If you have ever had to debug VPN-s on a Check Point SMB device you might have noticed that they rotate their logs every 1MB, which means that sometimes You might actually miss the information You were looking for. At least for me it was a problem trying to get debug level information on some VPN issues that occurred randomly.
So in order to get the required output I added a 32GB SD-card to the firewall to extend its small storage made some symlinks and wrote a few little script to get all the output I required for debugging.
So on to the details. After you have mounted your SD-card you have access to it on the path:
Before You enable debugging You should make symbolic links for the ikev2.xmll and ike.elg files so that you wouldn’t run out of space on the built-in flash. You can do that by using the following commands:
touch /mnt/sd/ikev2.xmll && touch /mnt/sd/ike.elg
ln -s /opt/fw1/log/ike.elg /mnt/sd/ike.elg
ln -s /op/fw1/log/ikev2.xmll /mnt/sd/ikev2.xmll
Now enable debugging like you usually would(cp support site SK):
vpn debug trunc
vpn debug on TDERROR_ALL_ALL=5
And here is the script I used to copy the logs to the SD-card as they were rotated:
fmtime=$(stat -c %Y /opt/fw1/log/sfwd.elg.0)
if test $diff -le 1
cp /opt/fw1/log/sfwd.elg.0 /mnt/sd/sfwd.elg-$fmtime
So basically, it checks if the sfwd.elg.0 file has changed every second and copies the changed file to the SD-card. I actually also experimented using logger to send the log to a central server via syslog. Using logger just didn’t work. It sent the first one fine, but then the other changes afterwards were just dropped and I opted for the copying.