Re: R80.20 cheat sheet - fw monitor

Copied from sk30583:


Note: Relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73)
[-w whole packet] [-F simple filter "{src IP},{src port},{dst IP},{dst port},{protocol num}"] [-U clear]

Re: R80.20 cheat sheet - fw monitor

-F:  any hint how to filter for networks instead of single IP addresses?

10.1.1.0/24 --> doesn't filter at all

10.1.1.0/255.255.255.0 --> "Set operation failed: failed to get parameter simple_debug_filter_saddr_1"

10.1.1.0,24: --> obviously not possible

Re: R80.20 cheat sheet - fw monitor

Check Point's documentation is vague on exactly how the filter should look. They include braces. That looks like JSON. Should the filter be in the form of a JSON object? A list of objects? Can't tell, since they don't include any examples.


I just tested and this exact form worked for me:


[Expert@MyFW ACTIVE]# fw monitor -F "10.20.30.40,0,0,0,0"
 FW monitor will record only ip & transport layers in a packet
 For capturing the whole packet please do -w
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
[vs_0][fw_0] bond1.2345:i[44]: 10.20.30.40 -> 192.168.128.64 (TCP) len=1000 id=45972
TCP: ***** -> ***** ...PA. seq=******** ack=********
[vs_0][fw_0] bond1.2345:i[40]: 10.20.30.40 -> 192.168.128.64 (TCP) len=40 id=45973
TCP: ***** -> ***** ....A. seq=******** ack=********
[vs_0][fw_0] bond1.2345:i[40]: 10.20.30.40 -> 192.168.128.64 (TCP) len=40 id=45974
TCP: ***** -> ***** ....A. seq=******** ack=********
 monitor: caught sig 2
 monitor: unloading


Re: R80.20 cheat sheet - fw monitor

Even more vague is the answer to how we can capture traffic post-outbound O without the need to add another filter with the NATted address.

As described in the examples on the bottom of the SK:

fw monitor -F "x.x.x.x,0,y.y.y.y,0,0" -F "y.y.y.y,0,x.x.x.x,0,0"

Filter 1: source ip: x.x.x.x, source port: any, destination ip: y.y.y.y, destination port: any, protocol: any.
Filter 2: source ip: y.y.y.y, source port: any, destination ip: x.x.x.x, destination port: any, protocol: any.

This does not take into account a (possible) NAT translation and thus will not capture/display it.


Any ideas?

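Since the simple -F filter takes single addresses (the network forms tried above do not work) and does not follow a NAT translation, one workaround is to capture with a broad filter and narrow the result afterwards. The following helper is an added example, not code from the thread or from Check Point: it parses header lines in the format fw monitor printed above, keeps packets whose source or destination falls in a given network, and groups the pre-NAT (i) and post-NAT (O) views of a packet by IP id. The sample output is constructed, the IP-id pairing is a heuristic, and the inspection-point letters follow fw monitor's usual i/I/o/O convention.

```python
import re
import ipaddress

# Constructed sample in the line format shown in the post above; ports masked as there.
SAMPLE_OUTPUT = """\
[vs_0][fw_0] bond1.2345:i[44]: 10.20.30.40 -> 192.168.128.64 (TCP) len=1000 id=45972
TCP: ***** -> ***** ...PA. seq=******** ack=********
[vs_0][fw_0] bond1.2345:O[44]: 203.0.113.5 -> 192.168.128.64 (TCP) len=1000 id=45972
TCP: ***** -> ***** ...PA. seq=******** ack=********
[vs_0][fw_0] eth0:i[60]: 10.1.1.77 -> 10.9.9.9 (UDP) len=60 id=1
"""

# One packet header line: [vs][fw] iface:point[caplen]: src -> dst (proto) len=N id=N
HEADER_RE = re.compile(
    r"^\[(?P<vs>vs_\d+)\]\[(?P<fw>fw_\d+)\] (?P<iface>\S+?):(?P<point>[iIoO])"
    r"\[(?P<caplen>\d+)\]: (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<proto>\w+)\) len=(?P<len>\d+) id=(?P<id>\d+)$"
)


def parse_fw_monitor(text):
    """Return one dict per packet header line; TCP/UDP detail lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["src"] = ipaddress.ip_address(pkt["src"])
            pkt["dst"] = ipaddress.ip_address(pkt["dst"])
            packets.append(pkt)
    return packets


def filter_packets(packets, networks=(), points=None):
    """Keep packets with src or dst inside any CIDR in `networks`, optionally
    restricted to the given inspection points (e.g. "iO")."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    keep = []
    for p in packets:
        if points and p["point"] not in points:
            continue
        if nets and not any(p["src"] in n or p["dst"] in n for n in nets):
            continue
        keep.append(p)
    return keep


def group_by_ip_id(packets):
    """Heuristic NAT correlation: the same packet seen at i and O normally keeps
    its IP id, so grouping by id shows the pre- and post-NAT addresses together.
    Ids can repeat across flows, so treat a group as a hint, not proof."""
    groups = {}
    for p in packets:
        groups.setdefault(p["id"], []).append((p["point"], str(p["src"]), str(p["dst"])))
    return groups
```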

Re: R80.20 cheat sheet - fw monitor

@Jan_Boonen Use AND expression and include NAT-ed address, if you know it. Alternatively, use source or destination alone for the IP that is not NAT-ed


Re: R80.20 cheat sheet - fw monitor

fw monitor is thoroughly described in the CLI admin guide


Re: R80.20 cheat sheet - fw monitor

Several aspects are described in the CLI reference guide, but not all.

Specifically, there are no examples of filters (either INSPECT or simple).


Re: R80.20 cheat sheet - fw monitor

We are adding those "as we speak" 
