This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2025-06-16 05:42 PM
Jump to solution

FW Monitor in VSX

Hi Guys

Is it possible to run a "fw monitor" from the VS0 of a VSX Cluster environment?

I have several VS's, and I want to capture traffic from a particular VS (VS 5).

Is this possible, without having to "jump" to the instance?

Can you share with me the syntax of the command, how it could be done, based on the following example:

Source: 172.16.10.5
Destination: 10.100.20.10
Port: TCP 8080

Thanks

0 Kudos
2 Solutions

Accepted Solutions
Lesley
MVP Gold
MVP Gold
‎2025-06-17 12:24 AM
In response to Matlu
Jump to solution

This is all you need:

https://tcpdump101.com/#

Under Check Point -> FW Monitor -> New version

-------
Please press "Accept as Solution" if my post solved it 🙂

View solution in original post

the_rock
MVP Gold
MVP Gold
‎2025-06-17 04:37 AM
In response to Matlu
Jump to solution

There you go buddy 🙂

fw monitor -v 5 -o vs5.cap -F "172.16.10.5,0,10.100.20.10,8080,0"

Andy

Best,
Andy

View solution in original post

0 Kudos
14 Replies
the_rock
MVP Gold
MVP Gold
‎2025-06-16 05:59 PM
Jump to solution

fw monitor -v 0 -e accept "host 172.16.10.5 and host 10.200.20.10 and port 8080;"

Best,
Andy
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-06-16 06:31 PM
In response to the_rock
Jump to solution

This applies if you are ‘standing’ on VS0 and want to capture traffic from VS 5?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-16 06:32 PM
In response to Matlu
Jump to solution

Just replace 0 with 5 🙂

Best,
Andy
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-06-16 07:24 PM
In response to the_rock
Jump to solution

The command syntax varies greatly if you need to send the command result to a file such as Wireshark?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-16 07:32 PM
In response to Matlu
Jump to solution

Just add -o /path/filename.cap at the end

Best,
Andy
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-06-17 12:24 AM
In response to Matlu
Jump to solution

This is all you need:

https://tcpdump101.com/#

Under Check Point -> FW Monitor -> New version

-------
Please press "Accept as Solution" if my post solved it 🙂
the_rock
MVP Gold
MVP Gold
‎2025-06-17 04:37 AM
In response to Matlu
Jump to solution

There you go buddy 🙂

fw monitor -v 5 -o vs5.cap -F "172.16.10.5,0,10.100.20.10,8080,0"

Andy

Best,
Andy
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-06-17 04:36 PM
In response to the_rock
Jump to solution

One doubt, is there much difference in the ‘fw monitor ...’ command between using the -e vs -F parameter?

Is one better than the other?

the_rock
MVP Gold
MVP Gold
‎2025-06-17 04:44 PM
In response to Matlu
Jump to solution

Buddy,

Have a look at your own post 😉

Andy

https://community.checkpoint.com/t5/Security-Gateways/Traffic-capture-with-FW-MONITOR/m-p/245408

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-06-18 08:12 AM
In response to Matlu
Jump to solution

Use -F if you can deal with the extremely limited matching syntax.  You will always get a complete capture regardless of the acceleration state of the traffic.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-06-18 08:15 AM
In response to Timothy_Hall
Jump to solution

Hello,
So, as a "best practice" it is always better to use the "-F" before the "-e"?
Greetings.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-06-18 08:20 AM
In response to Matlu
Jump to solution

I'd say so, there are still some limited situations where -e is needed instead but they are fairly obscure.  The upcoming CCTA R82 class is being heavily updated to explore packet capturing & analysis in detail, and it covers this very topic.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-18 08:25 AM
In response to Matlu
Jump to solution

For what its worth, I usually use -F flag and works real well.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-17 04:29 PM
Jump to solution

@Matlu Did command we shared work for you?

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events