Danny
Pearl

CPT - Check Point Packet Trace Utility ?

Will Check Point release a management plugin that offers a similar functionality to Cisco's ASDM packet tracer anytime soon? I'm thinking about coding it on my own for quite some time. Shall I start or wait for Check Point?

23 Replies

Re: CPT - Check Point Packet Trace Utility ?

Just do it. Would be very appreciated and useful for many mates, I am quite sure.

There is the packet injection tool from CP but something similar to the packet tracer would be very nice.

and now to something completely different

Re: CPT - Check Point Packet Trace Utility ?

The only thing I know of is Packet Injector (sk110865), but that is done from the gateway itself via CLI.

Re: CPT - Check Point Packet Trace Utility ?

I think you might see something similar in R80.20. Checkpoint will implement the rule assistance utility which can be used to determine if there is a rule or not for certain traffic and it helps you to place the rules in the correct location.

Checkpoint has another utility that injects the packets but you have to run it from the gw.

Check Point Packet Injector

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

In R80.10 gateways there is another utility (not documented) that doesn't inject packets but it does go through the policy files and database and tells you which rules the traffic will match but it doesn't inject the packets.

[Expert@GW01:0]#fw up_execute
Usage: fw up_execute [src=<IP>] [dst=<IP>] ipp=<ip protocol> [sport=<source port>] [dport=<dest port>] [protocol=<protocol>] [application=<application/category>]

Notes:  Parameters can be omitted, except the ipp (and dport in case of TCP or UDP).
        The order of the parameters does not matter.
        Applications can be entered multiple times.

Examples:
1) fw up_execute src=126.200.49.240 dst=10.1.1.1 ipp=1
2) fw up_execute src=10.1.1.1 ipp=6 dport=8080 protocol=HTTP application=Facebook application=Opera

Thanks
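An added example, not part of the post above and not Check Point code: a small Python helper that builds the `fw up_execute` argument list according to the usage text quoted in that post (ipp mandatory, dport mandatory for TCP/UDP, application repeatable) and quotes it for a remote shell. The function names and the idea of calling it from a management-side script are assumptions.

```python
import ipaddress
import shlex

TCP, UDP = 6, 17  # IANA IP protocol numbers

def up_execute_args(ipp, src=None, dst=None, sport=None, dport=None,
                    protocol=None, applications=()):
    """Return the argv for `fw up_execute`, enforcing the rules in its usage text."""
    ipp = int(ipp)
    if not 0 <= ipp <= 255:
        raise ValueError("ipp must be an IP protocol number (0-255)")
    if ipp in (TCP, UDP) and dport is None:
        raise ValueError("dport is required for TCP (6) and UDP (17)")
    args = ["fw", "up_execute"]
    for name, addr in (("src", src), ("dst", dst)):
        if addr is not None:
            # ip_address() rejects anything that is not a literal IP address
            args.append(f"{name}={ipaddress.ip_address(addr)}")
    args.append(f"ipp={ipp}")
    for name, port in (("sport", sport), ("dport", dport)):
        if port is not None:
            if not 0 <= int(port) <= 65535:
                raise ValueError(f"{name} out of range")
            args.append(f"{name}={int(port)}")
    if protocol is not None:
        args.append(f"protocol={protocol}")
    # Usage text: "Applications can be entered multiple times."
    args.extend(f"application={app}" for app in applications)
    return args

def remote_command(args):
    """Quote argv into one string, since a remote shell re-parses the command."""
    return shlex.join(args)

if __name__ == "__main__":
    # Second example from the usage text
    print(remote_command(up_execute_args(
        6, src="10.1.1.1", dport=8080, protocol="HTTP",
        applications=["Facebook", "Opera"])))
```

Locally the list can be passed straight to `subprocess.run` without a shell; the quoted string is only needed when the command travels through a remote shell.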


Re: CPT - Check Point Packet Trace Utility ?

There is also packet mode from SmartConsole: Use R80.10 New Packet Mode Feature to Search Through Policy - YouTube 

Admin
Admin

Re: CPT - Check Point Packet Trace Utility ?

ED
Silver

Re: CPT - Check Point Packet Trace Utility ?

Do it. 

0 Kudos
Petr_Hantak
Silver

Re: CPT - Check Point Packet Trace Utility ?

Packet Inject tool isn't bad, but I agree with others that some kind of simulation graphic tool will be appreciated.

0 Kudos

Re: CPT - Check Point Packet Trace Utility ?

Use:

fw monitor -p all -e "accept(...);"      

-> The old classic!          

fw ctl zdebug + monitorall  | grep -A 1 <IP w.x.y.z>   

-> It's an undocumented command that's very helpful. It is nice that no "fwaccel off" is necessary. With this command you can see even more details than "fw monitor" 🙂 The firewall worker and the CPU core are also displayed here. For more information: "fw ctl zdebug" Helpful Command Combinations

Example view: 

...


eth0:O12 (tcpt outbound)[940]:10.1.1.1 -> 10.1.1.81 (TCP) len=940 id=18052;
;[cpu_2];[fw4_1];TCP: 22 -> 10058 ...PA. seq=4ced07e1 ack=75e09a88;

eth0:O13 (TCP streaming post VM)[940]:10.1.1.1 -> 10.1.1.81 (TCP) len=940 id=18052;
;[cpu_2];[fw4_1];TCP: 22 -> 10058 ...PA. seq=4ced07e1 ack=75e09a88;

eth0:O14 (IP Options Restore (out))[940]:10.1.1.1 -> 10.1.1.81 (TCP) len=940 id=18052;
;[cpu_2];[fw4_1];TCP: 22 -> 10058 ...PA. seq=4ced07e1 ack=75e09a88;

...

and Packet Injector:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Regards

Heiko
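An added example, not part of the post above: a Python parser for the two-line record layout shown in that example view, which lists the chain modules, firewall worker and CPU core each packet passed through. The field names and the split of `O12` into a direction letter and a position number are assumptions read off the sample, and only the TCP layout shown there is handled.

```python
import re
from collections import defaultdict

# Sample input: the three records shown in the post above, copied verbatim.
SAMPLE = """\
eth0:O12 (tcpt outbound)[940]:10.1.1.1 -> 10.1.1.81 (TCP) len=940 id=18052;
;[cpu_2];[fw4_1];TCP: 22 -> 10058 ...PA. seq=4ced07e1 ack=75e09a88;

eth0:O13 (TCP streaming post VM)[940]:10.1.1.1 -> 10.1.1.81 (TCP) len=940 id=18052;
;[cpu_2];[fw4_1];TCP: 22 -> 10058 ...PA. seq=4ced07e1 ack=75e09a88;

eth0:O14 (IP Options Restore (out))[940]:10.1.1.1 -> 10.1.1.81 (TCP) len=940 id=18052;
;[cpu_2];[fw4_1];TCP: 22 -> 10058 ...PA. seq=4ced07e1 ack=75e09a88;
"""

# Header line: the chain name may contain parentheses, so match greedily up to ")[".
HEAD = re.compile(
    r"^(?P<iface>[^:\s]+):(?P<dir>[iIoO])(?P<pos>\d+) \((?P<chain>.*)\)\[(?P<caplen>\d+)\]:"
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=(?P<len>\d+) id=(?P<id>\d+);$")
# Detail line: CPU core, firewall worker, then the TCP summary.
TAIL = re.compile(
    r"^;\[cpu_(?P<cpu>\d+)\];\[(?P<worker>[^\]]+)\];(?P<l4>\w+): (?P<sport>\d+) -> "
    r"(?P<dport>\d+) (?P<flags>\S+) seq=(?P<seq>[0-9a-f]+) ack=(?P<ack>[0-9a-f]+);$")

def parse(text):
    """Return one dict per header/detail pair; anything else is skipped."""
    records, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        head, tail = HEAD.match(line), TAIL.match(line)
        if head:
            pending = head.groupdict()
        elif tail and pending is not None:
            rec = {**pending, **tail.groupdict()}
            for key in ("pos", "caplen", "len", "id", "cpu", "sport", "dport"):
                rec[key] = int(rec[key])
            records.append(rec)
            pending = None
        elif line:
            pending = None  # header that was not followed by a detail line
    return records

def chain_path(records):
    """Group by (IP id, src, dst): the chain positions a packet passed, in capture order."""
    paths = defaultdict(list)
    for r in records:
        paths[(r["id"], r["src"], r["dst"])].append(
            (f'{r["dir"]}{r["pos"]}', r["chain"], r["worker"], r["cpu"]))
    return dict(paths)
```

`chain_path(parse(SAMPLE))` returns a single entry for IP id 18052 with the three chain positions O12 to O14, all on worker `fw4_1` and CPU 2.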

Re: CPT - Check Point Packet Trace Utility ?

Yes, please do it.  I came from a Cisco ASDM environment and this is definitely a feature that I miss.  In fact, I have been asking about it for a few years now with several of the SEs that have been assigned to my account.  This would be especially useful with layered rules that contain both traditional policies as well as blade specific (i.e. app/url/Antibot) policies to be able to test possible policy updates and get a graphical depiction of success or failure before they are actually installed.

Re: CPT - Check Point Packet Trace Utility ?

You should start, do not wait for checkpoint. There is packet tracer on cisco firepower and also checkpoint packet injector, you can customize these and this would be useful.

0 Kudos
Maik
Silver

Re: CPT - Check Point Packet Trace Utility ?

Hey Danny,

Sorry to dig into such an old thread, but since no clarification regarding a Check Point implementation was mentioned (I guess it is not planned due to packet mode search/pinj/fw monitor/fw ctl debug) - did you start with your own implementation? Or would you think it makes sense to open a thread where we ask the whole community if they would be interested in such a solution? Maybe Check Point is willing to implement it in a future release if enough people show their interest. 🙂

I personally would benefit from such a tool, maybe placed on the SMS itself to be able to search through multiple policies and/or layers at the same time without the need to do it locally on the gw.

Regards,

Maik

Danny
Pearl

Re: CPT - Check Point Packet Trace Utility ?

I haven't started developing this yet as I'm currently working on an accompanying Bash script to Timothy Hall's Max Power Firewalls book.

JozkoMrkvicka
Platinum

Re: CPT - Check Point Packet Trace Utility ?

Let's vote 🙂

Kind regards,
Jozko Mrkvicka
0 Kudos

Re: CPT - Check Point Packet Trace Utility ?

When all the competitors have it, it should be a question of when, not if 🙂.

Palo Alto: 

test security-policy-match
test nat-policy-match

test pbf-policy-match

0 Kudos
Admin
Admin

Re: CPT - Check Point Packet Trace Utility ?

We already have this capability in the CLI, at least for the Access Policy.

See above comment that I marked "correct."

Check Point does not currently have this for NAT (which would be nice to have) or Policy Forwarding (which assumes routing based on Application, something not currently in the product).

0 Kudos

Re: CPT - Check Point Packet Trace Utility ?

0 Kudos
JozkoMrkvicka
Platinum

Re: CPT - Check Point Packet Trace Utility ?

fw up_execute is a really great tool and it works well. The only issue I see is that you need to run it from a specific gateway.

The best would be to execute it from management with a parameter for which gateway you want to find a match (or search all policy packages).

Kind regards,
Jozko Mrkvicka
Admin
Admin

Re: CPT - Check Point Packet Trace Utility ?

fw up_execute is considered an "internal tool" according to my sources in R&D.

This tool does not support all the objects in the rulebase (e.g. Access Roles). 

Packet Injector is the supported way to do this: Check Point Packet Injector 

0 Kudos
JozkoMrkvicka
Platinum

Re: CPT - Check Point Packet Trace Utility ?

Is there an ETA for when "pinj" will be available for R80.20 gateways?

[Expert@GWA_R8020:0]# tar -zxvf pinj_v1.4.6_R80.10.tgz
CPPinj-R80-00.i386.rpm


[Expert@GWA_R8020:0]# rpm -ihv CPPinj-R80-00.i386.rpm
Preparing... ########################################### [100%]
1:CPPinj ########################################### [100%]


[Expert@GWA_R8020:0]# cat /opt/CPInstLog/install_Pinj_R80.elg
#####################################################
Start Pinj preinstall script...
Set umask for this session...
End Pinj preinstall script...
#####################################################
#####################################################
Start Pinj postinstall script...
Set umask for this session.
Activate profile
1. Add keys to Check Point registry
0
Pinj registry key will be set to 0
0
2. Add lines to environment files
2.5. Update HFA registry keys
XInstall: /opt/CPPinj-R80/bin/hook_Pinj_HOTFIX_R80_10 file not found
Fail in call to ExecuteFile!
WARNING: No postinstall found at /opt/CPPinj-R80/system/install/postinstall
End Pinj postinstall script...
#####################################################

[Expert@GWA_R8020:0]# cd /opt/CPPinj-R80/

[Expert@GWA_R8020:0]# ./pinj
Traceback (most recent call last):
File "main.py", line 11, in <module>
import generator
File "/opt/CPPinj-R80/scripts/generator.py", line 15, in <module>
from scapy.all import *
File "/opt/CPPinj-R80/scripts/packetmaker.zip/scapy/all.py", line 28, in <module>
File "/opt/CPPinj-R80/scripts/packetmaker.zip/scapy/route6.py", line 271, in <module>
File "/opt/CPPinj-R80/scripts/packetmaker.zip/scapy/route6.py", line 29, in __init__
File "/opt/CPPinj-R80/scripts/packetmaker.zip/scapy/route6.py", line 42, in resync
File "/opt/CPPinj-R80/scripts/packetmaker.zip/scapy/arch/linux.py", line 245, in read_routes6
IOError: [Errno 12] Cannot allocate memory

Kind regards,
Jozko Mrkvicka

Re: CPT - Check Point Packet Trace Utility ?

This is a nice thread as we came to know all possibilities of troubleshooting 🙂

0 Kudos
JozkoMrkvicka
Platinum

Re: CPT - Check Point Packet Trace Utility ?

Any news here? Are there some new tools ready for R80.20 or R80.30 to check via CLI if traffic is already allowed or not?

Kind regards,
Jozko Mrkvicka
0 Kudos
JozkoMrkvicka
Platinum

Re: CPT - Check Point Packet Trace Utility ?

I will answer my own question:

fw up_execute

Kind regards,
Jozko Mrkvicka

Re: CPT - Check Point Packet Trace Utility ?

Sounds great!

0 Kudos