topic Re: fw monitor -F does not seems to show accurately in fw ctl chain in Firewall and Security Management

fw monitor -F does not seems to show accurately in fw ctl chain

Don_Paterson — Fri, 08 Jul 2022 09:52:46 GMT

Hello,

When I use the -F switch in fw monitor I see the fw ctl chain output showing the default Inspect Filter (fw monitor) capture positions, which are above the SecureXL 'kernel chain modules'.

This seems to be implying that the capture is done after SecureXL. Meaning that it is the old-style slow path only capture, which is is not.

Can anyone in Check Point offer an explanation please?

Is the fw ctl chain output simply inaccurate?

Thanks,

Don

Re: fw monitor -F does not seems to show accurately in fw ctl chain

_Val_ — Fri, 08 Jul 2022 10:01:50 GMT

version in use, screenshots?

Re: fw monitor -F does not seems to show accurately in fw ctl chain

Don_Paterson — Fri, 08 Jul 2022 10:02:34 GMT

R81.10

Thanks,

Don

Re: fw monitor -F does not seems to show accurately in fw ctl chain

Don_Paterson — Fri, 08 Jul 2022 11:42:22 GMT

Will update with screenshots later today but if you run fw monitor -F xyz and then in another console session fw ctl chain you will see fw monitor (i/f side) in chain position 12 (for example) and that implies it's capturing after SecureXL (in the first positions on the in chain).

That's what the question is all about.

Thanks,

Don

Re: fw monitor -F does not seems to show accurately in fw ctl chain

Timothy_Hall — Fri, 08 Jul 2022 13:51:20 GMT

My impression is that fw monitor -F captures traffic directly in the sim driver via a debug filter which is why you can capture fully-accelerated traffic with it. While running fw monitor -F does place the capturing modules in the chain sequence similar to fw monitor -e, I don't think those modules are actually capturing anything while fw monitor -F is running unless the traffic happens to be F2F and traversing the full chain sequence. This may also be the case for Medium Path traffic (PSL & CPAS) or even F2V but that is less clear to me. In the F2F case there could be modifications to the packet visible at I and o->O that the sim driver would not necessarily be able to "see" happening until it reached O and re-entered the sim driver on the outbound side. So I would assume placing the capturing chain modules while fw monitor -F is running handles this corner case and ensures a full capture of F2F traffic.

In R80.20 some of SecureXL's original responsibilities such as path determination and formation/matching of Accept/NAT templates were moved into the Firewall worker/instances which muddies the waters a bit here, and is why you see SecureXL "chain modules" in the output of fw ctl chain in R80.20+. The EA release notes for R81.20 state that even more of SecureXL/Performance Pack's functions are being moved out of sim into the Firewall Workers/Instances, but I haven't had a chance to check it out yet.

Re: fw monitor -F does not seems to show accurately in fw ctl chain

Marre96 — Mon, 18 Jul 2022 07:54:55 GMT

The first column are the modules number and they are not indicating in which order packets are traversing the firewall? Is it the second column that shows the "order of operation" The fw VM has a absolute value of 0 and operation that takes place before fw VM have a - (minus) hexadecimal number?

Re: fw monitor -F does not seems to show accurately in fw ctl chain

_Val_ — Mon, 18 Jul 2022 09:47:59 GMT

@Marre96 I assume you are talking about something like this:

The first number is location of the module in the chain (or order in the chain)
The second number is the absolute position in the chain. As you mentioned, fw VM is assumed position 0, chain modules before it have negative position numbers
The third - pointer to the function in the chain module