topic Re: FW Monitor in VSX in Firewall and Security Management

FW Monitor in VSX

Matlu — Tue, 17 Jun 2025 00:42:48 GMT

Hi Guys

Is it possible to run a "fw monitor" from the VS0 of a VSX Cluster environment?

I have several VS's, and I want to capture traffic from a particular VS (VS 5).

Is this possible, without having to "jump" to the instance?

Can you share with me the syntax of the command, how it could be done, based on the following example:

Source: 172.16.10.5
Destination: 10.100.20.10
Port: TCP 8080

Thanks

Re: FW Monitor in VSX

the_rock — Tue, 17 Jun 2025 00:59:45 GMT

fw monitor -v 0 -e accept "host 172.16.10.5 and host 10.200.20.10 and port 8080;"

Re: FW Monitor in VSX

Matlu — Tue, 17 Jun 2025 01:31:20 GMT

This applies if you are ‘standing’ on VS0 and want to capture traffic from VS 5?

Re: FW Monitor in VSX

the_rock — Tue, 17 Jun 2025 01:32:36 GMT

Just replace 0 with 5 🙂

Re: FW Monitor in VSX

Matlu — Tue, 17 Jun 2025 02:24:48 GMT

The command syntax varies greatly if you need to send the command result to a file such as Wireshark?

Re: FW Monitor in VSX

the_rock — Tue, 17 Jun 2025 02:32:11 GMT

Just add -o /path/filename.cap at the end

Re: FW Monitor in VSX

Lesley — Tue, 17 Jun 2025 07:24:39 GMT

This is all you need:

https://tcpdump101.com/#

Under Check Point -> FW Monitor -> New version

Re: FW Monitor in VSX

the_rock — Tue, 17 Jun 2025 11:37:46 GMT

There you go buddy 🙂

fw monitor -v 5 -o vs5.cap -F "172.16.10.5,0,10.100.20.10,8080,0"

Andy

Re: FW Monitor in VSX

the_rock — Tue, 17 Jun 2025 23:29:04 GMT

@Matlu Did command we shared work for you?

Andy

Re: FW Monitor in VSX

Matlu — Tue, 17 Jun 2025 23:36:40 GMT

One doubt, is there much difference in the ‘fw monitor ...’ command between using the -e vs -F parameter?

Is one better than the other?

Re: FW Monitor in VSX

the_rock — Tue, 17 Jun 2025 23:44:26 GMT

Buddy,

Have a look at your own post 😉

Andy

https://community.checkpoint.com/t5/Security-Gateways/Traffic-capture-with-FW-MONITOR/m-p/245408

Re: FW Monitor in VSX

Timothy_Hall — Wed, 18 Jun 2025 15:12:45 GMT

Use -F if you can deal with the extremely limited matching syntax. You will always get a complete capture regardless of the acceleration state of the traffic.

Re: FW Monitor in VSX

Matlu — Wed, 18 Jun 2025 15:16:13 GMT

Hello,
So, as a "best practice" it is always better to use the "-F" before the "-e"?
Greetings.

Re: FW Monitor in VSX

Timothy_Hall — Wed, 18 Jun 2025 15:20:41 GMT

I'd say so, there are still some limited situations where -e is needed instead but they are fairly obscure. The upcoming CCTA R82 class is being heavily updated to explore packet capturing & analysis in detail, and it covers this very topic.

Re: FW Monitor in VSX

the_rock — Wed, 18 Jun 2025 15:25:22 GMT

For what its worth, I usually use -F flag and works real well.

Andy