Fw monitor script

the_rock

Hey guys,

Here is script that would let you enter src. Dst, protocol (all the regular info) on CP firewall and then even asks you what dir you wish to save it to. I tested it, worked well. This is in case you cant remember the actual syntax.

Just run chmod 777 and dos2unix on it before executing it.

Example from my lab:

[Expert@CP-GW:0]# chmod 777 fwmonitor.sh

[Expert@CP-GW:0]# dos2unix fwmonitor.sh

dos2unix: converting file fwmonitor.sh to Unix format ...

[Expert@CP-GW:0]# dos2unix fwmonitor.sh

dos2unix: converting file fwmonitor.sh to Unix format ...

[Expert@CP-GW:0]# ./fwmonitor.sh

=== Check Point Gaia fw monitor bidirectional capture ===

Tip: Run in Expert mode. Policy install/uninstall may stop fw monitor. [1](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...)

Enter SOURCE IP/host: 172.16.10.249

Enter DESTINATION IP/host: 9.9.9.9

Protocol number (0=any, 6=TCP, 17=UDP, 1=ICMP, 58=ICMPv6) [0]: 0

Service port to filter (0=any). If you enter 443, it matches DST port 443 and return SRC port 443. [0]: 0

Capture points mask (default iIoO shows pre/post inbound/outbound) [iIoO]:

Output directory [/var/log]: /home/admin

Output filename [/home/admin/fwmon_172.16.10.249_to_9.9.9.9_20260123_075936.cap]: testcap.out

Capture duration in seconds (0=until Ctrl+C). Uses timeout if available. [0]:

VSID (VSX only) - leave blank for all:

Will run:

fw monitor -m "iIoO" \

-F "172.16.10.249,0,9.9.9.9,0,0" -F "9.9.9.9,0,172.16.10.249,0,0" \

-o "testcap.out" -w

Notes:

- '-F' filters apply to accelerated and non-accelerated traffic. [1](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...)

- '-e' INSPECT filters may NOT apply to accelerated traffic (SecureXL). [1](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...)

- Output file (-o) is in snoop format and can be analyzed later (e.g., Wireshark). [1](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...)

Capturing until Ctrl+C... (Stop from another shell with: fw monitor -U) [1](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...)

PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable

PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_off

PPAK 0: Get before set operation succeeded of fwmonitorfreebufs

fw ctl set string fwmonitor_debug_filter_saddr_1 172.16.10.249 -a

PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_saddr_1

fw ctl set int fwmonitor_debug_filter_sport_1 0 -a

PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_sport_1

fw ctl set string fwmonitor_debug_filter_daddr_1 9.9.9.9 -a

PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_daddr_1

fw ctl set int fwmonitor_debug_filter_dport_1 0 -a

PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_dport_1

fw ctl set int fwmonitor_debug_filter_proto_1 0 -a

PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_proto_1

fw ctl set string fwmonitor_debug_filter_saddr_2 9.9.9.9 -a

PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_saddr_2

fw ctl set int fwmonitor_debug_filter_sport_2 0 -a

PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_sport_2

fw ctl set string fwmonitor_debug_filter_daddr_2 172.16.10.249 -a

PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_daddr_2

fw ctl set int fwmonitor_debug_filter_dport_2 0 -a

PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_dport_2

fw ctl set int fwmonitor_debug_filter_proto_2 0 -a

PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_proto_2

PPAK 0: Get before set operation succeeded of fwmonitor_ppak_all_position

monitor: getting filter (from command line)

monitor: compiling

monitorfilter:

Compiled OK.

monitor: loading

monitor: monitoring (control-C to stop)

0PPAK 0: Get before set operation succeeded of fwmonitormaxpacket

PPAK 0: Get before set operation succeeded of fwmonitormask

PPAK 0: Get before set operation succeeded of fwmonitorallocbufs

PPAK 0: Get before set operation succeeded of printuuid

PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable

44 ^C monitor: caught sig 2

monitor: unloading

PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable

PPAK 0: Get before set operation succeeded of fwmonitor_debug_filter_off

PPAK 0: Get before set operation succeeded of fwmonitorfreebufs

Capture complete.

Saved to: testcap.out

Tip: Copy it off-box and open in Wireshark (snoop/Firewall-1 monitor format). [1](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...)

[Expert@CP-GW:0]#

Best,
Andy
"Have a great day and if its not, change it"

the_rock · ‎2026-01-23

Basic capture I got from my lab fw...tested from 172.16.10.249 to quad 9 dns server

Best,
Andy
"Have a great day and if its not, change it"

Vincent_Bacher · ‎2026-01-23

Nice feature!
Two suggestions for improvement. If nothing is entered for src or dst, perhaps any should be used.

Pressing return results in an error.

And perhaps support for entering a network with a mask, e.g. 192.168.1.0/24.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

the_rock · ‎2026-01-23

Totally FAIR, Vince. I can definitely work on that.

Best,
Andy
"Have a great day and if its not, change it"

Vincent_Bacher · ‎2026-01-23

While you're at it, you can – as I do in the scripts – protect the user from themselves
so that they don't enter la.le.lu.li/24 or 10.10.10.0/200 or 300.0.0.1,
by checking whether it is even a valid address/network 🙂

Of course, one can assume that the user knows what they are doing, but I like error handling in scripts.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

the_rock · ‎2026-01-23

Again, totally fair.

Best,
Andy
"Have a great day and if its not, change it"

the_rock · ‎2026-01-23

I made tcpdump script that does any, will test it tomorrow in the lab.

Best,
Andy
"Have a great day and if its not, change it"

the_rock · ‎2026-01-23

Here you go brother : - )

@Vincent_Bacher

updated script, works with any. You can give it a go Monday.

Best,
Andy
"Have a great day and if its not, change it"

Vincent_Bacher · ‎2026-01-26

I'm really sorry, but this won't be possible this week. I've just come back from the doctor's, and I've been signed off work for a week, with more tests to come.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

the_rock · ‎2026-01-26

never be sorry for stuff like that mate...health ALWAYS first, ALWAYS. Be well and get healthy.

Best,
Andy
"Have a great day and if its not, change it"

the_rock · ‎2026-01-23

Just updated the script to work with any as srs/dst:

lab:

[Expert@CP-GW:0]# cd /var/log/scripts/
[Expert@CP-GW:0]# chmod 777 *
[Expert@CP-GW:0]# dos2unix *
dos2unix: converting file cp_tcpdump.sh to Unix format ...
dos2unix: converting file fwmonitor.sh to Unix format ...
[Expert@CP-GW:0]# ./fwmonitor.sh
Source (IP/hostname/any) [any]:
Destination (IP/hostname/any) [any]:
Port (1-65535/any) [any]:
Protocol (tcp/udp/icmp/any or number) [any]:
Output mode: (1) screen only (2) text file (3) capture+decode files [1]: ^C
[Expert@CP-GW:0]#

Best,
Andy
"Have a great day and if its not, change it"

Filters

Sort By

Categories

Fw monitor script

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.