This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Norbert_Papirny
Participant
‎2019-05-09 08:21 AM
Jump to solution

fw monitor output

Hi All,

I need some help with fw monitor output.  (R80.20 gaia T47)

Our GRE/SIP  communication doesn't work, and as you can see below, the last captured packet was stopped in pre-outbound (o4) chain position. It is the tunnel-inside traffic.

We have bidirectional rules between peers without NAT.

CP.PNG

Could you please somebody explain what caused this behavior? 

Here is also the relevant wireshark capture:

cp2.PNG

There are many articles/ cheat sheets ,etc. about how fw monitor is working, but i cant find any information about the output interpretation...  

 

in chain (14):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8a32eb80) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: - 1fffff8 (ffffffff8a32c9b0) (00000001) Stateless verifications (in) (asm)
4: - 1fffff7 (ffffffff8a32c4d0) (00000001) fw multik misc proto forwarding
5: - 1fffff5 (ffffffff8a3e2ec0) (00000001) fw early SIP NAT (sipnat)
6: 0 (ffffffff8a48cc10) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8a32efd0) (00000001) fw SCV inbound (scv)
8: 5 (ffffffff8a21a4d0) (00000003) fw offload inbound (offload_in)
9: 10 (ffffffff8a47eca0) (00000001) fw post VM inbound (post_vm)
10: 7f730000 (ffffffff89ffc520) (00000001) passive streaming (in) (pass_str)
11: 7f750000 (ffffffff89c8c7d0) (00000001) TCP streaming (in) (cpas)
12: 7f800000 (ffffffff8a32eb30) (ffffffff) IP Options Restore (in) (ipopt_res)
13: 7fb00000 (ffffffff89628750) (00000001) Cluster Late Correction (ha_for)
out chain (11):
0: -7f800000 (ffffffff8a32eb80) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1fffff0 (ffffffff89c76dd0) (00000001) TCP streaming (out) (cpas)
2: - 1ffff50 (ffffffff89ffc520) (00000001) passive streaming (out) (pass_str)
3: - 1f00000 (ffffffff8a32c9b0) (00000001) Stateless verifications (out) (asm)
4: 0 (ffffffff8a48cc10) (00000001) fw VM outbound (fw)
5: 10 (ffffffff8a47eca0) (00000001) fw post VM outbound (post_vm)
6: 18000000 (ffffffff89f28210) (00000001) fw record data outbound
7: 7f700000 (ffffffff89c8b2f0) (00000001) TCP streaming post VM (cpas)
8: 7f800000 (ffffffff8a32eb30) (ffffffff) IP Options Restore (out) (ipopt_res)
9: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
10: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
monitor: monitoring (control-C to stop)

**********

 

outside traffic:

[vs_0][fw_2] bond2.654:i2 (IP Options Strip (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:i3 (Stateless verifications (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:i4 (fw multik misc proto forwarding)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:i5 (fw early SIP NAT)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:i6 (fw VM inbound )[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I7 (fw SCV inbound)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I8 (fw offload inbound)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I9 (fw post VM inbound )[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I10 (passive streaming (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I11 (TCP streaming (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I12 (IP Options Restore (in))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I13 (Cluster Late Correction)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond2.654:I14 (Chain End)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o0 (IP Options Strip (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o1 (TCP streaming (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o2 (passive streaming (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o3 (Stateless verifications (out))[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

[vs_0][fw_2] bond1.509:o4 (fw VM outbound)[448]: 10.42.14.60 -> 10.7.8.4 (47) len=448 id=62203

 

*********************outside traffic was stopped in 04 position

 

inside traffic:

[vs_0][fw_2] bond1.509:i2 (IP Options Strip (in))[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond1.509:i3 (Stateless verifications (in))[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond1.509:i4 (fw multik misc proto forwarding)[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond1.509:i5 (fw early SIP NAT)[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond1.509:i6 (fw VM inbound )[441]: 10.7.8.4 -> 10.42.14.60 (47) len=441 id=958

[vs_0][fw_2] bond2.654:i2 (IP Options Strip (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:i3 (Stateless verifications (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:i4 (fw multik misc proto forwarding)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:i5 (fw early SIP NAT)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:i6 (fw VM inbound )[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I7 (fw SCV inbound)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I8 (fw offload inbound)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I9 (fw post VM inbound )[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I10 (passive streaming (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I11 (TCP streaming (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I12 (IP Options Restore (in))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I13 (Cluster Late Correction)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond2.654:I14 (Chain End)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o0 (IP Options Strip (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o1 (TCP streaming (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o2 (passive streaming (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o3 (Stateless verifications (out))[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

[vs_0][fw_2] bond1.509:o4 (fw VM outbound)[444]: 10.42.14.60 -> 10.7.8.4 (47) len=444 id=62204

 

Many thanks,

Norbert

0 Kudos
1 Reply
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events