Ven
Explorer

Fw monitor troubleshooting


Hello, 

I have a question about fw monitor inspection points iIoO. What does it mean if I don't see these inspection points in the fw monitor output, what could be the cause for each, and how do I troubleshoot?

For example: If I don't see 'i', I am thinking that the traffic/connection is not even reaching the firewall, and I would look at the forwarding device to see whether it is sending the traffic to the fw or not.

If I don't see 'I' --

If I don't see 'o' ---

If I don't see 'O' ---

Any help appreciated 

2 Solutions

Accepted Solutions
PhoneBoy
Admin

You're correct on i.
If something doesn't get to I, it most likely got dropped by a policy/access rule.
If something doesn't get to o, the packet probably didn't get routed properly or it's being handled directly by the gateway.
If something doesn't get to O...well, it depends on the precise situation.

See also: https://community.checkpoint.com/t5/How-To-Videos/How-to-use-fw-monitor/m-p/97582 


HeikoAnkenbrand
Champion

Hi @Ven

I agree with @PhoneBoy. Here is a small note. 
In different versions the "fw monitor inspection points" are displayed differently.
[Screenshot: how the fw monitor inspection points are displayed in different versions]

For example, you cannot see "i" or "O" when it is VPN traffic on certain GAIA versions.

More reading here:
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Performance Tuning and Debug Tips - fw monitor
- R80.x - cheat sheet - fw monitor


5 Replies

Ven
Explorer

Thanks @HeikoAnkenbrand  for your notes

Ven
Explorer

Thanks @PhoneBoy for your help.

Timothy_Hall
Champion

Just to add on to Daemon's post: if traffic disappears at I it may have been dropped as he says (fw ctl zdebug + drop to check this), but it is also possible that your filter was matching against only the pre-NAT destination IP address.  If it is the destination IP address that is subject to NAT, the actual replacement of the destination IP address in the packet happens between i and I.  So in this case the packet "disappears" in your capture and never reaches I (as far as you can see), but the packet actually just stopped matching your pre-NAT destination IP address filtering condition and continued onwards through I.

By the same token if the traffic seems to disappear after o, it is possible that the packet was dropped (though much less likely than between i and I) for some reason.  What is far more probable is that you were matching against the pre-NAT source IP address, which will be transformed to the post-NAT source IP address between o and O, and the packet will once again seem to "disappear" in your capture, when in reality the packet was not dropped and continued through O.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
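To make the NAT interaction described in the last reply concrete, here is an added Python model (not Check Point code and not posted by anyone in this thread) of where destination NAT, source NAT and a policy drop sit relative to the i, I, o and O inspection points, and how a capture filter on a pre-NAT address makes a packet seem to "disappear". The addresses, the NAT pairs and the filter are constructed assumptions.

```python
# Added example (not Check Point code): a toy model of the four fw monitor
# inspection points and where NAT and policy drops sit between them. Addresses are constructed.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def trace(pkt, dnat=None, snat=None, policy_drop=False, host_filter=()):
    """Walk one packet through i -> I -> o -> O and report where it is visible.

    dnat: (pre_dst, post_dst), destination NAT applied between i and I.
    snat: (pre_src, post_src), source (hide/static) NAT applied between o and O.
    policy_drop: the rulebase drops the packet between i and I.
    host_filter: IPs the capture filter accepts (roughly a host(x) filter expression);
                 a point is shown only if the packet's src or dst is in it.
    """
    seen = []

    def show(point, p):
        if not host_filter or p.src in host_filter or p.dst in host_filter:
            seen.append(point)

    show("i", pkt)                        # pre-inbound: packet as received on the wire
    if policy_drop:
        return seen                       # dropped by policy: never reaches I
    if dnat and pkt.dst == dnat[0]:
        pkt = replace(pkt, dst=dnat[1])   # destination NAT happens between i and I
    show("I", pkt)                        # post-inbound
    show("o", pkt)                        # pre-outbound, after routing
    if snat and pkt.src == snat[0]:
        pkt = replace(pkt, src=snat[1])   # source NAT happens between o and O
    show("O", pkt)                        # post-outbound: packet as sent on the wire
    return seen


if __name__ == "__main__":
    inbound = Packet(src="198.51.100.7", dst="203.0.113.10")   # constructed NATed public IP
    dnat = ("203.0.113.10", "10.0.0.10")
    # Filter on the pre-NAT destination only: the packet "vanishes" after i.
    print(trace(inbound, dnat=dnat, host_filter={"203.0.113.10"}))
    # Filter on both pre- and post-NAT addresses: all four points are shown.
    print(trace(inbound, dnat=dnat, host_filter={"203.0.113.10", "10.0.0.10"}))
    # A real policy drop also stops at i; fw ctl zdebug + drop tells the two apart.
    print(trace(inbound, policy_drop=True))
    # Outbound with hide NAT and a pre-NAT source filter: vanishes after o.
    print(trace(Packet("10.0.0.5", "198.51.100.7"), snat=("10.0.0.5", "203.0.113.1"),
                host_filter={"10.0.0.5"}))
```

Filtering on both the pre- and post-NAT addresses of the host you are tracing avoids the false "disappearance" and leaves a genuine drop as the remaining explanation.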