This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Enes_Morina
Explorer
‎2022-10-17 03:05 AM

Problem with Packet Captures

Hello
I have a problem with Checkpoint Firewall (R81.10).

When I'm trying to check the monitoring in the Logs section/ When I click on Packet Captures, which I made to open with Wireshark, the message "the file "time1665992763.cap" does not exist.

Please help me...

Enes.

 

 

Preview file
28 KB
Preview file
14 KB
0 Kudos
7 Replies
_Val_
Admin
Admin
‎2022-10-19 12:32 AM

You need to download the file before Wireshark can open it. Opening the link with Wireshark will not work. Download the capture file first.

0 Kudos
Enes_Morina
Explorer
‎2022-10-19 12:57 AM
In response to _Val_

 

Thank you for your reply.
When I offer the mouse near packet captures, the possibility of saving is not given, but only open directly. Therefore, I have configured the .cap format to be opened with Wireshark. But even with Wireshark I'm getting the error that I described in the previous post . Is there any other possibility in the checkpoint to save the capture not in this way but in another way?

Thank you.

Enes

Preview file
7 KB
0 Kudos
_Val_
Admin
Admin
‎2022-10-19 01:23 AM
In response to Enes_Morina

I have double-checked, you should be able to save the capture. Here is the quote from Threat Prevention Admin guide:

Packet Capture

You can capture network traffic. The content of the packet capture provides a greater insight into the traffic which generated the log. With this feature activated, the Security Gateway sends a packet capture file with the log to the Log Server. You can open the file, or save it to a file location to retrieve the information a later time.

0 Kudos
_Val_
Admin
Admin
‎2022-10-19 01:15 AM

This is odd, it should actually allow you download. Please check if the file mentioned in the logs actually exists on the log server. Look into sk120773 for the location, then search by name. In case of the old captures, they may be cleaned already.

If the file does exist, but you cannot query it from the SmartConsole, please open a TAC case

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-10-19 06:50 AM

It is possible that only one packet capture (the latest one) is available for that particular protection and the old one you are attempting to access has rolled off.  How many subsequent packet captures for the same protection are going to be saved will vary depending upon whether the packet capture was taken for an IPS ThreatCloud Protection, a Core Protection/Activation, or an Inspection Setting and whether the capture was called for in the Track column of the Threat Prevention policy, the settings of the protection itself, or no capture was called for in the configuration at all but the firewall automatically saved a packet capture upon the latest triggering of that protection by default, but older ones for that protection are not retained.

In some cases a packet capture will not be available in the logs when it seems there should be; this can be caused in the following situations stated in the R81 Known Limitations:

• The detection occurred in the Check Point ThreatCloud (i.e. not locally on the gateway due to its own cache)
• The DeepScan engine portion of the firewall made the determination
• The connection was SSL/HTTPS encrypted by the firewall

What is the specific protection name, and do you have a packet capture set in the Track field of the TP rule matching the protection, the "capture packets" checkbox set on the protection itself, or both?

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Enes_Morina
Explorer
‎2022-11-03 12:16 AM
In response to Timothy_Hall

We have the version of protection within our infrastructure on premises , we do not have it in the cloud.

Thank you for your reply...

0 Kudos
Alexander_Wilke
Advisor
‎2022-12-16 06:55 AM

If you have MDPS configured on the gateway you are not able to download captures from SmartConsole.

This is a bug and not solved.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events