fw monitor

Description

Firewall Monitor is the Check Point traffic capture tool.

In a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., traffic passes through different inspection points - Chain Modules in the Inbound direction and then in the Outbound direction (see the "fw ctl chain" command.

The FW Monitor tool captures the traffic at each Chain Module in both directions.

You can later analyze the captured traffic with the same FW Monitor tool, or with special tools like Wireshark.

Notes:

Syntax for IPv4

fw monitor {-h | -help}

fw monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co <Number of Outbound Packets>] [-e <INSPECT Expression> | -f {<INSPECT Filter File> | -}] [-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"] [-i] [-l <Length>] [-m {i,I,o,O,e,E}] [-o <Output File> [-w]] [[-pi <Position>] [-pI <Position>] [-po <Position>] [-pO <Position>] | -p all [-a]] [-T] [-u | -s] [-U] [-v <VSID>] [-x <Offset>[,<Length>] [-w]]

Syntax for IPv6

fw6 monitor {-h | -help}

fw6 monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co <Number of Outbound Packets>] [-e <INSPECT Expression> | -f {<INSPECT Filter File> | -}] [-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"] [-i] [-l <Length>] [-m {i,I,o,O,e,E}] [-o <Output File> [-w]] [[-pi <Position>] [-pI <Position>] [-po <Position>] [-pO <Position>] | -p all [-a]] [-T] [-u | -s] [-U] [-v <VSID>] [-x <Offset>[,<Length>] [-w]]

Parameters

Parameter

Description

{-h | -help}

Shows the built-in usage.

-d

-D

Runs the command in debug mode and shows some information about how the FW Monitor starts and compiles the specified INSPECT filter:

  • -d

    Simple debug output.

  • -D

    Verbose output.

Note - You can specify both parameters to show more information.

-ci <Number of Inbound Packets>

-co <Number of Outbound Packets>

Specifies how many packets to capture.

The FW Monitor stops the traffic capture if it counted the specified number of packets.

  • -ci

    Specifies the number of inbound packets to count.

  • -co

    Specifies the number of inbound packets to count

Best Practice - You can use the "-ci" and the "-co" parameters together. This is especially useful during large volumes of traffic. In such scenarios, FW Monitor may bind so many resources (for writing to the console, or to a file) that recognizing the break sequence (CTRL+C) might take a very long time.

-e <INSPECT Expression>

or

-f {<INSPECT Filter File> | -}

Captures only specific packets of non-accelerated traffic:

  • "-e <INSPECT Expression>"

    Defines the INSPECT filter expression on the command line.

  • "-f <INSPECT Filter File>"

    Reads the INSPECT filter expression from the specified file. You must enter the full path and name of the plain-text file that contains the INSPECT filter expression.

  • "-f -"

    Reads the INSPECT filter expression from the standard input. After you enter the INSPECT filter expression, you must enter the ^D (CTRL+D) as the EOF (End Of File) character.

 

Warning - These INSPECT filters do not apply to the accelerated traffic.

Important - Make sure to enclose the INSPECT filter expression correctly in single quotes (ASCII value 39) or double quotes (ASCII value 34).

Notes:

-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"

Specifies the capture filter (for both accelerated and non-accelerated traffic):

 

Notes:

  • See syntax examples below (Examples for the "-F" parameter).

  • The "-F" parameter uses these Kernel Debug Filters.

    For more information, see Kernel Debug Filters.

    • For the Source IP address:

      simple_debug_filter_saddr_<N> "<IP Address>"

    • For the Source Ports:

      simple_debug_filter_sport_<N> <1-65535>

    • For the Destination IP address:

      simple_debug_filter_daddr_<N> "<IP Address>"

    • For the Destination Ports:

      simple_debug_filter_dport_<N> <1-65535>

    • For the Protocol Number:

      command_simple_debug_filter_proto_<N> <0-254>

  • Value 0 means "any".

  • This parameter supports up to 5 capture filters (up to 5 instances of the "-F" parameter in the syntax).

    The FW Monitor performs the logical "OR" between all specified simple capture filters.

-H

Creates an IP address filter.

For more information, see Kernel Debug Filters.

This parameter supports up to 3 capture filters (up to 3 instances of the "-H" parameter in the syntax).

Example - Capture only HTTP traffic to and from the Host 1.1.1.1:

fw ctl debug –H "1.1.1.1"

-i

Flushes the standard output.

Note - This parameter is valid only with the "-v <VSID>" parameter.

Best Practice - Use this parameter to make sure FW Monitor immediately writes the captured data for each packet to the standard output. This is especially useful if you want to kill a running FW Monitor process, and want to be sure that FW Monitor writes all the data to the specified file.

