topic Re: R80.40, fw monitor -F not capturing HTTP/Get & OK ? in Firewall and Security Management

R80.40, fw monitor -F not capturing HTTP/Get & OK ?

796570686578 — Fri, 14 Aug 2020 10:38:32 GMT

Hello everyone,

I am currently trying to get a better understanding on how "fw monitor" works and how to use it. For that, I am currently comparing output from R80.10 and R80.40(take_67) in my Lab.

I am capturing http traffic from Host A to Webserver B . My topology looks like this:

Webserver B ---- FW R80.10 ---- FW R80.40 ---- Host A

Webserver B IP: 192.168.1.100

Host A: 172.16.10.150 - NAT to 67.83.0.1(FW R80.40)

I am capturing the traffic from Host A to Webserver B in both directions on both Gateways.

On R80.10 I disabled SecureXL to capture accelerated packets aswell and on R80.40 I am using the -F flag to capture accelerated and non accelerated traffic.

It works to a certain point, but I am running into an issue which I haven't found a solution for so far.

I can see the 3-way handshake in both captures, on R80.10 I see the HTTP/Get & OK but on R80.40 it is not beeing captured...

These are the filters I am using:

R80.10:

fwaccell off

fw monitor -e "accept (src=67.83.0.1 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1);" -o fwmonR8010AccCap.pcap

R80.40:

fw monitor -F "172.16.10.150,0,192.168.1.100,80" -F "192.168.1.100,80,67.83.0.1,0" -o fwmonR8040AccCap.pcap

Can you tell me what I am doing wrong or missing here?

Thank you very much!!

greeting,

con

Re: R80.40, fw monitor -F not capturing HTTP/Get & OK ?

PhoneBoy — Tue, 18 Aug 2020 04:07:21 GMT

Pretty sure you use the same syntax that you used in R80.10 on R80.40.
However, will admit the SK isn’t that clear on this.

See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk30583

Re: R80.40, fw monitor -F not capturing HTTP/Get & OK ?

796570686578 — Tue, 18 Aug 2020 08:07:05 GMT

Hey PhoneBoy,

thanks for your help! Unfortunately, this didn't show different results.

I have used the equivalent syntax on R80.40 as I did on R80.10 and still didn't capture the HTTP messages. I also disabled SecureXL beforehand on R80.40.

When using the -e Flag on R80.40 it actually says in the output:

*** Using "-e" filter will not monitor accelerated traffic. To monitor and filter accelerated traffic please use the "-F" filter ***

I was able to start the capture but again only saw 3-Way HS & PSH,ACKs on R80.40 while on R80.10 I was able to capture the http packets.

I also read the SK, thanks for sharing it. What I gathered from it, is, that since R80.40, Accelerated Traffic will be captured by default and the "-F" flag can be used for that.

In R80.40, Default behavior will be to monitor all traffic.
Since R80.20 Jumbo take 73, using the "-e" flag will not filter accelerated traffic (all accelerated traffic will be monitored). To Filter accelerated traffic use the "-F" flag (exists from Jumbo take 73)
Since R80.20 Jumbo take 117, using the "-e" flag will filter out all accelerated traffic. To filter and monitor Accelerated traffic use "-F" (exists from Jumbo take 73)

From the R80.40 Admin Guide:
"-F" - Specifies the capture filter (for both accelerated and non-accelerated traffic)

The more I read about it, the more I am convinced that it is not working as intended or I am doing some major mistakes..

Summary of capture Filters I have used so far on R80.40:

fw monitor
- -F "172.16.10.150,0,192.168.1.100,80" -F "192.168.1.100,80,67.83.0.1,0"
- -F "0,0,0,0,0" <- Capture everything
- -F "172.16.10.150,0,192.168.1.100,0" -F "192.168.1.100,0,67.83.0.1,0" <- Capture all traffic between 2 hosts
- -e "accept (src=172.16.10.150 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1) or (src=67.83.0.1 and dst=192.168.1.100);"
- -e "accept;" <- Capture everything

I really like the idea of capturing accelerated traffic without the need to disable SecureXL on the whole system. I will test this with other protocols aswell and report back my findings 🙂

Re: R80.40, fw monitor -F not capturing HTTP/Get & OK ?

Maarten_Sjouw — Tue, 18 Aug 2020 07:53:27 GMT

You can replace -e "accept (src=172.16.10.150 and dst=192.168.1.100) or (src=192.168.1.100 and dst=67.83.0.1) (src=67.83.0.1 and dst=192.168.1.100);" with this:

-e "accept (host(192.168.1.100) AND host(172.16.10.150)) OR (host(192.168.1.100) AND host(67.83.0.1))

Re: R80.40, fw monitor -F not capturing HTTP/Get & OK ?

_Val_ — Tue, 18 Aug 2020 07:53:57 GMT

I suspect even after disabling SecureXL, traffic is being accelerated: sk162492. In essense, you cannot disable SXL in R8020 and above completely.

What to do to make sure no accelerated traffic is passing?

Disable acceleration on both cluster members
Fail over
Run traces on the new active member

Re: R80.40, fw monitor -F not capturing HTTP/Get & OK ?

796570686578 — Tue, 18 Aug 2020 08:02:46 GMT

Good Morning Val!

Sorry, I might not have expressed my issue correctly. It's not that accelerated traffic isn't passing, it works fine. The issue is, that I am not able to capture it (No HTTP/Get & OK packets) with the -F filter. So I just tested it with the -e Flag as PhoneBoy suggested.

I will do a Fail over later and report back!

Re: R80.40, fw monitor -F not capturing HTTP/Get & OK ?

796570686578 — Tue, 18 Aug 2020 08:12:47 GMT

Hey Maarten,

thanks for that. Great way to simplify it and much easier to read! Thanks alot 🙂

Re: R80.40, fw monitor -F not capturing HTTP/Get & OK ?

796570686578 — Tue, 18 Aug 2020 09:32:56 GMT

I found the issue...😅

I had to use the "-w" flag aswell in order to capture the GET & OK packets. I tried it with ftp aswell and when not using the "-w" flag, these packets are not captured. Weird hmmm..

so syntax would be: fw monitor -w -F etc.

But at least it works now 🙂

-w	When using -o/ -x flag, there is an option to print whole raw data of packet. Note: Relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73). Currently, not relevant for R80.30.

Thanks for your help!

Re: R80.40, fw monitor -F not capturing HTTP/Get & OK ?

Václav_Brožík — Mon, 18 Jan 2021 12:16:32 GMT

You can replace -e "accept (host(192.168.1.100) AND host(172.16.10.150)) OR (host(192.168.1.100) AND host(67.83.0.1));" with this:

-e "accept host(192.168.1.100) and (host(172.16.10.150) or host(67.83.0.1));"