tadams
Explorer

Using FWMONITOR with SecureXL enabled (R80.20 and up) TechTip

Hello everyone,

I wanted to spread the knowledge that starting with R80.20 it is possible to packet capture with FWMONITOR with SecureXL turned on. I know it can sometimes be a hassle to troubleshoot traffic that can’t be seen with SecureXL acceleration. It can also be dangerous to turn it off because of the possibility of the non-accelerated traffic overpowering the CPU. In R80.20 and later traffic can be fully captured by fw monitor with SecureXL still enabled, as long as you use the -F flag along with an alternate traffic filtering syntax. Here is an example:

fw monitor -F 0,0,0,80,0

This equivalent fw monitor command can capture all destination port 80 traffic regardless of whether it is accelerated. You see there are five numeric positions in this syntax after the -F. Here are the meanings of them by position.

  1. Source IP
  2. Source Port
  3. Destination IP
  4. Destination Port
  5. Protocol

Hopefully this will be a help in your technical journeys!

0 Kudos
1 Reply
HeikoAnkenbrand
Champion

More read here:

What is FW Monitor? sk30583 
-> Capture Examples of "-F" flag

  1. Usual Capture
  2. Host Specific Capture
  3. Port Specific Capture
  4. Protocol Specific Capture

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
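The five-field -F syntax from the original post and the host/port/protocol capture variants listed in the reply, as an added shell example (not Check Point's code and not from either poster): it validates each field, prints a readable form of a filter string, and assembles a two-direction host capture command. It assumes the field order given in the post, 0 as the wildcard value, IP protocol numbers in the last field, and that -F may be repeated on one command line as in the SK's capture examples; it only prints command lines and never runs fw monitor.

```shell
#!/bin/sh
# Added example (not Check Point's code): build and read "fw monitor -F"
# filter strings. Field order as the post describes:
#   <src IP>,<src port>,<dst IP>,<dst port>,<protocol>   (0 = match any)
# Protocol is the IP protocol number (6 = TCP, 17 = UDP). The helpers only
# print command lines; they never run fw monitor, so they are safe to test.

_any() { [ "$1" = "0" ] && echo any || echo "$1"; }

# 0 or a dotted-quad IPv4 address with every octet in 0..255
_is_ip() {
    [ "$1" = "0" ] && return 0
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _ifs=$IFS; IFS=.
    for _o in $1; do [ "$_o" -le 255 ] || { IFS=$_ifs; return 1; }; done
    IFS=$_ifs
}

# integer in 0..$2
_is_num() { echo "$1" | grep -Eq '^[0-9]+$' && [ "$1" -le "$2" ]; }

# fwmon_filter SRC SPORT DST DPORT PROTO -> "a,b,c,d,e", or fails on bad input
fwmon_filter() {
    _is_ip  "$1"       || { echo "bad source IP: $1" >&2; return 1; }
    _is_num "$2" 65535 || { echo "bad source port: $2" >&2; return 1; }
    _is_ip  "$3"       || { echo "bad destination IP: $3" >&2; return 1; }
    _is_num "$4" 65535 || { echo "bad destination port: $4" >&2; return 1; }
    _is_num "$5" 255   || { echo "bad protocol number: $5" >&2; return 1; }
    printf '%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$4" "$5"
}

# fwmon_describe "a,b,c,d,e" -> one-line reading of an existing filter string
fwmon_describe() {
    _ifs=$IFS; IFS=,; set -- $1; IFS=$_ifs
    [ $# -eq 5 ] || { echo "expected 5 comma-separated fields" >&2; return 1; }
    printf 'src %s sport %s dst %s dport %s proto %s\n' \
        "$(_any "$1")" "$(_any "$2")" "$(_any "$3")" "$(_any "$4")" "$(_any "$5")"
}

# fwmon_host_cmd HOST [DPORT] [PROTO] -> full command capturing both directions
# of traffic to/from HOST. One -F matches a single direction, so two are
# given (assumption: -F may be repeated, as in the SK's capture examples).
fwmon_host_cmd() {
    _out=$(fwmon_filter "$1" 0 0 "${2:-0}" "${3:-0}") || return 1
    _back=$(fwmon_filter 0 "${2:-0}" "$1" 0 "${3:-0}") || return 1
    printf 'fw monitor -F %s -F %s\n' "$_out" "$_back"
}

# Demonstration: the post's own example, then a bidirectional host capture
# (192.0.2.10 is a constructed documentation address).
fwmon_describe "0,0,0,80,0"
fwmon_host_cmd 192.0.2.10 443 6
```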
