topic Re: CPT - Check Point Packet Trace Utility ? in Firewall and Security Management

Check Point Packet Trace Utility

Danny — Tue, 21 Apr 2026 04:42:01 GMT

Will Check Point release a management plugin that offers a similar functionality to Cisco's ASDM packet tracer anytime soon? I'm thinking about coding it on my own for quite some time. Should I start or wait for Check Point?

Re: CPT - Check Point Packet Trace Utility ?

Vincent_Bacher — Tue, 12 Jun 2018 14:19:06 GMT

Just do it. Would be very appreciated and useful for many mates, I am quiet sure.

There is the packet injection tool from CP but something similar to the packet tracer would be very nice.

Re: CPT - Check Point Packet Trace Utility ?

Alejandro_Mont1 — Tue, 12 Jun 2018 14:19:42 GMT

The only thing I know of is Packet Injector (sk110865), but that is done from the gateway itself via CLI.

Re: CPT - Check Point Packet Trace Utility ?

Houssameddine_1 — Tue, 12 Jun 2018 14:22:54 GMT

I think you might see something similar in R80.20. Checkpoint will implement the rule assistance utiliy which can be used to determine if there is a rule or not for certain traffic and it helps you to place the rules in the correct location.

Checkpoint has another utility that injects the packets but you have to run it from the gw

Check Point Packet Injector

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk110865&partition=Advanced&product=Security

In R80.10 gateways there is another utility (not documented) that doesn't inject packets but it does go through the policy files and database and tells you which rules the traffic will match but it doesn't inject the packets.

[Expert@GW01:0]#fw up_execute
Usage: fw up_execute [src=<IP>] [dst=<IP>] ipp=<ip protocol> [sport=<source port>] [dport=<dest port>] [protocol=<protocol>] [application=<application/category>]

Notes: Parameters can be omitted, except the ipp (and dport in case of TCP or UDP).
The order of the parameters does not matter.
Applications can be entered multiple times.

Examples:
1) fw up_execute src=126.200.49.240 dst=10.1.1.1 ipp=1
2) fw up_execute src=10.1.1.1 ipp=6 dport=8080 protocol=HTTP application=Facebook application=Opera

Thanks

Re: CPT - Check Point Packet Trace Utility ?

PhoneBoy — Fri, 21 Jun 2019 09:17:19 GMT

Re: CPT - Check Point Packet Trace Utility ?

ED — Wed, 13 Jun 2018 06:11:04 GMT

Do it.

Re: CPT - Check Point Packet Trace Utility ?

Petr_Hantak — Wed, 13 Jun 2018 06:48:13 GMT

Packet Inject tool isn't bad, but I agree with others that some kind of simulation graphic tool will be appreciated.

Re: CPT - Check Point Packet Trace Utility ?

HeikoAnkenbrand — Wed, 13 Jun 2018 08:45:09 GMT

Use:

fw monitor -p all -e "accept(...);"

-> The old classic!

fw ctl zdebug + monitorall | grep -A 1 <IP w.x.y.z>

-> It's an undocumented command that's very helpful. It is nice that no "fwaccel off" is necessary. With this command you can see even more details than "fw monitor" 🙂 The firewall worker and the CPU core are also displayed here. For more informtions: "fw ctl zdebug" Helpful Command Combinations

Example view:

...

eth0:O12 (tcpt outbound)[940]:10.1.1.1 -> 10.1.1.81 (TCP) len=940 id=18052;
;[cpu_2];[fw4_1];TCP: 22 -> 10058 ...PA. seq=4ced07e1 ack=75e09a88;

eth0:O13 (TCP streaming post VM)[940]:10.1.1.1 -> 10.1.1.81 (TCP) len=940 id=18052;
;[cpu_2];[fw4_1];TCP: 22 -> 10058 ...PA. seq=4ced07e1 ack=75e09a88;

eth0:O14 (IP Options Restore (out))[940]:10.1.1.1 -> 10.1.1.81 (TCP) len=940 id=18052;
;[cpu_2];[fw4_1];TCP: 22 -> 10058 ...PA. seq=4ced07e1 ack=75e09a88;

...

and Packet Injector:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk110865&partition=Advanced&product=Security

Regards

Heiko

Re: CPT - Check Point Packet Trace Utility ?

