topic Re: R80.30 TCP Ping tool in Firewall and Security Management

R80.30 TCP Ping tool

Flanger — Wed, 09 Sep 2020 15:40:48 GMT

Hello.

I'm relatively new with checkpoint firewalls. Previously I've worked with Cisco ASA devices, which have TCP Ping tool letting you test TCP connectivity on specified destination's TCP port (ASA sends TCP SYN packets and evaluates reply on specified destination IP:Port). This utility also lets you source it from any source IP you want. That way you're not limited only to appliance's local interfaces' IP addresses and can emulate traffic, as if it was forwarded by the appliance.

This is very handy when troubleshooting network access issues, to make sure security policies are correct and that destination host/server is causing the problem.

Is there any similar tool/functionality within Checkpoint R80.30 virtual security gateways?

Re: R80.30 TCP Ping tool

Alex- — Wed, 09 Sep 2020 19:51:23 GMT

Check maybe the packet injector?

Re: R80.30 TCP Ping tool

Timothy_Hall — Wed, 09 Sep 2020 20:25:42 GMT

There used to be a tool called pinj that did exactly what you want, but it stopped working in R80.20, closest you can get now is the tcptraceroute tool.

Re: R80.30 TCP Ping tool

Flanger — Wed, 09 Sep 2020 21:09:40 GMT

Thank you for the reply.
I've read SK link provided by Alex and Packet Injector seems to be exactly what I want. I was going to install it on one of my R80.30 security gateways. Too bad it does not work now. Does it fail during installation as well, or maybe I should give it a try?

Re: R80.30 TCP Ping tool

PhoneBoy — Wed, 09 Sep 2020 22:20:51 GMT

GNU netcat is available on Gaia.

Re: R80.30 TCP Ping tool

Flanger — Wed, 09 Sep 2020 23:37:40 GMT

Thank you for the information. I'm afraid I'm unable to specify arbitrary source IP addresses with netcat to test the connectivity, as it accepts only security gateway's real interface addresses:

Error: Couldn't create connection (err=-3): Cannot assign requested address

This limitation makes it impossible to emulate specific connection traffic from security gw.

Re: R80.30 TCP Ping tool

John_Fleming — Thu, 10 Sep 2020 01:28:22 GMT

so tcptraceroute and traceroute are the same binary. I guess its just using the -T flag by default?

Re: R80.30 TCP Ping tool

PhoneBoy — Thu, 10 Sep 2020 04:39:09 GMT

hping2?
From the CLI help it appears to allow spoofing a source address.
Will admit haven’t tried.
Goes without saying you need to be an admin user with uid 0.

Re: R80.30 TCP Ping tool

Flanger — Thu, 10 Sep 2020 20:12:57 GMT

It works! Generated traffic shows in logs as well. Thank you again.

Re: R80.30 TCP Ping tool

vikassharma — Sat, 03 Apr 2021 14:05:13 GMT

this is very simple

ping -s --source ip-- destination ip

Re: R80.30 TCP Ping tool

irek — Fri, 24 Jun 2022 08:25:22 GMT

ping -I [source_ip|interface] destination

from clish, just like regular linux ping

limited to addresses configured on the firewall