Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Don_Paterson
Advisor
Advisor

fw monitor -F does not seems to show accurately in fw ctl chain

Hello,

When I use the -F switch in fw monitor I see the fw ctl chain output showing the default Inspect Filter (fw monitor) capture positions, which are above the SecureXL 'kernel chain modules'.

This seems to be implying that the capture is done after SecureXL. Meaning that it is the old-style slow path only capture, which is is not.

Can anyone in Check Point offer an explanation please?

Is the fw ctl chain output simply inaccurate?

Thanks,

Don

 

0 Kudos
6 Replies
_Val_
Admin
Admin

version in use, screenshots?

0 Kudos
Don_Paterson
Advisor
Advisor

R81.10

Thanks,

Don

0 Kudos
Don_Paterson
Advisor
Advisor

Will update with screenshots later today but if you run fw monitor -F xyz and then in another console session fw ctl chain you will see fw monitor (i/f side) in chain position 12 (for example) and that implies it's capturing after SecureXL (in the first positions on the in chain).

That's what the question is all about. 

Thanks,

Don

 

0 Kudos
Timothy_Hall
Legend Legend
Legend

My impression is that fw monitor -F captures traffic directly in the sim driver via a debug filter which is why you can capture fully-accelerated traffic with it.  While running fw monitor -F does place the capturing modules in the chain sequence similar to fw monitor -e, I don't think those modules are actually capturing anything while fw monitor -F is running unless the traffic happens to be F2F and traversing the full chain sequence.  This may also be the case for Medium Path traffic (PSL & CPAS) or even F2V but that is less clear to me.  In the F2F case there could be modifications to the packet visible at I and o->O that the sim driver would not necessarily be able to "see" happening until it reached O and re-entered the sim driver on the outbound side.  So I would assume placing the capturing chain modules while fw monitor -F is running handles this corner case and ensures a full capture of F2F traffic.

In R80.20 some of SecureXL's original responsibilities such as path determination and formation/matching of Accept/NAT templates were moved into the Firewall worker/instances which muddies the waters a bit here, and is why you see SecureXL "chain modules" in the output of fw ctl chain in R80.20+.  The EA release notes for R81.20 state that even more of SecureXL/Performance Pack's functions are being moved out of sim into the Firewall Workers/Instances, but I haven't had a chance to check it out yet.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Marre96
Explorer

The first column are the modules number and they are not indicating in which order packets are traversing the firewall? Is it the second column that shows the "order of operation" The fw VM has a absolute value of 0 and operation that takes place before fw VM have a - (minus) hexadecimal number?

0 Kudos
_Val_
Admin
Admin

@Marre96 I assume you are talking about something like this:

fw ctl chain.png

  • The first number is location of the module in the chain (or order in the chain)
  • The second number is the absolute position in the chain. As you mentioned, fw VM is assumed position 0, chain modules before it have negative position numbers
  • The third - pointer to the function in the chain module
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events