-l <Length>

Specifies the maximal length of the captured packets. FW Monitor reads only the specified number of bytes from each packet.

Notes:

  • This parameter is optional.

  • With this parameter you can capture only the headers from each packet (for example, IP and TCP) and omit the payload. This decreases the size of the output file. This also helps the internal FW Monitor buffer not to fill too fast.

  • Make sure to capture the minimal required number of bytes, to capture the Layer 3 IP header and Layer 4 Transport header.

-m {i, I, o, O, e, E}

Specifies the capture mask (inspection point) in relation to Chain Modules, in which the FW Monitor captures the traffic.

These are the inspection points, through which each packet passes on a Security Gateway.

  • -m i

    Pre-Inbound only (before the packet enters a Chain Module in the inbound direction)

  • -m I

    Post-Inbound only (after the packet passes a Chain Module in the inbound direction)

  • -m o

    Pre-Outbound only (before the packet enters a Chain Module in the outbound direction)

  • -m O

    Post-Outbound only (after the packet passes through a Chain Module in the outbound direction)

  • -m e

    Pre-Outbound VPN only (before the packet enters a VPN Chain Module in the outbound direction)

  • -m E

    Post-Outbound VPN only (after the packet passes through a VPN Chain Module in the outbound direction)

 

Notes:

  • You can specify several capture masks (for example, to see NAT on the egress packets, enter "... -m o O ...").

  • You can use this capture mask parameter "-m {i, I, o, O, e, E}" together with the chain module position parameter "-p{i | I | o | O}".

  • In the inbound direction:

    • All chain positions before the FireWall Virtual Machine module are Pre-Inbound (the "fw ctl chain" command shows this module as "fw VM inbound").

    • All chain modules after the FireWall Virtual Machine module are Post-Inbound.

  • In the outbound direction:

    • All chain position before the FireWall Virtual Machine module are Pre-Outbound.

    • All chain modules after the FireWall Virtual Machine module are Post-Outbound.

  • By default, the FW Monitor captures the traffic only in the FireWall Virtual Machine module.

  • The packet direction relates to each specific packet, and not to the connection's direction.

  • The letters "q" and "Q" after the inspection point mean that the QoSClosed Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency. policy is applied to the interface.

 

Example packet flows:

  • From a Client to a Server through the FireWall Virtual Machine module:

    [Client] --> ("i") {FW VM attached to eth1} ("I") [Security Gateway] ("o") {FW VM attached to eth2} ("O") --> [Server]

  • From a Server to a Client through the FireWall Virtual Machine module:

    [Client] <-- ("O") {FW VM attached to eth1} ("o") [Security Gateway] ("I") {FW VM attached to eth2} ("i") <-- [Server]

-o <Output File>

Specifies the output file, to which FW Monitor writes the captured raw data.

Important - If you do not specify the path explicitly, FW Monitor creates this output file in the current working directory. Because this output file can grow very fast to very large size, we always recommend to specify the full path to the largest partition /var/log/.

The format of this output file is the same format used by tools like snoop (refer to RFC 1761).

You can later analyze the captured traffic with the same FW Monitor tool, or with special tools like Wireshark.

-pi <Position>

-pI <Position>

-po <Position>

-pO <Position>

or

-p all [-a]

Inserts the FW Monitor Chain Module at the specified position between the kernel Chain Modules (see the "fw ctl chain" command).

If the FW Monitor writes the captured data to the specified output file (with the parameter "-o <Output File>"), it also writes the position of the FW Monitor chain module as one of the fields.

You can insert the FW Monitor Chain Module in these positions only:

  • -pi <Position>

    Inserts the FW Monitor Chain Module in the specified Pre-Inbound position.

  • -pI <Position>

    Inserts the FW Monitor Chain Module in the specified Post-Inbound position.

  • -po <Position>

    Inserts the FW Monitor Chain Module in the specified Pre-Outbound position.

  • -pO <Position>

    Inserts the FW Monitor Chain Module in the specified Post-Outbound position

  • -p all [-a]

    Inserts the FW Monitor Chain Module at all positions (both Inbound and Outbound).

    Warning - This parameter causes very high load on the CPU, but provides the most complete traffic capture.

    The "-a" parameter specifies to use absolute chain positions. This parameter changes the chain ID from a relative value (which only makes sense with the matching output from the "fw ctl chain" command) to an absolute value.

 

Notes:

  • <Position> can be one of these:

    • A relative position number

      In the output of the "fw ctl chain" command, refer to the numbers in the leftmost column (for example, 0, 5, 14).

