This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ven
Participant
‎2020-11-05 12:50 AM
Jump to solution

Fw monitor troubleshooting

Hello, 

I have a question about Fw monitor Inspection Points iIoO.  What does if i don`t see these inspection points in the fw monitor output and what could be the cause for each and also how to troubleshoot ? 

For example :  If i don`t see ' i ' ----I am thinking that the traffic/connection is not even reaching the firewall and I would look at the forwarding device if it is sending the tarffic to fw or not ? 

If i don`t see 'I' --

If i don`t see 'o' --- 

If i don`t see 'O' ---

 

 

Any help appreciated 

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-11-07 07:29 PM
Jump to solution

You're correct on i.
If something doesn't get to I, it's most likely got dropped by a policy/access rule
If something doesn't get to o, the packet probably didn't get routed properly or it's being handled directly by the gateway.
If something doesn't get to O...well, it depends on the precise situation.

See also: https://community.checkpoint.com/t5/How-To-Videos/How-to-use-fw-monitor/m-p/97582 

View solution in original post

HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-11-08 03:30 AM
In response to PhoneBoy
Jump to solution

Hi @Ven

I agree with @PhoneBoy. Here is a small note. 
In different versions the "fw monitor inspection points" are displayed differently.
Screenshot_20201108-122634_Edge.jpg

For example, you cannot see "i" or "O" when it is VPN traffic on certain GAIA versions.

More read here:
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Performance Tuning and Debug Tips - fw monitor
R80.x - cheat sheet - fw monitor

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

5 Replies
PhoneBoy
Admin
Admin
‎2020-11-07 07:29 PM
Jump to solution

You're correct on i.
If something doesn't get to I, it's most likely got dropped by a policy/access rule
If something doesn't get to o, the packet probably didn't get routed properly or it's being handled directly by the gateway.
If something doesn't get to O...well, it depends on the precise situation.

See also: https://community.checkpoint.com/t5/How-To-Videos/How-to-use-fw-monitor/m-p/97582 

HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-11-08 03:30 AM
In response to PhoneBoy
Jump to solution

Hi @Ven

I agree with @PhoneBoy. Here is a small note. 
In different versions the "fw monitor inspection points" are displayed differently.
Screenshot_20201108-122634_Edge.jpg

For example, you cannot see "i" or "O" when it is VPN traffic on certain GAIA versions.

More read here:
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Performance Tuning and Debug Tips - fw monitor
R80.x - cheat sheet - fw monitor

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Ven
Participant
‎2020-11-09 10:26 AM
In response to HeikoAnkenbrand
Jump to solution

Thanks @HeikoAnkenbrand  for your notes

0 Kudos
Ven
Participant
‎2020-11-09 10:25 AM
In response to PhoneBoy
Jump to solution

Thanks @PhoneBoy for your help.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-02-07 11:21 AM
In response to PhoneBoy
Jump to solution

Just to add on to Daemon's post: if traffic disappears at I it may have been dropped as he says (fw ctl zdebug + drop to check this), but it is also possible that your filter was matching against only the pre-NAT destination IP address.  If it is the destination IP address that is subject to NAT, the actual replacement of the destination IP address in the packet happens between i and I.  So in this case the packet "disappears" in your capture and never reaches I (as far as you can see), but the packet actually just stopped matching your pre-NAT destination IP address filtering condition and continued onwards through I.

By the same token if the traffic seems to disappear after o, it is possible that the packet was dropped (though much less likely than between i and I) for some reason.  What is far more probable is that you were matching against the pre-NAT source IP address, which will be transformed to the post-NAT source IP address between o and O, and the packet will once again seem to "disappear" in your capture, when in reality the packet was not dropped and continued through O.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events