R80.30 TCP Ping tool
Hello.
I'm relatively new to Check Point firewalls. Previously I've worked with Cisco ASA devices, which have a TCP Ping tool that lets you test TCP connectivity to a specified destination's TCP port (the ASA sends TCP SYN packets and evaluates the reply from the specified destination IP:port). This utility also lets you source it from any source IP you want. That way you're not limited to the appliance's local interface IP addresses and can emulate traffic as if it was forwarded by the appliance.
This is very handy when troubleshooting network access issues, to make sure security policies are correct and that the destination host/server is causing the problem.
Is there any similar tool/functionality within Check Point R80.30 virtual security gateways?
Accepted Solutions
hping2?
From the CLI help it appears to allow spoofing a source address.
Will admit haven’t tried.
Goes without saying you need to be an admin user with uid 0.
It works! Generated traffic shows in logs as well. Thank you again.
Check maybe the packet injector?
There used to be a tool called pinj that did exactly what you want, but it stopped working in R80.20; the closest you can get now is the tcptraceroute tool.
Thank you for the reply.
I've read the SK link provided by Alex, and Packet Injector seems to be exactly what I want. I was going to install it on one of my R80.30 security gateways. Too bad it does not work now. Does it fail during installation as well, or maybe I should give it a try?
So tcptraceroute and traceroute are the same binary. I guess it's just using the -T flag by default?
GNU netcat is available on Gaia.
Thank you for the information. I'm afraid I'm unable to specify arbitrary source IP addresses with netcat to test the connectivity, as it accepts only the security gateway's real interface addresses:
Error: Couldn't create connection (err=-3): Cannot assign requested address
This limitation makes it impossible to emulate specific connection traffic from the security gateway.
This is very simple:
ping -s --source ip-- destination ip
ping -I [source_ip|interface] destination
From clish, just like regular Linux ping.
Limited to addresses configured on the firewall.
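
An added example, not code from this thread or from Check Point: a minimal TCP ping built on the operating system's own `connect()`, showing why socket-based tools such as netcat and `ping -I` can only source traffic from addresses configured on the machine, and how to tell that failure apart from a closed or filtered port. The function name `tcp_ping`, its result labels, and the sample addresses are assumptions made for illustration; sending from a non-local source needs a raw-packet tool such as the hping2 mentioned in the accepted solution.

```python
import errno
import socket


def tcp_ping(dst_ip, dst_port, src_ip=None, timeout=2.0):
    """Attempt a TCP handshake to dst_ip:dst_port, optionally bound to src_ip.

    Returns "open" (handshake completed), "closed" (RST received),
    "filtered" (no reply before the timeout), "source-not-local"
    (the kernel refused to bind to src_ip), or "error: <errno name>".
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if src_ip is not None:
            try:
                # Port 0 lets the kernel pick an ephemeral source port.
                s.bind((src_ip, 0))
            except OSError as exc:
                # EADDRNOTAVAIL is the errno behind the message
                # "Cannot assign requested address" quoted in the thread.
                if exc.errno == errno.EADDRNOTAVAIL:
                    return "source-not-local"
                raise
        try:
            s.connect((dst_ip, dst_port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError as exc:
            return "error: " + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed demo: a loopback listener stands in for the destination server.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(tcp_ping("127.0.0.1", port))                      # listener present
    # 192.0.2.1 is a documentation address (RFC 5737), not configured locally.
    print(tcp_ping("127.0.0.1", port, src_ip="192.0.2.1"))  # bind is rejected
    srv.close()
    print(tcp_ping("127.0.0.1", port))                      # nothing listening
```

A "filtered" result is what a silently dropping security policy looks like from the sender's side, while "closed" means the packet reached a host that answered with a reset.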