This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2025-06-16 05:42 PM
Jump to solution

FW Monitor in VSX

Hi Guys

Is it possible to run a "fw monitor" from the VS0 of a VSX Cluster environment?

I have several VS's, and I want to capture traffic from a particular VS (VS 5).

Is this possible, without having to "jump" to the instance?

Can you share with me the syntax of the command, how it could be done, based on the following example:

Source: 172.16.10.5
Destination: 10.100.20.10
Port: TCP 8080

Thanks

0 Kudos
2 Solutions

Accepted Solutions
Lesley
Authority Authority
Authority
‎2025-06-17 12:24 AM
In response to Matlu
Jump to solution

This is all you need:

https://tcpdump101.com/#

Under Check Point -> FW Monitor -> New version

-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

the_rock
Legend
Legend
‎2025-06-17 04:37 AM
In response to Matlu
Jump to solution

There you go buddy 🙂

fw monitor -v 5 -o vs5.cap -F "172.16.10.5,0,10.100.20.10,8080,0"

Andy

View solution in original post

0 Kudos
14 Replies
the_rock
Legend
Legend
‎2025-06-16 05:59 PM
Jump to solution

fw monitor -v 0 -e accept "host 172.16.10.5 and host 10.200.20.10 and port 8080;"

0 Kudos
Matlu
Advisor
‎2025-06-16 06:31 PM
In response to the_rock
Jump to solution

This applies if you are ‘standing’ on VS0 and want to capture traffic from VS 5?

0 Kudos
the_rock
Legend
Legend
‎2025-06-16 06:32 PM
In response to Matlu
Jump to solution

Just replace 0 with 5 🙂

0 Kudos
Matlu
Advisor
‎2025-06-16 07:24 PM
In response to the_rock
Jump to solution

The command syntax varies greatly if you need to send the command result to a file such as Wireshark?

0 Kudos
the_rock
Legend
Legend
‎2025-06-16 07:32 PM
In response to Matlu
Jump to solution

Just add -o /path/filename.cap at the end

0 Kudos
Lesley
Authority Authority
Authority
‎2025-06-17 12:24 AM
In response to Matlu
Jump to solution

This is all you need:

https://tcpdump101.com/#

Under Check Point -> FW Monitor -> New version

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend
Legend
‎2025-06-17 04:37 AM
In response to Matlu
Jump to solution

There you go buddy 🙂

fw monitor -v 5 -o vs5.cap -F "172.16.10.5,0,10.100.20.10,8080,0"

Andy

0 Kudos
Matlu
Advisor
‎2025-06-17 04:36 PM
In response to the_rock
Jump to solution

One doubt, is there much difference in the ‘fw monitor ...’ command between using the -e vs -F parameter?

Is one better than the other?

the_rock
Legend
Legend
‎2025-06-17 04:44 PM
In response to Matlu
Jump to solution

Buddy,

Have a look at your own post 😉

Andy

https://community.checkpoint.com/t5/Security-Gateways/Traffic-capture-with-FW-MONITOR/m-p/245408

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-06-18 08:12 AM
In response to Matlu
Jump to solution

Use -F if you can deal with the extremely limited matching syntax.  You will always get a complete capture regardless of the acceleration state of the traffic.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Matlu
Advisor
‎2025-06-18 08:15 AM
In response to Timothy_Hall
Jump to solution

Hello,
So, as a "best practice" it is always better to use the "-F" before the "-e"?
Greetings.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-06-18 08:20 AM
In response to Matlu
Jump to solution

I'd say so, there are still some limited situations where -e is needed instead but they are fairly obscure.  The upcoming CCTA R82 class is being heavily updated to explore packet capturing & analysis in detail, and it covers this very topic.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
the_rock
Legend
Legend
‎2025-06-18 08:25 AM
In response to Matlu
Jump to solution

For what its worth, I usually use -F flag and works real well.

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-06-17 04:29 PM
Jump to solution

@Matlu Did command we shared work for you?

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events