Debugging the Security Servers


In FireWall-1 4.1 and earlier, debugging the Security Servers required setting environment variables and restarting the fwd process. In FireWall-1 NG, you can perform debugging without restarting any processes. When these variables are set, FireWall-1 logs the information generated into files in $FWDIR/log. Each Security Server has its own file with a .elg extension (e.g., the HTTP Security Server has ahttpd.elg, the FTP Security Server has ftpd.elg, and so on).

To enable debugging for the HTTP Security Server, issue the following command from your firewall module:

 # fw debug on in.ahttpd FWAHTTPD_LEVEL=3

To disable debugging, issue the following command from your firewall module:

 # fw debug off in.ahttpd FWAHTTPD_LEVEL=3

To enable debugging for the other Security Servers, use similar syntax. Table 9.3 shows the variables to set for the Security Servers. You can assign the variables values of 1 through 3. The larger the number, the more verbose the debugging information.

Table 9.3. Debug variables for the Security Servers

Variable             Description
FWAHTTPD_LEVEL       Debug information from the HTTP Security Server (in.ahttpd)
FWAFTPD_LEVEL        Debug information from the FTP Security Server (in.aftpd)
FWACLIENTD_LEVEL     Debug information from the Client Authentication daemon over Telnet (in.aclientd)
FWAHCLIENTD_LEVEL    Debug information from the Client Authentication daemon over HTTP (in.ahclientd)
FWASMTPD_LEVEL       Debug information from the SMTP Security Server receiving process (in.asmtpd)
FWMDQ_LEVEL          Debug information from the SMTP Security Server mail dequeuer process (mdq)
FWARLOGIND_LEVEL     Debug information from the rlogin Security Server (in.arlogind)
FWATELNETD_LEVEL     Debug information from the Telnet Security Server (in.atelnetd)
FWGENERICD_LEVEL     Debug information from the TCP Security Server (in.genericd)

This method permits setting only one environment variable at a time, which means multiple Security Servers cannot be debugged at once. If you need to debug multiple Security Servers, you must set the environment variables manually on the command line and restart fwd. The following example, on a UNIX-based firewall using a Bourne-type shell, shows how to enable debugging for the HTTP Security Server and the SMTP mdq process.

 # fw kill fwd
 # FWAHTTPD_LEVEL=3; export FWAHTTPD_LEVEL
 # FWMDQ_LEVEL=3; export FWMDQ_LEVEL
 # fwd

To do this on a Windows-based firewall, use the following commands.

 > fw kill fwd
 > SET FWAHTTPD_LEVEL=3
 > SET FWMDQ_LEVEL=3
 > fwd
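
The manual Bourne-shell procedure above, generalized to any set of Security Servers from Table 9.3, as an added example that is not from the book or from Check Point. The function names ss_debug_var and ss_debug_plan are hypothetical; the script only prints the commands to type and runs nothing against the firewall.

```shell
#!/bin/sh
# Added example: prints (does not run) the Bourne-shell commands needed to
# debug several Security Servers at once. Function names are hypothetical;
# the variable names and the fw kill fwd / fwd steps come from the text above.

# Map a Security Server process name to its debug variable (Table 9.3).
ss_debug_var() {
    case "$1" in
        in.ahttpd)    echo FWAHTTPD_LEVEL ;;
        in.aftpd)     echo FWAFTPD_LEVEL ;;
        in.aclientd)  echo FWACLIENTD_LEVEL ;;
        in.ahclientd) echo FWAHCLIENTD_LEVEL ;;
        in.asmtpd)    echo FWASMTPD_LEVEL ;;
        mdq)          echo FWMDQ_LEVEL ;;
        in.arlogind)  echo FWARLOGIND_LEVEL ;;
        in.atelnetd)  echo FWATELNETD_LEVEL ;;
        in.genericd)  echo FWGENERICD_LEVEL ;;
        *)            return 1 ;;
    esac
}

# Usage: ss_debug_plan LEVEL PROCESS [PROCESS...]
# Validates every argument before printing anything, so a typo never
# yields a partial plan that stops fwd without setting every variable.
ss_debug_plan() {
    level=$1
    case "$level" in
        1|2|3) ;;
        *) echo "level must be 1, 2 or 3" >&2; return 2 ;;
    esac
    shift
    [ "$#" -gt 0 ] || { echo "no Security Server named" >&2; return 2; }
    plan="fw kill fwd"
    for proc in "$@"; do
        var=$(ss_debug_var "$proc") || {
            echo "unknown Security Server: $proc" >&2; return 2; }
        plan="$plan
$var=$level; export $var"
    done
    printf '%s\nfwd\n' "$plan"
}

# Same sequence as the manual example in the text: HTTP server plus mdq.
ss_debug_plan 3 in.ahttpd mdq
```
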


Essential Check Point FireWall-1 NG: An Installation, Configuration, and Troubleshooting Guide
ISBN: 0321180615
EAN: 2147483647
Year: 2004
Pages: 143
