Check Point fw monitor to debug and trace traffic.

tcpdump is good, but on a Check Point gateway, if you want to find out exactly what is happening to your traffic, fw monitor is the way to go: tcpdump only shows what reaches the NIC, whereas fw monitor captures at the kernel inspection points, so you can see whether the firewall itself accepted or dropped a packet.

Its usage is as follows, to debug live traffic matching your filter (run it from the gateway's expert shell and stop it with Ctrl-C; replace 10.0.0.x with a full address, since the INSPECT expression wants a literal IP, and keep the trailing semicolon):

# fw monitor -e "accept src=10.0.0.x;"

This prints, in real time, every packet with source address 10.0.0.x at each inspection point it reaches on the firewall.

You will see output similar to the below:

Lan1:i[84]: 192.168.232.12 -> 172.16.100.40 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5025
Lan1:I[84]: 192.168.232.12 -> 172.16.100.40 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5025
Lan5:o[84]: 192.168.232.12 -> 172.16.100.40 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5025
Lan5:O[84]: 192.168.232.12 -> 172.16.100.40 (ICMP) len=84 id=0

Lan1:i[84]: 10.0.0.1 -> 192.168.0.1 (ICMP) len=84 id=0 <-- The packet arriving on interface Lan1 before the inbound inspection chain (the rulebase) has processed it. That's the lowercase i (pre-inbound).

ICMP: type=8 code=0 echo request id=64597 seq=5025

Lan1:I[84]: 10.0.0.1 -> 192.168.0.1 (ICMP) len=84 id=0 <-- The same packet, still on Lan1, after the inbound chain has accepted it, hence the uppercase I (post-inbound). If the firewall dropped this packet you would see the i line but never this one.

ICMP: type=8 code=0 echo request id=64597 seq=5025

Lan5:o[84]: 10.0.0.1 -> 192.168.0.1 (ICMP) len=84 id=0 <-- Now we see the packet on the destination interface Lan5, but again before the outbound chain has processed it: lowercase o (pre-outbound).

ICMP: type=8 code=0 echo request id=64597 seq=5025

Lan5:O[84]: 10.0.0.1 -> 192.168.0.1 (ICMP) len=84 id=0 <-- Finally we see the packet leaving Lan5 after successfully traversing the outbound chain: uppercase O (post-outbound).

Two things to keep in mind when reading this. A packet that shows up at i but not at I, or at o but not at O, was dropped by the chain between those two points; a packet seen at i and I but on no outbound interface was accepted inbound but either delivered to the gateway itself, had no route, or was dropped later. Also, NAT is applied between the inspection points, so a translated packet can show different addresses at i/I than at o/O, and a filter on a single address may not match all four lines of one packet.
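The walk-through above is easy to follow for one ping, but on a busy gateway you are scrolling through hundreds of lines looking for the packet that never got its uppercase I or O. The following added example (my own helper, not code from the original post or from Check Point) parses fw monitor output, groups the lines into packets and reports how far each packet got. The sample input is constructed to mirror the format shown above; the gateway address 10.0.0.254 used for the "delivered locally" case is an assumption.

```python
import re
from collections import OrderedDict

# Header line, e.g. "Lan1:i[84]: 192.168.232.12 -> 172.16.100.40 (ICMP) len=84 id=0"
HEADER_RE = re.compile(
    r"^(?P<iface>\S+?):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s*(?P<dst>\S+)\s+\((?P<proto>\w+)\)\s+len=\d+\s+id=(?P<ipid>\d+)"
)

# Constructed sample (not captured from a real gateway). Four echo requests:
#  seq=5025 passes all four points; seq=5026 is seen only at i (dropped inbound);
#  seq=5027 reaches o but not O (dropped outbound); seq=5028 is addressed to the
#  gateway itself (assumed 10.0.0.254) and so is seen at i and I only.
SAMPLE = """\
Lan1:i[84]: 192.168.232.12 -> 172.16.100.40 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5025
Lan1:I[84]: 192.168.232.12 -> 172.16.100.40 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5025
Lan5:o[84]: 192.168.232.12 -> 172.16.100.40 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5025
Lan5:O[84]: 192.168.232.12 -> 172.16.100.40 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5025
Lan1:i[84]: 10.0.0.1 ->192.168.0.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5026
Lan1:i[84]: 10.0.0.1 -> 192.168.0.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5027
Lan1:I[84]: 10.0.0.1 -> 192.168.0.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5027
Lan5:o[84]: 10.0.0.1 -> 192.168.0.1 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5027
Lan1:i[84]: 10.0.0.1 -> 10.0.0.254 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5028
Lan1:I[84]: 10.0.0.1 -> 10.0.0.254 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=64597 seq=5028
"""


def parse_trace(text):
    """Group fw monitor lines into packets.

    Each packet is keyed by its IP header fields plus the layer-4 summary line
    that follows the header (the ICMP id/seq line above), and mapped to the
    ordered list of (interface, inspection point) pairs it was seen at.
    """
    packets = OrderedDict()
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        detail = ""
        # The line after a header is the layer-4 summary, unless it is another header.
        if i + 1 < len(lines) and not HEADER_RE.match(lines[i + 1]):
            detail = lines[i + 1].strip()
            i += 1
        key = (m["src"], m["dst"], m["proto"], m["ipid"], detail)
        packets.setdefault(key, []).append((m["iface"], m["point"]))
        i += 1
    return packets


def verdict(seen):
    """Explain how far a packet got from the inspection points it was seen at."""
    reached = {point for _, point in seen}
    if "O" in reached:
        return "passed"
    if "o" in reached:
        return "dropped in outbound chain (seen at o, never at O)"
    if "I" in reached:
        return "accepted inbound but never left (local delivery, no route, or dropped after I)"
    if "i" in reached:
        return "dropped in inbound chain (seen at i, never at I)"
    return "unknown"


def summarize(text):
    """Return one (flow, [iface:point, ...], verdict) tuple per packet."""
    rows = []
    for (src, dst, proto, _ipid, _detail), seen in parse_trace(text).items():
        rows.append((f"{src} -> {dst} {proto}",
                     [f"{iface}:{point}" for iface, point in seen],
                     verdict(seen)))
    return rows


if __name__ == "__main__":
    for flow, points, result in summarize(SAMPLE):
        print(f"{flow:45} {' '.join(points):30} {result}")
```

To use it on a live gateway, capture with fw monitor into a file and feed that file to summarize(). The key deliberately includes the layer-4 line, because the IP id is 0 for every ping in the sample and src/dst alone would merge consecutive echoes into one packet.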

There are many filters you can apply. The example above uses src, but you can also use keywords such as dst, sport and dport and combine them with and / or, and you can write the capture to a file with -o to open it in Wireshark afterwards.

Check this doc for a full list of what you can and can't do:

http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf
