This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
tonyhsueh
Explorer
‎2024-05-27 10:06 PM

tcpdump issues

HI:

We have two mho140 and two checkpoint6200 in mho topology, no traffic packet (mho140 or checkpoint6200) when I using tcpdump in expert mode.

MHO topology is support for tcpdump in expert mode?

Which one(mho140 or checkpoint6200) using tcpdump?

thanks!

 

0 Kudos
5 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-05-27 10:22 PM

You can only do packet captures with tcpdump at the SGMs. 

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2024-05-27 10:22 PM

you need to run tcpdump from the 6200 appliances , from the SMO.

use g_tcpdump command to see traffic from all members

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-05-28 12:44 PM
In response to Nir_Shamir

g_tcpdump will certainly work, but should be used with caution on a busy Maestro security group; use asg perf -vp run from any SGM to see how utilized the security group is.  Below is a screenshot from my Gateway Performance Optimization Course showing this great command.  

Another alternative if under high load is using the asg search command to identify which specific SGM is handling all the packets of the connection you want to capture, then logging into that SGM and running a local tcpdump from expert mode locally.  For subsequent connections with the same attributes (sIP, dIP, and possibly dPort if L4 is enabled), the same SGM will always handle that same connection unless the number of active SGMs changes or the distribution algorithm is changed.  However if the connection is NATted you may not always get a complete capture with this latter technique, depending upon how the pre-NAT and post-NAT flows are distributed in the security group.

asgperf.png

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
tonyhsueh
Explorer
‎2024-05-27 06:35 AM

Hi bro:

We have two mho140 and two checkpoint6200 in topology, but no traffic packet using expert mode by tcpdump.

Whether mho140 or checkpoint are no traffic packet.

How to capture traffic packet by tcpdump?

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-05-28 11:42 AM
In response to tonyhsueh

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Maestro_AdminGuide/Content/T...

 

 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events