So to start off with, let's see what the different fields are in the above picture of a sample log from the console:
I'm in no way a Check Point junkie. I got these FW Monitor templates from my tech lead at work, who has been using them for over 10 years now. I find these templates just about enough to get me the captures I need. If you need a more sophisticated FW Monitor capture, I'd recommend you go through this document. In the next post I plan to write about how to analyze those logs/captures on your console and in Wireshark (this can get lengthy). FW Monitor has a few switches you can use to customize your captures, but I've only posted some basic templates where you can just replace the IPs and run them.
If you're not aware of the inspection points in Check Point, check out my previous post, which will help you understand the FW Monitor logs better and possibly help in troubleshooting.
I was just about to put some FW Monitor templates on my blog for quick reference when I need to troubleshoot issues in Check Point, but I thought it would be nice to explain this first (for myself too, as I keep forgetting this stuff :D).
When traffic flows through a Check Point Security Gateway (look here if you want to know about the architecture), it has to cross a series of inspection points. This post explains what those inspection points are and how to troubleshoot traffic flows based on them. The next post will show how to use FW Monitor.
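As an added example (my own code, not from this blog or from Check Point), here is the kind of check I run on a saved FW Monitor capture once the inspection points are understood. A packet crossing the gateway is seen at up to four points in order: i (pre-inbound), I (post-inbound), o (pre-outbound) and O (post-outbound). The furthest point at which a packet still appears tells you where it died: seen at i but never at I means inbound inspection dropped it; seen at I but never at o means the kernel never forwarded it (routing); seen at o but never at O means outbound inspection dropped it; seen at O means it left the box and the problem is downstream. The script parses the classic one-line packet header that `fw monitor` prints (`eth0:i[60]: 10.1.1.10 -> 10.2.2.20 (TCP) len=60 id=4711`); that header format is an assumption on my side, and the capture lines embedded below are constructed, not a real capture.

```python
import re
from collections import OrderedDict

# Order in which a packet traverses the inspection points of a Check Point gateway.
# Assumed semantics: i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound.
POINT_ORDER = "iIoO"

# What it means when a packet is last seen at a given point (troubleshooting heuristic).
LAST_SEEN_MEANING = {
    "i": "dropped by inbound inspection (rulebase, IPS, anti-spoofing) before I",
    "I": "accepted inbound but never reached pre-outbound: routing / OS forwarding issue",
    "o": "dropped by outbound inspection before O",
    "O": "left the gateway; look at the next hop or the far end",
}

# Assumed header format of the text output of `fw monitor`, e.g.
#   eth0:i[60]: 10.1.1.10 -> 10.2.2.20 (TCP) len=60 id=4711
# with an optional "[vs_0][fw_0]" prefix on VSX / CoreXL systems.
HEADER_RE = re.compile(
    r"^(?:\[vs_\d+\]\[fw_\d+\]\s*)?"
    r"(?P<iface>\S+?):(?P<point>[iIoO])\[(?P<len>\d+)\]:\s*"
    r"(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s*\((?P<proto>\w+)\)"
)

# Constructed sample capture (not real data). It would be produced by something like:
#   fw monitor -m iIoO -e 'accept src=10.1.1.10 or dst=10.1.1.10;' > /tmp/capture.txt
SAMPLE_CAPTURE = """\
eth0:i[60]: 10.1.1.10 -> 10.2.2.20 (TCP) len=60 id=4711
TCP: 51522 -> 443 .S.... seq=1 ack=0
eth0:I[60]: 10.1.1.10 -> 10.2.2.20 (TCP) len=60 id=4711
TCP: 51522 -> 443 .S.... seq=1 ack=0
eth1:o[60]: 10.1.1.10 -> 10.2.2.20 (TCP) len=60 id=4711
TCP: 51522 -> 443 .S.... seq=1 ack=0
eth1:O[60]: 10.1.1.10 -> 10.2.2.20 (TCP) len=60 id=4711
TCP: 51522 -> 443 .S.... seq=1 ack=0
eth0:i[84]: 10.1.1.10 -> 10.2.2.30 (ICMP) len=84 id=8
eth0:i[60]: 10.1.1.11 -> 10.2.2.20 (TCP) len=60 id=99
TCP: 40000 -> 22 .S.... seq=1 ack=0
eth0:I[60]: 10.1.1.11 -> 10.2.2.20 (TCP) len=60 id=99
TCP: 40000 -> 22 .S.... seq=1 ack=0
"""


def parse_capture(text):
    """Map (src, dst, proto) -> list of inspection points at which packets were seen."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # continuation lines (ports, TCP flags) carry no inspection point
        key = (m["src"], m["dst"], m["proto"])
        flows.setdefault(key, []).append(m["point"])
    return flows


def furthest_point(points):
    """The inspection point furthest along the i -> I -> o -> O path."""
    return max(points, key=POINT_ORDER.index)


def diagnose(text):
    """Per flow: (furthest point seen, what that implies for troubleshooting)."""
    result = OrderedDict()
    for key, points in parse_capture(text).items():
        point = furthest_point(points)
        result[key] = (point, LAST_SEEN_MEANING[point])
    return result


if __name__ == "__main__":
    for (src, dst, proto), (point, meaning) in diagnose(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst} ({proto}): last seen at '{point}': {meaning}")
```

Point the script at the text you redirected from `fw monitor` instead of the embedded sample, and filter on the host you are chasing; a real capture also contains the reply direction, which shows up as its own flow key with src and dst swapped and has to pass the same four points on its way back.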