fw up_execute
Description
Executes the offline Unified Policy on the Security Gateway.
You can examine the Security Gateway behavior for the specified traffic in the current Access Control and NAT Policy.
For example, view the reason why a packet was not matched to a specified rule.
Requirement - You must install a user-defined Access Control Policy on the Security Gateway.
This tool:
- Creates a packet based on the specified parameters.
- Runs the current Access Control and NAT Policy on this packet.
- Shows all the classification information.

Note - You can also use the Gaia API v1.8 call "
This command only supports:
- Source IP address, Destination IP address, and objects that contain an IP address.
- Simple services objects (based on a destination port, source port, and protocol).
- Protocol detection.
- Application detection.
- First packet match.
  Explanation: The Security Gateway must inspect several data packets to determine an application or an involved data protocol. Because this tool simulates a single (first) packet, it cannot detect an application or protocol on its own. If it is necessary to simulate a packet from an application or a data protocol, you must specify these explicitly in the syntax.
- TCP v4 and TCP v6 traffic (protocol #6).
- UDP v4 and UDP v6 traffic (protocol #17).
- ICMP v4 and ICMPv6 traffic (protocol #1 in this tool's syntax; note that ICMPv6 itself is IANA protocol 58).
- Security Zone.
- Access Roles.
- Domain Objects.
- Updatable Objects.
- Other Service, only if:
  - In the IP Protocol field, you configured the number of one of the supported protocols (TCP - 6, UDP - 17, ICMP - 1).
  - You did not configure a Match expression (on the Advanced page).
- Time Objects.
Limitations:
- These are not supported: DCE-RPC service, Content Awareness Software Blade, VPN traffic, Resource object, Mobile Access applications.
- NAT64 rules are not supported.
- NAT46 rules are not supported.
- CGNAT settings are not supported.
- When you run the tool in the NAT policy mode, the tool ignores the checkbox "Disable NAT inside the VPN community" in the VPN Community objects.

Important:

Syntax for an Access Control Rule for TCP / UDP traffic
Syntax for an Access Control Rule for ICMP traffic
Syntax for a NAT Rule

The syntax blocks are not reproduced on this page; the command at the top of each output in "Example Outputs" below shows the Access Control (TCP) and NAT forms in use.

Note - For IPv6, use the "
Parameters

The order of the parameters does not matter. The parameter names in the left column are taken from the example commands below; for parameters that do not appear in any example, and for the value lists and the debug command that are not reproduced on this page, run the command with no parameters to see the built-in usage.

| Parameter | Description |
|---|---|
| No Parameters | Shows the built-in usage. |
| Debug flag (see built-in usage) | Runs the command in debug mode. Use only if you troubleshoot the command itself. |
| mode= | Specifies the rule mode: access (Access Control Policy) or nat (NAT Policy), as used in the Output Examples below. |
| in_ifn= | Specifies the name of the interface on which the simulated packet arrives (for example, eth0 or eth1). The Output Examples below use in_ifn=localhost for traffic that originates on the Security Gateway itself. |
| ipp= | Specifies the IANA Protocol Number in the Hexadecimal format. Supported protocols: TCP (6), UDP (17 decimal, 0x11 hexadecimal), ICMP (1). For TCP and ICMP the decimal and hexadecimal values coincide; for UDP, confirm the expected format in the built-in usage before you rely on the result. |
| src= | Specifies the Source IP address. |
| Source port (see built-in usage) | Optional parameter. Specifies the Source Port number in the Decimal format. Default value: 12345 (Output Example 5 below shows this default as the pre-NAT source port). |
| dst= | Specifies the Destination IP address. |
| dport= | Specifies the Destination Port number in the Decimal format. |
| ICMP Type and Code (see built-in usage) | Specifies the ICMP Type and ICMP Code. For ICMPv4, only specific Type/Code pairs are supported; for ICMPv6 a separate set applies. |
| Protocol detection name (see built-in usage) | Optional parameter. Specifies the protocol detection name (HTTP, HTTPS, and so on), if the "Protocol Signature" option is enabled in the applicable service. |
| application= | Optional parameter. Specifies the name of the Application/Category as defined in SmartConsole. You can specify multiple applications. If the Application/Category name contains spaces, you must enclose it in double quotes (Output Example 3 below uses application="Facebook"). |
| access_rule_search_uid= | Specifies the UID of an Access Control rule to examine why the packet did not match this rule. In the Access Control policy, in the applicable rule, right-click the No. column and click Copy Rule UID. |

Syntax Examples: the syntax examples are not reproduced on this page; see the command line at the top of each output in "Example Outputs" below.
Example Outputs

Example Access Control Policy - Network Layer:
Example Access Control Policy - Application Control Layer:
Example NAT Policy:
(The three policy tables are not reproduced on this page; the objects they use are listed below.)

Where:
- United States = An Updatable Object
- MyServer = A Host object with IPv4 address 10.10.10.1
- MyServer_NAT_IP = A Host object with IPv4 address 194.1.1.1
- MyClient = A Host object with IPv4 address 192.168.1.1
- MyClient_NAT_IP = A Host object with IPv4 address 172.16.4.1
- MyNetwork = A Network object with IPv4 address 172.29.113.200
- .checkpoint.com = A Domain object
Output Example 1 - Access Control - incoming traffic is matched to a user-defined rule

```
[Expert@MyGW:0]# fw up_execute mode=access in_ifn=eth0 ipp=6 src=209.87.209.100 dst=10.10.10.1 dport=443
Rulebase execution ended successfully.

Overall status:
----------------
Match status: MATCH
Match action: Accept
Object types required for matching: None
Object types required for logging: None

Per Layer:
------------
Layer name: Network
Layer uuid: xxx-xxx-xxx-xxx-xxx
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 1
Matched rule uuid: xxx-xxx-xxx-xxx-xxx
Possible rules: 1 3 4

Reported clobs:
------------
Type 4 (SERVICE):
    https [xxx-xxx-xxx-xxx]
Type 7 (SOURCE_ACCESS_ROLE):
    Unknown [xxx-xxx-xxx-xxx]
Type 8 (DESTINATION_ACCESS_ROLE):
    Unknown [xxx-xxx-xxx-xxx]
Type 17 (SOURCE_DYNOBJ):
    CP_GEO_US [xxx-xxx-xxx-xxx]
Type 29 (MAB_APPLICATION):
    Unknown [xxx-xxx-xxx-xxx]
Type 32 (SOURCE_FQDN_DOMAIN):
    .checkpoint.com [xxx-xxx-xxx-xxx]
[Expert@MyGW:0]#
```
Output Example 2 - Access Control - outgoing traffic is matched to an implied rule

```
[Expert@MyGW:0]# fw up_execute mode=access in_ifn=localhost ipp=6 src=172.29.113.201 dst=10.10.10.1 dport=443
Rulebase execution ended successfully.

Overall status:
----------------
Match status: MATCH
Match action: Accept
Object types required for matching: None
Object types required for logging: None

Per Layer:
------------
Layer name: Network
Layer uuid: xxx-xxx-xxx-xxx-xxx
Layer id: 0
Match status: Override by implied rule before last: accept_outgoing (id 69)
Match action: Accept

Reported clobs:
------------
Type 1 (APPLICATION):
    Unknown Traffic [xxx-xxx-xxx-xxx]
    Unknown Traffic (appi category) [xxx-xxx-xxx-xxx]
    Unknown Traffic (urlf category) [xxx-xxx-xxx-xxx]
Type 4 (SERVICE):
    https [xxx-xxx-xxx-xxx]
Type 7 (SOURCE_ACCESS_ROLE):
    Unknown [xxx-xxx-xxx-xxx]
Type 8 (DESTINATION_ACCESS_ROLE):
    Unknown [xxx-xxx-xxx-xxx]
Type 29 (MAB_APPLICATION):
    Unknown [xxx-xxx-xxx-xxx]
Type 32 (SOURCE_FQDN_DOMAIN):
    Unknown [xxx-xxx-xxx-xxx]
Type 41 (FILE):
    Unknown [xxx-xxx-xxx-xxx]
Type 42 (CONTENT):
    Unknown [xxx-xxx-xxx-xxx]
[Expert@MyGW:0]#
```

Note that no user-defined rule was matched here: the "Match status" line names the implied rule (accept_outgoing) that accepted the packet before the last rule. When you check a policy with this tool, read the per-layer "Match status", not only the overall "Match action".
Output Example 3 - Access Control - traffic from MyClient to Facebook is accepted by the Network Layer and dropped by a user-defined rule in the Application Control Layer

```
[Expert@MyGW:0]# fw up_execute mode=access in_ifn=eth1 ipp=6 src=192.168.1.1 dst=157.240.252.35 dport=443 application="Facebook"
Rulebase execution ended successfully.

Overall status:
----------------
Match status: MATCH
Match action: Drop
Object types required for matching: None
Object types required for logging: None

Per Layer:
------------
Layer name: Network
Layer uuid: xxx-xxx-xxx-xxx-xxx
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 4
Matched rule uuid: xxx-xxx-xxx-xxx-xxx
Possible rules: 4

Layer name: Application Control
Layer uuid: xxx-xxx-xxx-xxx-xxx
Layer id: 1
Match status: MATCH
Match action: Drop
Matched rule: 1
Matched rule uuid: xxx-xxx-xxx-xxx-xxx
Possible rules: 1 2 3

Reported clobs:
------------
Type 1 (APPLICATION):
    Facebook [xxx-xxx-xxx-xxx]
    Social Networking (appi category) [xxx-xxx-xxx-xxx]
    Low Risk (urlf category) [xxx-xxx-xxx-xxx]
    Social Networking (urlf category) [xxx-xxx-xxx-xxx]
Type 4 (SERVICE):
    https [xxx-xxx-xxx-xxx]
    cp_tcp_XXX_XXX_XXX_XXX_XXX [xxx-xxx-xxx-xxx]
Type 7 (SOURCE_ACCESS_ROLE):
    Unknown [xxx-xxx-xxx-xxx]
Type 8 (DESTINATION_ACCESS_ROLE):
    Unknown [xxx-xxx-xxx-xxx]
Type 29 (MAB_APPLICATION):
    Unknown [xxx-xxx-xxx-xxx]
Type 32 (SOURCE_FQDN_DOMAIN):
    Unknown [xxx-xxx-xxx-xxx]
[Expert@MyGW:0]#
```

Because the tool simulates only the first packet, the application is known here only because the command names it explicitly (application="Facebook"); without that parameter the Application Control Layer would see unknown traffic, as in Output Example 2.
Output Example 4 - Access Control - viewing the reason why a packet was not matched to a specified rule (rule #1 in the Network Layer in our example)

```
[Expert@MyGW:0]# fw up_execute mode=access in_ifn=eth0 ipp=6 src=209.87.209.100 dst=10.10.10.1 dport=123 access_rule_search_uid=ee08d7d8-1283-44e6-934d-3c9db769d826
Rulebase execution ended successfully.

Overall status:
----------------
Match status: MATCH
Match action: Accept
Object types required for matching: None
Object types required for logging: None

Per Layer:
------------
Layer name: Network
Layer uuid: xxx-xxx-xxx-xxx-xxx
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 4
Matched rule uuid: xxx-xxx-xxx-xxx-xxx
Possible rules: 4

Reported clobs:
------------
Type 4 (SERVICE):
    https [xxx-xxx-xxx-xxx-xxx]
    ntp-tcp [xxx-xxx-xxx-xxx-xxx]
Type 17 (SOURCE_DYNOBJ):
    CP_GEO_US [xxx-xxx-xxx-xxx-xxx]
Type 32 (SOURCE_FQDN_DOMAIN):
    Unknown [xxx-xxx-xxx-xxx-xxx]

******************************************************************************************************************
Access Control Rulebase Search Result for the Rule UID: ee08d7d8-1283-44e6-934d-3c9db769d826
******************************************************************************************************************
Layer name: Network
Rule number: 1
Search status code   : CHECK_ACCESS_RULE_CODE_COLUMN_DIDNT_MATCH
Search status reason : Did not match because of the 'Service Application' column
Objects in that column: 'http' 'https'
Object types in column: 'SERVICE_APPLICATION'
Is column negated? no
[Expert@MyGW:0]#
```
Output Example 5 - NAT - incoming traffic is matched to a user-defined rule

```
[Expert@MyGW:0]# fw up_execute mode=nat in_ifn=eth0 ipp=6 src=192.168.1.1 dst=10.10.10.1 dport=443
NAT rulebase execution ended successfully.
Matched rule: 1
Matched rule's uuid: xxx-xxx-xxx-xxx-xxx
Possible rules: 1
Connection after NAT: <dir 0, 172.16.4.1:10001 -> 194.1.1.1:443 IPP 6>

Nat decisions:
-----------------
Server side Hide translation on Source (192.168.1.1)->(172.16.4.1)
Server side Hide translation on Source Port (12345)->(10001)
Server side Hide translation on Destination (10.10.10.1)->(194.1.1.1)
[Expert@MyGW:0]#
```

The source port 12345 in the last block is the tool's default, because the command did not specify a source port; the translated port in "Connection after NAT" is the same 10001 reported in the "Nat decisions" lines.
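Added example (not part of this Check Point guide or of the product): a small Python helper that parses the access-mode and NAT-mode output shown in Output Examples 1 to 5 and compares it with an expected result, so that a list of known-good flows can be re-checked after every policy install instead of reading the outputs by eye. It assumes only the field labels and layout seen in the examples above; the two sample outputs are constructed from Output Examples 1 and 5 with the UUIDs masked, and the expected-result dict format and the function names are this example's own. On a gateway, pass the stdout of `fw up_execute ...` (for example collected with subprocess in Expert mode) to the parse functions in place of the samples.

```python
"""Parse and check fw up_execute output. Added example, not code from the Check Point
documentation or product; it relies only on the output layout shown in the Output Examples
above. The expected-result format, function names and the two sample texts are constructed."""
import re

# Constructed sample: mode=access output in the layout of Output Example 1 (UUIDs masked).
SAMPLE_ACCESS = """\
Overall status:
----------------
Match status: MATCH
Match action: Accept
Per Layer:
------------
Layer name: Network
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 1
Possible rules: 1 3 4
Reported clobs:
------------
Type 4 (SERVICE):
    https [xxx-xxx-xxx-xxx]
Type 32 (SOURCE_FQDN_DOMAIN):
    .checkpoint.com [xxx-xxx-xxx-xxx]
[Expert@MyGW:0]#
"""
# Constructed sample: mode=nat output in the layout of Output Example 5.
SAMPLE_NAT = """\
NAT rulebase execution ended successfully.
Matched rule: 1
Matched rule's uuid: xxx-xxx-xxx-xxx-xxx
Connection after NAT: <dir 0, 172.16.4.1:10001 -> 194.1.1.1:443 IPP 6>
Server side Hide translation on Source (192.168.1.1)->(172.16.4.1)
Server side Hide translation on Source Port (12345)->(10001)
Server side Hide translation on Destination (10.10.10.1)->(194.1.1.1)
"""
LAYER_FIELDS = {"Layer id": "id", "Match status": "status", "Match action": "action",
                "Matched rule": "matched_rule", "Possible rules": "possible_rules"}
NAT_CONN = re.compile(r"<dir \d+, (\S+):(\d+) -> (\S+):(\d+) IPP (\d+)>")


def parse_access(text: str) -> dict:
    """Split mode=access output into the overall result, per-layer results and reported clobs."""
    out = {"overall": {}, "layers": [], "clobs": {}}
    section = layer = clob = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.startswith("[Expert@"):
            continue  # blank lines, rulers and the shell prompt
        if line.startswith("Overall status"):
            section = "overall"
        elif line.startswith("Per Layer"):
            section = "layers"
        elif line.startswith("Reported clobs"):
            section = "clobs"
        elif section == "clobs":
            m = re.match(r"Type \d+ \((\w+)\):\s*(.*)", line)
            if m:  # "Type 4 (SERVICE):" header; object names follow on the same or the next lines
                clob, line = m.group(1), m.group(2)
                out["clobs"].setdefault(clob, [])
            if clob and line:
                out["clobs"][clob].append(re.sub(r"\s*\[[^\]]*\]$", "", line))  # drop "[uuid]"
        else:
            key, _, val = (s.strip() for s in line.partition(":"))
            if section == "overall" and key in ("Match status", "Match action"):
                out["overall"][key.split()[1]] = val
            elif section == "layers" and key == "Layer name":
                layer = {"name": val}
                out["layers"].append(layer)
            elif section == "layers" and layer is not None and key in LAYER_FIELDS:
                layer[LAYER_FIELDS[key]] = val  # status keeps "Override by implied rule ..." intact
    return out


def parse_nat(text: str) -> dict:
    """Split mode=nat output into the matched rule, the translated 5-tuple and the NAT decisions."""
    out = {"matched_rule": None, "after": None, "translations": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Matched rule:"):
            out["matched_rule"] = line.partition(":")[2].strip()
        elif m := NAT_CONN.search(line):
            out["after"] = {"src": m[1], "sport": int(m[2]), "dst": m[3], "dport": int(m[4]), "ipp": int(m[5])}
        elif " translation on " in line:
            out["translations"].append(line)
    return out


def check_access(parsed: dict, expect: dict) -> list:
    """Mismatches (empty = pass) against {"action": ..., "rules": {layer: rule}, "clobs": {type: [names]}}."""
    problems = []
    if "action" in expect and parsed["overall"].get("action") != expect["action"]:
        problems.append(f"overall action {parsed['overall'].get('action')!r} != {expect['action']!r}")
    rules = {layer["name"]: layer.get("matched_rule") for layer in parsed["layers"]}
    for name, rule in expect.get("rules", {}).items():
        if rules.get(name) != rule:
            problems.append(f"layer {name}: matched rule {rules.get(name)!r} != {rule!r}")
    for clob, names in expect.get("clobs", {}).items():
        if missing := [n for n in names if n not in parsed["clobs"].get(clob, [])]:
            problems.append(f"clob {clob}: missing {missing}")
    return problems
```

The per-layer "status" field keeps the full text of the "Match status" line, so an expectation can also detect the case from Output Example 2, where a flow is accepted by an implied rule (accept_outgoing) rather than by the user-defined rule the administrator had in mind; checking only the overall "Match action" would miss that. A missing layer or an unmatched rule is reported as a mismatch rather than raising, so one run can list every deviation from the expected policy behavior.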