Wednesday, May 30, 2018

fw monitor

If you want to check the traffic flowing through a Check Point firewall without using SmartView Tracker, you can use the fw monitor command. It runs on the gateway itself (expert mode) and prints each packet at several points of the inspection chain, so it shows both what arrived at the firewall and what left it.
I will show you how I use fw monitor in my troubleshooting process.
Take into consideration the following:
1. If you have a cluster, fw monitor only captures on the member you run it on, so run it on the active member, which is where the traffic flows.
a. To check which member is active, issue: cphaprob state
2. If you have SecureXL enabled, packets that SecureXL accelerates may not appear in the fw monitor output.
a. To disable SecureXL: fwaccel off
b. To enable SecureXL: fwaccel on
c. To check the current status: fwaccel stat
With SecureXL off, all traffic goes through the slow path and throughput drops, so keep the capture window short and re-enable it as soon as you are done.

Traffic to/from a Host

You can check the traffic that a host is receiving or sending with the following command (use straight double quotes around the expression, and note the trailing semicolon; the filter will not compile without it):
fw monitor -e "accept host(x.x.x.x);"
Example
CP-Firewall> fw monitor -e "accept host(192.168.1.86);"
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_6] eth3:i[71]: 173.16.25.44 -> 192.168.1.86 (TCP) len=71 id=0
TCP: 43637 -> 443 F..PA. seq=4a5c5909 ack=df3170c0
[vs_0][fw_6] eth3:I[71]: 173.16.25.44 -> 192.168.1.86 (TCP) len=71 id=0
TCP: 43637 -> 443 F..PA. seq=4a5c5909 ack=df3170c0
[vs_0][fw_6] eth1:o[41]: 173.16.25.44 -> 192.168.1.86 (TCP) len=41 id=0
TCP: 43637 -> 443 F...A. seq=4a5c5927 ack=df3170c0
[vs_0][fw_6] eth1:O[41]: 173.16.25.44 -> 192.168.1.86 (TCP) len=41 id=0
TCP: 43637 -> 443 F...A. seq=4a5c5927 ack=df3170c0
monitor: caught sig 2
monitor: unloading
CP-Firewall>

In this example, you can see the ingress interface (eth3) and the egress interface (eth1). Each packet is printed once at every capture point it passes, so a forwarded packet appears four times (iIoO):
i - pre-inbound (lowercase i): the packet as it arrived on the interface, before the inbound inspection chain
I - post-inbound (uppercase i): after the inbound inspection chain
o - pre-outbound (lowercase o): before the outbound inspection chain
O - post-outbound (uppercase o): after the outbound inspection chain, as it is sent out of the interface
A packet that shows up at i but never at I was dropped by the inbound chain (or NAT rewrote its addresses so the filter no longer matched it); one that shows up at o but not at O was dropped on the way out.
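To read a capture quickly when it is more than a handful of lines, the following added example (Python, not part of this post and not Check Point's code) parses fw monitor output in the format shown above, groups the lines that belong to the same packet, and reports for each packet which capture points it reached and on which interfaces. The SAMPLE text is constructed in the same format as the captures on this page, and the verdict strings are my reading of a missing capture point, not fw monitor output.

```python
"""Summarise fw monitor output per packet: capture points reached (i, I, o, O),
interfaces, and a verdict for packets that did not reach all four.
Added example, not Check Point's code; SAMPLE is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# "[vs_0][fw_6] eth3:i[71]: 173.16.25.44 -> 192.168.1.86 (TCP) len=71 id=0"
HEADER = re.compile(
    r"^\[vs_\d+\]\[fw_\d+\]\s+(?P<iface>\S+?):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)\s+len=\d+\s+id=(?P<ipid>\d+)")
# detail line printed under each header; TCP and ICMP are the forms seen on this page
TCP_LINE = re.compile(r"^TCP:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)\s+(?P<flags>\S{6})\s+seq=(?P<seq>[0-9a-f]+)")
ICMP_LINE = re.compile(r"^ICMP:\s+type=(?P<type>\d+)\s+code=(?P<code>\d+)(?:.*?\bid=(?P<id>\d+)\s+seq=(?P<seq>\d+))?")


@dataclass
class Packet:
    iface: str
    point: str            # i, I, o or O
    src: str
    dst: str
    proto: str
    ipid: int
    detail: Tuple = ()    # protocol-specific identifiers that tell packets apart

    def key(self) -> Tuple:
        """Same packet at several capture points -> same key (until NAT rewrites an address)."""
        return (self.proto, self.src, self.dst, self.ipid) + self.detail


def parse_fw_monitor(text: str) -> List[Packet]:
    packets: List[Packet] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            packets.append(Packet(m["iface"], m["point"], m["src"], m["dst"], m["proto"], int(m["ipid"])))
            continue
        if not packets or packets[-1].detail:
            continue                      # banner lines ("Compiled OK.", "monitor: loading", ...)
        cur = packets[-1]
        t = TCP_LINE.match(line)
        if t and cur.proto == "TCP":
            cur.detail = (int(t["sport"]), int(t["dport"]), t["flags"], t["seq"])
        c = ICMP_LINE.match(line)
        if c and cur.proto == "ICMP":
            cur.detail = (int(c["type"]), int(c["code"]), c["id"], c["seq"])
    return packets


def trace(packets: List[Packet]) -> Dict[Tuple, List[Tuple[str, str]]]:
    """(interface, capture point) hits per packet, in the order fw monitor printed them."""
    paths: Dict[Tuple, List[Tuple[str, str]]] = {}
    for p in packets:
        paths.setdefault(p.key(), []).append((p.iface, p.point))
    return paths


def diagnose(path: List[Tuple[str, str]]) -> str:
    seen = {pt for _, pt in path}
    if seen >= set("iIoO"):
        in_if = next(i for i, pt in path if pt == "i")
        out_if = next(i for i, pt in path if pt == "O")
        return f"forwarded {in_if} -> {out_if}"
    if "i" in seen and "I" not in seen:
        return "seen at i but not I: dropped by the inbound chain, or NAT changed the addresses so the filter stopped matching"
    if "I" in seen and "o" not in seen:
        return "seen up to I but not o: handled by the gateway itself, or NAT changed the addresses so the filter stopped matching"
    if "o" in seen and "O" not in seen:
        return "seen at o but not O: dropped by the outbound chain"
    return "partial path: " + " ".join(f"{i}:{pt}" for i, pt in path)


def summarize(text: str) -> List[Tuple[Tuple, List[Tuple[str, str]], str]]:
    return [(key, path, diagnose(path)) for key, path in trace(parse_fw_monitor(text)).items()]


# Constructed sample: a forwarded TCP SYN, a SYN to port 23 seen only at i, an echo that stops after I.
SAMPLE = """\
Compiled OK.
monitor: monitoring (control-C to stop)
[vs_0][fw_6] eth3:i[64]: 173.16.25.44 -> 192.168.1.86 (TCP) len=64 id=0
TCP: 3932 -> 443 .S.... seq=ccbcc90f ack=00000000
[vs_0][fw_6] eth3:I[64]: 173.16.25.44 -> 192.168.1.86 (TCP) len=64 id=0
TCP: 3932 -> 443 .S.... seq=ccbcc90f ack=00000000
[vs_0][fw_6] eth1:o[64]: 173.16.25.44 -> 192.168.1.86 (TCP) len=64 id=0
TCP: 3932 -> 443 .S.... seq=ccbcc90f ack=00000000
[vs_0][fw_6] eth1:O[64]: 173.16.25.44 -> 192.168.1.86 (TCP) len=64 id=0
TCP: 3932 -> 443 .S.... seq=ccbcc90f ack=00000000
[vs_0][fw_0] eth3:i[64]: 173.16.25.44 -> 192.168.1.86 (TCP) len=64 id=0
TCP: 31668 -> 23 .S.... seq=334241eb ack=00000000
[vs_0][fw_17] bond1.102:i[84]: 192.168.1.84 -> 172.16.125.81 (ICMP) len=84 id=52498
ICMP: type=8 code=0 echo request id=22608 seq=1
[vs_0][fw_17] bond1.102:I[84]: 192.168.1.84 -> 172.16.125.81 (ICMP) len=84 id=52498
ICMP: type=8 code=0 echo request id=22608 seq=1
monitor: caught sig 2
"""

if __name__ == "__main__":
    for key, path, verdict in summarize(SAMPLE):
        print(key[0], key[1], "->", key[2], [f"{i}:{pt}" for i, pt in path], verdict)
```

Feed it a saved capture (fw monitor ... > /tmp/mon.txt, then summarize(open("/tmp/mon.txt").read())) and look at the verdicts first; a packet that stops at i is the usual sign of a rule drop, and with NAT in play add the translated addresses to the filter with or so the packet keeps matching at I, o and O.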

You can also select which capture points are printed with the -m option (here only i and O, which is enough to confirm that a packet went in one interface and out the other):
CP-Firewall> fw monitor -e "accept host(192.168.1.86);" -m iO
 Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
 [vs_0][fw_6] eth3:i[64]: 173.16.25.44 -> 192.168.1.86 (TCP) len=64 id=0
 TCP: 3932 -> 443 .S.... seq=ccbcc90f ack=00000000
 [vs_0][fw_6] eth1:O[64]: 173.16.25.44 -> 192.168.1.86 (TCP) len=64 id=0
 TCP: 3932 -> 443 .S.... seq=ccbcc90f ack=00000000

Traffic to/from a Network

You can check the traffic to or from a network with the following command, giving the network address and the prefix length. A prefix length of 32 matches a single host, so this form works for a host as well.
fw monitor -e "accept net(x.x.x.x,yy);"

Example (network 192.168.1.64/26)
CP-Firewall> fw monitor -e "accept net(192.168.1.64,26); "
 Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
 [vs_0][fw_11] eth2:i[44]: 172.16.10.149 -> 192.168.1.89 (TCP) len=44 id=36544
 TCP: 7480 -> 443 .S.... seq=25d68d6c ack=00000000
 [vs_0][fw_11] eth2:I[44]: 172.16.10.149 -> 192.168.1.89 (TCP) len=44 id=36544
 TCP: 7480 -> 443 .S.... seq=25d68d6c ack=00000000
 [vs_0][fw_11] eth1:o[44]: 172.16.10.149 -> 192.168.1.89 (TCP) len=44 id=36544
 TCP: 7480 -> 443 .S.... seq=25d68d6c ack=00000000
 [vs_0][fw_11] eth1:O[44]: 172.16.10.149 -> 192.168.1.89 (TCP) len=44 id=36544
 TCP: 7480 -> 443 .S.... seq=25d68d6c ack=00000000

To see a one-way flow between two hosts:

You can check the traffic from a source to a destination in that direction only. The filter is evaluated against the packet's addresses at each capture point, so if NAT rewrites the source or destination the packet stops matching after translation (you would then see it at i but not at I, or at o but not at O):
fw monitor -e "accept (src=x.x.x.x and dst=x.x.x.x);"
Example (from 173.16.25.44 to 192.168.2.134)
CP-Firewall> fw monitor -e "accept (src=173.16.25.44 and dst=192.168.2.134); "
 monitorfilter:
 Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
 [vs_0][fw_0] eth3:i[64]: 173.16.25.44 -> 192.168.2.134 (TCP) len=64 id=0
 TCP: 31668 -> 443 .S.... seq=334241eb ack=00000000
 [vs_0][fw_0] eth3:i[64]: 173.16.25.44 -> 192.168.2.134 (TCP) len=64 id=0
 TCP: 10589 -> 443 .S.... seq=96f7c1ab ack=00000000
 [vs_0][fw_0] eth3:i[64]: 173.16.25.44 -> 192.168.2.134 (TCP) len=64 id=0
 TCP: 59589 -> 443 .S.... seq=b00da993 ack=00000000
 [vs_0][fw_0] eth3:i[64]: 173.16.25.44 -> 192.168.2.134 (TCP) len=64 id=0
 TCP: 24452 -> 443 .S.... seq=b7eab2df ack=00000000
 [vs_0][fw_0] eth3:i[71]: 173.16.25.44 -> 192.168.2.134 (TCP) len=71 id=0
 TCP: 24452 -> 443 F..PA. seq=b7eac473 ack=aaeba7f0
 [vs_0][fw_0] eth3:i[71]: 173.16.25.44 -> 192.168.2.134 (TCP) len=71 id=0
 TCP: 31668 -> 443 F..PA. seq=33425c0a ack=39f1e2fa
 [vs_0][fw_0] eth3:i[71]: 173.16.25.44 -> 192.168.2.134 (TCP) len=71 id=0
 TCP: 59589 -> 443 F..PA. seq=b00db2f8 ack=5c949cea
 [vs_0][fw_0] eth3:i[71]: 173.16.25.44 -> 192.168.2.134 (TCP) len=71 id=0
 TCP: 10589 -> 443 F..PA. seq=96f7c6d9 ack=9c027709
 monitor: caught sig 2
 monitor: unloading
 CP-Firewall>

To see a two-way flow between two hosts:

You can check the traffic between a source and a destination in both directions by joining the two one-way expressions with or:
fw monitor -e "accept (src=x.x.x.x and dst=x.x.x.x) or (src=x.x.x.x and dst=x.x.x.x);"

Example (between 172.16.125.81 and 192.168.1.84)
CP-Firewall> fw monitor -e "accept (src=172.16.125.81 and dst=192.168.1.84) or (src=192.168.1.84 and dst=172.16.125.81);"
 monitorfilter:
 Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
 [vs_0][fw_17] bond1.102:i[84]: 192.168.1.84 -> 172.16.125.81 (ICMP) len=84 id=52498
 ICMP: type=8 code=0 echo request id=22608 seq=1
 [vs_0][fw_17] bond1.102:I[84]: 192.168.1.84 -> 172.16.125.81 (ICMP) len=84 id=52498
 ICMP: type=8 code=0 echo request id=22608 seq=1
 [vs_0][fw_17] bond1.101:o[84]: 192.168.1.84 -> 172.16.125.81 (ICMP) len=84 id=52498
 ICMP: type=8 code=0 echo request id=22608 seq=1
 [vs_0][fw_17] bond1.101:O[84]: 192.168.1.84 -> 172.16.125.81 (ICMP) len=84 id=52498
 ICMP: type=8 code=0 echo request id=22608 seq=1
 [vs_0][fw_4] bond1.101:i[84]: 172.16.125.81 -> 192.168.1.84 (ICMP) len=84 id=24621
 ICMP: type=8 code=0 echo request id=13742 seq=30840
 [vs_0][fw_4] bond1.101:I[84]: 172.16.125.81 -> 192.168.1.84 (ICMP) len=84 id=24621
 ICMP: type=8 code=0 echo request id=13742 seq=30840
 [vs_0][fw_4] bond1.102:o[84]: 172.16.125.81 -> 192.168.1.84 (ICMP) len=84 id=24621
 ICMP: type=8 code=0 echo request id=13742 seq=30840
 [vs_0][fw_4] bond1.102:O[84]: 172.16.125.81 -> 192.168.1.84 (ICMP) len=84 id=24621
 monitor: caught sig 2
 monitor: unloading
 CP-Firewall>

As you can see, this is a very helpful and flexible command. You can combine the or and and operators in the filter expression as you need, limit the run with the -ci and -co packet counts, and write the capture to a file with the -o option so you can analyze it later with Wireshark. If you disabled SecureXL for the capture, remember to re-enable it with fwaccel on when you are done.
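The whole procedure from this post (check which cluster member is active with cphaprob state, turn SecureXL off only for the capture, apply one of the filter forms shown in the sections above, write the capture with -o, and turn SecureXL back on) as an added example in Python that is not part of this post and not Check Point's tooling. It assumes cphaprob, fwaccel and fw are on the PATH in expert mode, that cphaprob state prints a row containing "(local)" whose trailing columns are the member state, and that cphaprob exits non-zero on a gateway that is not a cluster member; the run parameter lets you substitute a fake command runner, which is how the command sequence is checked without a gateway.

```python
"""Wrapper around fw monitor: build a validated filter expression, confirm this
cluster member is Active, disable SecureXL only for the capture window, write a
pcap with -o, and re-enable SecureXL even if the capture fails or is interrupted.
Added example, not Check Point's code. Assumed: the 'cphaprob state' row format
('1 (local)  192.168.2.1  100%  Active') and a non-zero exit when not clustered."""
import ipaddress
import subprocess
from typing import Callable, List, Optional, Sequence


# --- the filter forms used on this page, validated before they reach a shell ---

def host_filter(ip: str) -> str:
    ipaddress.ip_address(ip)                       # ValueError on anything that is not an address
    return f"accept host({ip});"


def net_filter(cidr: str) -> str:
    net = ipaddress.ip_network(cidr, strict=True)  # "192.168.1.64/26" -> net(192.168.1.64,26); /32 is a host
    return f"accept net({net.network_address},{net.prefixlen});"


def one_way_filter(src: str, dst: str) -> str:
    ipaddress.ip_address(src)
    ipaddress.ip_address(dst)
    return f"accept (src={src} and dst={dst});"


def two_way_filter(a: str, b: str) -> str:
    ipaddress.ip_address(a)
    ipaddress.ip_address(b)
    return f"accept (src={a} and dst={b}) or (src={b} and dst={a});"


# --- running it safely ---

Runner = Callable[[Sequence[str]], str]            # runs a command, returns its stdout


def run_real(cmd: Sequence[str]) -> str:
    """Default runner: execute on the gateway (expert mode) and return stdout."""
    return subprocess.run(list(cmd), check=True, capture_output=True, text=True).stdout


def local_member_state(cphaprob_output: str) -> Optional[str]:
    """Member state from the '(local)' row of 'cphaprob state', or None if there is no such row.
    Assumed columns: Number, '(local)', Unique Address, Assigned Load, State (may be several words)."""
    for line in cphaprob_output.splitlines():
        if "(local)" in line:
            toks = line.split()
            return " ".join(toks[4:]) if len(toks) > 4 else toks[-1]
    return None


def capture(expr: str, outfile: str, run: Runner = run_real,
            packets: int = 0, toggle_securexl: bool = True) -> List[List[str]]:
    """Run fw monitor with EXPR writing to OUTFILE; returns the commands issued, in order."""
    issued: List[List[str]] = []

    def do(cmd: Sequence[str]) -> str:
        issued.append(list(cmd))
        return run(cmd)

    try:
        state = local_member_state(do(["cphaprob", "state"]))
    except subprocess.CalledProcessError:          # assumed: not a cluster member
        state = None
    if state is not None and not state.startswith("Active"):
        raise RuntimeError(f"this member is {state}; run the capture on the Active member")

    cmd = ["fw", "monitor", "-e", expr, "-o", outfile]
    if packets:                                    # -ci/-co: stop after N inbound/outbound packets
        cmd += ["-ci", str(packets), "-co", str(packets)]

    if toggle_securexl:
        do(["fwaccel", "off"])                     # everything takes the slow path now: keep it short
    try:
        do(cmd)
    finally:
        if toggle_securexl:
            do(["fwaccel", "on"])                  # runs even if fw monitor failed or was interrupted
    return issued


if __name__ == "__main__":
    import sys
    src, dst, out = sys.argv[1:4]                  # e.g. 172.16.125.81 192.168.1.84 /tmp/flow.cap
    for c in capture(two_way_filter(src, dst), out, packets=500):
        print(" ".join(c))
```

Set toggle_securexl=False on a release where fw monitor already shows accelerated traffic, and keep packets small on a busy gateway: -ci/-co is what stops the capture when nobody is there to press Ctrl-C.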