topic Re: tcpdump issues in Hyperscale Firewall (Maestro)

tcpdump issues

tonyhsueh — Tue, 28 May 2024 05:06:24 GMT

HI:

We have two mho140 and two checkpoint6200 in mho topology, no traffic packet (mho140 or checkpoint6200) when I using tcpdump in expert mode.

MHO topology is support for tcpdump in expert mode?

Which one(mho140 or checkpoint6200) using tcpdump?

thanks!

tcpdump issues

tonyhsueh — Mon, 27 May 2024 13:35:45 GMT

Hi bro:

We have two mho140 and two checkpoint6200 in topology, but no traffic packet using expert mode by tcpdump.

Whether mho140 or checkpoint are no traffic packet.

How to capture traffic packet by tcpdump?

Re: tcpdump issues

emmap — Tue, 28 May 2024 05:22:18 GMT

You can only do packet captures with tcpdump at the SGMs.

Re: tcpdump issues

Nir_Shamir — Tue, 28 May 2024 05:22:34 GMT

you need to run tcpdump from the 6200 appliances , from the SMO.

use g_tcpdump command to see traffic from all members

Re: tcpdump issues

Lesley — Tue, 28 May 2024 18:42:44 GMT

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Maestro_AdminGuide/Content/Topics-Maestro-AG/Multi-Blade-Traffic-Capture.htm

Re: tcpdump issues

Timothy_Hall — Tue, 28 May 2024 19:52:11 GMT

g_tcpdump will certainly work, but should be used with caution on a busy Maestro security group; use asg perf -vp run from any SGM to see how utilized the security group is. Below is a screenshot from my Gateway Performance Optimization Course showing this great command.

Another alternative if under high load is using the asg search command to identify which specific SGM is handling all the packets of the connection you want to capture, then logging into that SGM and running a local tcpdump from expert mode locally. For subsequent connections with the same attributes (sIP, dIP, and possibly dPort if L4 is enabled), the same SGM will always handle that same connection unless the number of active SGMs changes or the distribution algorithm is changed. However if the connection is NATted you may not always get a complete capture with this latter technique, depending upon how the pre-NAT and post-NAT flows are distributed in the security group.