
Article of the Week - Check Point Packet Injector

Understanding how a particular connection is matched through your security policy is vital. There is now a tool for that, Check Point Packet Injector.

This utility is executed on the Security Gateway, simulating packets arriving from the sender on their way to the target host. After the packets are sent, Packet Injector listens for response packets from the target host back to the sender passing through the Security Gateway, letting the user know they arrived.

For more details, please refer to the article.

18 Comments
Petr_Hantak
Silver

I like the Check Point Packet Injector tool. In my personal opinion, it should already be part of the GAiA installation. Also, the possibility to call it remotely for a specific gateway from the management server would be great.

R80.X management has an option "Open Shell" to the GW. As for the package, you can use script option to install it if you like. It's also in the SmartConsole

Diego_Lopez
Nickel

Awesome, gonna take a look. Been looking for this for some time since my days supporting ASA (packet tracer) was a very helpful utility.

Thank you everyone.

-Diego

It is actually available for more than a year now 🙂

Sven_Glock
Silver

Why does Check Point not provide this package in CPUSE?

That's a very good idea, Sven Glock

Sven_Glock
Silver

I created a small script to have the possibility to start pinj directly from smartconsole --> Gateways&Servers Tab --> Rightclick on the relevant Gateway --> Scripts --> Script-Repository:

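##################################
#Arguments: <SRC-IP> <DST-IP> <dport> <tcp|udp>
##################################
# Interface taken from the third field of the "ip route get" output for the source IP
if=$(ip route get "$1" | head -1 | cut -d " " -f 3)
# Inject from fixed source port 3333 and show only the first line of output
/opt/CPPinj-R80/pinj --sport 3333 --dport "$3" --protocol "$4" -I "$if" "$1" "$2" | head -1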

This script is limited to non-vsx gateways. I will add VSX support soon.

Version 3 will get ICMP and traceroute support, too.

The output will be shown in the "Recent Tasks"-list. --> Details-

Just ignore the warning. This seems to be a cosmetic bug of pinj.

Great job, thanks!

Not trying to take away from the value of this tool, with Check Point, unlike traditional security providers, you can also simulate packet mode searches without actual packets. Search through your policy using R80.10 new Packet Mode feature

One of the ways this tool is most used in our team is for testing a third party VPN connection. Most of the time it is not possible for us to get the customers' users to test a new VPN we set up for them. We mostly only have a direct contact with the third party to make sure we have the same settings at both ends and Pinj just gives us the testing edge.

Sven_Glock
Silver

Code-Update:

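#!/bin/bash
##################################
#Arguments: <SRC-IP> <DST-IP> <dport> <tcp|udp>
##################################
# Interface the source IP is routed to, read from the "ip route get" output
interface=$(ip route get "$1" | head -1 | rev | cut -d " " -f 5 | rev)
# Random source port of 1025 or above, so a port still in use is not reused
sp=$(( RANDOM % (65535 - 1025 + 1 ) + 1025 ))
# stderr is discarded to hide the IPv6 warnings
/opt/CPPinj-R80/pinj --sport "$sp" --dport "$3" --protocol "$4" -I "$interface" "$1" "$2" 2>/dev/null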

  • As you cannot use the same source port until it has timed out, I improved the script to choose random high ports.

  • The script always chooses the interface where the src IP will be routed to. In version 1 there is a problem when the src IP is behind the external interface. This is now fixed.

  • Additionally, this version will suppress IPv6 warnings.

VSX support is a bit challenging, but I am working on it.

Cheers

Sven
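Added example, not part of the post above and not Check Point code: a variant of the wrapper that validates the four SmartConsole script arguments before they reach `ip` or `pinj`, and finds the interface by the `dev` keyword instead of a field position. The function names are hypothetical; the pinj path and flags are the ones used in the post.

```shell
#!/bin/sh
# Added example: validating wrapper for pinj. Function names are hypothetical.
PINJ=/opt/CPPinj-R80/pinj   # install path as used in the post

# Dotted-quad IPv4: digits and dots only, exactly four octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Reject anything that is not <SRC-IP> <DST-IP> <dport> <tcp|udp>, so a value
# starting with "-" or containing shell metacharacters never reaches ip or pinj.
check_args() {
    [ "$#" -eq 4 ] || { echo "usage: <SRC-IP> <DST-IP> <dport> <tcp|udp>" >&2; return 2; }
    valid_ipv4 "$1" && valid_ipv4 "$2" || { echo "invalid IPv4 address" >&2; return 2; }
    valid_port "$3" || { echo "invalid destination port" >&2; return 2; }
    case "$4" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 2 ;; esac
}

# Print the token after "dev" on the first line of `ip route get` output.
# Works with or without a "via <gateway>" part, unlike a fixed field number.
route_iface() {
    printf '%s\n' "$1" |
        awk 'NR == 1 { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Random source port in 1025-65535, read from the kernel RNG.
random_sport() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $(( n % 64511 + 1025 ))
}

main() {
    check_args "$@" || exit 2
    iface=$(route_iface "$(ip route get "$1")")
    [ -n "$iface" ] || { echo "no route found for $1" >&2; exit 3; }
    # stderr is discarded as in the post, to hide the IPv6 warnings
    exec "$PINJ" --sport "$(random_sport)" --dport "$3" --protocol "$4" -I "$iface" "$1" "$2" 2>/dev/null
}
# Run only when arguments are supplied (SmartConsole passes them to the script).
if [ "$#" -gt 0 ]; then main "$@"; fi
```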

Petr_Hantak
Silver

Really nice one! Thank you

Last week 1 of my colleagues was running a pinj on an R77.30 VSX gateway to do some VPN testing and we got word from the customer that they had seen OSPF failures at the exact same moment.

Anybody else seen anything like this?

Sven_Glock
Silver

Be aware of a bug that comes up with R80.10 VSX and PINJ: Check Point Packet Injector does not work on VS when using VMAC 

For my situation the workaround is not functional.

Regards

Sven

Don_Paterson
Silver

The Packet Injector is good but it could be better.

1. Added to the SG product by default (no need to install). Available in CLISH and bash.

2. Added to SmartConsole scripts repo by default.

3. More intuitive command format.

4. Even better - run just the executable (without options) and be prompted for SRC and DST details and any other options in a multi or single step option.

5. Able to execute centrally, from SMS CLI or SmartConsole (similar to above).

6. Timing and display of response by default or optional.


@Don_Paterson, thanks for your feedback. Just to clarify, PINJ is no longer supported with R80.20+

JozkoMrkvicka
Platinum

Thanks, @JozkoMrkvicka, this is indeed the replacement 🙂