https://community.checkpoint.com/t5/General-Topics/TCPDUMP-and-SecureXL/m-p/17039#M2858 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P>this question is mainly for Tim, but input from others is also appreciated.</P><P></P><P>Question: Do I need for tcpdump&nbsp;to disable SecureXL (fwaccel off) in order to see all packets?</P><P></P><P>From Book Max Power R80 - chapter Millisecond in the Life of a Frame - stage 6 - My understanding is that its not needed. Am I right?</P><P></P><P>Thanks</P></BODY></HTML> Fri, 20 Apr 2018 07:21:58 GMT Martin_Raska 2018-04-20T07:21:58Z https://community.checkpoint.com/t5/General-Topics/TCPDUMP-and-SecureXL/m-p/17039#M2858 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P>this question is mainly for Tim, but input from others is also appreciated.</P><P></P><P>Question: Do I need for tcpdump&nbsp;to disable SecureXL (fwaccel off) in order to see all packets?</P><P></P><P>From Book Max Power R80 - chapter Millisecond in the Life of a Frame - stage 6 - My understanding is that its not needed. Am I right?</P><P></P><P>Thanks</P></BODY></HTML> Fri, 20 Apr 2018 07:21:58 GMT https://community.checkpoint.com/t5/General-Topics/TCPDUMP-and-SecureXL/m-p/17039#M2858 Martin_Raska 2018-04-20T07:21:58Z https://community.checkpoint.com/t5/General-Topics/TCPDUMP-and-SecureXL/m-p/17040#M2859 <HTML><HEAD></HEAD><BODY><P>Yes, you must enter "fwaccel off" to see all packages.</P><P></P><P>If you enter fwaccel off, all packets go through the F2F path and are visible in the software. Thus tcpdump can display the packages correctly.</P><P></P><P>regards</P><P>Heiko</P></BODY></HTML> Fri, 20 Apr 2018 07:40:17 GMT https://community.checkpoint.com/t5/General-Topics/TCPDUMP-and-SecureXL/m-p/17040#M2859 HeikoAnkenbrand 2018-04-20T07:40:17Z https://community.checkpoint.com/t5/General-Topics/TCPDUMP-and-SecureXL/m-p/17041#M2860 <HTML><HEAD></HEAD><BODY><P>Hi Martin,</P><P></P><P>It depends, but usually <STRONG>tcpdump</STRONG> will show you all packets while SecureXL is enabled.&nbsp; If I had to put a percentage probability on it I'd say 75%.&nbsp; Factors that will determine the outcome are:</P><P></P><P>1) Packets being handled in the Accelerated Path (SXL) vs. Medium (PXL)/Firewall (F2F) paths.&nbsp; All traffic in the PXL/F2F paths will show up in <STRONG>tcpdump</STRONG>, and considering the typical blades enabled on firewalls today most traffic tends to be handled in PXL.&nbsp; Traffic to and from the gateway itself (i.e. SSH management, logging, policy loads) and the ICMP protocol are *never* accelerated by SecureXL, will always go F2F, and will appear in <STRONG>tcpdump</STRONG> and <STRONG>fw monitor</STRONG> 100%.</P><P></P><P>2) Traffic handled in SXL will almost always show up on the inbound interface, but may not appear at all on the outbound interface, or will appear but with some odd issues such as showing pre-NAT addresses like this:</P><P></P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100194&amp;partition=Advanced&amp;product=Security" style="max-width: 840px;">sk100194: <STRONG>TCPdump</STRONG> shows wrong IP addresses for NATed traffic when SecureXL is enabled</A></P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100071&amp;partition=Advanced&amp;product=Security" style="max-width: 840px;">sk100071: "<STRONG>tcpdump</STRONG>" output does not show the NATed IP address correctly</A></P><P><BR />This is due to how SecureXL works with accelerated packets on the outbound side, so if in your <STRONG>tcpdump</STRONG> capture you see NAT oddities or can't seem to see all packets of a connection, don't beat your head against the wall unnecessarily trying to figure out why you can't see everything.