topic Re: fw monitor GUI based in General Topics

fw monitor GUI based

Don_Paterson — Tue, 06 Aug 2019 11:49:07 GMT

Are there plans (if it does not already exist) to have the ability to run fw monitor in/from a GUI.

Please do not tell me that the output can be copied to a workstation and analysed in Wireshark (using the -o option). That is not what I am asking.

It could be useful to, for example, log into the Gaia web portal (or SmartConsole) and in a Tools area have fw monitor appear with drop down boxes to take care of the options (src=, dst= dport= and the ands and ors etc.) and then have the output download (option) to the workstation.

Re: fw monitor GUI based

Timothy_Hall — Sun, 07 Feb 2021 19:51:54 GMT

It is possible to do a "live" Wireshark capture on the firewall, but you have to use tcpdump as that is the only capturing tool I know of that can output raw captured packets to its stdout, so you will be limited to the rough equivalent of two capture points (Inbound/i and Outbound/O). If there is some secret, hidden way to make fw monitor dump raw captured packets directly to its stdout ("-o -" unfortunately just creates a file called "-") this should work with it. You'll need Wireshark and the full Putty suite (which includes plink.exe) installed. Here is an excerpt from my Max Capture class describing the technique and its limitations:

Re: fw monitor GUI based

the_rock — Sun, 07 Feb 2021 22:01:34 GMT

I hear you Don. I was personally always surprised that CP never implemented that from gut...Fortinet has such a nice and easy gui based option for exactly what you are asking.

Andy

Re: fw monitor GUI based

Timothy_Hall — Mon, 08 Feb 2021 04:32:12 GMT

Yep, I really wish Check Point had some kind of "triggered capture" feature, whereupon certain conditions were met it could automatically grab the next X number of matching packets for further analysis. As I mentioned in my Max Capture video series, taking packet captures on a Check Point is strictly a manual process and can get a bit complicated.