Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

FW Monitor SuperTool

Danny
Champion Champion
Champion

📕 Referenced in the book: Max Power 2020
▶️ Featured in How to use fw monitor

One-liner (Bash) to assist running fw monitor on Check Point firewall gateways.
In expert mode run:


    if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo; tput bold; echo ' Not a firewall gateway!'; tput sgr0; echo; else echo; printf '%.s-' {1..60}; echo; echo ' FW Monitor SuperTool'; printf '%.s-' {1..60}; echo; echo; tput bold; echo -n ' Add host IPs ';
...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.




(1)
38 Replies

Vladimir
Champion
Champion

@Danny , this is awesome! Happy to see CCC evolution over the past year! I hope that CP will decide one day to officially support or endorse it.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

_Val_
Admin
Admin

Wow!

Great job,  @Danny 

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos
(1)

Wolfgang
Authority
Authority

Danny,

thanks a lot for this, simplifies the daily work.

I used https://tcpdump101.com to built complex fw monitor filter but your tool make this easy.

applause, applause

Wolfgang

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Ziegelsambach
Contributor

+1

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Kim_Moberg
Advisor

Very nice Danny

but isnt fw monitor changed in r80.20 take 87?

fw monitor -e is changed with filter function isnt?

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

HeikoAnkenbrand
Champion Champion
Champion

From me 100 points. 👍

I'll add the one-liner to my one-liner list:

One-liner collection

 

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


PhoneBoy
Admin
Admin
Wow, great work! ;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Tom_Cripps
Advisor

Hi  @Danny 

I'm having issues with this working? Paste it straight into the CLI or do I need to enter this into a script?

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Hi  @Tom_Cripps ,

just paste it straight into your Expert mode CLI.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Tom_Cripps
Advisor

Got this working now, just had to press Enter. 

Great work though! Kudos.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Sven_Glock
Advisor

Hi Danny,

nice script! Well done!

I would highly recommend to add a friendly reminder at the end of the script that performing "fwaccel off" can increase the load of the gateway or could lead to outages if the gateways is already well loaded. 

 

Cheers

Sven

 

 

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

@Sven_Glock ,

that‘s why this SuperTool checks if SecureXL is enabled on versions prior to R80.20 and only disables it while running fw monitor. I checked if disabling SecureXL just for the specified IP addresses (sk194468) would be an option, unluckily this requires adjustments on the SmartCenter, so I had to stay with fwaccel off/on.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Kane
Explorer

Thank you Danny. Awesome work brov.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

I'm glad you like it!  🙂

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

AkosBakos
Collaborator

Amazing script.

Now I put this text to my desktop. Maybe should I print it? 🙂

Akos

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Go for it and post a photo of your work desk feature the printout!  😎

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

FrozT
Participant

This doesn't work at all.  No matter what values I give it it only generates the following command:

Executing ? fw monitor -F "0,0,0,0,0"

I'm using R80.20 - Build 128 in expert mode.  I hate this new syntax for fw monitor.   Can someone tell me how to translate the following from the old fw monitor syntax to the new style?

fw monitor -e "accept (host (1.2.3.4) and net(13.104.0.0,14));"

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

This is the expected behaviour as -F is currently not supported (see my initial post).
So the tool is working as it should and correctly informs you to use fw monitor with simple filters instead of inspect code.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

JackPrendergast
Advisor
Advisor

Outstanding work Danny. 

 

My issue with fw monitor has always been its complexity to run a command. Granted, once you have a command written out, its just a case of changing variables - however in the middle of a change, or whilst troubleshooting a situation, getting the syntax completely correct is just a pain for someone like me.

 

Ill start using fw monitor more proficiently now!

 

Thank you

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Rick_Carlo
Employee
Employee

Holy Cow!  This is AMAZING!!!

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Matthias_Kring
Contributor

I need to add an additional ";fi" to get it running. Nevertheless, great helping tool!

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Nicolas_Vanhoek
Participant
Participant

add fi.jpg

 yep,  that fixed it for me too

 

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

abubakr3092
Explorer

I tried running the script but it doesn't work. Below is my gateway version.

This is Check Point's software version R80.30 - Build 484
kernel: R80.30 - Build 478

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

I added ";fi" at the end as this seem to be required now on most systems. Please try again.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Mike_Jensen
Advisor

This tool used to work great for me every time.  I am running R80.30 - Build 217 and no matter what I enter into the tool what shows up to be executed is "fw monitor -T -F "0,0,0,0,0"".  This is true when simply entering a single ip address into the tool and nothing else.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Yes, that's because full -F (simple filter) syntax is not supported yet.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Mike_Jensen
Advisor

Understood.  Do I simply remove the -F from the script to make it work?

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

ADe
Participant

I have version R80.40 running, but each IP address is ingored in the filer, result is always : 

fw monitor -T- F "0,0,0,0,0"
What is going wrong, and how can I solve this ?

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Timothy_Hall
Champion
Champion

Known limitation.  Quoted from above:

Attention! *Work in progress*

SuperTool will be further improved to support:

  • full -F syntax (currently just filters all traffic)

The -F syntax isn't too tough to come up with on your own (-F srcIP,srcPort,dstIP,dstPort,IPProto), but just keep in mind some points mentioned in my Max Capture series:

  1. Up to five -F expressions can be utilized with one invocation of fw monitor -F, and the multiple expressions will be ORed toget
...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


(1)