</P><P></P><P>3) If there is hardware acceleration (i.e. 23000 SAM/ADP card) involved, chances are good that <STRONG>tcpdump</STRONG> will not see that traffic at all.&nbsp; I'm curious to see how this will be handled (or not) on the upcoming Falcon accelerator card.</P><P></P><P>If you are experiencing problems seeing all traffic with <STRONG>tcpdump</STRONG> (or have a limited time window to execute the <STRONG>tcpdump</STRONG> and want to maximize the chances of getting a complete capture), it is vastly preferable to selectively disable SecureXL for the IP address(es) you want to capture as described here:</P><P></P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk104468&amp;partition=Advanced&amp;product=SecureXL%22" style="max-width: 840px;">sk104468: How to <STRONG>disable</STRONG> <STRONG>SecureXL</STRONG> for specific IP addresses</A></P><P></P><P>As described in the SK, this is easily accomplished by editing the table.def file on the SMS and pushing policy to the gateway ahead of time.&nbsp; Once this is done <STRONG>tcpdump</STRONG> (and <STRONG>fw monitor</STRONG>) will give you a complete capture as all traffic matching the defined exclusion will go F2F.&nbsp; If the IP address(es) cannot be known ahead of time, it is also possible to define a SecureXL exclusion based on destination port number.&nbsp; Generally it is not a good idea to completely disable SecureXL via <STRONG>fwaccel off </STRONG>for this purpose, especially on a gateway with more than 8 cores as it may cause severe performance issues.</P><P></P><P>One last warning: if you are capturing packets that are fragmented, <STRONG>tcpdump</STRONG> will show the individual fragments in their original state, while <STRONG>fw monitor</STRONG> will only show the packets after they have been virtually reassembled for inspection and not how they actually appear on the wire.&nbsp; Fragmented packets always go F2F unless a SAM/ADP card is present.</P><P></P><P>--<BR /> Second Edition of my "Max Power" Firewall Book<BR /> Now Available at <A href="http://www.maxpowerfirewalls.com" target="_blank">http://www.maxpowerfirewalls.com</A></P></BODY></HTML> Fri, 20 Apr 2018 13:44:40 GMT https://community.checkpoint.com/t5/General-Topics/TCPDUMP-and-SecureXL/m-p/17041#M2860 Timothy_Hall 2018-04-20T13:44:40Z https://community.checkpoint.com/t5/General-Topics/TCPDUMP-and-SecureXL/m-p/17042#M2861 <HTML><HEAD></HEAD><BODY><P>Thank you very much Tim&nbsp;for the exhausting explanation.</P></BODY></HTML> Mon, 23 Apr 2018 06:34:35 GMT https://community.checkpoint.com/t5/General-Topics/TCPDUMP-and-SecureXL/m-p/17042#M2861 Martin_Raska 2018-04-23T06:34:35Z https://community.checkpoint.com/t5/General-Topics/TCPDUMP-and-SecureXL/m-p/17043#M2862 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 15px; color: #000000;">SecureXL "<STRONG>fwaccel off</STRONG>" does <STRONG>not</STRONG> have to be <STRONG>disabled on R80.20</STRONG> to run "fw monitor". This is good for performance, so "fw monitor" does not affect performance any more.</SPAN></P><P></P><P><SPAN style="font-size: 15px; color: #000000;">More see here: <A href="https://community.checkpoint.com/docs/DOC-3351">R80.x Performance Tuning and Debug Tips – fw monitor</A>&nbsp;</SPAN></P><P></P><P><SPAN style="font-size: 15px; color: #000000;">Regards</SPAN></P><P><SPAN style="font-size: 15px; color: #000000;">Heiko</SPAN></P></BODY></HTML> Sun, 18 Nov 2018 19:59:36 GMT https://community.checkpoint.com/t5/General-Topics/TCPDUMP-and-SecureXL/m-p/17043#M2862 HeikoAnkenbrand 2018-11-18T19:59:36Z