SunScreen 3.1 Reference Manual

Using the ssadm debug_level Command

If you have access to the console on your SunScreen (through a serial line or directly connected CRT), you can use the ssadm debug_level command to control the printing of command debugging information from the SunScreen kernel.

If you type ssadm debug_level with no arguments, it displays the current debug-level mask. By default, this mask is 1, which means it only reports significant errors.

If you specify a hex number as an argument for ssadm debug_level, it sets the kernel debugging mask to that level. To get a list of debugging bit choices, type:


# ssadm debug_level ?

You select an ssadm debug_level mask by setting all of the debugging bits in which you are interested.

Probably the most useful of the ssadm debug_level debugging bits is DEFAULT_DROP. For example, if you type:


# ssadm debug_level 1001

any packets being dropped by SunScreen because they do not match any rule are reported. This is a quick way to see if the SunScreen is passing packets that you expect it to pass. You can also achieve this same result by setting the default action on the interface to LOG_SUMMARY or LOG_DETAIL and examining the logs.

Another useful debugging bit to set is STATE_CHANGE. This causes the kernel to report any additions to or deletions from its internal state tables.

Some of the debugging bits produce a very large amount of output on a production Screen and should be used with caution. An example is ACTION, which reports execution of any PFL action.