Article of the Week - Check Point Packet Injector

I like Check Point Packet Injector tool. According my personal opinion it should be part of GAiA installation already. Also possibility to call ir remotelly for specific gateway from management server could be great.

R80.X management has an option "Open Shell" to the GW. As for the package, you can use script option to install it if you like. It's also in the SmartConsole

Awesome, gonna take a look. Been looking for this for some time since my days supporting ASA (packet tracer) was a very helpful utility.

Thank you everyone.

-Diego

It is actually available for more than a year now 🙂

Why does Check Point not provide this package in CPUSE?

That's a very good idea, Sven Glock‌

I created a small script to have the possibility to start pinj directly from smartconsole --> Gateways&Servers Tab --> Rightclick on the relevant Gateway --> Scripts --> Script-Repository:

if=$(ip route get $1 | head -1 | cut -d " " -f 3)
/opt/CPPinj-R80/pinj --sport 3333 --dport $3 --protocol $4 -I $if $1 $2 | head -1
##################################
#Arguments: <SRC-IP> <DST-IP> <dport> <tcp|udp>
##################################

This script is limited to non-vsx gateways. I will add VSX support soon.

Version 3 will get ICMP and traceroute support, too.

The output will be shown in the "Recent Tasks"-list. --> Details-

Just ignore the warning. This seems to be a cosmetical bug of pinj.

Great job, thanks!

Not trying to take away from the value of this tool, with Check Point unlike traditional security providers  you can also simulate packet mode searches without actual packets. Search through your policy using R80.10 new Packet Mode feature 

One of the ways this tool is most used in our team is for testing a third party VPN connection. Most of the time it is not possible for us to get the customers' users to test a new VPN we setup for them. We mostly only have a direct contact with the third party to make sure we have the same settings at both ends and Pinj just gives us the testing edge.

Code-Update:

##################################
#Arguments: <SRC-IP> <DST-IP> <dport> <tcp|udp>
##################################
#!/bin/bash
interface=$(ip route get $1 | head -1 | rev | cut -d " " -f 5 | rev)
sp=$(( RANDOM % (65535 - 1025 + 1 ) + 1025 ))
/opt/CPPinj-R80/pinj --sport $sp --dport $3 --protocol $4 -I $interface $1 $2 2>/dev/null‍‍‍‍‍‍‍

• As you can not use the same source port until it timed out I improved the script to choose random highports.

• The script always chooses the interface where the src IP will be routed to. In version 1 there is a problem when the src IP is behind the external interface. This is now fixed.

• Additionally this version will suppress IPv6 warnings 

VSX-support is a bit challanging, but I am working on it.

Cheers

Sven

Really nice one! Thank you 

Last week 1 of my colleagues was running a pinj on a R77.30 VSX gateway to do some VPN testingand we got word from the customer that they had seen OSPF failures at the exact same moment.

Anybody else seen anything like this?

Be aware of a bug that comes up with R80.10 VSX and PINJ: Check Point Packet Injector does not work on VS when using VMAC 

For my situation the workaround is not fuctional.

Regards

Sven

The Packet Injector is good but it could be better.

1. Added to the SG product by default (no need to install). Available in CLISH and bash.

2. Added to SmartConsole scripts repo by default.

3. More intuitive command format.

4. Even better - run just the executable (without options) and be prompted for SRC and DST details and any other options in a multi or single step option.

5. Able to execute centrally, from SMS CLI or SmartConsole (similar to above).

6. Timing and display of response by default or optional.

@Don_Paterson, thanks for your feedback. Just to clarify, PINJ is no longer supported with R80.20+

fw up_execute

Thanks, @JozkoMrkvicka, this is indeed the replacement 🙂

Hi,

are there any plans for a PINJ version for versions greater than R80.10? It was a really good tool especially to test VPNs.

Kind regards and stay healthy

Bjoern

Haven't tried but PhoneBoys solution 

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-30-TCP-Ping-tool/td-p/96370 sounds like an alternative.