Using FW Monitor to Capture Traffic Flows in Check Point (Cheat Sheet)


I’m in no way a Check Point junkie. I got these FW Monitor templates from my tech lead at work and he has been using these for over 10 years now. I find these templates just about enough to get me the captures that I need. If you need a more sophisticated FW Monitor, then I’d recommend you go through this document. In the next post after this I plan to write on how to analyze those logs/captures on your console and in Wireshark (this can get lengthy). In FW Monitor there are a few switches you can use to customize your captures but I’ve only posted some basic templates where you can just replace the IPs and run it.

If you’re not aware of the inspection points in Check Point, you can check out my previous post which will help you to understand the FW Monitor logs in a better way and possibly help in troubleshooting.

Disable SecureXL for capturing proper logs:

  • If you have SecureXL enabled, it fast-switches the packets and won’t show you all the detailed logs that you would like to see in your captures. You can disable SecureXL temporarily if you want to inspect packets at that granularity (i.e. the ‘I’ and ‘o’ inspection points). In my experience, disabling SecureXL hasn’t been a problem* and I haven’t seen any performance impact as such.

Right before the capture, turn off SecureXL on the gateway:

fwaccel off

Immediately after the capture, turn on SecureXL on the gateway:

fwaccel on

To turn on/off SecureXL on multiple VSXs at once:

fwaccel on -a
fwaccel off -a
  • Ensure that you re-enable after you are done capturing the logs.
  • Be aware that SecureXL does affect how the traffic passes through the firewall and only disable it if you are 100% sure of what you’re doing. Do it at your own risk, I do not take any responsibility for anything going wrong with this as it does affect the live traffic immediately. Read the blog’s disclaimer. :)

Display all 8 inspection points (iIoO) for complete two-way traffic on the console:

For specific flow:
fw monitor -e 'accept (src=10.1.1.1 and dst=20.2.2.2) or (src=20.2.2.2 and dst=10.1.1.1);' -m iIoO
OR
For specific IP:
fw monitor -e 'accept (src=10.1.1.1 or dst=10.1.1.1);' -m iIoO

Display 4 inspection points (iO) for complete two-way traffic on the console:

fw monitor -e 'accept (src=10.1.1.1 and dst=20.2.2.2) or (src=20.2.2.2 and dst=10.1.1.1);' -m iO
  • Note that we are only capturing iO, which means you are not looking at the post-inbound (I) and pre-outbound (o) inspection points; the aim is less output, just enough to see whether the packet actually leaves the egress interface or not.
  • If you suspect something missing, then run -m iIoO and see at which inspection point it’s getting stuck and use the previous post for troubleshooting tips.

Saving fw monitor logs to a .pcap file to analyse in Wireshark:

fw monitor -e 'accept (src=10.1.1.1 and dst=20.2.2.2) or (src=20.2.2.2 and dst=10.1.1.1);' -m iIoO -o wireshark.pcap
  • By default, the capture file is saved to the /home/admin directory.
  • Use WinSCP to access the Security Gateway and copy the file to your local drive to analyze it in Wireshark.
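The SecureXL off/capture/on sequence above is easy to get wrong when a capture is interrupted with Ctrl+C. The script below is an added example (not from the original post) that wraps the cheat-sheet commands so that `fwaccel on` is guaranteed to run when the capture ends, however it ends; it also builds the two-way and single-host filters from the IPs. It assumes it is run in expert mode on the gateway where `fw monitor` and `fwaccel` exist; the function names are my own.

```shell
#!/bin/bash
# Added example: wrap fw monitor so SecureXL is always re-enabled afterwards.
# Assumption: run in expert mode on the Security Gateway (fw, fwaccel on PATH).

# Two-way flow filter, same form as used throughout the cheat sheet.
build_flow_filter() {
    printf 'accept (src=%s and dst=%s) or (src=%s and dst=%s);' "$1" "$2" "$2" "$1"
}

# Single-host filter (traffic to or from one IP).
build_host_filter() {
    printf 'accept (src=%s or dst=%s);' "$1" "$1"
}

# Re-enable SecureXL exactly once, then clear the traps so it does not run twice.
reenable_securexl() {
    trap - EXIT INT TERM
    fwaccel on
}

# Run a two-way capture with SecureXL off.
# Usage: capture_flow SRC DST [MASK] [OUTFILE]   e.g. capture_flow 10.1.1.1 20.2.2.2 iIoO wireshark.pcap
capture_flow() {
    filter=$(build_flow_filter "$1" "$2")
    mask="${3:-iIoO}"
    outfile="${4:-}"
    fwaccel off
    # Runs on normal exit, on Ctrl+C (INT) and on TERM, so SecureXL is never left off.
    trap reenable_securexl EXIT INT TERM
    if [ -n "$outfile" ]; then
        fw monitor -e "$filter" -m "$mask" -o "$outfile"   # file lands in /home/admin by default
    else
        fw monitor -e "$filter" -m "$mask"
    fi
    reenable_securexl
}

# Only start a capture when SRC and DST are given; sourcing the file just defines the functions.
if [ $# -ge 2 ]; then
    capture_flow "$@"
fi
```

Source the file to reuse the filter builders on their own, or run it with the IPs (and optionally the mask and output file) as arguments.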

Saving a TCP dump in a .pcap file:

tcpdump -w capture.pcap -i eth-s1p2c0 host 10.1.1.1 and host 20.2.2.2
tcpdump -nni any host 10.1.1.1 -w capture.pcap
tcpdump -nni any host 10.1.1.1 and host 20.2.2.2 -w capture.pcap
  • Replace the interface name and capture name as required.

Switches:

Ctrl+C  This is the break sequence.
-e      Custom expression. Sets the filter for fw monitor.
-o      Writes the raw packet data output to a file.
-ci     Captures only the given number of inbound packets.
-co     Captures only the given number of outbound packets. Together with -ci this is useful if you have many packets going between a source and destination, as the break sequence can take time to stop those captures.
-v      Specifies the virtual device where fw monitor needs to run.

Related articles:

Understanding Inspection Points in Check Point
Analyzing FW Monitor Output in CLI

More on Check Point here:

https://networkology.net/category/checkpoint/


4 thoughts on “Using FW Monitor to Capture Traffic Flows in Check Point (Cheat Sheet)”

  1. NONE of your commands worked. I even tried a direct copy/paste and still came back with syntax errors. However, as a host IP capture this does work:

    fw monitor -e "host(192.168.2.1), accept;" -m iIoO

  2. Hi Spencer,

    Sorry about the commands not working for you. Maybe the commands have changed since the last time I used it. I believe I used this on R75, which version of CheckPoint are you running?

    For me it worked pretty well and I directly copy pasted those commands here :)

    Thanks,
    Shoaib
