This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Flanger
Participant
‎2020-09-09 08:40 AM
Jump to solution

R80.30 TCP Ping tool

Hello.

I'm relatively new with checkpoint firewalls. Previously I've worked with Cisco ASA devices, which have TCP Ping tool letting you test TCP connectivity on specified destination's TCP port (ASA sends TCP SYN packets and evaluates reply on specified destination IP:Port). This utility also lets you source it from any source IP you want. That way you're not limited only to appliance's local interfaces' IP addresses and can emulate traffic, as if it was forwarded by the appliance.

This is very handy when troubleshooting network access issues, to make sure security policies are correct and that destination host/server is causing the problem.

Is there any similar tool/functionality within Checkpoint R80.30 virtual security gateways?

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-09-09 09:39 PM
In response to Flanger
Jump to solution

hping2?
From the CLI help it appears to allow spoofing a source address.
Will admit haven’t tried.
Goes without saying you need to be an admin user with uid 0.

View solution in original post

Flanger
Participant
‎2020-09-10 01:12 PM
In response to PhoneBoy
Jump to solution

It works! Generated traffic shows in logs as well. Thank you again.

View solution in original post

0 Kudos
10 Replies
Alex-
Leader Leader
Leader
‎2020-09-09 12:51 PM
Jump to solution

Check maybe the packet injector?

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-09-09 01:25 PM
Jump to solution

There used to be a tool called pinj that did exactly what you want, but it stopped working in R80.20, closest you can get now is the tcptraceroute tool.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Flanger
Participant
‎2020-09-09 02:09 PM
In response to Timothy_Hall
Jump to solution

Thank you for the reply.
I've read SK link provided by Alex and Packet Injector seems to be exactly what I want. I was going to install it on one of my R80.30 security gateways. Too bad it does not work now. Does it fail during installation as well, or maybe I should give it a try?

0 Kudos
John_Fleming
Advisor
‎2020-09-09 06:28 PM
In response to Timothy_Hall
Jump to solution

so tcptraceroute and traceroute are the same binary. I guess its just using the -T flag by default?

0 Kudos
PhoneBoy
Admin
Admin
‎2020-09-09 03:20 PM
Jump to solution

GNU netcat is available on Gaia.

0 Kudos
Flanger
Participant
‎2020-09-09 04:37 PM
In response to PhoneBoy
Jump to solution

Thank you for the information. I'm afraid I'm unable to specify arbitrary source IP addresses with netcat to test the connectivity, as it accepts only security gateway's real interface addresses:

Error: Couldn't create connection (err=-3): Cannot assign requested address


This limitation makes it impossible to emulate specific connection traffic from security gw.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-09-09 09:39 PM
In response to Flanger
Jump to solution

hping2?
From the CLI help it appears to allow spoofing a source address.
Will admit haven’t tried.
Goes without saying you need to be an admin user with uid 0.

Flanger
Participant
‎2020-09-10 01:12 PM
In response to PhoneBoy
Jump to solution

It works! Generated traffic shows in logs as well. Thank you again.

0 Kudos
vikassharma
Explorer
‎2021-04-03 07:05 AM
In response to PhoneBoy
Jump to solution

this is very simple

ping -s --source ip--  destination ip

 

0 Kudos
irek
Explorer
‎2022-06-24 01:25 AM
In response to vikassharma
Jump to solution

ping -I [source_ip|interface] destination

from clish, just like regular linux ping 

limited to addresses configured on the firewall

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events