- Products
- Learn
- Local User Groups
- Partners
-
More
Celebrate the New Year
With CheckMates!
Value of Security
Vendor Self-Awareness
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
Mobile Security
Buyer's Guide Out Now
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Hi community,
I have some problems with monitoring devices through an vpn tunnel.
I used
fw monitor -e "accept( host(<ip>));"
fw monitor e ‘(accept src=<ip>);'
but I got the whole traffic - the filter is not working.
Is that maybe one of the nice bugs of R80.20?
Currently I'm on JHF73 because Check Point shredded my IA.
Looking forward to your suggestions
Best Regards
Johannes
FROM sk30583
fw monitor -F "{src IP}, {src port}, {dst IP}, {dst port}, {protocol num}"
Filtering the packets based on IP/port/protocol.
Notes:
Note: Relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73)
examples using fw monitor -F "{src IP}, {src port}, {dst IP}, {dst port}, {protocol num}":
fw monitor -F "0, 0, 0, 443, 0"
fw monitor -F "0, 0, 2.2.2.2, 0, 0"
fw monitor -F "1.1.1.1, 0, 2.2.2.2, 443, 0"
example for all DNS traffic which also captures all return traffic from DNS
fw monitor -F "0, 0, 0, 53, 0" -F "0, 53, 0, 0, 0" -w
I believe you need -w for full packet length capture and can still use -o to output files.
There is also a fw monitor -U to set fw monitor back to defaults. It appears to unload the monitor but not really sure what that does - I'm still testing the syntax and searching for more detailed documentation.
I've just highlighted this in here too: https://community.checkpoint.com/t5/Product-Announcements/R80-20-Jumbo-Hotfix-Accumulator-New-Ongoin...
Regardless of SecureXL status, T73 appears to have broken the filters.
I am sorry, but i really do not understand what you want to achieve here. Check Point's FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. For monitoring devices for health, traffic rate a.o. most customers use SMNP !
fw monitor filters are using a subset of CheckPoints old INSPECT syntax to specify the packets to be captured. Details concerning functionality, syntax a.o. can be found in How to use FW Monitor and in How to use FW Monitor.
Hi Johannes,
Specifying just the host/source ip address is still bound to overwhelm you with a great deal of output, depending on the services that the host in question uses and the traffic it generates in general.
I think the best way forward would be for you to tell us the following:
Many thanks.
The post that I made regarding the fw monitor filter being broken by JHFA T73 appears to have disappeared from the 'official' ongoing T73 thread. (The thread itself has been deleted).
I assume this means that a retraction of T73 is about to be made, functionality of fw monitor has been broken, and it will soon be replaced by a new ongoing take.
The symptoms of the OP match my findings, e.g. filters not being applied correctly/at all post upgrade to T73; but fine in T47.
No, I haven't opened up a TAC case.
The expression-thing seems to be known and is one of many recently experienced bugs.
Regarding the strange SNMP behavior: I first need more time to exclude other issues.
take74 still shows the issue
Take 87 also seems to have the same issue
FROM sk30583
fw monitor -F "{src IP}, {src port}, {dst IP}, {dst port}, {protocol num}"
Filtering the packets based on IP/port/protocol.
Notes:
Note: Relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73)
examples using fw monitor -F "{src IP}, {src port}, {dst IP}, {dst port}, {protocol num}":
fw monitor -F "0, 0, 0, 443, 0"
fw monitor -F "0, 0, 2.2.2.2, 0, 0"
fw monitor -F "1.1.1.1, 0, 2.2.2.2, 443, 0"
example for all DNS traffic which also captures all return traffic from DNS
fw monitor -F "0, 0, 0, 53, 0" -F "0, 53, 0, 0, 0" -w
I believe you need -w for full packet length capture and can still use -o to output files.
There is also a fw monitor -U to set fw monitor back to defaults. It appears to unload the monitor but not really sure what that does - I'm still testing the syntax and searching for more detailed documentation.
Thanks @Matt_Killeen for the update.
The old fw monitor was so hard to use, this new syntax is so innovative and ease to use.
Why use -e 'accept src(1.2.3.4)', when it's so much easier to use -F "1.2.3.4, 0, 0, 0, 0"
I want to get the pills or the stuff to smoke, the product management obviously got....
I mean we can be glad, the we are allowed to use IPs and no hex-stuff
I'm working to make using FW Monitor to be the easiest experience ever. Just follow my work progress @ FW Monitor SuperTool.
This seems to be a really nice tool to use. I am a bit skeptical about SecureXL getting disabled though. The gateway is under a bit of load at the moment.
However, this doesn't help me with my problem at hand. I have the filters and syntax correct but I'm only seeing a single inspection point in the firewall chain no matter what I do. Got a TAC case opened for this. Was just wondering if anyone successfully used fw monitor to capture all inspection points in R80.20 JHF take 87+
If you're at R80.20 JHF take 87+ SecureXL won't be disabled by FW Monitor SuperTool. Also if your gateway is under load and you are using an older version you should disable SecureXL only for the IP addresses to be monitored. This has to be done on the management though.
Does this show you all the inspection points? I tried this with -p all but it only shows me a single position in the inbound chain. What I need to see is the interface that the traffic is going out of.
Just want to brought this to your attention https://tcpdump101.com/# was updated with the -F syntax for fw monitor , thanks grave_rose for that
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY