📕 Referenced in the book: Max Power 2020
▶️ Featured in How to use fw monitor

One-liner (Bash) to assist running fw monitor on Check Point firewall gateways.
In expert mode run:

if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo; tput bold; echo ' Not a firewall gateway!'; tput sgr0; echo; else echo; printf '%.s-' {1..60}; echo; echo ' FW Monitor SuperTool'; printf '%.s-' {1..60}; echo; echo; tput bold; echo -n ' Add host IPs '; tput sgr0; echo -n '(leave empty for any): '; read _hosts; b='0'; case $_hosts in '') echo -n '   any '; tput setaf 2; echo 'OK'; tput sgr0;; *) _hosts=($(echo $_hosts | tr ',;:|()#<>' ' ' | tr -s ' ')); for a in ${_hosts[@]}; do if [[ `ipcalc -ms $a` == *'='* ]] && [[ $a == *'.'* ]]; then echo -n '   '$a' '; tput setaf 2; echo 'OK'; b='1'; tput sgr0; else echo -n '   '$a' '; tput setaf 1; echo 'Bad syntax!'; tput sgr0; fi; done; esac; echo; tput bold; echo -n ' Add ports '; tput sgr0; echo -n '(leave empty for any): '; read _ports; d='0'; case $_ports in '') echo -n '   any '; tput setaf 2; echo 'OK'; tput sgr0;; *) _ports=($(echo $_ports | tr ',;:|()#<>' ' ' | tr -s ' ')); for a in ${_ports[@]}; do if [[ $a != *[^0-9]* ]]; then echo -n '   '$a' '; tput setaf 2; echo 'OK'; d='1'; tput sgr0; else echo -n '   '$a' '; tput setaf 1; echo 'Bad syntax!'; tput sgr0; fi; done; esac; echo; tput bold; echo -n ' Add protocol '; tput sgr0; echo -n '(tcp, udp, icmp): '; read _prot; c='0'; case $_prot in '') echo -n '   any '; tput setaf 2; echo 'OK'; tput sgr0;; *) _prot=($(echo $_prot | tr ',;:|()#<>' ' ' | tr -s ' ')); for a in ${_prot[@]}; do case $a in tcp|udp|icmp) echo -n '   '$a' '; tput setaf 2; echo 'OK'; c='1'; tput sgr0;; *) echo -n '   '$a' '; tput setaf 1; echo 'Unknown protocol!'; tput sgr0; esac; done; esac; echo; tput bold; echo -n ' Capture to file '; tput sgr0; read -p '(leave empty for stdout): ' _file; if [[ -n $_file ]]; then tput setaf 2; echo -n '   Saving output to: '; tput sgr0; echo $_file; else tput setaf 2; echo '   Output to CLI'; tput sgr0; fi; echo; printf '%.s-' {1..60}; echo; _sxl='0'; tput setab 1; tput setaf 7; tput bold; echo -n ' Executing ? '; tput sgr0; echo -n ' '; if [[ `fw monitor -h 2>&1` != *'-F'* ]]; then case `fwaccel stat | grep 'Accelerator Status :' | cut -c 22-` in on) _sxl='1'; esac; fi; if [[ $_sxl == '1' ]]; then _run='fwaccel off; fw monitor'; else _run='fw monitor'; fi; if [[ -z $_file ]]; then _run+=' -T'; if [[ `fw monitor -h 2>&1` != *'-F'* ]]; then _run+=' -e "'; if [[ $b == '1' && $d == '1' ]]; then _run+='('; elif [[ $b == '1' && $c == '1' ]]; then _run+='('; fi; for a in ${_hosts[@]}; do if [[ `ipcalc -ms $a` == *'='* ]] && [[ $a == *'.'* ]]; then _run+='host('$a') and '; fi; done; if [[ $b == '1' && $d == '1' ]]; then _run=${_run%?????}; _run+=')'; elif [[ $b == '1' && $c == '1' ]]; then _run=${_run%?????}; _run+=')'; fi; if [[ $b == '1' && $d == '1' ]]; then _run+=' and ('; elif [[ $d == '1' && $c == '1' ]]; then _run+='('; elif [[ $b == '1' && $c == '1' ]]; then _run+=' and ('; fi; for a in ${_ports[@]}; do if [[ $a != *[^0-9]* ]]; then _run+='port('$a') or '; fi; done; if [[ $b == '1' && $d == '1' ]]; then _run=${_run%????}; _run+=')'; elif [[ $d == '1' && $c == '1' ]]; then _run=${_run%????}; _run+=')'; elif [[ $b == '0' && $d == '1' ]]; then _run=${_run%????}; elif [[ $b == '1' && $d == '0' ]]; then _run=${_run%?????}; fi; if [[ $b == '1' || $d == '1' ]]; then if [[ $c == '1' ]]; then _run+=' and ('; fi; fi; for a in ${_prot[@]}; do case $a in tcp) _run+='ip_p=6 or ';; udp) _run+='ip_p=11 or ';; icmp) _run+='ip_p=1 or '; esac; done; if [[ $b == '1' || $d == '1' ]]; then if [[ $c == '1' ]]; then _run=${_run%????}; _run+=')'; fi; elif [[ $b == '1' && $d == '0' && $c == '0' ]]; then _run=${_run%?????}; elif [[ $b == '0' && $d == '1' && $c == '0' ]]; then _run=${_run%?????}; elif [[ $b == '0' && $d == '0' && $c == '1' ]]; then _run=${_run%????}; fi; if [[ $b == '1' || $d == '1' || $c == '1' ]]; then _run+=', '; fi; _run+='accept;"'; else _run+=' -F "0,0,0,0,0"'; fi; if [[ -n $_file ]]; then _run+=' -o /var/log/'$_file; fi; if [[ $_sxl == '1' ]]; then _run+='; fwaccel on'; fi; tput bold; echo -n $_run; tput sgr0; read -sn1; echo; case $REPLY in '') eval $_run;; *) echo 'Abort!'; esac; echo; unset _hosts _ports _prot _file _sxl _run a b c d; fi; fi

SuperTool interactively asks for all data to build up the correct syntax to run fw monitor.

SuperTool adjusts the resulting fw monitor syntax according to the requirements of the gateway it is run.
It identifies if:

• the classic -e syntax (inspect code) is required
• the new -F syntax (simple capture filter) is supported (see Kernel Debug Filters)

It also checks and deactivates SecureXL during fw monitor execution if necessary.
SuperTool is also integrated within our ccc script.

Attention! *Work in progress*

SuperTool will be further improved to support:

• full -F syntax (currently just filters all traffic)
• VSX controls
• decide between AND/OR for hosts
• NOT controls
• SMB appliances

FW Monitor developers: @Coby_Schmidt (LinkedIn), ...
FW Monitor documentation: @Uri_Lewitus (LinkedIn)
FW Monitor memory usage: sk160954