Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ven
Participant
Jump to solution

Fw monitor troubleshooting

Hello, 

I have a question about Fw monitor Inspection Points iIoO.  What does if i don`t see these inspection points in the fw monitor output and what could be the cause for each and also how to troubleshoot ? 

For example :  If i don`t see ' i ' ----I am thinking that the traffic/connection is not even reaching the firewall and I would look at the forwarding device if it is sending the tarffic to fw or not ? 

If i don`t see 'I' --

If i don`t see 'o' --- 

If i don`t see 'O' ---

 

 

Any help appreciated 

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin

You're correct on i.
If something doesn't get to I, it's most likely got dropped by a policy/access rule
If something doesn't get to o, the packet probably didn't get routed properly or it's being handled directly by the gateway.
If something doesn't get to O...well, it depends on the precise situation.

See also: https://community.checkpoint.com/t5/How-To-Videos/How-to-use-fw-monitor/m-p/97582 

View solution in original post

HeikoAnkenbrand
Champion Champion
Champion

Hi @Ven

I agree with @PhoneBoy. Here is a small note. 
In different versions the "fw monitor inspection points" are displayed differently.
Screenshot_20201108-122634_Edge.jpg

For example, you cannot see "i" or "O" when it is VPN traffic on certain GAIA versions.

More read here:
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Performance Tuning and Debug Tips - fw monitor
R80.x - cheat sheet - fw monitor

➜ CCSM Elite, CCME, CCTE

View solution in original post

5 Replies
PhoneBoy
Admin
Admin

You're correct on i.
If something doesn't get to I, it's most likely got dropped by a policy/access rule
If something doesn't get to o, the packet probably didn't get routed properly or it's being handled directly by the gateway.
If something doesn't get to O...well, it depends on the precise situation.

See also: https://community.checkpoint.com/t5/How-To-Videos/How-to-use-fw-monitor/m-p/97582 

HeikoAnkenbrand
Champion Champion
Champion

Hi @Ven

I agree with @PhoneBoy. Here is a small note. 
In different versions the "fw monitor inspection points" are displayed differently.
Screenshot_20201108-122634_Edge.jpg

For example, you cannot see "i" or "O" when it is VPN traffic on certain GAIA versions.

More read here:
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Performance Tuning and Debug Tips - fw monitor
R80.x - cheat sheet - fw monitor

➜ CCSM Elite, CCME, CCTE
Ven
Participant

Thanks @HeikoAnkenbrand  for your notes

0 Kudos
Ven
Participant

Thanks @PhoneBoy for your help.

0 Kudos
Timothy_Hall
Champion
Champion

Just to add on to Daemon's post: if traffic disappears at I it may have been dropped as he says (fw ctl zdebug + drop to check this), but it is also possible that your filter was matching against only the pre-NAT destination IP address.  If it is the destination IP address that is subject to NAT, the actual replacement of the destination IP address in the packet happens between i and I.  So in this case the packet "disappears" in your capture and never reaches I (as far as you can see), but the packet actually just stopped matching your pre-NAT destination IP address filtering condition and continued onwards through I.

By the same token if the traffic seems to disappear after o, it is possible that the packet was dropped (though much less likely than between i and I) for some reason.  What is far more probable is that you were matching against the pre-NAT source IP address, which will be transformed to the post-NAT source IP address between o and O, and the packet will once again seem to "disappear" in your capture, when in reality the packet was not dropped and continued through O.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events