
fw monitor

Description

Firewall Monitor is the Check Point traffic capture tool.

In a Security Gateway, traffic passes through different inspection points - Chain Modules in the Inbound direction and then in the Outbound direction.

The FW Monitor tool captures the traffic at each Chain Module in both directions.

You can later analyze the captured traffic with the same FW Monitor tool, or with special tools like Wireshark.

Notes:

Limitations:

For more information, see sk30583 and How to use FW Monitor.

Syntax for IPv4

fw monitor {-h | -help}

fw monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co <Number of Outbound Packets>] [-e <INSPECT Expression> | -f {<INSPECT Filter File> | -}] [-i] [-l <Length>] [-m {i,I,o,O,e,E}] [-o <Output File> [-w]] [[-pi <Position>] [-pI <Position>] [-po <Position>] [-pO <Position>] | -p all [-a]] [-T] [-u | -s] [-v <VSID>] [-x <Offset>[,<Length>]]

Syntax for IPv6

fw6 monitor {-h | -help}

fw6 monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co <Number of Outbound Packets>] [-e <INSPECT Expression> | -f {<INSPECT Filter File> | -}] [-i] [-l <Length>] [-m {i,I,o,O,e,E}] [-o <Output File> [-w]] [[-pi <Position>] [-pI <Position>] [-po <Position>] [-pO <Position>] | -p all [-a]] [-T] [-u | -s] [-v <VSID>] [-x <Offset>[,<Length>]]

Parameters

Parameter

Description

{-h | -help}

Shows the built-in usage.

-d

-D

Runs the command in debug mode and shows some information about how the FW Monitor starts and compiles the specified INSPECT filter:

  • -d - Simple debug output.
  • -D - Verbose output.

Note - You can specify both parameters to show more information.

-ci <Number of Inbound Packets>

-co <Number of Outbound Packets>

Specifies how many packets to capture.

FW Monitor stops the capture after it has counted the specified number of packets.

  • -ci - Specifies the number of inbound packets to count.
  • -co - Specifies the number of outbound packets to count.

You can use the "-ci" and the "-co" parameters together. This is especially useful during large volumes of traffic. In such scenarios, FW Monitor may consume so many resources (writing to the console, or to a file) that recognizing the break sequence (CTRL+C) might take a very long time.

-e <INSPECT Expression>

or

-f {<INSPECT Filter File> | -}

Captures only specific packets:

  • "-e <INSPECT Expression>" parameter - Defines the INSPECT filter expression on the command line.
  • "-f <INSPECT Filter File>" parameter - Reads the INSPECT filter expression from the specified file. You must enter the full path and name of the plain-text file that contains the INSPECT filter expression.
  • "-f -" parameter - Reads the INSPECT filter expression from the standard input. After you enter the INSPECT filter expression, you must enter the ^D (CTRL+D) as the EOF (End Of File) character.

Refer to the $FWDIR/lib/fwmonitor.def file for useful macro definitions.

For syntax examples, see sk30583.

Important - Make sure to enclose the INSPECT filter expression correctly in single quotes (ASCII value 39) or double quotes (ASCII value 34).

Note - In R80.20, the FW Monitor filters do not apply to the accelerated traffic.

-i

Flushes the standard output.

Note - This parameter is valid only with the "-v <VSID>" parameter.

Use this parameter to make sure that FW Monitor writes the captured data for each packet to the standard output immediately. This is especially useful if you intend to kill a running FW Monitor process and want to be sure that all the data captured so far has been written out before the process ends.

-l <Length>

Specifies the maximal length of the captured packets. FW Monitor reads only the specified number of bytes from each packet.

Notes:

  • This parameter is optional. By default, FW Monitor captures the full length of each packet.
  • This parameter lets you capture only the headers from each packet (for example, IP and TCP) and omit the payload. This decreases the size of the output file. This also helps the internal FW Monitor buffer not to fill too fast.
  • Make sure the length is large enough to capture at least the Layer 3 IP header and the Layer 4 transport header (a larger value is needed if the headers carry options).

-m {i, I, o, O, e, E}

Specifies the capture mask (inspection point) in relation to Chain Modules, in which the FW Monitor captures the traffic.

These are the inspection points, through which each packet passes on a Security Gateway.

  • -m i - Pre-Inbound only (before the packet enters a Chain Module in the inbound direction)
  • -m I - Post-Inbound only (after the packet passes a Chain Module in the inbound direction)
  • -m o - Pre-Outbound only (before the packet enters a Chain Module in the outbound direction)
  • -m O - Post-Outbound only (after the packet passes through a Chain Module in the outbound direction)
  • -m e - Pre-Outbound VPN only (before the packet enters a VPN Chain Module in the outbound direction)
  • -m E - Post-Outbound VPN only (after the packet passes through a VPN Chain Module in the outbound direction)

 

Notes:

  • You can specify several capture masks (for example, to see NAT on the egress packets, enter "... -m o -m O ...").
  • You can use this capture mask parameter "-m {i, I, o, O, e, E}" together with the chain module position parameter "-p{i | I | o | O}".
  • In the inbound direction:

    All chain positions before the FireWall Virtual Machine module (the fw ctl chain command shows it as fw VM inbound) are Pre-Inbound.

    All chain modules after the FireWall Virtual Machine module are Post-Inbound.

  • In the outbound direction:

    All chain positions before the FireWall Virtual Machine module are Pre-Outbound.

    All chain modules after the FireWall Virtual Machine module are Post-Outbound.

  • By default, the FW Monitor captures the traffic only in the FireWall Virtual Machine module.

Note - The packet direction relates to each specific packet, and not to the connection's direction.

Note - The letters "q" and "Q" after the inspection point in the output (for example, eth0:iq, eth0:OQ) mean that a QoS policy is applied to the interface.

 

Example packet flows:

  • From a Client to a Server through the FireWall Virtual Machine module:

    [Client] --> ("i") {FW VM attached to eth1} ("I") [Security Gateway] ("o") {FW VM attached to eth2} ("O") --> [Server]

  • From a Server to a Client through the FireWall Virtual Machine module:

    [Client] <-- ("O") {FW VM attached to eth1} ("o") [Security Gateway] ("I") {FW VM attached to eth2} ("i") <-- [Server]

-o <Output File>

Specifies the output file, to which FW Monitor writes the captured raw data.

Important - If you do not specify the path explicitly, FW Monitor creates this output file in the current working directory. Because this output file can grow very fast to a very large size, we recommend that you always specify the full path to a file on the largest partition, /var/log/.

The format of this output file is the same format used by tools like snoop (refer to RFC 1761).

You can later analyze the captured traffic with the same FW Monitor tool, or with special tools like Wireshark.

-pi <Position>

-pI <Position>

-po <Position>

-pO <Position>

or

-p all [-a]

Inserts the FW Monitor Chain Module at the specified position between the kernel Chain Modules.

If the FW Monitor writes the captured data to the specified output file (with the parameter "-o <Output File>"), it also writes the position of the FW Monitor chain module as one of the fields.

You can insert the FW Monitor Chain Module in these positions only:

  • -pi <Position> - Inserts the FW Monitor Chain Module in the specified Pre-Inbound position.
  • -pI <Position> - Inserts the FW Monitor Chain Module in the specified Post-Inbound position.
  • -po <Position> - Inserts the FW Monitor Chain Module in the specified Pre-Outbound position.
  • -pO <Position> - Inserts the FW Monitor Chain Module in the specified Post-Outbound position.
  • -p all [-a] - Inserts the FW Monitor Chain Module at all positions (both Inbound and Outbound).

    Important - This causes high load on the CPU, but provides the most complete traffic capture.

    The "-a" parameter specifies to use absolute chain positions. This parameter changes the chain ID from a relative value (which only makes sense with the matching output from the fw ctl chain command) to an absolute value.

 

Notes:

  • <Position> can be one of these:
    • A relative position number - in the output of the fw ctl chain command, refer to the numbers in the leftmost column (for example, 0, 5, 14).
    • A relative position alias - in the output of the fw ctl chain command, refer to the internal chain module names in the rightmost column in the parentheses (for example, sxl_in, fw, cpas).
    • An absolute position - in the output of the fw ctl chain command, refer to the numbers in the second column from the left (for example, -7fffffff, -1fffff8, 7f730000). In the syntax, you must write these numbers in the hexadecimal format (for example, -0x7fffffff, -0x1fffff8, 0x7f730000).
  • You can use this chain module position parameter "-p{i | I| o | O} ..." together with the capture mask parameter "-m {i, I, o, O, e, E}".
  • In the inbound direction:

    All chain positions before the FireWall Virtual Machine module (the fw ctl chain command shows it as fw VM inbound) are Pre-Inbound.

    All chain modules after the FireWall Virtual Machine module are Post-Inbound.

  • In the outbound direction:

    All chain positions before the FireWall Virtual Machine module are Pre-Outbound.

    All chain modules after the FireWall Virtual Machine module are Post-Outbound.

  • By default, the FW Monitor captures the traffic only in the FireWall Virtual Machine module.

Important - For more information about the inspection points, see the applicable table below.
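The three spellings of <Position> (relative number, alias, absolute hex) all name the same chain module, and once "fw monitor -p..." is running, the only way to confirm where the capture point landed is to read "fw ctl chain" again, as Example 3 below does. The following Python is an added example, not part of this reference and not Check Point code: it parses a "fw ctl chain" listing (the inbound chain from this page, embedded as constructed sample input), resolves a module by relative number, alias or absolute position, prints the equivalent -p spellings, and reports where the fwmonitor modules currently sit. The class and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample input: the inbound chain from the `fw ctl chain` listing on this page,
# taken while FW Monitor runs with its default capture positions. A real listing also has
# an "out chain" section, which parse_chain() handles identically.
CHAIN_LISTING = """\
in chain (17):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
4: -1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
5: -1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
13: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
"""

SECTION_RE = re.compile(r"^(?P<dir>in|out) chain \((?P<count>\d+)\):")
# <relative index>: <signed absolute hex> (<address>) (<flags>) <name> [(<alias>)]
# Some renderings print a space between the sign and the digits ("- 1fffff8"); \s* absorbs it.
MODULE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s*(?P<sign>-?)\s*(?P<abs>[0-9a-f]+)\s+"
    r"\((?P<addr>[0-9a-f]+)\)\s+\((?P<flags>[0-9a-f]+)\)\s+(?P<name>.+?)\s*$"
)
# The alias is a trailing parenthesised [a-z0-9_] token; "(in)", "(i/f side)" and "(IP side)"
# are part of the name, not aliases.
ALIAS_RE = re.compile(r"^(?P<name>.*\S)\s+\((?P<alias>[a-z0-9_]+)\)$")


@dataclass
class ChainModule:
    index: int            # relative position (leftmost column)
    abs_pos: int          # absolute position (second column, signed hex)
    name: str
    alias: Optional[str]

    @property
    def abs_syntax(self) -> str:
        """Absolute position as -p{i,I,o,O} expects it, e.g. -0x1fffff8 or 0x7f730000."""
        return f"{'-' if self.abs_pos < 0 else ''}0x{abs(self.abs_pos):x}"


def parse_chain(text: str) -> Dict[str, List[ChainModule]]:
    """Parse `fw ctl chain` output into {"in": [...], "out": [...]}; raise ValueError when a
    section's declared module count disagrees with the entries found (truncated paste)."""
    chains: Dict[str, List[ChainModule]] = {}
    declared: Dict[str, int] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec["dir"]
            declared[current], chains[current] = int(sec["count"]), []
            continue
        mod = MODULE_RE.match(line)
        if mod and current is not None:
            name, alias = mod["name"], None
            am = ALIAS_RE.match(name)
            if am:
                name, alias = am["name"], am["alias"]
            chains[current].append(ChainModule(int(mod["idx"]), int(mod["sign"] + mod["abs"], 16), name, alias))
    for direction, mods in chains.items():
        if len(mods) != declared[direction]:
            raise ValueError(f"{direction} chain: header says {declared[direction]}, parsed {len(mods)}")
    return chains


def find(modules: List[ChainModule], ident: Union[int, str]) -> ChainModule:
    """Locate one module by relative index (int), alias (str) or absolute hex position (str)."""
    if isinstance(ident, int):
        hits = [m for m in modules if m.index == ident]
    else:
        hits = [m for m in modules if m.alias == ident]
        if not hits:
            try:
                hits = [m for m in modules if m.abs_pos == int(ident, 16)]
            except ValueError:
                hits = []
    if len(hits) != 1:
        raise LookupError(f"{ident!r}: {len(hits)} matching modules")
    return hits[0]


def position_options(modules: List[ChainModule], ident: Union[int, str], direction: str) -> List[str]:
    """Equivalent -p<direction> spellings (relative number, alias if any, absolute position)
    for inserting the FW Monitor module in front of the given module."""
    if direction not in ("i", "I", "o", "O"):
        raise ValueError("direction must be one of i, I, o, O")
    m = find(modules, ident)
    opts = [f"-p{direction} {m.index}"] + ([f"-p{direction} {m.alias}"] if m.alias else [])
    return opts + [f"-p{direction} {m.abs_syntax}"]


def monitor_positions(modules: List[ChainModule]) -> List[Tuple[int, str]]:
    """(relative index, name of the module that follows) for each fwmonitor module in the chain:
    read this from a fresh `fw ctl chain` to confirm a -p... option landed where intended."""
    by_index = {m.index: m for m in modules}
    return [(m.index, by_index[m.index + 1].name if m.index + 1 in by_index else "<end of chain>")
            for m in modules if m.name.startswith("fwmonitor")]


if __name__ == "__main__":
    chain = parse_chain(CHAIN_LISTING)
    print(position_options(chain["in"], "fw", "i"))   # ['-pi 6', '-pi fw', '-pi 0x0']
    print(monitor_positions(chain["in"]))
```

Relative numbers shift as soon as a module is inserted (in Example 3, "-pi 2" places fwmonitor at index 2 and pushes IP Options Strip to 3), so when a capture position has to be reproduced across gateways or after another module loads, the alias or the absolute position is the stable spelling; the relative number is only meaningful against the "fw ctl chain" output it was read from.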

-T

Shows the timestamp for each packet:

DDMMMYYYY HH:MM:SS.mmmmmm

Note - Use this parameter if you do not save the output to a file, but print it on the screen.

-u

or

-s

Shows UUID for each packet:

  • -u - Prints connection's Universal-Unique-ID (UUID) for each packet
  • -s - Prints connection's Session UUID (SUUID) for each packet

Note - It is only possible to print the UUID, or the SUUID - not both.

-v <VSID>

On a VSX Gateway or VSX Cluster Member, captures the packets on the specified Virtual System or Virtual Router.

By default, FW Monitor captures the packets on all Virtual Systems and Virtual Routers.

Example:

fw monitor -v 4 -e "accept;" -o /var/log/fw_mon.cap

-x <Offset>[,<Length>]

Specifies the position in each packet, where the FW Monitor starts to capture the data from each packet.

Optionally, it is also possible to limit the amount of data the FW Monitor captures.

  • <Offset> - Specifies how many bytes to skip from the beginning of each packet. FW Monitor starts to capture the data from each packet only after the specified number of bytes.
  • <Length> - Specifies the maximal length of the captured packets. FW Monitor reads only the specified number of bytes from each packet.

For example, to skip over the IP header and the TCP header and limit the capture to the next 96 bytes, enter -x 52,96. The offset must match the actual header lengths: 52 bytes corresponds to a 20-byte IP header followed by a 32-byte TCP header (20 bytes plus 12 bytes of options); without TCP options the two headers take 40 bytes.

Inspection points in Security Gateway and in FW Monitor output

Note - The Inbound and Outbound traffic direction relates to each specific packet, and not to the connection.

Example 1 - Default syntax

[Expert@MyGW:0]# fw monitor

monitor: getting filter (from command line)

monitor: compiling

monitorfilter:

Compiled OK.

monitor: loading

monitor: monitoring (control-C to stop)

[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789

TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13

[vs_0][fw_1] eth0:I[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789

TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13

[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31790

TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a47

... ... ...

monitor: caught sig 2

monitor: unloading

[Expert@MyGW:0]#

Example 2 - Capture only three Pre-Inbound packets at the FireWall Virtual Machine module

[Expert@MyGW:0]# fw monitor -m i -ci 3

monitor: getting filter (from command line)

monitor: compiling

monitorfilter:

Compiled OK.

monitor: loading

monitor: monitoring (control-C to stop)

[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31905

TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e683b

[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31906

TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e68ef

[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31907

TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e69a3

monitor: unloading

Read 3 inbound packets and 0 outbound packets

[Expert@MyGW:0]#

Example 3 - Insert the FW Monitor chain module before chain position #2 and capture only three inbound packets

[Expert@MyGW:0]# fw ctl chain

in chain (15):

0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)

1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)

2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)

3: -1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)

4: -1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding

5: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)

6: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)

7: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module

8: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)

9: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)

10: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)

11: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)

12: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)

13: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)

14: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)

out chain (14):

0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)

1: -1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)

2: -1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)

3: -1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)

4: -1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)

5: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)

6: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)

7: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)

8: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)

9: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)

10: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)

11: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)

12: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)

13: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)

[Expert@MyGW:0]#

[Expert@MyGW:0]# fw monitor -pi 2 -ci 3

monitor: getting filter (from command line)

monitor: compiling

monitorfilter:

Compiled OK.

monitor: loading

in chain (17):

0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)

1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)

2: -7f800001 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)

3: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)

4: -1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)

5: -1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding

6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)

7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)

8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module

9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)

10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)

11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)

12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)

13: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)

14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)

15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)

16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)

out chain (16):

0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)

1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)

2: -1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)

3: -1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)

4: -1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)

5: -1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)

6: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)

7: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)

8: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)

9: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)

10: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)

11: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)

12: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)

13: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)

14: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)

15: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)

monitor: monitoring (control-C to stop)

[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575

TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce

[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575

TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce

[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022

TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31

[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022

TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31

[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37576

TCP: 22 -> 51702 ...PA. seq=34e2b3d5 ack=e6c995ce

[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37576

TCP: 22 -> 51702 ...PA. seq=34e2b3d5 ack=e6c995ce

[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32023

TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2b8f9

[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32023

TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2b8f9

[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37577

TCP: 22 -> 51702 ...PA. seq=34e2b8f9 ack=e6c995ce

[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356 id=37577

TCP: 22 -> 51702 ...PA. seq=34e2b8f9 ack=e6c995ce

[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[412]: 192.168.204.40 -> 192.168.204.1 (TCP) len=412 id=37578

TCP: 22 -> 51702 ...PA. seq=34e2be1d ack=e6c995ce

[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[412]: 192.168.204.40 -> 192.168.204.1 (TCP) len=412 id=37578

TCP: 22 -> 51702 ...PA. seq=34e2be1d ack=e6c995ce

[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32024

TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2bf91

[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32024

TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2bf91

[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[716]: 192.168.204.40 -> 192.168.204.1 (TCP) len=716 id=37579

TCP: 22 -> 51702 ...PA. seq=34e2bf91 ack=e6c995ce

[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[716]: 192.168.204.40 -> 192.168.204.1 (TCP) len=716 id=37579

TCP: 22 -> 51702 ...PA. seq=34e2bf91 ack=e6c995ce

monitor: unloading

Read 3 inbound packets and 5 outbound packets

[Expert@MyGW:0]#

Example 4 - Show timestamps in the output for each packet

[Expert@MyGW:0]# fw monitor -T

monitor: getting filter (from command line)

monitor: compiling

monitorfilter:

Compiled OK.

monitor: loading

monitor: monitoring (control-C to stop)

[vs_0][fw_1] 12Sep2018 19:08:05.453947 eth0:oq[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124 id=38414

TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092

[vs_0][fw_1] 12Sep2018 19:08:05.453960 eth0:OQ[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124 id=38414

TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092

[vs_0][fw_1] 12Sep2018 19:08:05.454059 eth0:oq[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38415

TCP: 22 -> 64424 ...PA. seq=1c23929e ack=3c951092

[vs_0][fw_1] 12Sep2018 19:08:05.454064 eth0:OQ[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38415

TCP: 22 -> 64424 ...PA. seq=1c23929e ack=3c951092

[vs_0][fw_1] 12Sep2018 19:08:05.454072 eth0:oq[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38416

TCP: 22 -> 64424 ...PA. seq=1c239372 ack=3c951092

[vs_0][fw_1] 12Sep2018 19:08:05.454074 eth0:OQ[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252 id=38416

TCP: 22 -> 64424 ...PA. seq=1c239372 ack=3c951092

[vs_0][fw_1] 12Sep2018 19:08:05.463165 eth0:iq[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398

TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446

[vs_0][fw_1] 12Sep2018 19:08:05.463177 eth0:IQ[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398

TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446

monitor: unloading

[Expert@MyGW:0]#
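Each packet appears once per inspection point it reaches, with the same IP id on every line, so a text capture can be post-processed to follow one packet from "i" to "O", to spot a packet that reaches "i" but never "I" (dropped between the two capture points), and to see addresses or ports change between "i" and "I" or between "o" and "O" where NAT is applied. The Python below is an added example, not part of this reference and not Check Point code: it parses the output format shown in Examples 1 to 4 (including the timestamp printed with -T and the position and module name printed with -p), groups the lines per packet and reports both conditions. The sample input is constructed: packets 37575 and 17398 are copied from the examples above, packets 4000 and 4001 and the addresses 10.0.0.5, 198.51.100.2 and 203.0.113.9 are made up, and the class and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input. Packets 37575 and 17398 are copied from the examples on this
# page; 4000 and 4001 (and their 10.0.0.5 / 198.51.100.2 / 203.0.113.9 addresses) are made
# up: 4000 vanishes between "i" and "I", 4001 is Hide-NATed between "o" and "O".
SAMPLE = """\
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] 12Sep2018 19:08:05.463165 eth0:iq[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398
TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446
[vs_0][fw_1] 12Sep2018 19:08:05.463177 eth0:IQ[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398
TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446
[vs_0][fw_1] eth1:i[60]: 10.0.0.5 -> 203.0.113.9 (TCP) len=60 id=4000
TCP: 40000 -> 23 .S.... seq=00000001 ack=00000000
[vs_0][fw_1] eth1:i[60]: 10.0.0.5 -> 203.0.113.9 (TCP) len=60 id=4001
TCP: 40001 -> 443 .S.... seq=00000001 ack=00000000
[vs_0][fw_1] eth1:I[60]: 10.0.0.5 -> 203.0.113.9 (TCP) len=60 id=4001
TCP: 40001 -> 443 .S.... seq=00000001 ack=00000000
[vs_0][fw_1] eth0:o[60]: 10.0.0.5 -> 203.0.113.9 (TCP) len=60 id=4001
TCP: 40001 -> 443 .S.... seq=00000001 ack=00000000
[vs_0][fw_1] eth0:O[60]: 198.51.100.2 -> 203.0.113.9 (TCP) len=60 id=4001
TCP: 10001 -> 443 .S.... seq=00000001 ack=00000000
"""

# [vs_N][fw_N] [<timestamp, -T>] <if>:<point>[q][<pos>] [(<module>, -p)][<caplen>]: <src> -> <dst> (<proto>) len=N id=N
HEADER_RE = re.compile(
    r"^\[vs_(?P<vs>\d+)\]\[fw_(?P<inst>\d+)\]\s+"
    r"(?:(?P<ts>\d{1,2}[A-Za-z]{3}\d{4} \d\d:\d\d:\d\d\.\d+)\s+)?"
    r"(?P<ifc>[^:\s]+):(?P<point>[iIoOeE])(?P<qos>[qQ]?)(?P<pos>\d*)"
    r"(?:\s+\((?P<module>.*?)\))?\[(?P<caplen>\d+)\]:\s+"
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=(?P<len>\d+) id=(?P<id>\d+)"
)
L4_RE = re.compile(r"^(?P<proto>TCP|UDP): (?P<sport>\d+) -> (?P<dport>\d+)(?:\s+(?P<flags>[.A-Z]{6}))?")
Key = Tuple[int, str, int]   # (vs, protocol, IP id)


@dataclass
class Hop:
    point: str                     # inspection point: i, I, o, O, e or E (see -m)
    ifc: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: Optional[str] = None
    module: Optional[str] = None   # chain module name, printed when -p... is used
    pos: Optional[int] = None      # chain position, printed when -p... is used
    qos: bool = False              # q/Q suffix: a QoS policy is applied to the interface
    ts: Optional[str] = None       # timestamp, printed with -T


def parse(text: str) -> Dict[Key, List[Hop]]:
    """Group output lines into one trace per packet, keyed by (vs, protocol, IP id). The IP id
    is unchanged by NAT, so one packet can be followed across every inspection point; in a
    large capture two hosts can reuse an id, in which case add the TCP seq to the key."""
    traces: Dict[Key, List[Hop]] = {}
    last: Optional[Hop] = None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            last = Hop(h["point"], h["ifc"], h["src"], h["dst"], module=h["module"],
                       pos=int(h["pos"]) if h["pos"] else None, qos=bool(h["qos"]), ts=h["ts"])
            traces.setdefault((int(h["vs"]), h["proto"], int(h["id"])), []).append(last)
            continue
        l4 = L4_RE.match(line)
        if l4 and last is not None:   # the transport line belongs to the preceding header line
            last.sport, last.dport, last.flags = int(l4["sport"]), int(l4["dport"]), l4["flags"]
            last = None
    return traces


def points(hops: List[Hop]) -> List[str]:
    return [h.point for h in hops]


def incomplete(traces: Dict[Key, List[Hop]]) -> List[Key]:
    """Packets seen entering a direction but never leaving it: "i" without "I" means the packet
    was dropped by the firewall VM or another module between the two capture points (or the
    capture ended first, e.g. because of -ci); "o" without "O" likewise for outbound."""
    bad = []
    for key, hops in traces.items():
        seen = set(points(hops))
        if ("i" in seen and "I" not in seen) or ("o" in seen and "O" not in seen):
            bad.append(key)
    return bad


def translations(traces: Dict[Key, List[Hop]]) -> List[Tuple[Key, str, str, dict]]:
    """Address or port changes between consecutive capture points of one packet, i.e. where
    NAT was applied. Returns (key, from_point, to_point, {field: (before, after)})."""
    found = []
    for key, hops in traces.items():
        for a, b in zip(hops, hops[1:]):
            diff = {f: (getattr(a, f), getattr(b, f)) for f in ("src", "dst", "sport", "dport")
                    if getattr(a, f) != getattr(b, f)}
            if diff:
                found.append((key, a.point, b.point, diff))
    return found
```

A gap in a trace is only meaningful for traffic that actually traverses the FW Monitor chain module: a -ci or -co limit can end the capture between two inspection points of the same packet, a packet addressed to the gateway itself legitimately ends at "I" (as the SSH packets in Example 1 do), and packets handled by SecureXL may bypass the chain positions where FW Monitor sits, so absence at a point should be confirmed with the -p positions and the fw ctl chain listing before it is read as a drop.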

Example - List of chain modules while FW Monitor runs with the default capture positions

[Expert@MyGW:0]# fw ctl chain

in chain (17):

0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)

1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)

2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)

3: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)

4: -1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)

5: -1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding

6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)

7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)

8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module

9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)

10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)

11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)

12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)

13: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)

14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)

15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)

16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)

out chain (16):

0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)

1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)

2: -1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)

3: -1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)

4: -1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)

5: -1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)

6: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)

7: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)

8: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)

9: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)

10: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)

11: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)

12: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)

13: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)

14: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)

15: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)

[Expert@MyGW:0]#