fw monitor output

Norbert_Papirny — Thu, 09 May 2019 15:21:51 GMT

Hi All,

I need some help with fw monitor output. (R80.20 gaia T47)

Our GRE/SIP communication doesn't work, and as you can see below, the last captured packet was stopped in pre-outbound (o4) chain position. It is the tunnel-inside traffic.

We have bidirectional rules between peers without NAT.

Could you please somebody explain what caused this behavior?

Here is also the relevant wireshark capture:

There are many articles/ cheat sheets ,etc. about how fw monitor is working, but i cant find any information about the output interpretation...

in chain (14):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8a32eb80) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: - 1fffff8 (ffffffff8a32c9b0) (00000001) Stateless verifications (in) (asm)
4: - 1fffff7 (ffffffff8a32c4d0) (00000001) fw multik misc proto forwarding
5: - 1fffff5 (ffffffff8a3e2ec0) (00000001) fw early SIP NAT (sipnat)
6: 0 (ffffffff8a48cc10) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8a32efd0) (00000001) fw SCV inbound (scv)
8: 5 (ffffffff8a21a4d0) (00000003) fw offload inbound (offload_in)
9: 10 (ffffffff8a47eca0) (00000001) fw post VM inbound (post_vm)
10: 7f730000 (ffffffff89ffc520) (00000001) passive streaming (in) (pass_str)
11: 7f750000 (ffffffff89c8c7d0) (00000001) TCP streaming (in) (cpas)
12: 7f800000 (ffffffff8a32eb30) (ffffffff) IP Options Restore (in) (ipopt_res)
13: 7fb00000 (ffffffff89628750) (00000001) Cluster Late Correction (ha_for)
out chain (11):
0: -7f800000 (ffffffff8a32eb80) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1fffff0 (ffffffff89c76dd0) (00000001) TCP streaming (out) (cpas)
2: - 1ffff50 (ffffffff89ffc520) (00000001) passive streaming (out) (pass_str)
3: - 1f00000 (ffffffff8a32c9b0) (00000001) Stateless verifications (out) (asm)
4: 0 (ffffffff8a48cc10) (00000001) fw VM outbound (fw)
5: 10 (ffffffff8a47eca0) (00000001) fw post VM outbound (post_vm)
6: 18000000 (ffffffff89f28210) (00000001) fw record data outbound
7: 7f700000 (ffffffff89c8b2f0) (00000001) TCP streaming post VM (cpas)
8: 7f800000 (ffffffff8a32eb30) (ffffffff) IP Options Restore (out) (ipopt_res)
9: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
10: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
monitor: monitoring (control-C to stop)

**********

outside traffic:

[vs_0][fw_2] bond2.654:i2 (IP Options Strip (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:i3 (Stateless verifications (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:i4 (fw multik misc proto forwarding)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:i5 (fw early SIP NAT)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:i6 (fw VM inbound )[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I7 (fw SCV inbound)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I8 (fw offload inbound)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I9 (fw post VM inbound )[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I10 (passive streaming (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I11 (TCP streaming (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I12 (IP Options Restore (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I13 (Cluster Late Correction)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I14 (Chain End)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o0 (IP Options Strip (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o1 (TCP streaming (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o2 (passive streaming (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o3 (Stateless verifications (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o4 (fw VM outbound)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

*********************outside traffic was stopped in 04 position

inside traffic:

[vs_0][fw_2] bond1.509:i2 (IP Options Strip (in))[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond1.509:i3 (Stateless verifications (in))[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond1.509:i4 (fw multik misc proto forwarding)[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond1.509:i5 (fw early SIP NAT)[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond1.509:i6 (fw VM inbound )[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond2.654:i2 (IP Options Strip (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:i3 (Stateless verifications (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:i4 (fw multik misc proto forwarding)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:i5 (fw early SIP NAT)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:i6 (fw VM inbound )[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I7 (fw SCV inbound)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I8 (fw offload inbound)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I9 (fw post VM inbound )[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I10 (passive streaming (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I11 (TCP streaming (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I12 (IP Options Restore (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I13 (Cluster Late Correction)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I14 (Chain End)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o0 (IP Options Strip (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o1 (TCP streaming (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o2 (passive streaming (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o3 (Stateless verifications (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o4 (fw VM outbound)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

Many thanks,

Norbert

Re: fw monitor output

PhoneBoy — Sat, 11 May 2019 22:06:19 GMT

This is where you need to break out the debug commands to find out why it dropped.
You can start with fw ctl zdebug drop | grep 10.42.14.60.
A little bit more about fw ctl zdebug, which should generally be used with care: https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/quot-fw-ctl-zdebug-quot-Helpful-Command-Combinations/m-p/40680

topic Re: fw monitor output in Firewall and Security Management

fw monitor output

Re: fw monitor output