How to see what firewall rules match some traffic

I need to see what firewall rules match some traffic. There are a lot of rules in my policy, accordingly, not all rules are logged. What kind of debug and which flags can I use for this purpose (except the flag "conn")? Or what method can I use for this purpose?

Accepted Solutions

Not exactly what you want, but sort of

https://community.checkpoint.com/thread/5319-my-top-3-check-point-cli-commands#comment-14596

EDIT: Check this thread:

CPT - Check Point Packet Trace Utility ?

EDIT2:

And the winner is (hidden tool in R80):

fw up_execute

Kind regards,
Jozko Mrkvicka

9 Replies
Advisor

Unfortunately, no. Connstat we can use only for Windows. For Gaia we can use CPmonitor, but it is not supported on a 64-bit based OS.

Champion

I do not understand - you can collect the table using

fw tab -t connections -u > /var/log/Connections_Table.txt

transfer it to the PC and run the utility with the relevant flags:

C:\> connStat.exe -f Name_of_Table_File.txt [-a|-c|-s|-r|-l|-p|-d|-n <number>] > Name_of_Output_File.txt

Also, CPMonitor 32bit limitation should not apply here.

Advisor

Thanks for explanation, but it does not suit me, unfortunately.

I need to see what rule number match traffic with specific dst and src address.

Champion

Now I understand! This is all in the used connections table, but you must analyze it yourself, see sk65133: Connections Table Format

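As an added example (not code from this thread or from Check Point), a small Python script for the workflow described above: dump the table with `fw tab -t connections -u`, copy the file to a PC, and pull out only the entries for a given source and destination address before analysing them against sk65133. It assumes that each entry begins with a six-field hex key `<direction, src_ip, src_port, dst_ip, dst_port, proto; ...>` as described in sk65133; the sample dump lines are constructed, and the rule number in the value fields after `;` is not decoded.

```python
"""Filter a dumped Check Point connections table by source/destination IP.

Assumed input: text from `fw tab -t connections -u`, where each entry starts
with a six-field hex key <direction, src_ip, src_port, dst_ip, dst_port,
proto; ...> (layout per sk65133; treated as an assumption here)."""
import ipaddress
import re

# Six 8-digit hex fields, comma separated, up to the ';' that starts the value part.
HEX = r"([0-9a-fA-F]{8})"
KEY_RE = re.compile(r"<\s*" + r"\s*,\s*".join([HEX] * 6) + r"\s*;")

def hex_ip(h):
    """Convert an IPv4 address written as one hex number ('c0a80105') to dotted quad."""
    return str(ipaddress.IPv4Address(int(h, 16)))

def parse_entry(line):
    """Decode the key of one table entry; None for header or noise lines."""
    m = KEY_RE.search(line)
    if m is None:
        return None
    direction, src, sport, dst, dport, proto = m.groups()
    return {"dir": int(direction, 16), "src": hex_ip(src), "sport": int(sport, 16),
            "dst": hex_ip(dst), "dport": int(dport, 16), "proto": int(proto, 16)}

def find_connections(dump_text, src=None, dst=None):
    """Return decoded entries whose key matches the given src and/or dst IP."""
    found = []
    for line in dump_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        if src is not None and entry["src"] != src:
            continue
        if dst is not None and entry["dst"] != dst:
            continue
        found.append(entry)
    return found

# Constructed sample dump (not captured from a real gateway); value fields elided.
SAMPLE_DUMP = """\
localhost:
-------- connections --------
<00000000, c0a80105, 0000d431, 0a000014, 00000050, 00000006; 00000001, ...>
<00000000, c0a80105, 0000a5f2, 0a000015, 00000035, 00000011; 00000001, ...>
<00000001, 0a000014, 00000050, c0a80105, 0000d431, 00000006; 00000001, ...>
"""
```

On the transferred file, call `find_connections(open("Connections_Table.txt").read(), src=..., dst=...)` and inspect the remaining lines by hand using sk65133.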
Advisor

fw up_execute is a winner, you are right)

Advisor
No need to go into CLI, you can use Packet Mode in SmartConsole R80.10+. See https://community.checkpoint.com/thread/5233-packet-mode-a-new-way-of-searching-through-your-securit...

My blog: https://checkpoint.engineer

Contributor

Hello
The easy way: enable the Hit option in SmartConsole, then you can see whether all the policies are in use.
Alexander