This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Danny
Champion Champion
Champion
‎2018-06-12 07:05 AM

CPT - Check Point Packet Trace Utility ?

Will Check Point release a management plugin that offers a similar functionality to Cisco's ASDM packet tracer anytime soon? I'm thinking about coding it on my own for quite some time. Shall I start or wait for Check Point?

25 Replies
Vincent_Bacher
Advisor
Advisor
‎2018-06-12 07:19 AM

Just do it. Would be very appreciated and useful for many mates, I am quiet sure.

There is the packet injection tool from CP but something similar to the packet tracer would be very nice.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Alejandro_Mont1
Collaborator
‎2018-06-12 07:19 AM

The only thing I know of is Packet Injector (sk110865), but that is done from the gateway itself via CLI.

Houssameddine_1
Collaborator
‎2018-06-12 07:22 AM

I think you might see something similar in R80.20. Checkpoint will implement the rule assistance utiliy which can be used to determine if there is a rule or not for certain traffic and it helps you to place the rules in the correct location.

Checkpoint has another utility that injects the packets but you have to run it from the gw

Check Point Packet Injector

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

In R80.10 gateways there is another utility (not documented) that doesn't inject packets but it does go through the policy files and database and tells you which rules the traffic will match but it doesn't inject the packets.

[Expert@GW01:0]#fw up_execute
Usage: fw up_execute [src=<IP>] [dst=<IP>] ipp=<ip protocol> [sport=<source port>] [dport=<dest port>] [protocol=<protocol>] [application=<application/category>]

Notes:  Parameters can be omitted, except the ipp (and dport in case of TCP or UDP).
        The order of the parameters does not matter.
        Applications can be entered multiple times.

Examples:
1) fw up_execute src=126.200.49.240 dst=10.1.1.1 ipp=1
2) fw up_execute src=10.1.1.1 ipp=6 dport=8080 protocol=HTTP application=Facebook application=Opera

Thanks

Anthony_Holdswo
Employee Alumnus
Employee Alumnus
‎2018-06-15 11:00 AM
In response to Houssameddine_1

There is also packet mode from SmartConsole: Use R80.10 New Packet Mode Feature to Search Through Policy - YouTube 

PhoneBoy
Admin
Admin
‎2018-06-12 11:57 AM

See also: https://community.checkpoint.com/docs/DOC-2969 

ED
Advisor
‎2018-06-12 11:11 PM

Do it. 

0 Kudos
Petr_Hantak
Advisor
Advisor
‎2018-06-12 11:48 PM

Packet Inject tool isn't bad, but I agree with others that some kind of simulation graphic tool will be appreciated.

HeikoAnkenbrand
Champion Champion
Champion
‎2018-06-13 01:45 AM

Use:

fw monitor -p all -e "accept(...);"      

-> The old classic!          

fw ctl zdebug + monitorall  | grep -A 1 <IP w.x.y.z>   

-> It's an undocumented command that's very helpful. It is nice that no "fwaccel off" is necessary. With this command you can see even more details than "fw monitor" 🙂 The firewall worker and the CPU core are also displayed here. For more informtions: "fw ctl zdebug" Helpful Command Combinations 

Example view: 

...


eth0:O12 (tcpt outbound)[940]:10.1.1.1 -> 10.1.1.81 (TCP) len=940 id=18052;
;[cpu_2];[fw4_1];TCP: 22 -> 10058 ...PA. seq=4ced07e1 ack=75e09a88;

eth0:O13 (TCP streaming post VM)[940]:10.1.1.1 -> 10.1.1.81 (TCP) len=940 id=18052;
;[cpu_2];[fw4_1];TCP: 22 -> 10058 ...PA. seq=4ced07e1 ack=75e09a88;

eth0:O14 (IP Options Restore (out))[940]:10.1.1.1 -> 10.1.1.81 (TCP) len=940 id=18052;
;[cpu_2];[fw4_1];TCP: 22 -> 10058 ...PA. seq=4ced07e1 ack=75e09a88;

...

and Packet Injector:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Mike_Schepers
Participant
‎2018-06-14 07:36 PM

Yes, please do it.  I came from a Cisco ASDM environment and this is definitely a feature that I miss.  In fact, I have been asking about it for a few years now with several of the SE's that have been assigned to my account.  This would be especially useful with layered rules that contain both tradition policies as well as blade specific (i.e. app/url/Antibot) policies to be able to test possible policy updates and get a graphical depiction of success or failure before they are actually installed.

Huseyin_Rencber
Collaborator
‎2018-06-15 02:25 PM

You should start, do not wait for checkpoint. There is packet tracer on cisco firepower and also checkpoint packet injector, you can customize these and this would be useful.

0 Kudos
Maik
Advisor
‎2018-09-16 05:36 AM

Hey Danny,

Sorry to dig into such an old thread, but since no clarification regarding an Check Point implementation was mentioned (I guess it is not planned due to packet mode search/pinj/fw monitor/fw vtl debug) - did you start with an own implementation? Or would you think it makes sense to open a thread where we ask the whole community if they would be interested in such a solution? Maybe Check Point is willing to implement it in a future release if enough people show their interest. Smiley Happy

I personally would benefit from such a tool, maybe placed on the SMS itself to be able to search through multiple policies and/or layers at the same time without the need to do it locally on the gw.

Regards,

Maik

Danny
Champion Champion
Champion
‎2018-09-16 05:56 PM
In response to Maik

I haven't started developing this yet as I'm currently working on an accompanying Bash script to Timothy Hall's Max Power Firewalls book.

