LEVEL=3

To enable debugging for the other Security Servers, use similar syntax. Table 9.3 shows the variables to set for the Security Servers. You can assign the variables values of 1 through 3. The larger the number, the more verbose the debugging information.

Table 9.3. Debug variables for the Security Servers
Variable	Description
`FWAHTTPD_LEVEL`	Debug information from the HTTP Security Server (`in.ahttpd`)
`FWAFTPD_LEVEL`	Debug information from the FTP Security Server (`in.aftpd`)
`FWACLIENTD_LEVEL`	Debug information from the Client Authentication daemon over Telnet (`in.aclientd`)
`FWAHCLIENTD_LEVEL`	Debug information from the Client Authentication daemon over HTTP (`in.ahclientd`)
`FWASMTPD_LEVEL`	Debug information from the SMTP Security Server receiving process (`in.asmtpd`)
`FWMDQ_LEVEL`	Debug information from the SMTP Security Server mail dequeuer process (`mdq`)
`FWARLOGIND_LEVEL`	Debug information from the rlogin Security Server (`in.arlogind`)
`FWATELNETD_LEVEL`	Debug information from the Telnet Security Server (`in.atelnetd`)
`FWGENERICD_LEVEL`	Debug information from the TCP Security Server (`in.genericd`)

This method permits setting only one environment variable at a time, which means multiple Security Servers cannot be debugged. If you need to debug multiple Security Servers, you need to manually set the environment variables on the command line. The following example on a UNIX-based firewall using a Bourne-type shell shows you how to enable debugging for the HTTP Security Server and the SMTP mdq process.

# fw kill fwd
# FWAHTTPD_LEVEL=3; export FWAHTTPD_LEVEL
# FWMDQ_LEVEL=3; export FWMDQ_LEVEL
# fwd

To do this on a Windows-based firewall, use the following commands.

> fw kill fwd
> SET FWAHTTPD_LEVEL=3
> SET FWMDQ_LEVEL=3
> fwd

Frequently Asked Questions

Preface

Chapter 1. Introduction to Firewalls

Chapter 2. Planning Your FireWall-1 Installation

Chapter 3. Installing FireWall-1

Chapter 4. Building Your Rulebase

Chapter 5. Logging and Alerting

Chapter 6. Common Issues

Chapter 7. Remote Management

Chapter 8. User Authentication

Chapter 9. Content Security

The Security Servers

The HTTP Security Server

The FTP Security Server

The SMTP Security Server

The TCP Security Server

General Questions about the Security Servers

Debugging the Security Servers

Summary

Sample Configurations

Chapter 10. Network Address Translation

Chapter 11. Site-to-Site VPN

Chapter 12. SecuRemote and SecureClient

Chapter 13. High Availability

Chapter 14. INSPECT

Appendix A. Securing Your Bastion Host

Appendix B. Sample Acceptable Usage Policy

Appendix C. 'firewall-1.conf' File for Use with OpenLDAP v1

Appendix D. 'firewall-1.schema' File for Use with OpenLDAP v2

Appendix E. Performance Tuning

Appendix F. Sample 'defaultfilter.pf' File

Appendix G. Other Resources

Appendix H. Further Reading

Debugging the Security Servers

Table 9.3. Debug variables for the Security Servers