This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
FrozT
Participant
‎2020-06-01 04:17 PM

FW monitor -F syntax

I don't understand why they nerf'd 'fw monitor -e' in favor of 'fw monitor -F'?  My opinions aside ノಠ_ಠノ, how do we convert old syntax such as this:

fw monitor -e "accept net(13.64.0.0,11) and host(10.0.0.1);"

how do I do that with -F?

4 Replies
Danny
Champion
Champion
‎2020-06-01 09:52 PM

You don't. -F is a simple capture filter that relies on Kernel Debug filters and doesn't support supernetting. However, it supports using wildcards.

So you have two options:

  1. fw monitor -F "10.0.0.1,0,13.*.*.*,0,0" -F "13.*.*.*,0,10.0.0.1,0,0"
  2. fwaccel off; fw monitor -e "accept net(13.64.0.0,11) and host(10.0.0.1);"; fwaccel on
0 Kudos
FrozT
Participant
‎2020-06-07 09:22 PM
In response to Danny

Option 1 is not the same thing and option 2 isn't really an option because fw monitor -e doesn't work anymore regardless if acceleration is turned on or off.  It will not filter anything and instead spit back what I can only guess is all the traffic.

So basically Checkpoint has removed one of the best troubleshooting methods and that's that.  I can't believe that they've taken fw monitor away from us...

0 Kudos
Timothy_Hall
Champion
Champion
‎2020-11-01 11:48 AM
In response to Danny

fw monitor -F "10.0.0.1,0,13.*.*.*,0,0" -F "13.*.*.*,0,10.0.0.1,0,0"

This syntax doesn't seem to work correctly for me, as an example this works as expected:

fw monitor -F 4.2.2.2,*,*,*,* -F 0,0,4.2.2.2,0,0

However this next one doesn't install a filter at all, and just gives me everything unfiltered:

fw monitor -F 4.2.2.*,*,*,*,* -F 0,0,4.2.2.2,0,0

I've noticed that if you typo the -F filter it doesn't error out but just gives you everything unfiltered which is a bit dangerous in my opinion.  Example:

fw monitor -F totalgarbage

I get every possible packet unfiltered, it even says "Compiled OK".  Huh?

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
Danny
Champion
Champion
‎2020-11-01 01:47 PM
In response to Timothy_Hall

Right, that's another reason such complex tools should always come with a user interface that performs syntax checking. Such as my FW Monitor SuperTool. If I'd only find the time to add -F simple capture syntax support to it. Currently my entire free time is taken by Check Points CoreXL team to advance my CoreXL Dynamic Balancing extension to fully control the Dynamic Split via SmartConsole.

0 Kudos