Note: From version R80.20 Jumbo Hotfix Accumulator take_73, the "-e" flag is not supported for Accelerated traffic.
I noticed this today running an R80.20 CCVS/VSX class: if the traffic is accelerated, the -e filter is ignored and you simply see everything. This is fixed in R80.20 Ongoing Take 117:
PRJ-5507, PMTR-41300 Security Gateway In some scenarios, when running "fw monitor" with "-e" flag, SecureXL traffic is not filtered, and all traffic is displayed.
In the meantime you need to use the new simple filter via -F which works correctly:
fw monitor -F "x.x.x.x,0,y.y.y.y,0,0"
This will filter connection "x.x.x.x:<Any> --> y.y.y.y:<Any>, <protocol: Any>"
Source ip: x.x.x.x, source port: any, destination ip: y.y.y.y, destination port: any, protocol: any
You can also use "*" as a wildcard like this:
fw monitor -F "192.168.1.*,0,10.1.1.*,0,0"
As far as fw monitor dumping core when trying to use the -v VSID flag, we noticed that too in R80.20 with Jumbo HFA 103 applied. Definitely a bug...
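Added example, not part of the original post: a small shell helper that validates the five fields of the -F simple filter described above (source IP, source port, destination IP, destination port, protocol, with 0 meaning any and "*" allowed as an octet) and prints the command for both directions of a connection. The function names and sample addresses are constructed for illustration, and passing -F twice to also capture reply packets is an assumption the post does not state.

```shell
#!/bin/sh
# Build validated "fw monitor -F" simple filters: src,sport,dst,dport,proto (0 = any).

# Accept a dotted quad whose octets are 0-255 or the "*" wildcard.
# Runs in a subshell so the IFS and noglob changes do not leak to the caller.
valid_ip() (
    case $1 in *.) exit 1 ;; esac          # reject a trailing dot
    IFS=.; set -f; count=0
    for octet in $1; do
        count=$((count + 1))
        case $octet in
            '*') ;;
            ''|*[!0-9]*|????*) exit 1 ;;   # empty, non-numeric or too long
            *) [ "$octet" -le 255 ] || exit 1 ;;
        esac
    done
    [ "$count" -eq 4 ]
)

# Accept a decimal number between 0 and the maximum given in $2.
valid_num() {
    case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -le "$2" ]
}

# Print one filter string, or fail with a message naming the bad field.
fwmon_filter() {
    valid_ip "$1"        || { echo "bad source IP: $1" >&2; return 1; }
    valid_num "$2" 65535 || { echo "bad source port: $2" >&2; return 1; }
    valid_ip "$3"        || { echo "bad destination IP: $3" >&2; return 1; }
    valid_num "$4" 65535 || { echo "bad destination port: $4" >&2; return 1; }
    valid_num "$5" 255   || { echo "bad protocol number: $5" >&2; return 1; }
    printf '%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Print a command covering both directions (assumes -F may be repeated).
fwmon_cmd() {
    fwd=$(fwmon_filter "$1" "$2" "$3" "$4" "$5") || return 1
    rev=$(fwmon_filter "$3" "$4" "$1" "$2" "$5") || return 1
    printf 'fw monitor -F "%s" -F "%s"\n' "$fwd" "$rev"
}

# Constructed sample: any source port on 10.0.0.5 to 10.1.1.20:443, protocol 6 (TCP).
fwmon_cmd 10.0.0.5 0 10.1.1.20 443 6
```

The helper only prints the command, so the output can be reviewed before it is pasted on the gateway.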