Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

Article of the Week - Check Point Packet Injector

Understanding how a particular connection is matched through your security policy is vital. There is now a tool for that, Check Point Packet Injector.

This utility is executed on the Security Gateway, simulating packets arriving from the sender on their way to the target host. After the packets are sent, Packet Injector listens for response packets from the target host back to the sender passing through the Security Gateway, letting the user know they arrived.

For more details, please refer to the article.

;
TO READ THE FULL POST it's simple and free
20 Comments
Petr_Hantak
Advisor

I like Check Point Packet Injector tool. According my personal opinion it should be part of GAiA installation already. Also possibility to call ir remotelly for specific gateway from management server could be great.

_Val_
Admin
Admin

R80.X management has an option "Open Shell" to the GW. As for the package, you can use script option to install it if you like. It's also in the SmartConsole

Diego_Lopez
Contributor

Awesome, gonna take a look. Been looking for this for some time since my days supporting ASA (packet tracer) was a very helpful utility.

Thank you everyone.

-Diego

_Val_
Admin
Admin

It is actually available for more than a year now 🙂

Sven_Glock
Advisor

Why does Check Point not provide this package in CPUSE?

_Val_
Admin
Admin

That's a very good idea, Sven Glock

Sven_Glock
Advisor

I created a small script to have the possibility to start pinj directly from smartconsole --> Gateways&Servers Tab --> Rightclick on the relevant Gateway --> Scripts --> Script-Repository:

if=$(ip route get $1 | head -1 | cut -d " " -f 3)
/opt/CPPinj-R80/pinj --sport 3333 --dport $3 --protocol $4 -I $if $1 $2 | head -1
##################################
#Arguments: <SRC-IP> <DST-IP> <dport> <tcp|udp>
##################################

This script is limited to non-vsx gateways. I will add VSX support soon.

Version 3 will get ICMP and traceroute support, too.

The output will be shown in the "Recent Tasks"-list. --> Details-

Just ignore the warning. This seems to be a cosmetical bug of pinj.

_Val_
Admin
Admin

Great job, thanks!

Tomer_Sole
Employee Alumnus
Employee Alumnus

Not trying to take away from the value of this tool, with Check Point unlike traditional security providers  you can also simulate packet mode searches without actual packets. Search through your policy using R80.10 new Packet Mode feature 

Maarten_Sjouw
Champion
Champion

One of the ways this tool is most used in our team is for testing a third party VPN connection. Most of the time it is not possible for us to get the customers' users to test a new VPN we setup for them. We mostly only have a direct contact with the third party to make sure we have the same settings at both ends and Pinj just gives us the testing edge.

Sven_Glock
Advisor

Code-Update:

##################################
#Arguments: <SRC-IP> <DST-IP> <dport> <tcp|udp>
##################################
#!/bin/bash
interface=$(ip route get $1 | head -1 | rev | cut -d " " -f 5 | rev)
sp=$(( RANDOM % (65535 - 1025 + 1 ) + 1025 ))
/opt/CPPinj-R80/pinj --sport $sp --dport $3 --protocol $4 -I $interface $1 $2 2>/dev/null

  • As you can not use the same source port until it timed out I improved the script to choose random highports.

  • The script always chooses the interface where the src IP will be routed to. In version 1 there is a problem when the src IP is behind the external interface. This is now fixed.

  • Additionally this version will suppress IPv6 warnings 

VSX-support is a bit challanging, but I am working on it.

Cheers

Sven

Petr_Hantak
Advisor

Really nice one! Thank you Smiley Happy

Maarten_Sjouw
Champion
Champion

Last week 1 of my colleagues was running a pinj on a R77.30 VSX gateway to do some VPN testingand we got word from the customer that they had seen OSPF failures at the exact same moment.

Anybody else seen anything like this?

Sven_Glock
Advisor

Be aware of a bug that comes up with R80.10 VSX and PINJ: Check Point Packet Injector does not work on VS when using VMAC 

For my situation the workaround is not fuctional.

Regards

Sven

Don_Paterson
Advisor

The Packet Injector is good but it could be better.

1. Added to the SG product by default (no need to install). Available in CLISH and bash.

2. Added to SmartConsole scripts repo by default.

3. More intuitive command format.

4. Even better - run just the executable (without options) and be prompted for SRC and DST details and any other options in a multi or single step option.

5. Able to execute centrally, from SMS CLI or SmartConsole (similar to above).

6. Timing and display of response by default or optional.

 

 

_Val_
Admin
Admin

@Don_Paterson, thanks for your feedback. Just to clarify, PINJ is no longer supported with R80.20+

JozkoMrkvicka
Leader
Leader
_Val_
Admin
Admin

Thanks, @JozkoMrkvicka, this is indeed the replacement 🙂

Bjoern_Baumann
Participant

Hi,

are there any plans for a PINJ version for versions greater than R80.10? It was a really good tool especially to test VPNs.

 

Kind regards and stay healthy

Bjoern

Bjoern_Baumann
Participant

Haven't tried but PhoneBoys solution 

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-30-TCP-Ping-tool/td-p/96370 sounds like an alternative.