Danny
Pearl

FW Monitor SuperTool

One-liner (Bash) to assist running fw monitor on Check Point firewall gateways.
In expert mode run:

if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo; tput bold; echo ' Not a firewall gateway!'; tput sgr0; echo; else echo; printf '%.s-' {1..60}; echo; echo ' FW Monitor SuperTool'; printf '%.s-' {1..60}; echo; echo; tput bold; echo -n ' Add host IPs '; tput sgr0; echo -n '(leave empty for any): '; read _hosts; h='0'; case $_hosts in '') echo -n '   any '; tput setaf 2; echo 'OK'; tput sgr0;; *) _hosts=($(echo $_hosts | tr ',;:|()#<>' ' ' | tr -s ' ')); for i in ${_hosts[@]}; do if [[ `ipcalc -ms $i` == *'='* ]] && [[ $i == *'.'* ]]; then echo -n '   '$i' '; tput setaf 2; echo 'OK'; h='1'; tput sgr0; else echo -n '   '$i' '; tput setaf 1; echo 'Bad syntax!'; tput sgr0; fi; done; esac; echo; tput bold; echo -n ' Add ports '; tput sgr0; echo -n '(leave empty for any): '; read _ports; p='0'; case $_ports in '') echo -n '   any '; tput setaf 2; echo 'OK'; tput sgr0;; *) _ports=($(echo $_ports | tr ',;:|()#<>' ' ' | tr -s ' ')); for i in ${_ports[@]}; do if [[ $i != *[^0-9]* ]]; then echo -n '   '$i' '; tput setaf 2; echo 'OK'; p='1'; tput sgr0; else echo -n '   '$i' '; tput setaf 1; echo 'Bad syntax!'; tput sgr0; fi; done; esac; echo; tput bold; echo -n ' Add protocol '; tput sgr0; echo -n '(tcp, udp, icmp): '; read _prot; c='0'; case $_prot in '') echo -n '   any '; tput setaf 2; echo 'OK'; tput sgr0;; *) _prot=($(echo $_prot | tr ',;:|()#<>' ' ' | tr -s ' ')); for i in ${_prot[@]}; do case $i in tcp|udp|icmp) echo -n '   '$i' '; tput setaf 2; echo 'OK'; c='1'; tput sgr0;; *) echo -n '   '$i' '; tput setaf 1; echo 'Unknown protocol!'; tput sgr0; esac; done; esac; echo; tput bold; echo -n ' Capture to file '; tput sgr0; read -p '(leave empty for stdout): ' _file; if [[ -n $_file ]]; then tput setaf 2; echo -n '   Saving output to: '; tput sgr0; echo $_file; else tput setaf 2; echo '   Output to CLI'; tput sgr0; fi; echo; printf '%.s-' {1..60}; echo; _sxl='0'; echo -n ' [Executing:]# '; if [[ `fw monitor -h 2>&1` != *'-F'* ]]; then 
case `fwaccel stat | grep 'Accelerator Status :' | cut -c 22-` in on) _sxl='1'; esac; fi; if [[ $_sxl == '1' ]]; then _run='fwaccel off; fw monitor'; else _run='fw monitor'; fi; if [[ `fw monitor -h 2>&1` != *'-F'* ]]; then _run+=' -e "'; if [[ $h == '1' && $p == '1' ]]; then _run+='('; elif [[ $h == '1' && $c == '1' ]]; then _run+='('; fi; for i in ${_hosts[@]}; do if [[ `ipcalc -ms $i` == *'='* ]] && [[ $i == *'.'* ]]; then _run+='host('$i') and '; fi; done; if [[ $h == '1' && $p == '1' ]]; then _run=${_run%?????}; _run+=')'; elif [[ $h == '1' && $c == '1' ]]; then _run=${_run%?????}; _run+=')'; fi; if [[ $h == '1' && $p == '1' ]]; then _run+=' and ('; elif [[ $p == '1' && $c == '1' ]]; then _run+='('; elif [[ $h == '1' && $c == '1' ]]; then _run+=' and ('; fi; for i in ${_ports[@]}; do if [[ $i != *[^0-9]* ]]; then _run+='port('$i') or '; fi; done; if [[ $h == '1' && $p == '1' ]]; then _run=${_run%????}; _run+=')'; elif [[ $p == '1' && $c == '1' ]]; then _run=${_run%????}; _run+=')'; elif [[ $h == '0' && $p == '1' ]]; then _run=${_run%????}; elif [[ $h == '1' && $p == '0' ]]; then _run=${_run%?????}; fi; if [[ $h == '1' || $p == '1' ]]; then if [[ $c == '1' ]]; then _run+=' and ('; fi; fi; for i in ${_prot[@]}; do case $i in tcp) _run+='ip_p=6 or ';; udp) _run+='ip_p=17 or ';; icmp) _run+='ip_p=1 or '; esac; done; if [[ $h == '1' || $p == '1' ]]; then if [[ $c == '1' ]]; then _run=${_run%????}; _run+=')'; fi; elif [[ $h == '1' && $p == '0' && $c == '0' ]]; then _run=${_run%?????}; elif [[ $h == '0' && $p == '1' && $c == '0' ]]; then _run=${_run%?????}; elif [[ $h == '0' && $p == '0' && $c == '1' ]]; then _run=${_run%????}; fi; if [[ $h == '1' || $p == '1' || $c == '1' ]]; then _run+=', '; fi; _run+='accept;"'; else _run+=' -F "0,0,0,0,0"'; fi; if [[ -n $_file ]]; then _run+=' -o /var/log/'$_file; fi; if [[ $_sxl == '1' ]]; then _run+='; fwaccel on'; fi; tput bold; echo $_run; tput sgr0; read -sn1; case $REPLY in '') eval $_run;; *) echo 'Abort!'; esac; echo; 
unset _hosts _ports _prot _file _sxl _run i h p c; fi

SuperTool interactively asks for all the data needed to build the correct syntax to run fw monitor.

SuperTool adjusts the resulting fw monitor syntax according to the requirements of the gateway it is run on.
It identifies if:

It also checks and deactivates SecureXL during fw monitor execution if necessary.
SuperTool will be integrated soon within our ccc script.
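The filter-assembly logic the one-liner implements, written out as an added example for this page (not the SuperTool code itself) in readable POSIX shell: hosts are ANDed, ports and protocols ORed, the groups ANDed, an empty list means "any", and the -F "0,0,0,0,0" fallback and the fwaccel off/on wrapping follow the post. The function names are this example's own.

```shell
# Added example: the SuperTool's filter logic as plain shell functions.
# Function names are this example's own, not the one-liner's.

# Map a protocol name to the ip_p test used in fw monitor -e expressions.
# UDP is decimal 17 (0x11), TCP 6, ICMP 1.
proto_num() {
  case "$1" in
    tcp)  echo 'ip_p=6' ;;
    udp)  echo 'ip_p=17' ;;
    icmp) echo 'ip_p=1' ;;
    *)    return 1 ;;
  esac
}

# Print "$1" extended with a parenthesised group "$2"; empty parts are skipped.
append_group() {
  if [ -z "$2" ]; then printf '%s' "$1"
  elif [ -z "$1" ]; then printf '(%s)' "$2"
  else printf '%s and (%s)' "$1" "$2"
  fi
}

# build_fw_monitor_filter "<hosts>" "<ports>" "<protocols>" (space separated)
build_fw_monitor_filter() {
  filt=""; group=""
  for h in $1; do group="${group:+$group and }host($h)"; done
  filt=$(append_group "$filt" "$group")
  group=""
  for p in $2; do group="${group:+$group or }port($p)"; done
  filt=$(append_group "$filt" "$group")
  group=""
  for c in $3; do
    n=$(proto_num "$c") || { echo "Unknown protocol: $c" >&2; return 1; }
    group="${group:+$group or }$n"
  done
  filt=$(append_group "$filt" "$group")
  # No criteria at all: capture everything, like the one-liner does.
  if [ -z "$filt" ]; then printf 'accept;'; else printf '%s, accept;' "$filt"; fi
}

# Assemble the command the post runs: gateways whose "fw monitor -h" lists -F
# (R80.20+) get -F "0,0,0,0,0" (all traffic, -e not used); older gateways get
# the -e filter, with SecureXL switched off only for the capture's duration.
# $1 = 1 if -F is supported, $2 = 1 if SecureXL is on, $3..$5 = hosts ports protos
build_fw_monitor_cmd() {
  if [ "$1" = 1 ]; then printf 'fw monitor -F "0,0,0,0,0"'; return 0; fi
  filt=$(build_fw_monitor_filter "$3" "$4" "$5") || return 1
  if [ "$2" = 1 ]; then printf 'fwaccel off; fw monitor -e "%s"; fwaccel on' "$filt"
  else printf 'fw monitor -e "%s"' "$filt"; fi
}
```

The functions only print the command line, so the output can be inspected before anything is executed on a gateway.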


Attention! *Work in progress*

SuperTool will be further improved in the upcoming days to support:

  • full -F syntax (currently just filters all traffic)
  • VSX controls
  • decide between AND/OR for hosts
  • NOT controls

FW Monitor developers: @Coby_Schmidt (LinkedIn), ...
FW Monitor documentation: @Uri_Lewitus (LinkedIn)
FW Monitor memory usage: sk160954

-- More one-liners --

One-liner for Address Spoofing Troubleshooting
One-liner to show VPN topology on gateways
One-liner to show Geo Policy on gateways

13 Replies
Vladimir
Pearl

Re: FW Monitor SuperTool

@Danny, this is awesome! Happy to see CCC evolution over the past year! I hope that CP will decide one day to officially support or endorse it.

0 Kudos

Re: FW Monitor SuperTool

Wow!

Great job, @Danny 

0 Kudos
Wolfgang
Silver

Re: FW Monitor SuperTool

Danny,

thanks a lot for this, simplifies the daily work.

I used https://tcpdump101.com to build complex fw monitor filters but your tool makes this easy.

applause, applause

Wolfgang

Lukas
Ivory

Re: FW Monitor SuperTool

+1

0 Kudos
Kim_Moberg
Silver

Re: FW Monitor SuperTool

Very nice Danny

but isn't fw monitor changed in R80.20 take 87?

fw monitor -e is changed with filter function, isn't it?

Best Regards
Kim
0 Kudos

Re: FW Monitor SuperTool

From me 100 points. 👍

I'll add it to my one-liner list:

One-liner collection

Admin
Admin

Re: FW Monitor SuperTool

Wow, great work!
0 Kudos
Tom_Cripps
Silver

Re: FW Monitor SuperTool

Hi @Danny 

I'm having issues getting this to work. Do I paste it straight into the CLI or do I need to enter this into a script?

0 Kudos
Danny
Pearl

Re: FW Monitor SuperTool

Hi @Tom_Cripps ,

just paste it straight into your Expert mode CLI.

0 Kudos
Tom_Cripps
Silver

Re: FW Monitor SuperTool

Got this working now, just had to press Enter. 

Great work though! Kudos.

0 Kudos
Sven_Glock
Silver

Re: FW Monitor SuperTool

Hi Danny,

nice script! Well done!

I would highly recommend adding a friendly reminder at the end of the script that performing "fwaccel off" can increase the load of the gateway or could lead to outages if the gateway is already well loaded.


Cheers

Sven


0 Kudos
Danny
Pearl

Re: FW Monitor SuperTool

@Sven_Glock ,

that's why this SuperTool checks if SecureXL is enabled on versions prior to R80.20 and only disables it while running fw monitor. I checked if disabling SecureXL just for the specified IP addresses (sk194468) would be an option, unluckily this requires adjustments on the SmartCenter, so I had to stay with fwaccel off/on.

Kane
Ivory

Re: FW Monitor SuperTool

Thank you Danny. Awesome work brov.

0 Kudos