Danny
Pearl

FW Monitor SuperTool

One-liner (Bash) to assist running fw monitor on Check Point firewall gateways.
In expert mode run:

if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo; tput bold; echo ' Not a firewall gateway!'; tput sgr0; echo; else echo; printf '%.s-' {1..60}; echo; echo ' FW Monitor SuperTool'; printf '%.s-' {1..60}; echo; echo; tput bold; echo -n ' Add host IPs '; tput sgr0; echo -n '(leave empty for any): '; read _hosts; h='0'; case $_hosts in '') echo -n '   any '; tput setaf 2; echo 'OK'; tput sgr0;; *) _hosts=($(echo $_hosts | tr ',;:|()#<>' ' ' | tr -s ' ')); for i in ${_hosts[@]}; do if [[ `ipcalc -ms $i` == *'='* ]] && [[ $i == *'.'* ]]; then echo -n '   '$i' '; tput setaf 2; echo 'OK'; h='1'; tput sgr0; else echo -n '   '$i' '; tput setaf 1; echo 'Bad syntax!'; tput sgr0; fi; done; esac; echo; tput bold; echo -n ' Add ports '; tput sgr0; echo -n '(leave empty for any): '; read _ports; p='0'; case $_ports in '') echo -n '   any '; tput setaf 2; echo 'OK'; tput sgr0;; *) _ports=($(echo $_ports | tr ',;:|()#<>' ' ' | tr -s ' ')); for i in ${_ports[@]}; do if [[ $i != *[^0-9]* ]]; then echo -n '   '$i' '; tput setaf 2; echo 'OK'; p='1'; tput sgr0; else echo -n '   '$i' '; tput setaf 1; echo 'Bad syntax!'; tput sgr0; fi; done; esac; echo; tput bold; echo -n ' Add protocol '; tput sgr0; echo -n '(tcp, udp, icmp): '; read _prot; c='0'; case $_prot in '') echo -n '   any '; tput setaf 2; echo 'OK'; tput sgr0;; *) _prot=($(echo $_prot | tr ',;:|()#<>' ' ' | tr -s ' ')); for i in ${_prot[@]}; do case $i in tcp|udp|icmp) echo -n '   '$i' '; tput setaf 2; echo 'OK'; c='1'; tput sgr0;; *) echo -n '   '$i' '; tput setaf 1; echo 'Unknown protocol!'; tput sgr0; esac; done; esac; echo; tput bold; echo -n ' Capture to file '; tput sgr0; read -p '(leave empty for stdout): ' _file; if [[ -n $_file ]]; then tput setaf 2; echo -n '   Saving output to: '; tput sgr0; echo $_file; else tput setaf 2; echo '   Output to CLI'; tput sgr0; fi; echo; printf '%.s-' {1..60}; echo; _sxl='0'; echo -n ' [Executing:]# '; if [[ `fw monitor -h 2>&1` != *'-F'* ]]; then 
case `fwaccel stat | grep 'Accelerator Status :' | cut -c 22-` in on) _sxl='1'; esac; fi; if [[ $_sxl == '1' ]]; then _run='fwaccel off; fw monitor'; else _run='fw monitor'; fi; if [[ `fw monitor -h 2>&1` != *'-F'* ]]; then _run+=' -e "'; if [[ $h == '1' && $p == '1' ]]; then _run+='('; elif [[ $h == '1' && $c == '1' ]]; then _run+='('; fi; for i in ${_hosts[@]}; do if [[ `ipcalc -ms $i` == *'='* ]] && [[ $i == *'.'* ]]; then _run+='host('$i') and '; fi; done; if [[ $h == '1' && $p == '1' ]]; then _run=${_run%?????}; _run+=')'; elif [[ $h == '1' && $c == '1' ]]; then _run=${_run%?????}; _run+=')'; fi; if [[ $h == '1' && $p == '1' ]]; then _run+=' and ('; elif [[ $p == '1' && $c == '1' ]]; then _run+='('; elif [[ $h == '1' && $c == '1' ]]; then _run+=' and ('; fi; for i in ${_ports[@]}; do if [[ $i != *[^0-9]* ]]; then _run+='port('$i') or '; fi; done; if [[ $h == '1' && $p == '1' ]]; then _run=${_run%????}; _run+=')'; elif [[ $p == '1' && $c == '1' ]]; then _run=${_run%????}; _run+=')'; elif [[ $h == '0' && $p == '1' ]]; then _run=${_run%????}; elif [[ $h == '1' && $p == '0' ]]; then _run=${_run%?????}; fi; if [[ $h == '1' || $p == '1' ]]; then if [[ $c == '1' ]]; then _run+=' and ('; fi; fi; for i in ${_prot[@]}; do case $i in tcp) _run+='ip_p=6 or ';; udp) _run+='ip_p=11 or ';; icmp) _run+='ip_p=1 or '; esac; done; if [[ $h == '1' || $p == '1' ]]; then if [[ $c == '1' ]]; then _run=${_run%????}; _run+=')'; fi; elif [[ $h == '1' && $p == '0' && $c == '0' ]]; then _run=${_run%?????}; elif [[ $h == '0' && $p == '1' && $c == '0' ]]; then _run=${_run%?????}; elif [[ $h == '0' && $p == '0' && $c == '1' ]]; then _run=${_run%????}; fi; if [[ $h == '1' || $p == '1' || $c == '1' ]]; then _run+=', '; fi; _run+='accept;"'; else _run+=' -F "0,0,0,0,0"'; fi; if [[ -n $_file ]]; then _run+=' -o /var/log/'$_file; fi; if [[ $_sxl == '1' ]]; then _run+='; fwaccel on'; fi; tput bold; echo $_run; tput sgr0; read -sn1; case $REPLY in '') eval $_run;; *) echo 'Abort!'; esac; echo; 
unset _hosts _ports _prot _file _sxl _run i h p c; fi

SuperTool interactively asks for all data to build up the correct syntax to run fw monitor. If gateways require the new -F syntax (R80.20 JHF 73+, R80.30 JHF?+) SuperTool adjusts the syntax accordingly. It also checks and deactivates SecureXL during fw monitor execution if necessary. SuperTool will be integrated soon within our ccc script.


Attention! *Work in progress*

SuperTool will be further improved in the upcoming days to support:

  • full -F syntax (currently just filters all traffic)
  • VSX controls
  • decide between AND/OR for hosts
  • NOT controls

Kudos to the entire CheckMates community. Special greetings to: @Moti , @Timothy_Hall , @Kaspars_Zibarts , @Vladimir , @HeikoAnkenbrand , @PhoneBoy , @Valeri_Loukine , @Amit_Sharon , @Niran , @Yasushi_Kono1 and the entire Check Point Support and R&D Team.

-- More one-liners --

One-liner for Address Spoofing Troubleshooting
One-liner to show VPN topology on gateways
One-liner to show Geo Policy on gateways
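As an added illustration (not the one-liner above and not code from the ccc project), the following bash function rebuilds the fw monitor -e expression with the same combining rules the SuperTool applies: hosts AND-ed, ports OR-ed, protocols OR-ed, and the non-empty groups AND-ed. The host()/port()/ip_p syntax and the protocol numbers are copied from the one-liner; a plain regex stands in for the ipcalc -ms check that the Gaia shell provides.

```bash
#!/bin/bash
# Added example, not the SuperTool one-liner: builds the fw monitor "-e"
# expression with the one-liner's combining rules (hosts AND-ed, ports OR-ed,
# protocols OR-ed, non-empty groups AND-ed). Protocol numbers are copied from
# the one-liner above; confirm them against the fw monitor docs for your release.

# join_terms OP t1 t2 ... -> "t1 OP t2 OP ..."
join_terms() {
    local op=$1 out="" t; shift
    for t in "$@"; do
        [[ -n $out ]] && out+=" $op "
        out+="$t"
    done
    printf '%s' "$out"
}

# build_filter "hosts" "ports" "protocols": space-separated lists, an empty
# list means "any". Prints the -e argument; returns 1 on an invalid token
# (a plain regex stands in for the gateway's "ipcalc -ms" check).
build_filter() {
    local hosts=$1 ports=$2 prots=$3 t g out=""
    local hterms=() pterms=() cterms=() groups=()
    for t in $hosts; do
        [[ $t =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || { echo "bad host: $t" >&2; return 1; }
        hterms+=("host($t)")
    done
    for t in $ports; do
        [[ $t =~ ^[0-9]+$ ]] || { echo "bad port: $t" >&2; return 1; }
        pterms+=("port($t)")
    done
    for t in $prots; do
        case $t in
            tcp)  cterms+=("ip_p=6") ;;
            udp)  cterms+=("ip_p=11") ;;
            icmp) cterms+=("ip_p=1") ;;
            *)    echo "unknown protocol: $t" >&2; return 1 ;;
        esac
    done
    [[ ${#hterms[@]} -gt 0 ]] && groups+=("$(join_terms and "${hterms[@]}")")
    [[ ${#pterms[@]} -gt 0 ]] && groups+=("$(join_terms or "${pterms[@]}")")
    [[ ${#cterms[@]} -gt 0 ]] && groups+=("$(join_terms or "${cterms[@]}")")
    # A single group needs no parentheses; several groups are each wrapped.
    case ${#groups[@]} in
        0) out="" ;;
        1) out=${groups[0]} ;;
        *) for g in "${groups[@]}"; do out+="${out:+ and }($g)"; done ;;
    esac
    printf '%s' "${out:+$out, }accept;"
}
```

Run it as build_filter "10.0.0.1" "53" "udp" and pass the printed string to fw monitor -e; on gateways with the -F syntax the expression form is not used, as the one-liner notes.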

10 Replies
Vladimir
Pearl

Re: FW Monitor SuperTool

@Danny , this is awesome! Happy to see CCC evolution over the past year! I hope that CP will decide one day to officially support or endorse it.


Re: FW Monitor SuperTool

Wow!

Great job, @Danny 

Wolfgang
Silver

Re: FW Monitor SuperTool

Danny,

thanks a lot for this, it simplifies the daily work.

I used https://tcpdump101.com to build complex fw monitor filters, but your tool makes this easy.

applause, applause

Wolfgang

Re: FW Monitor SuperTool

+1

Kim_Moberg
Silver

Re: FW Monitor SuperTool

Very nice Danny

but isn't fw monitor changed in R80.20 Take 87?

fw monitor -e is changed with the filter function, isn't it?

Best Regards
Kim

Re: FW Monitor SuperTool

From me 100 points. 👍

I'll add it to my one-liner list:

One-liner collection

Admin
Admin

Re: FW Monitor SuperTool

Wow, great work!
Tom_Cripps
Copper

Re: FW Monitor SuperTool

Hi @Danny 

I'm having issues getting this to work. Do I paste it straight into the CLI, or do I need to put it into a script?

Danny
Pearl

Re: FW Monitor SuperTool

Hi @Tom_Cripps ,

just paste it straight into your Expert mode CLI.

Tom_Cripps
Copper

Re: FW Monitor SuperTool

Got this working now, just had to press Enter. 

Great work though! Kudos.
