SunScreen 3.2 Administrator's Overview

Using the ssadm debug_level Command

If you have access to the console on your SunScreen (through a serial line or directly connected keyboard and display), you can use the ssadm debug_level command to control the printing of command debugging information from the SunScreen kernel.

Typing ssadm debug_level with no arguments displays the current debug-level mask. By default, this mask is 1, which means it only reports significant errors.

If you specify a hex number as an argument for ssadm debug_level, the kernel debugging mask is set to that level. To get a list of debugging bit choices, type:


# ssadm debug_level ?

You select an ssadm debug_level mask by setting all of the debugging bits in which you are interested.

Probably the most useful of the ssadm debug_level debugging bits is DEFAULT_DROP. For example, if you type:


# ssadm debug_level 1001

any packets being dropped by SunScreen because they do not match any rule are reported. This is a quick way to see if the SunScreen is passing packets that you expect it to pass. You can also achieve this same result by setting the default action on the interface to LOG_SUMMARY or LOG_DETAIL and examining the logs.

Another useful debugging bit to set is STATE_CHANGE. This causes the kernel to report any additions or deletions from its internal state tables.

Some of the debugging bits produce a very large amount of output on a production Screen and should be used with caution. An example is ACTION, which reports execution of any PFL action.

TIP: it is often useful to employ a pair of ssadm debug_level commands, separated by the Solaris sleep(1) command, especially for levels which generate large amounts of output:


# ssadm debug_level
Current debug level is: 00000001
# ssadm debug_level 1c01 ; sleep 30 ; ssadm debug_level 1

This would ensure that only 30 seconds of debug output would be logged. This also avoids the mistake of leaving debugging enabled by accident.
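
The one-line form above leaves the raised mask in place if the sleep is interrupted, and it always resets to 1 rather than to whatever mask was set before. The following wrapper is an added example, not part of the SunScreen documentation; the names timed_debug, current_mask and timed_debug.sh are hypothetical, and it assumes a POSIX shell and the "Current debug level is:" output format shown above.

```shell
#!/bin/sh
# Added example, not part of the SunScreen documentation.
# Assumes a POSIX shell (ksh or /usr/xpg4/bin/sh on Solaris) and that the
# "Current debug level is: <hex>" format shown on this page is what
# ssadm debug_level prints.

# Print the current kernel debug mask as bare hex digits.
current_mask() {
    ssadm debug_level |
        sed -n 's/^Current debug level is: *\([0-9A-Fa-f][0-9A-Fa-f]*\).*/\1/p'
}

# timed_debug MASK SECONDS
# Set the debug mask to MASK for SECONDS, then put back the mask that was
# in effect before, also when the wait is cut short by a signal.
timed_debug() {
    mask=$1
    secs=$2
    case $mask in
        ''|*[!0-9A-Fa-f]*) echo "mask must be hex digits" >&2; return 2 ;;
    esac
    case $secs in
        ''|*[!0-9]*) echo "seconds must be a whole number" >&2; return 2 ;;
    esac

    prev=$(current_mask)
    if [ -z "$prev" ]; then
        echo "could not read current debug level; mask left unchanged" >&2
        return 1
    fi

    # Subshell keeps the traps from leaking into the caller's shell.
    (
        trap 'ssadm debug_level "$prev"' EXIT
        trap 'exit 130' HUP INT TERM
        ssadm debug_level "$mask" && sleep "$secs"
    )
}

# Hypothetical file name; run directly as: timed_debug.sh 1c01 30
if [ "$#" -ge 2 ]; then
    timed_debug "$1" "$2"
fi
```

The restore passes back the mask exactly as ssadm printed it (for example 00000001), on the assumption that ssadm debug_level accepts leading zeros in its hex argument.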