I’m in no way a Check Point junkie. I got these FW Monitor templates from my tech lead at work and he has been using these for over 10 years now. I find these templates just about enough to get me the captures that I need. If you need a more sophisticated FW Monitor, then I’d recommend you go through this document. In the next post after this I plan to write on how to analyze those logs/captures on your console and in Wireshark (this can get lengthy). In FW Monitor there are a few switches you can use to customize your captures but I’ve only posted some basic templates where you can just replace the IPs and run it.
If you’re not aware of the inspection points in Check Point, you can check out my previous post which will help you to understand the FW Monitor logs in a better way and possibly help in troubleshooting.
Disable SecureXL for capturing proper logs:
- If you have SecureXL enabled, it fast switches the packets and won’t show you all the detailed logs that you would like to see in your captures. You can disable SecureXL temporarily, if you want to inspect packets at that granularity (i.e ‘I’ and ‘o’). In my experience, disabling SecureXL hasn’t been a problem* and I haven’t seen any performance impact as such.
Right before the capture, turn off SecureXL on the gateway:
Immediately after the capture, turn on SecureXL on the gateway:
To turn on/off SecureXL on multiple VSXs at once:
fwaccel on -a fwaccel off -a
- Ensure that you re-enable after you are done capturing the logs.
- Be aware that SecureXL does affect how the traffic passes through the firewall and only disable it if you are 100% sure of what you’re doing. Do it at your own risk, I do not take any responsibility for anything going wrong with this as it does affect the live traffic immediately. Read the blog’s disclaimer. :)
Display all 8 inspection points (iIoO) for a complete two-way traffic on the console:
For specific flow: fw monitor -e 'accept (src=10.1.1.1 and dst=184.108.40.206) or (src=220.127.116.11 and dst=10.1.1.1);' -m iIoO OR For specific IP: fw monitor -e 'accept (src=10.1.1.1 or dst=10.1.1.1);' -m iIoO
Display 4 inspection points (iO) for a complete two-way traffic on the console:
fw monitor -e 'accept (src=10.1.1.1 and dst=18.104.22.168) or (src=22.214.171.124 and dst=10.1.1.1);' -m iO
- Note that we are only grepping iO, that means you are not looking for what is going on at the post-inbound (I) and pre-outbound (o) inspection points and just trying to get fewer output to see if it actually leaves the egress interface or not.
- If you suspect something missing, then run -m iIoO and see at which inspection point it’s getting stuck and use the previous post for troubleshooting tips.
Saving fw monitor logs to a .pcap file to analyse in wireshark:
fw monitor -e 'accept (src=10.1.1.1 and dst=126.96.36.199) or (src=188.8.131.52 and dst=10.1.1.1);' -m iIoO -o wireshark.pcap
- By default, the capture file is saved to the /home/admin directory.
- Use WinSCP to access the Security Gateway and copy the file to your local drive to analyze it in Wireshark.
Saving a TCP dump in a .pcap file:
tcpdump -w capture.pcap -i eth-s1p2c0 host 10.1.1.1 and host 184.108.40.206 tcpdump -nni any host 10.1.1.1 -w capture.pcap tcpdump -nni any host 10.1.1.1 and host 220.127.116.11 -w capture.pcap
- Replace the interface name and capture name as required.
|Ctrl+C||This is the break sequence|
|-e||Custom expression. Sets the filter for fw monitor.|
|-o||Writes the raw packet data output to a file.|
|Captures only the number of inbound (ci) and outbound (co) packets. This is useful if you have many packets going between a source and destination and the break sequence can take time to stop those captures.-vSpecifies the virtual device where the fw monitor needs to run|