https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268401#M1370 <DIV class="ubHDG _zere THa4i pinIo"> <DIV id="CONV_0dwoSeqEfI=_SUBJECT" class="oWEAX mJflQ allowTextSelection" role="heading" aria-level="3"> <DIV class="MshDW mBy5m"> <DIV class="UUCdJ O08WD">&nbsp;</DIV> </DIV> </DIV> </DIV> <DIV class="Q8TCC yyYQP owaMailComposeEditorScrollContainer customScrollBar" tabindex="-1" data-app-section="ItemContainer" data-is-scrollable="true"> <DIV class="wide-content-host"> <DIV class="fui-FluentProvider fui-FluentProviderr1u9 ___5n94it0 f19n0e5 f3rmtva fgusgyc fk6fouc fkhj508 figsok6 fytdu2e" dir="ltr"> <DIV class="Vm3e5 pinIo"> <DIV class="oHwUF"> <DIV class="o6bDv"> <DIV class="HwXOf"> <DIV class="y3ylY kcAOr t9ThB" data-testid="RecipientWell"> <DIV data-tabster="{&quot;mover&quot;:{&quot;cyclic&quot;:false,&quot;direction&quot;:2,&quot;memorizeCurrent&quot;:false}}"> <DIV id="MSG_gAGwOQvOwAA_TO" class="___sj378o0 fly5x3f f1l02sjl f113hnb5" role="heading" aria-level="3"> <DIV id="8" class="EditorClass ___1omki76 ftgm304 fr7e4de f1ids18y f1ohdurq f1fa7rqs f1ee13vk fy9rknc f1hu3pq6 f11qmguv fly5x3f f1g0x7ka fhxju0i f1qch9an f1cnd47f f19f4twv f1tyq0we fz5stix g7toD" tabindex="-1" role="presentation" aria-multiline="true" aria-readonly="true" aria-label="To: MAIL-SOC">​<SPAN>Hey guys,</SPAN></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV data-test-id="mailMessageBodyContainer"> <DIV class="ulb23 customScrollBar GNqVo allowTextSelection"> <DIV id="UniqueMessageBody_2" class="BIZfh" tabindex="0" role="document" aria-label="Message body" data-fui-focus-visible=""> <DIV class="rps_3b49"> <DIV dir="ltr"> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Here is script that would let you enter src. Dst, protocol (all the regular info) on CP firewall and then even asks you what dir you wish to save it to. I tested it, worked well. This is in case you cant remember the actual syntax.</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Just run chmod 777 and dos2unix on it before executing it.</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Example from my lab:&nbsp;</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">[Expert@CP-GW:0]# chmod 777 fwmonitor.sh</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">[Expert@CP-GW:0]# dos2unix fwmonitor.sh</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">dos2unix: converting file fwmonitor.sh to Unix format ...</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">[Expert@CP-GW:0]# dos2unix fwmonitor.sh</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">dos2unix: converting file fwmonitor.sh to Unix format ...</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">[Expert@CP-GW:0]# ./fwmonitor.sh</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">=== Check Point Gaia fw monitor bidirectional capture ===</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Tip: Run in Expert mode. Policy install/uninstall may stop fw monitor. [1](<A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-monitor.htm)[2](https://support.checkpoint.com/results/sk/sk30583" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-monitor.htm)[2](https://support.checkpoint.com/results/sk/sk30583</A>)</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Enter SOURCE IP/host: 172.16.10.249</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Enter DESTINATION IP/host: 9.9.9.9</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Protocol number (0=any, 6=TCP, 17=UDP, 1=ICMP, 58=ICMPv6) [0]: 0</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Service port to filter (0=any). If you enter 443, it matches DST port 443 and return SRC port 443. [0]: 0</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Capture points mask (default iIoO shows pre/post inbound/outbound) [iIoO]:</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Output directory [/var/log]: /home/admin</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Output filename [/home/admin/fwmon_172.16.10.249_to_9.9.9.9_20260123_075936.cap]: testcap.out</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Capture duration in seconds (0=until Ctrl+C). Uses timeout if available. [0]:</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">VSID (VSX only) - leave blank for all:</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Will run:</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp; fw monitor &nbsp;-m "iIoO" \</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp; &nbsp; -F "172.16.10.249,0,9.9.9.9,0,0" -F "9.9.9.9,0,172.16.10.249,0,0" \</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp; &nbsp; -o "testcap.out" -w</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Notes:</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;- '-F' filters apply to accelerated and non-accelerated traffic. [1](<A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-monitor.htm" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-monitor.htm</A>)</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;- '-e' INSPECT filters may NOT apply to accelerated traffic (SecureXL). [1](<A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-monitor.htm)[2](https://support.checkpoint.com/results/sk/sk30583" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-monitor.htm)[2](https://support.checkpoint.com/results/sk/sk30583</A>)</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;- Output file (-o) is in snoop format and can be analyzed later (e.g., Wireshark). [1](<A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-monitor.htm" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-monitor.htm</A>)</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Capturing until Ctrl+C... (Stop from another shell with: fw monitor -U) [1](<A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-monitor.htm" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-monitor.htm</A>)</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_off</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitorfreebufs</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">fw ctl set string fwmonitor_debug_filter_saddr_1 172.16.10.249 -a</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_saddr_1</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">fw ctl set int fwmonitor_debug_filter_sport_1 0 -a</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_sport_1</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">fw ctl set string fwmonitor_debug_filter_daddr_1 9.9.9.9 -a</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_daddr_1</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">fw ctl set int fwmonitor_debug_filter_dport_1 0 -a</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_dport_1</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">fw ctl set int fwmonitor_debug_filter_proto_1 0 -a</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_proto_1</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">fw ctl set string fwmonitor_debug_filter_saddr_2 9.9.9.9 -a</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_saddr_2</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">fw ctl set int fwmonitor_debug_filter_sport_2 0 -a</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_sport_2</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">fw ctl set string fwmonitor_debug_filter_daddr_2 172.16.10.249 -a</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_daddr_2</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">fw ctl set int fwmonitor_debug_filter_dport_2 0 -a</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_dport_2</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">fw ctl set int fwmonitor_debug_filter_proto_2 0 -a</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_proto_2</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_ppak_all_position</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;monitor: getting filter (from command line)</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;monitor: compiling</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">monitorfilter:</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Compiled OK.</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;monitor: loading</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;monitor: monitoring (control-C to stop)</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">0PPAK 0: Get before set operation succeeded of fwmonitormaxpacket</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitormask</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitorallocbufs</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of printuuid</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">44 ^C monitor: caught sig 2</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;monitor: unloading</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_off</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">PPAK 0: Get before set operation succeeded of fwmonitorfreebufs</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">&nbsp;</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Capture complete.</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Saved to: testcap.out</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">Tip: Copy it off-box and open in Wireshark (snoop/Firewall-1 monitor format). [1](<A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-monitor.htm)[4](https://studylib.net/doc/8763162/check-point-fw-monitor-cheat-sheet---jens-roesen" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-monitor.htm)[4](https://studylib.net/doc/8763162/check-point-fw-monitor-cheat-sheet---jens-roesen</A>)</DIV> <DIV class="x_elementToProof" data-ogsc="rgb(0, 0, 0)">[Expert@CP-GW:0]#</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Wed, 25 Mar 2026 08:43:52 GMT the_rock 2026-03-25T08:43:52Z https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268401#M1370 3 Wed, 25 Mar 2026 08:43:52 GMT https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268401#M1370 the_rock 2026-03-25T08:43:52Z https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268402#M1371 <P>Basic capture I got from my lab fw...tested from 172.16.10.249 to quad 9 dns server</P> Fri, 23 Jan 2026 13:09:47 GMT https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268402#M1371 the_rock 2026-01-23T13:09:47Z https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268403#M1372 <P>Nice feature!<BR />Two suggestions for improvement. If nothing is entered for src or dst, perhaps any should be used.</P> <P>Pressing return results in an error.</P> <P><BR />And perhaps support for entering a network with a mask, e.g. 192.168.1.0/24.</P> Fri, 23 Jan 2026 13:26:43 GMT https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268403#M1372 Vincent_Bacher 2026-01-23T13:26:43Z https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268404#M1373 <P>Totally FAIR, Vince. I can definitely work on that.</P> Fri, 23 Jan 2026 13:30:14 GMT https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268404#M1373 the_rock 2026-01-23T13:30:14Z https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268407#M1374 <P>While you're at it, you can – as I do in the scripts – protect the user from themselves<BR />so that they don't enter la.le.lu.li/24 or 10.10.10.0/200 or 300.0.0.1,<BR />by checking whether it is even a valid address/network <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Of course, one can assume that the user knows what they are doing, but I like error handling in scripts.</P> Fri, 23 Jan 2026 13:35:40 GMT https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268407#M1374 Vincent_Bacher 2026-01-23T13:35:40Z https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268412#M1375 <P>Again, totally fair.</P> Fri, 23 Jan 2026 13:53:52 GMT https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268412#M1375 the_rock 2026-01-23T13:53:52Z https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268493#M1383 <P>I made tcpdump script that does any, will test it tomorrow in the lab.</P> Fri, 23 Jan 2026 23:07:48 GMT https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268493#M1383 the_rock 2026-01-23T23:07:48Z https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268494#M1384 <P>Here you go brother : - )</P> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/16383">@Vincent_Bacher</a>&nbsp;</P> <P>updated script, works with any. You can give it a go Monday.</P> Fri, 23 Jan 2026 23:15:21 GMT https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268494#M1384 the_rock 2026-01-23T23:15:21Z https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268495#M1385 <P>Just updated the script to work with any as srs/dst:</P> <P>lab:</P> <P><BR />[Expert@CP-GW:0]# cd /var/log/scripts/<BR />[Expert@CP-GW:0]# chmod 777 *<BR />[Expert@CP-GW:0]# dos2unix *<BR />dos2unix: converting file cp_tcpdump.sh to Unix format ...<BR />dos2unix: converting file fwmonitor.sh to Unix format ...<BR />[Expert@CP-GW:0]# ./fwmonitor.sh<BR />Source (IP/hostname/any) [any]:<BR />Destination (IP/hostname/any) [any]:<BR />Port (1-65535/any) [any]:<BR />Protocol (tcp/udp/icmp/any or number) [any]:<BR />Output mode: (1) screen only (2) text file (3) capture+decode files [1]: ^C<BR />[Expert@CP-GW:0]#</P> Fri, 23 Jan 2026 23:17:12 GMT https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268495#M1385 the_rock 2026-01-23T23:17:12Z https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268622#M1391 <P>I'm really sorry, but this won't be possible this week. I've just come back from the doctor's, and I've been signed off work for a week, with more tests to come.</P> Mon, 26 Jan 2026 12:15:42 GMT https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268622#M1391 Vincent_Bacher 2026-01-26T12:15:42Z https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268623#M1392 <P>never be sorry for stuff like that mate...health ALWAYS first, ALWAYS. Be well and get healthy.</P> Mon, 26 Jan 2026 12:21:22 GMT https://community.checkpoint.com/t5/Scripts/Fw-monitor-script/m-p/268623#M1392 the_rock 2026-01-26T12:21:22Z