Debugging FwPlatinum

Debugging Server Scripts

Check that all the server scripts work by running them on the Firewall Management Station in debug mode as the fwplat userid:

0 connections reported

If fwplatinum reports 0 connections (or anything else derived from the fw log), but everything appears to be up and working, try doing an 'fw logswitch'. I've found that this needs to be done at least once per 11,000,000 connections (or thereabouts). Of course, it doesn't hurt to do this even more frequently!

Can't locate in @INC

This error message indicates that you are running an old version of Perl that requires the C header files to be converted to Perl header files after Perl is installed. The best way to resolve this is to upgrade to the latest stable version of Perl. If that is not an option, find the h2ph program that came with your Perl distribution, ensure that it is in your PATH environment variable, and run it as follows:

cd /usr/include; h2ph * sys/*

perl: Can't find shared library ""

When installing perl onto a Nokia firewall (see Nokia Resolution 1783), you may run across the above error message. This is due to not being in /usr/lib as expected. To fix this, you need to set up the LD_LIBRARY_PATH environment variable -
Bourne Shell; export LD_LIBRARY_PATH

C Shell
Thanks to Sreedhar Gade for this fix.

CGI Script reports: "Error: Can't locate loadable object for module RRDs"

Assuming that /usr/local/rrdtool is a symlink pointing to your RRDtool installation, then this problem occurs when the ID the webserver runs as (usually 'nobody') doesn't have authority to read it. Try the following commands:
su		#Su to root
su nobody	#Su to the webserver ID (assuming it's nobody)
cd /usr
cd /usr/local
cd /usr/local/rrdtool
cd /usr/local/rrdtool/lib
cd /usr/local/rrdtool/lib/perl
cat /usr/local/rrdtool/lib/perl/
This will show you which directory or file needs its permissions relaxing. Directories need to be 0755, and 0644. They should all be owned by root.
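The same walk can be scripted. The following is an added example, not part of fwplatinum: it steps through the path one component at a time and prints the first one whose "other" permission bits would stop the webserver ID. The function name first_blocked and its optional START argument are hypothetical; it reads mode bits rather than attempting access, so it gives the same answer when run as root, and it does not check ownership.

```shell
#!/bin/sh
# Added example, not part of fwplatinum.
# Usage: first_blocked PATH [START]
#   PATH  - path to walk, e.g. /usr/local/rrdtool/lib/perl
#   START - optional prefix that is assumed to be fine (default: /)
# Prints the first blocking component and returns 1, or prints nothing
# and returns 0 when every component is passable by "other".
first_blocked() {
    fb_cur=${2:-}
    set -f                       # no globbing while splitting the path
    fb_ifs=$IFS; IFS=/
    set -- $1                    # one positional parameter per component
    IFS=$fb_ifs; set +f
    for fb_part in "$@"; do
        [ -n "$fb_part" ] || continue
        fb_cur="$fb_cur/$fb_part"
        # -L follows symlinks such as /usr/local/rrdtool; a missing
        # component gives an empty mode string and is reported as blocked.
        fb_mode=$(ls -ldL "$fb_cur" 2>/dev/null | cut -c1-10)
        case $fb_mode in
            d??????r?[xt]) ;;    # directory: other can read and search
            -??????r??)    ;;    # file: other can read
            *) printf '%s\n' "$fb_cur"; return 1 ;;
        esac
    done
    return 0
}

# When run as a script with an argument, check that path.
if [ $# -gt 0 ]; then
    first_blocked "$1" || exit 1
fi
```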

fwplat-serverd reports: " open failed: No such file or directory"

Add the following to the top of the fwplat-init script:

All the graphs work except for the connections table

Check that the fw tab command is working -
# $FWDIR/bin/fw tab -t connections -s Gateway
HOST                  NAME                               ID #VALS #PEAK #SLINKS
Gateway          connections                      8158 -1085049692   288 1085069369
If you see a negative #VALS value, as above, then it's a bug in FW-1.
Check Point's resolution for this problem is:

Upgrade both the SmartCenter (Management) Server and FireWall-1 enforcement modules to NG w/ Application Intelligence.

As for older NG versions, please contact Check Point Technical Assistance Center at +1 817-606-6600 for a Hotfix.

Please note that for this solution to work, all FireWall-1 entities, SmartCenter (Management) Server and FireWall-1 modules, should be running with the same Hotfix, or all should be running with FireWall-1 w/ NG Application Intelligence.

Steve Campbell <>, 21 May 2004