Mike_Schepers — Fri, 15 Jun 2018 02:36:14 GMT

Yes, please do it. I came from a Cisco ASDM environment and this is definitely a feature that I miss. In fact, I have been asking about it for a few years now with several of the SE's that have been assigned to my account. This would be especially useful with layered rules that contain both tradition policies as well as blade specific (i.e. app/url/Antibot) policies to be able to test possible policy updates and get a graphical depiction of success or failure before they are actually installed.

Re: CPT - Check Point Packet Trace Utility ?

Anthony_Holdswo — Fri, 15 Jun 2018 18:00:54 GMT

There is also packet mode from SmartConsole: Use R80.10 New Packet Mode Feature to Search Through Policy - YouTube

Re: CPT - Check Point Packet Trace Utility ?

Huseyin_Rencber — Fri, 15 Jun 2018 21:25:16 GMT

You should start, do not wait for checkpoint. There is packet tracer on cisco firepower and also checkpoint packet injector, you can customize these and this would be useful.

Re: CPT - Check Point Packet Trace Utility ?

Maik — Sun, 16 Sep 2018 12:36:37 GMT

Hey Danny,

Sorry to dig into such an old thread, but since no clarification regarding an Check Point implementation was mentioned (I guess it is not planned due to packet mode search/pinj/fw monitor/fw vtl debug) - did you start with an own implementation? Or would you think it makes sense to open a thread where we ask the whole community if they would be interested in such a solution? Maybe Check Point is willing to implement it in a future release if enough people show their interest.

I personally would benefit from such a tool, maybe placed on the SMS itself to be able to search through multiple policies and/or layers at the same time without the need to do it locally on the gw.

Regards,

Maik

Re: CPT - Check Point Packet Trace Utility ?

JozkoMrkvicka — Sun, 16 Sep 2018 21:39:18 GMT

Lets vote

Re: CPT - Check Point Packet Trace Utility ?

Danny — Mon, 17 Sep 2018 00:56:11 GMT

I haven't started developing this yet as I'm currently working on an accompanying Bash script to Timothy Hall's Max Power Firewalls book.

Re: CPT - Check Point Packet Trace Utility ?

Yuri_Slobodyany — Mon, 17 Sep 2018 05:05:18 GMT

When all the competitors have it, it should be a question of when not if .

Palo Alto:

test security-policy-match
test nat-policy-match

test pbf-policy-match

Re: CPT - Check Point Packet Trace Utility ?

PhoneBoy — Mon, 17 Sep 2018 05:14:07 GMT

We already have this capability in the CLI, at least for the Access Policy.

See above comment that I marked "correct."

Check Point does not not currently have this for NAT (which would be nice to have) or Policy Forwarding (which assumes routing based on Application, something not currently in the product).

Re: CPT - Check Point Packet Trace Utility ?

JozkoMrkvicka — Mon, 17 Sep 2018 10:01:20 GMT

fw up_execute is really great tool and it works well. The only issue I see is that you need to run it from specific gateway.

The best will be to execute it from management with parameter for which gateway you want to find a match (or search all policy packages).

Re: CPT - Check Point Packet Trace Utility ?

PhoneBoy — Wed, 03 Oct 2018 23:32:01 GMT

fw up_execute is considered an "internal tool" according to my sources in R&D.

This tool does not support all the objects in the rulebase (e.g. Access Roles).

Packet Injector is the supported way to do this: Check Point Packet Injector

Re: CPT - Check Point Packet Trace Utility ?

Tomer_Sole — Thu, 04 Oct 2018 04:47:49 GMT

From the GUI or the API: How to use R80.10 Packet Mode feature to search in Access Control Policy?

Re: CPT - Check Point Packet Trace Utility ?

Gaurav_Pandya — Thu, 04 Oct 2018 10:39:11 GMT

This is nice thread as we came to know all possibilities of troubleshooting