Hello, Mates.
What is the correct syntax to apply the “FW MONITOR” in troubleshooting moments, where you need to capture traffic?
Is it “fw monitor -e ....” or is it “fw monitor -F ....”?
I see that some people use one over the other, but it seems to me that it comes down to each administrator's “preference”.
If I want to capture traffic, for example, for this set of values:
IP SOURCE: 192.168.100.20
DESTINATION IP: 10.100.100.50
DESTINATION PORT: 4443
Which of the fw monitor syntaxes is the most “recommended” to apply in a GW?
Greetings.
-e takes an INSPECT code fragment and effectively causes the firewall kernel to capture traffic which matches that fragment. This only works when the traffic actually makes it to the firewall kernel, though. SecureXL exists specifically to skip over this code, so when SecureXL is enabled, most of the capture points won't record anything.
-F is the current way to write filters. It's not very flexible. There's no way to specify a source or destination network, or a range of ports. That said, it works with SecureXL enabled. As long as the traffic you want to capture can fit into the five -F filter slots, it's the method to use.
Hello,
If I have the SXL disabled on the box, the “fw monitor -F ...” filter will not work?
Do I have to enable SXL for it to work properly?
Could you share with me, what would be the syntax of the command, if I need to use this data in the “fw monitor”, please
IP SOURCE: 192.168.100.20
DESTINATION IP: 10.100.100.50
DESTINATION PORT: 4443
Thank you.
The -F filters are only supported by recent versions. I forget which first added it. On versions which support it, it works all the time, regardless of whether SecureXL is enabled or disabled. The filter is in the form of five values separated by commas like this: "0,0,0,0,0". A 0 in a field is a wildcard. The fields are source IP, source port, destination IP, destination port, and IP protocol.
Note that these filters are directional. If you want to catch a whole conversation, you need to use two filters. For the values you specified, I would run the capture like so:
fw monitor \
-F "192.168.100.20,0,10.100.100.50,4443,0" \
-F "10.100.100.50,4443,192.168.100.20,0,0" \
...
The backslashes let me spread the command onto multiple lines. This helps catch errors in the filters, since the filters to catch both directions of a single conversation should be the same length. Replace the '...' with whatever other flags you want to add. -w to catch whole packets, -o <file> to write to a file, and so on.
The -F flag for fw monitor was added in one of the Jumbo HFAs for R80.20 right around the time of the major rework of SecureXL. fw monitor -F is actually starting a filtered debug in the sim driver itself on the SND core which is why the syntax is so restrictive, but it does allow a full capture regardless of the state of SecureXL.
Hi.
To capture ICMP traffic do you have to change the command syntax a lot?
If it is required to do an ICMP test between 192.168.10.100 and IP 172.16.100.10, the command syntax changes a lot?
Thank you.
ICMP always goes slowpath, so you can use fw monitor -e if desired, obviously -F will work too.
Hi.
On many occasions I often forget to turn off SXL, and so I want to run a 'FW Monitor...' that does not depend on SXL.
I understand that the best option in this case would be to apply the ‘F’ in the command syntax, right?
Greetings. 🙏
Note the IP protocol is 0, the special wildcard value, in both of the filters I listed. If you just set the port to 0 as well, you will catch ICMP, TCP, UDP, ESP, whatever else between those two endpoints:
fw monitor \
-F "192.168.100.20,0,10.100.100.50,0,0" \
-F "10.100.100.50,0,192.168.100.20,0,0" \
...
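The two answers above describe the -F filter format (five comma-separated fields: source IP, source port, destination IP, destination port, IP protocol, with 0 as a wildcard), the fact that filters are directional so a conversation needs two of them, and the limit of five -F slots per fw monitor run. The following shell helper is an added example, not code from the thread or from Check Point: it builds the matching pair of -F arguments from one 5-tuple, validates the fields, and refuses to assemble a command that would need more than the five slots. The function names fwmon_bidir, fwmon_cmd, check_ip and check_num are assumptions for this example; the fw monitor syntax it emits is the one shown in the answers above.

```shell
#!/bin/sh
# Added example (not from the original thread): generate "fw monitor -F" filter
# arguments for one or more conversations. Each tuple is
#   src_ip src_port dst_ip dst_port ip_proto
# with 0 as the wildcard. Filters are directional, so every conversation
# becomes two -F slots, and fw monitor accepts at most five -F slots.

# Accept an IPv4 address or the wildcard 0; fail on anything else.
check_ip() {
    case "$1" in
        0) return 0 ;;
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs      # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Accept a non-negative integer no larger than $2 (65535 for ports, 255 for protocols).
check_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le "$2" ]
}

# fwmon_bidir SRC SPORT DST DPORT PROTO
# Print the two -F arguments (request and reply direction) for one conversation.
fwmon_bidir() {
    check_ip "$1" && check_ip "$3" || { echo "bad IP in: $*" >&2; return 1; }
    check_num "$2" 65535 && check_num "$4" 65535 || { echo "bad port in: $*" >&2; return 1; }
    check_num "$5" 255 || { echo "bad protocol in: $*" >&2; return 1; }
    # reply direction swaps src/dst IP and port; the protocol stays the same
    printf '%s "%s,%s,%s,%s,%s" %s "%s,%s,%s,%s,%s"' \
        -F "$1" "$2" "$3" "$4" "$5" \
        -F "$3" "$4" "$1" "$2" "$5"
}

# fwmon_cmd "SRC SPORT DST DPORT PROTO" ["SRC SPORT DST DPORT PROTO"]
# Assemble a complete fw monitor command line. Two bidirectional conversations
# use four slots; a third would need six, more than the five fw monitor allows.
fwmon_cmd() {
    [ $# -le 2 ] || { echo "at most 2 conversations fit in the 5 -F slots" >&2; return 1; }
    cmd="fw monitor"
    for tuple in "$@"; do
        set -- $tuple                              # word-split the tuple
        part=$(fwmon_bidir "$@") || return 1
        cmd="$cmd $part"
    done
    printf '%s\n' "$cmd"
}

# Example usage with the values from the thread (protocol 0 = any, as in the
# ICMP answer above). Append -w, -o <file> and the like to the printed command.
fwmon_cmd "192.168.100.20 0 10.100.100.50 4443 0"
```

Run the script on an admin workstation and paste the printed command into the gateway shell, or source it there; the validation catches the typo in a filter before fw monitor silently captures nothing because one direction was mistyped.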
Hi,
in such case I would run
- g_ as I am a happy user of Maestro - it always surprises me 🙂
- I am assuming that TCP is meant, so I am using the IANA protocol number 6,
- I also like to see packets path so adding a -p all
- Sometimes I am adding -T, but only when someone is complaining about latency
g_fw monitor -F "192.168.100.20,0,10.100.100.50,4443,6" -F "10.100.100.50,4443,192.168.100.20,0,6" -p all
Oof, be careful using the -p all option on a production gateway. Instead of showing each accepted packet 4-6 times (iIoO), -p all will show each accepted packet at least 40 times, basically as it transitions between each individual software chain module (fw ctl chain).
Good point, thanks! I never had any issues while using this parameter. I have seen the warning of high CPU usage, but many (if not most) of the CP debugging tools bear this badge 🤔
Luckily my setup is scaled very well - lots of oomph left for debugs. I should have added that I will use -p only in the case of "difficult customers"; the beautiful output it gives might be overwhelming 🤣
And once again - THANK THANK THAAANK you Sir, for your last webinar, what a great knowledge booster ! I am still studying it, but I have already found solutions to some of the problems on my setup.
I would say using -F flag is probably safest.
Andy
In general, the following website is helpful at showing you what the correct syntax is for packet captures of all kinds: https://tcpdump101.com/
@the_rock and I are both familiar with the guy behind it 🙂
To answer your specific question: fw monitor -F "192.168.100.20,0,10.100.100.50,4443,0" -F "10.100.100.50,4443,192.168.100.20,0,0"
Yes sir, and he is still trying to make that site even better, when he got time, which is not often lol
Anyway, I will tell him you said hi 🙂
Andy
Hey Bro.
To capture encrypted traffic, related to S2S VPN, the “fw monitor -F ....” filter is more than enough?
Or should the “-F” be replaced by “-e” in the command syntax?
🤙
If it's encrypted, you would probably never see big 0, but you can try either flag.
Andy
Encrypted traffic runs in SecureXL usually, so -F is still needed.
Note that you can have up to five -F statements in an fw monitor, which is enough to see both the IPsec traffic and an unencrypted flow.
I keep forgetting the 5 -F flags, thanks for the reminder. I always tell people there is no limit to it, but the most I have seen them run is 3 times lol
Andy
Bro,
@Bob_Zimmerman described it perfectly, so, keep in mind, -e flag is not super useful if sxl is on, but -F would be.
Andy