Debugging FwPlatinum

Debugging Server Scripts
0 connections reported
Can't locate syslog.ph in @INC
perlld.so: perl: Can't find shared library "libc.so.3.1"
CGI Script reports: "Error: Can't locate loadable object for module RRDs"
fwplat-serverd reports: "libfw1.so: open failed: No such file or directory"
All the graphs work except for the connections table

Debugging Server Scripts

Check that all the server scripts work by running them on the Firewall Management Station in debug mode as the fwplat userid:

Check that fwplat-tabd can access the connection tables:

su fwplatd
./fwplat-tabd -d

<Output snipped>

PID 11114: fwplat-tabd server started.
/opt/CPfw1-41/bin/fw tab -t connections -short fw1 fw2 fw3 fw4
Child 11115 closed with return code 0

Got table results:
ConnectionTable:GAUGE_fw1:9694
ConnectionTable:GAUGE_fw2:14055
ConnectionTable:GAUGE_fw3:12225
ConnectionTable:GAUGE_fw4:13012


^CPID 11114: Signaled to shutdown.

Check that fwplat-logtaild can run 'fw log -tfn' and parse the results:

./fwplat-logtaild -d

<Output snipped>


/opt/CPfw1-41/bin/fw log -ft -n 

Got results:
fwdrops:udp:0
fwdrops:tcp:0
fwdrops:icmp:0
fwrejects:udp:0
fwrejects:tcp:0
fwrejects:icmp:0
services:POP3:0
services:DNS:0
services:SMTP:0
services:HTTP:0
services:RADIUS:0
services:Other:0
fwaccepts:udp:0
fwaccepts:tcp:0
fwaccepts:icmp:0
fwconnections:udp:0
fwconnections:tcp:0
fwconnections:icmp:0
firewalls:fw1:0
firewalls:fw2:0
firewalls:fw3:0
firewalls:fw4:0



Got results:
fwdrops:udp:41
fwdrops:tcp:73
fwdrops:icmp:15
fwrejects:udp:0
fwrejects:tcp:68
fwrejects:icmp:0
services:POP3:3370
services:DNS:1210
services:SMTP:1970
services:HTTP:2642
services:RADIUS:1372
services:Other:372
fwaccepts:udp:2580
fwaccepts:tcp:8040
fwaccepts:icmp:59
fwconnections:udp:2621
fwconnections:tcp:8181
fwconnections:icmp:74
firewalls:fw1:2285
firewalls:fw2:3178
firewalls:fw3:2658
firewalls:fw4:2815

^CPID 11551: Signaled to shutdown.

Check that fwplat-serverd is accepting connections:

./fwplat-serverd -d
PID 11832: Server started on port 1234

< Run command on the right >

Connection from localhost [127.0.0.1] port 35240
Child 11902 closed with return code 65536
Child 11902 started

^CPID 11832: Signaled to shutdown.

telnet localhost 1234
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
1005932920
fwdrops:udp:41
fwdrops:tcp:73
fwdrops:icmp:15
fwrejects:udp:0
fwrejects:tcp:68
fwrejects:icmp:0
services:POP3:3370
services:DNS:1210
services:SMTP:1970
services:HTTP:2642
services:RADIUS:1372
services:Other:372
fwaccepts:udp:2580
fwaccepts:tcp:8040
fwaccepts:icmp:59
fwconnections:udp:2621
fwconnections:tcp:8181
fwconnections:icmp:74
firewalls:fw1:2285
firewalls:fw2:3178
firewalls:fw3:2658
firewalls:fw4:2815
ConnectionTable:GAUGE_fw1:9694
ConnectionTable:GAUGE_fw2:14055
ConnectionTable:GAUGE_fw3:12225
ConnectionTable:GAUGE_fw4:13012
Connection closed by foreign host.

0 connections reported

If fwplatinum reports 0 connections (or anything else derived from the fw log), but everything appears to be up and working, try doing an 'fw logswitch'. I've found that this needs to be done at least once per 11,000,000 connections (or thereabouts). Of course, it doesn't hurt to do this even more frequently!

Can't locate syslog.ph in @INC

This error message indicates that you are running an old version of perl which required C header files to be converted to Perl Header files following the installation of Perl. The best way to resolve this is to upgrade to the latest stable version of Perl. If this is not an option, then find the h2ph program which came with your Perl distribution, ensure that it is in your PATH environment variable, and run it by:


cd /usr/include; h2ph * sys/*

perlld.so: perl: Can't find shared library "libc.so.3.1"

When installing perl onto a Nokia firewall (see Nokia Resolution 1783), you may run across the above error message. This is due to libc.so.3.1 not being in /usr/lib as expected. To fix this, you need to set up the LD_LIBRARY_PATH environment variable -

Bourne Shell: LD_LIBRARY_PATH=Directory_containing_libc.so.3.1; export LD_LIBRARY_PATH
C Shell: setenv LD_LIBRARY_PATH "Directory_containing_libc.so.3.1"

Thanks to Sreedhar Gade for this fix.

CGI Script reports: "Error: Can't locate loadable object for module RRDs"

Assuming that /usr/local/rrdtool is a symlink pointing to your RRDtool installation, then this problem occurs when the ID the webserver runs as (usually 'nobody') doesn't have authority to read it. Try the following commands:

su		#Su to root
su nobody	#Su to the webserver ID (assuming it's nobody)
cd /usr
cd /usr/local
cd /usr/local/rrdtool
cd /usr/local/rrdtool/lib
cd /usr/local/rrdtool/lib/perl
cat /usr/local/rrdtool/lib/perl/RRDs.pm

This will show you which directory or file needs it's permissions relaxing. Directories need to be 0755, and RRDs.pm 0644. They should all be owned by root.

fwplat-serverd reports: "libfw1.so: open failed: No such file or directory"

Add the following to the top of the fwplat-init script:

LD_LIBRARY_PATH=$FWDIR/lib
export LD_LIBRARY_PATH

All the graphs work except for the connections table

Check that the fw tab command is working -

# $FWDIR/bin/fw tab -t connections -s Gateway
HOST                  NAME                               ID #VALS #PEAK #SLINKS
Gateway          connections                      8158 -1085049692   288 1085069369

If you see a negative #VALS value, as above, then it's a bug in FW-1.

Checkpoints resolution for this problem is:

Upgrade both the SmartCenter (Management) Server and FireWall-1 enforcement modules to NG w/ Application Intelligence.

As for older NG versions, please contact Check Point Technical Assistance Center at +1 817-606-6600 for a Hotfix.

Please note, that for this solution to work, all FireWall-1 entities, SmartCenter (Management) Server and FireWall-1 modules should be running with the same Hotfix or all should be running with FireWall-1 w/ NG Application Intelligence

Steve Campbell <steve@computurn.com>, 21 May 2004