    • A relative position alias

      In the output of the "fw ctl chain" command, refer to the internal chain module names in the rightmost column in the parentheses (for example, sxl_in, fw, cpas).

    • An absolute position

      In the output of the "fw ctl chain" command, refer to the numbers in the second column from the left (for example, -7fffffff, -1fffff8, 7f730000). In the syntax, you must write these numbers in the hexadecimal format (for example, -0x7fffffff, -0x1fffff8, 0x7f730000).

  • You can use this chain module position parameter "-p{i | I| o | O} ..." together with the capture mask parameter "-m {i, I, o, O, e, E}".

  • In the inbound direction:

    • All chain positions before the FireWall Virtual Machine module are Pre-Inbound (the "fw ctl chain" command shows this module as "fw VM inbound").

    • All chain modules after the FireWall Virtual Machine module are Post-Inbound.

  • In the outbound direction:

    • All chain position before the FireWall Virtual Machine module are Pre-Outbound.

    • All chain modules after the FireWall Virtual Machine module are Post-Outbound.

  • By default, the FW Monitor captures the traffic only in the FireWall Virtual Machine module.

  • The chain module position parameters "-p{i | I| o | O} ..." parameters do not apply to the accelerated traffic, which is still monitored at the default inbound and outbound positions.

  • For more information about the inspection points, see the applicable table below.

-T

Shows the timestamp for each packet:

DDMMMYYYY HH:MM:SS.mmmmmm

Best Practice - Use this parameter if you do not save the output to a file, but print it on the screen.

-u

or

-s

Shows UUID for each packet (it is only possible to print either the UUID, or the SUUID - not both):

  • -u

    Prints connection's Universal-Unique-ID (UUID) for each packet

  • -s

    Prints connection's Session UUID (SUUID) for each packet

-U

Removes the simple capture filters specified with this parameter:

-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"

-v <VSID>

On a VSX GatewayClosed Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. or VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster MemberClosed Security Gateway that is part of a cluster., captures the packets on the specified Virtual System or Virtual Router.

By default, FW Monitor captures the packets on all Virtual Systems and Virtual Routers.

Example:

fw monitor -v 4 -e "accept;" -o /var/log/fw_mon.cap

-w

Captures the entire packet, instead of only the header.

Must be used together with one of these parameters:

  • -o <Output File>

  • -x <Offset>[,<Length>]

-x <Offset>[,<Length>]

Specifies the position in each packet, where the FW Monitor starts to capture the data from each packet.

Optionally, it is also possible to limit the amount of data the FW Monitor captures.

  • <Offset>

    Specifies how many bytes to skip from the beginning of each packet. FW Monitor starts to capture the data from each packet only after the specified number of bytes.

  • <Length>

    Specifies the maximal length of the captured packets. FW Monitor reads only the specified number of bytes from each packet.

For example, to skip over the IP header and TCP header, enter "-x 52,96"

Inspection points in Security Gateway and in the FW Monitor output

Note - The Inbound and Outbound traffic direction relates to each specific packet, and not to the connection.

  • Inbound

    Name of inspection point

    Relation to the FireWall
    Virtual Machine

    Notion of inspection point
    in the FW Monitor output

    Pre-Inbound

    Before the inbound FireWall VM

    i (for example, eth4:i)

    Post-Inbound

    After the inbound FireWall VM

    I (for example, eth4:I)

    Pre-Inbound VPN

    Inbound before decrypt

    id (for example, eth4:id)

    Post-Inbound VPN

    Inbound after decrypt

    ID (for example, eth4:ID)

    Pre-Inbound QoS

    Inbound before QoS

    iq (for example, eth4:iq)

    Post-Inbound QoS

    Inbound after QoS

    IQ (for example, eth4:IQ)

  • Outbound

    Name of inspection point

    Relation to the FireWall
    Virtual Machine

    Notion of inspection point
    in the FW Monitor output

    Pre-Outbound

    Before the outbound FireWall VM

    o (for example, eth4:o)

    Post-Outbound

    After the outbound FireWall VM

    O (for example, eth4:O)

    Pre-Outbound VPN

    Outbound before encrypt

    e (for example, eth4:e)

    Post-Outbound VPN

    Outbound after encrypt

    E (for example, eth4:E)

    Pre-Outbound QoS

    Outbound before QoS

    oq (for example, eth4:oq)

    Post-Outbound QoS

    Outbound after QoS

    OQ (for example, eth4:OQ)

Generic Examples

Examples for the "-e" parameter

Examples for the "-F" parameter

You can specify up to 5 capture filters with this parameter (up to 5 instances of the "-F" parameter in the syntax).

The FW Monitor performs the logical "OR" between all specified simple capture filters.

Value 0 is used as "any".