Analyzing FW Monitor Output in CLI

If you understand the inspection points in Check Point and can use FW Monitor to get the required logs/captures, then you can read further on how to analyze those logs.


So to start off with, let's see what the different fields are in the picture of a sample log from the console:


Using FW Monitor to Capture Traffic Flows in Check Point (Cheat Sheet)

I’m in no way a Check Point junkie. I got these FW Monitor templates from my tech lead at work and he has been using these for over 10 years now. I find these templates just about enough to get me the captures that I need. If you need a more sophisticated FW Monitor, then I’d recommend you go through this document. In the next post after this I plan to write on how to analyze those logs/captures on your console and in Wireshark (this can get lengthy). In FW Monitor there are a few switches you can use to customize your captures but I’ve only posted some basic templates where you can just replace the IPs and run it.

If you’re not aware of the inspection points in Check Point, you can check out my previous post which will help you to understand the FW Monitor logs in a better way and possibly help in troubleshooting.


Understanding Inspection Points in Check Point

I was just about to put some FW Monitor templates on my blog for quick reference when I need to troubleshoot some issues in Check Point but I thought it would be a nice thing to explain this first (for myself too, as I keep forgetting this stuff :D).

When traffic flows through a Check Point Security Gateway (look here if you want to know about the architecture) it has to cross a series of inspection points. This post tries to explain what those inspection points are and how to troubleshoot traffic flows based on the inspection points. The next post will show how to use the FW Monitor.

Edit: Check the bottom of the post for an updated version of the inspection points in R80.x


Static PAT and Proxy ARP in Check Point R75

If you’re trying to configure a Static PAT/Port forwarding rule in Check Point and if it still isn’t working, then this post will help you to understand the reason behind it and also what additional configuration will be required to get it to work.

Adding a Static PAT/Port forwarding rule in Check Point is one hell of a task because Auto NAT in Check Point doesn't allow you to specify any ports (unlike Cisco ASA's Auto NAT post 8.3), so you have to use Manual NAT here. And to make that work you'll also have to configure Static ARPs on the firewall.

The reason for manually configuring the ARP entry is that, when you use a Manual NAT to configure a Static PAT rule, the external interface of the firewall does not proxy ARP if the NAT IP (public IP) used for the internal server belongs to the subnet connected to your ISP.

Order of Rule Enforcement in Check Point R75

The following lists the order in which the rules/policies/ACLs (whatever you may call them) are enforced in Check Point R75:

1. Anti-spoofing check

2. Implied rules configured First in the Global Properties.

3. Stealth rule (normally the first explicit rule)