cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

fw monitor not filtering

Hi community,

I have some problems with monitoring devices through an vpn tunnel.
I used

fw monitor -e "accept( host(<ip>));"
fw monitor e ‘(accept src=<ip>);'

but I got the whole traffic - the filter is not working.

Is that maybe one of the nice bugs of R80.20?
Currently I'm on JHF73 because Check Point shredded my IA.

Looking forward to your suggestions

Best Regards
Johannes

0 Kudos
12 Replies

Re: fw monitor not filtering

Maybe you can try without the extra ( ) like:
fw monitor -e "accept host(10.10.10.10);" -m iO
Regards, Maarten
0 Kudos

Re: fw monitor not filtering

I've just highlighted this in here too: https://community.checkpoint.com/t5/Product-Announcements/R80-20-Jumbo-Hotfix-Accumulator-New-Ongoin...

 

Regardless of SecureXL status, T73 appears to have broken the filters.

0 Kudos

Re: fw monitor not filtering

@Nick thanks for your reply, another wonderful bug in the CP world.
I guess it can only get better from now on
0 Kudos

Re: fw monitor not filtering

Hi @opal, didn't work, it's the same.
0 Kudos

fw monitor not filtering

I am sorry, but i really do not understand what you want to achieve here. Check Point's FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. For monitoring devices for health, traffic rate a.o. most customers use SMNP !

 

fw monitor filters are using a subset of CheckPoints old INSPECT syntax to specify the packets to be captured. Details concerning functionality,  syntax a.o. can be found in How to use FW Monitor and in How to use FW Monitor.

0 Kudos

Re: fw monitor not filtering

@G_W_Albrecht: sry, I didn't explian myself from the beginning on.
Monitoring the cluster nodes with SNMP stopped working and I wanted to make sure, that the SNMP packets are passing the firewall.
Unfortunately the filters are broken (T-73) - maybe my monitoring problem is based on similar hotfix issues....
0 Kudos

Re: fw monitor not filtering

Hi Johannes,

Specifying just the host/source ip address is still bound to overwhelm you with a great deal of output, depending on the services that the host in question uses and the traffic it generates in general.

I think the best way forward would be for you to tell us the following:

  1. What is it exactly you are trying to achieve?
  2. Is the host in question on your site or on the remote site?
  3. What is exactly the traffic you are really interested in?
  4. What interface did you run the fw monitor command on?
  5. Did you turn securexl off before running the command? Remember that you don't have to do that on R80.20.

Many thanks.

0 Kudos

Re: fw monitor not filtering

The post that I made regarding the fw monitor filter being broken by JHFA T73 appears to have disappeared from the 'official' ongoing T73 thread. (The thread itself has been deleted).

I assume this means that a retraction of T73 is about to be made, functionality of fw monitor has been broken, and it will soon be replaced by a new ongoing take.

 

The symptoms of the OP match my findings, e.g. filters not being applied correctly/at all post upgrade to T73; but fine in T47.

Admin
Admin

Re: fw monitor not filtering

Did you open a TAC ticket on this?
0 Kudos

Re: fw monitor not filtering

No, I haven't opened up a TAC case.

The expression-thing seems to be known and is one of many recently experienced bugs.

Regarding the strange SNMP behavior: I first need more time to exclude other issues.

0 Kudos

Re: fw monitor not filtering

Dear Nico, I think it's a bug with JHF-73 - filtering the traffic with the stated expression should work as expected.
0 Kudos

Re: fw monitor not filtering

take74 still shows the issue