AntoinetteHodes
Employee

Monitor mode and PCAP on Quantum Spark gateways

Traffic capture on a SPARK appliance with the tcpdump tool on a port configured in the Monitor mode (SPAN) shows only broadcast and multicast packets. By default, acceleration is enabled on the SPARK appliances. The acceleration module does not send the traffic it inspected to the tcpdump tool. To capture traffic on a monitor port's logical interface (brS-LAN<x>):

  1. Configure all the applicable ports to work in monitor mode.

  2. Connect to the command line on the SPARK appliance.

  3. Log in to the Expert mode.

  4. Run:

    /opt/fw1/bin/cap_monitor_port.sh

  5. Capture the traffic with the tcpdump tool.

  6. To make this change persistent (to survive reboot), run this command in the Expert mode (do not change the syntax):

    echo /opt/fw1/bin/cap_monitor_port.sh >> /pfrm2.0/etc/userScript

Notes:

  • This command is available starting from R80.20.20.

  • Traffic that is dropped by the Security Policy is not captured.

For more information, check out sk172286.

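The procedure from the post, wrapped into a small Expert-shell script; this is an added example, not code from the original post or from Check Point. The two paths are the ones the post gives; the interface name brS-LAN1, the packet count and the output file are assumptions to adjust. The persistence helper checks userScript before appending, because the bare `echo ... >>` in step 6 adds another copy of the line every time it is run. Remember the caveat from the post's notes: traffic dropped by the Security Policy does not reach the capture.

```shell
#!/bin/sh
# Added example: not from the original post or from Check Point.
# Wraps the post's steps 4-6 for the Expert shell on a Quantum Spark appliance.
# The two paths are the ones given in the post; interface name, packet count
# and output file below are assumptions to adjust.

CAP_SCRIPT=/opt/fw1/bin/cap_monitor_port.sh   # from the post (step 4)
USER_SCRIPT=/pfrm2.0/etc/userScript           # from the post (step 6)

# Append a line to a file only if that exact line is not already present.
# The post's `echo ... >> userScript` appends on every run, so running it
# twice leaves two copies; this keeps the boot script to one entry.
persist_line() {
    local line="$1"
    local file="$2"
    if [ -f "$file" ] && grep -Fxq -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Number of times an exact line occurs in a file (0 if the file is missing).
count_line() {
    local line="$1"
    local file="$2"
    if [ ! -f "$file" ]; then
        echo 0
        return 0
    fi
    grep -Fxc -- "$line" "$file" || true
}

# Run the script from the post so accelerated traffic reaches tcpdump, then
# capture on the monitor port's logical interface (brS-LAN<x> naming is from
# the post). Interface, packet count and output path are assumptions.
capture_monitor_port() {
    local iface="${1:-brS-LAN1}"
    local count="${2:-1000}"
    local out="${3:-/tmp/monitor-$iface.pcap}"
    "$CAP_SCRIPT" || return 1
    tcpdump -ni "$iface" -c "$count" -w "$out" || return 1
    echo "$out"
}

main() {
    if [ ! -x "$CAP_SCRIPT" ]; then
        echo "$CAP_SCRIPT not found: not a Quantum Spark appliance, nothing to do" >&2
        return 0
    fi
    persist_line "$CAP_SCRIPT" "$USER_SCRIPT"   # step 6, idempotent
    capture_monitor_port "$@"                    # steps 4 and 5
}

main "$@"
```

Run it as `./monitor_capture.sh brS-LAN2 5000` from the Expert shell to capture 5000 packets on the second monitor port's bridge interface; the script exits quietly on any host that does not have the cap_monitor_port.sh script.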
RS_Daniel
Advisor

Hello,

The shared link points to a wiki.checkpoint.com URL, but the domain is not being resolved by DNS:

    > wiki.checkpoint.com
    Servidor: dns.google
    Address: 8.8.8.8

    *** dns.google no encuentra wiki.checkpoint.com: Non-existent domain
    >

And the sk number is present on supportcenter.checkpoint.com. So maybe you can fix the link. 

Regards

AntoinetteHodes
Employee

Hi Daniel, it is fixed. Thanks
