topic Re: FW monitor -F syntax in API / CLI Discussion

FW monitor -F syntax

FrozT — Mon, 01 Jun 2020 23:23:47 GMT

I don't understand why they nerf'd 'fw monitor -e' in favor of 'fw monitor -F'? My opinions aside ノಠ_ಠノ, how do we convert old syntax such as this:

fw monitor -e "accept net(13.64.0.0,11) and host(10.0.0.1);"

how do I do that with -F?

Re: FW monitor -F syntax

Danny — Tue, 02 Jun 2020 04:52:10 GMT

You don't. -F is a simple capture filter that relies on Kernel Debug filters and doesn't support supernetting. However, it supports using wildcards.

So you have two options:

fw monitor -F "10.0.0.1,0,13.*.*.*,0,0" -F "13.*.*.*,0,10.0.0.1,0,0"
fwaccel off; fw monitor -e "accept net(13.64.0.0,11) and host(10.0.0.1);"; fwaccel on

Re: FW monitor -F syntax

FrozT — Mon, 08 Jun 2020 04:22:25 GMT

Option 1 is not the same thing and option 2 isn't really an option because fw monitor -e doesn't work anymore regardless if acceleration is turned on or off. It will not filter anything and instead spit back what I can only guess is all the traffic.

So basically Checkpoint has removed one of the best troubleshooting methods and that's that. I can't believe that they've taken fw monitor away from us...

Re: FW monitor -F syntax

Timothy_Hall — Sun, 01 Nov 2020 19:48:40 GMT

fw monitor -F "10.0.0.1,0,13.*.*.*,0,0" -F "13.*.*.*,0,10.0.0.1,0,0"

This syntax doesn't seem to work correctly for me, as an example this works as expected:

fw monitor -F 4.2.2.2,*,*,*,* -F 0,0,4.2.2.2,0,0

However this next one doesn't install a filter at all, and just gives me everything unfiltered:

fw monitor -F 4.2.2.*,*,*,*,* -F 0,0,4.2.2.2,0,0

I've noticed that if you typo the -F filter it doesn't error out but just gives you everything unfiltered which is a bit dangerous in my opinion. Example:

fw monitor -F totalgarbage

I get every possible packet unfiltered, it even says "Compiled OK". Huh?

Re: FW monitor -F syntax

Danny — Sun, 01 Nov 2020 21:47:51 GMT

Right, that's another reason such complex tools should always come with a user interface that performs syntax checking. Such as my FW Monitor SuperTool. If I'd only find the time to add -F simple capture syntax support to it. Currently my entire free time is taken by Check Points CoreXL team to advance my CoreXL Dynamic Balancing extension to fully control the Dynamic Split via SmartConsole.

Re: FW monitor -F syntax

stallwoodj — Fri, 02 Jun 2023 15:29:23 GMT

Does it always support wildcards? because our R80.40 firewall complains!

[Expert@FW-INET-B:0]# fw monitor -F "0,0,10.223.*.*,0,0" -F "0,0,10.224.*.*,0,0" -F "10.223.*.*,0,0,0,0" -F "10.224.*.*,0,0"
PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable
PPAK 0: Get before set operation succeeded of simple_debug_filter_off
PPAK 0: Get before set operation succeeded of kiss_debug_force_kdprintf_enable
PPAK 0: Get before set operation succeeded of fwmonitorfreebufs
PPAK 0: Get before set operation succeeded of kiss_debug_force_kdprintf_enable
Invalid destination IP address 10.223.*.* in debug filter

Re: FW monitor -F syntax

the_rock — Fri, 02 Jun 2023 15:46:14 GMT

Good catch...I tried in R81.20 jumbo 14 lab and it was exact same error you got. Maybe someone from CP can confirm if this is expected...

Andy

Re: FW monitor -F syntax

Timothy_Hall — Fri, 02 Jun 2023 20:45:44 GMT

This is expected behavior, you cannot use any wildcards or other special characters/ranges with the -F option. Getting an error message like that is much better than what it used to do when the matching syntax/characters were invalid, which was to happily give you a completely unfiltered capture with no warning. Not a good outcome on a busy gateway...

Also beware of some unexpected interaction between fw ctl zdebug drop and fw monitor -F if you try to run them simultaneously as described here: Max Capture Update 2: Debug Filter Battle -- fw monitor -F vs. fw ctl zdebug + drop

Re: FW monitor -F syntax

the_rock — Fri, 02 Jun 2023 21:12:32 GMT

Thats definitely true, as I checked after making my post about it...we still have ongoing case with TAC escalation team about route based VPN issue and guy asked us to run fw monitor -F flag with wildcard and it was failing and I even told him it failed in my R81.20 lab, to which he responded it was normal.

Andy