This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alexander_K
Explorer
‎2017-10-16 01:12 AM
Jump to solution

IPS packet capture

In R77.30 and earlier IPS packet capture was stored on the gateways as .pcap files and we could retrieve them using "fwm getpcap" over SSH. In R80+, IPS has been moved to Threat Prevention and it seems that packet capture is now being stored as .EML files. Looking at the logs from "fw log", the "packet_capture_unique_id" is now a name, where on earlier versions this was a ID number. Tried running "fwm getpcap" with different ID's from the logs, but all returning errors.

I heard that there are plans to stop using .EML files, but until then, are there any ways to get the IPS packet captures out from SSH?

1 Solution

Accepted Solutions
Pablo_Munoz
Employee Employee
Employee
‎2018-03-02 01:20 PM
Jump to solution

I don't know if this is too late, but maybe sk120773 helps:

IPS packet captures are located on on the Security Gateway in:

  • Before R80.x - $FWDIR/log/captures_repository 
  • In R80.10 - $FWDIR/log/forensics and /var/log/spool/mail/

View solution in original post

11 Replies
PhoneBoy
Admin
Admin
‎2017-10-20 04:29 PM
Jump to solution

Hm... good question.

Let me ping my friends in R&D about this one.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-10-23 07:11 AM
Jump to solution

Turns out that’s in R80.10+, the packet captures are stored on the log server, not the gateway as was the case in R77.30 and earlier.

Consequentially, the fwm getpcap command does not work for R80.10+ Gateways

An API for this is planned in R80.20.

Also, in R80.20, we plan to make the pcap available as a pcap (not EML).

Meanwhile, in R80.10, the only way to get the capture is via SmartConsole.

Alexander_K
Explorer
‎2017-10-25 12:27 AM
In response to PhoneBoy
Jump to solution

Thanks, will await for R80.20 then

0 Kudos
Jim_Stergiou
Participant
‎2018-05-07 06:01 AM
In response to PhoneBoy
Jump to solution

Did the ability to pull pcaps from the API make it into the R80.20 EA?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-05-07 07:03 AM
In response to Jim_Stergiou
Jump to solution

I don't see anything in the API docs for it offhand...

0 Kudos
Pablo_Munoz
Employee Employee
Employee
‎2018-03-02 01:20 PM
Jump to solution

I don't know if this is too late, but maybe sk120773 helps:

IPS packet captures are located on on the Security Gateway in:

  • Before R80.x - $FWDIR/log/captures_repository 
  • In R80.10 - $FWDIR/log/forensics and /var/log/spool/mail/
PhoneBoy
Admin
Admin
‎2018-03-03 02:49 PM
In response to Pablo_Munoz
Jump to solution

Never too late for a correct answer Smiley Happy

The nice thing is in R80.10, these files are stored as .cap files directly, which means Wireshark and other tools can read them.

0 Kudos
Brian_Olesen
Explorer
‎2018-06-21 01:58 AM
Jump to solution

In a R80.10 installation it seems that there is only .cap files for the last couple of days. Does anyone know for how long the .cap files are stored and where it can be configured?

0 Kudos
Pablo_Munoz
Employee Employee
Employee
‎2018-06-21 06:13 AM
In response to Brian_Olesen
Jump to solution

It's my understanding that these settings are configured from 'Disk Space Management' (GW Properties -> Logs -> Local Storage). Here you can also define how much disk space will be allocated for packet capturing. Files should be stored until we start running out of space (then log rotation starts working as per the settings)

0 Kudos
Oliver_Fink
Advisor
Advisor
‎2022-05-02 07:55 AM
In response to Pablo_Munoz
Jump to solution

It seems that R81.10 does not offer the possibility to configure this anymore:

Bildschirmfoto 2022-05-02 um 16.53.48.png

 

Same on R80.30:

Bildschirmfoto 2022-05-02 um 16.59.39.png

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-05-02 10:59 AM
In response to Oliver_Fink
Jump to solution

This is configured on the gateway object, not the SMS.  The Local Storage screens you are showing are for an SMS.

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events