JozkoMrkvicka
Mentor
Mentor
‎2018-09-16 02:39 PM

Lets vote Smiley Happy

Kind regards,
Jozko Mrkvicka
0 Kudos
Yuri_Slobodyany
Collaborator
‎2018-09-16 10:05 PM

When all the competitors have it, it should be a question of when not if Smiley Happy .

Palo Alto: 

test security-policy-match
test nat-policy-match

test pbf-policy-match

https://www.linkedin.com/in/yurislobodyanyuk/
0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-16 10:14 PM
In response to Yuri_Slobodyany

We already have this capability in the CLI, at least for the Access Policy.

See above comment that I marked "correct."

Check Point does not not currently have this for NAT (which would be nice to have) or Policy Forwarding (which assumes routing based on Application, something not currently in the product). 

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-10-03 09:47 PM
In response to Yuri_Slobodyany

From the GUI or the API: How to use R80.10 Packet Mode feature to search in Access Control Policy? 

0 Kudos
JozkoMrkvicka
Mentor
Mentor
‎2018-09-17 03:01 AM

fw up_execute is really great tool and it works well. The only issue I see is that you need to run it from specific gateway.

The best will be to execute it from management with parameter for which gateway you want to find a match (or search all policy packages).

Kind regards,
Jozko Mrkvicka
PhoneBoy
Admin
Admin
‎2018-10-03 04:32 PM

fw up_execute is considered an "internal tool" according to my sources in R&D.

This tool does not support all the objects in the rulebase (e.g. Access Roles). 

Packet Injector is the supported way to do this: Check Point Packet Injector 

0 Kudos
JozkoMrkvicka
Mentor
Mentor
‎2018-10-04 04:07 AM
In response to PhoneBoy

ETA when will be "pinj" available for R80.20 gateways ?

[Expert@GWA_R8020:0]# tar -zxvf pinj_v1.4.6_R80.10.tgz
CPPinj-R80-00.i386.rpm


[Expert@GWA_R8020:0]# rpm -ihv CPPinj-R80-00.i386.rpm
Preparing... ########################################### [100%]
1:CPPinj ########################################### [100%]


[Expert@GWA_R8020:0]# cat /opt/CPInstLog/install_Pinj_R80.elg
#####################################################
Start Pinj preinstall script...
Set umask for this session...
End Pinj preinstall script...
#####################################################
#####################################################
Start Pinj postinstall script...
Set umask for this session.
Activate profile
1. Add keys to Check Point registry
0
Pinj registry key will be set to 0
0
2. Add lines to environment files
2.5. Update HFA registry keys
XInstall: /opt/CPPinj-R80/bin/hook_Pinj_HOTFIX_R80_10 file not found
Fail in call to ExecuteFile!
WARNING: No postinstall found at /opt/CPPinj-R80/system/install/postinstall
End Pinj postinstall script...
#####################################################

[Expert@GWA_R8020:0]# cd /opt/CPPinj-R80/

[Expert@GWA_R8020:0]# ./pinj
Traceback (most recent call last):
File "main.py", line 11, in <module>
import generator
File "/opt/CPPinj-R80/scripts/generator.py", line 15, in <module>
from scapy.all import *
File "/opt/CPPinj-R80/scripts/packetmaker.zip/scapy/all.py", line 28, in <module>
File "/opt/CPPinj-R80/scripts/packetmaker.zip/scapy/route6.py", line 271, in <module>
File "/opt/CPPinj-R80/scripts/packetmaker.zip/scapy/route6.py", line 29, in __init__
File "/opt/CPPinj-R80/scripts/packetmaker.zip/scapy/route6.py", line 42, in resync
File "/opt/CPPinj-R80/scripts/packetmaker.zip/scapy/arch/linux.py", line 245, in read_routes6
IOError: [Errno 12] Cannot allocate memory

Kind regards,
Jozko Mrkvicka
Gaurav_Pandya
Advisor
‎2018-10-04 03:39 AM

This is nice thread as we came to know all possibilities of troubleshooting Smiley Happy 

0 Kudos
JozkoMrkvicka
Mentor
Mentor
‎2019-03-29 02:16 PM
In response to Gaurav_Pandya

Some news here? Are there some new tools ready for R80.20 or R80.30 to check if traffic is already allowed or not? via CLI.

Kind regards,
Jozko Mrkvicka
0 Kudos
JozkoMrkvicka
Mentor
Mentor
‎2019-04-12 02:25 AM
In response to JozkoMrkvicka

I will answer myself for my question:

fw up_execute

Kind regards,
Jozko Mrkvicka
S_E_
Advisor
‎2020-03-16 08:48 AM
In response to JozkoMrkvicka

 
Hi
really a nice tool 'fw up_execute' and definetely worth to enhance/improve
 
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_NextGenSecurityGateway_Guide...
 
However, I did not understand until now what a 'clob' is and what Rule 16777215' means. As well, more cosmetic, it does not properly show the rule number when using Global Policy / Inline layer.
Regards,
 
 

Rulebase execution ended successfully.

Overall status:

----------------

Active clob mask: 0

Required clob mask: 0

Match status: MATCH

Match action: Accept

 

Per Layer:

------------

Layer name: Network

Layer id: 0

Match status: MATCH

Match action: Accept

Matched rule: 2

Possible rules: 2 16777215

0 Kudos
B_P
Advisor
‎2023-12-15 11:23 AM
In response to S_E_

Yes, the utility is useless in the real world.

0 Kudos
Susana_Perez-He
Explorer
‎2019-06-14 05:57 AM

Sounds great!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events