Table of Contents:
-
Introduction
-
Warnings
-
FW Monitor Features
-
FW Monitor Functionality
-
FW Monitor Documentation
-
FW Monitor Syntax
-
SecureClient Syntax
-
Examples
-
Related solutions
Introduction
Check Point's 'FW Monitor' is a powerful built-in tool for capturing network traffic at the packet level. The 'FW Monitor' utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using the WireShark (available for free from www.wireshark.org).
Warnings
- Anything related to policy installation or policy unloading on Security Gateway, will cause '
FW Monitor' to exit.
- It is supported to run only a single instance of '
FW Monitor' at any given time.
- Do not modify Check Point kernel tables used in the security policy while '
FW Monitor' is running, otherwise unexpected behavior may result (including a system crash).
- Packets are defragmented as they leave the Security Gateway in both the inbound and outbound directions.
- If SecureXL is enabled on the Security Gateway, then '
FW Monitor' and 'tcpdump' will show only the non-accelerated packets (e.g., 'TCP SYN' will be shown, and 'TCP ACK' will not).
- * NOTE * - Traffic captures can be misleading when working with SecureXL since both FW Monitor and TCPdump do not always show 'real' packets that are going out to the network. This is related to the way the SecureXL kernel driver is attached to the network adapter itself. When using SecureXL to confirm whether packets are being handled correctly, either capture the traffic on the directly connected router / switch, or disable SecureXL.
FW Monitor Features
In many deployment and support scenarios, capturing network packets is an essential functionality. The 'tcpdump' / 'snoop' utilities are normally used for this task. The 'FW Monitor' utility provides an even better functionality, but omits many of the requirements and the risks associated with these tools:
- No Security Flaws
'tcpdump' / 'snoop' are normally used with NICs in promiscuous mode. Unfortunately, promiscuous mode allows remote attacks against these tools. Check Point's 'FW Monitor' does not use promiscuous mode to capture packets. In addition, most firewalls' operating systems are hardened. In most cases, this hardening includes the removal of tools like 'tcpdump' / 'snoop', because of their security risks.
- Available on FireWall Installations
'FW Monitor' is a built-in tool that does not need a separate installation, or licensing.
- Multiple Capture Positions within the FireWall Kernel Module Chains
'FW Monitor' allows to capture packets at multiple capture positions within the Security Gateway kernel module chains, both for inbound and outbound packets. This enables to trace a packet through the different layers of the Security Gateway.
- Same Tool and Syntax on All Platforms
'FW Monitor' is available on all different platforms. 'tcpdump' / 'snoop' are often platform-dependent, or have specific "enhancements" on certain platforms. 'FW Monitor' and all its related functionality and syntax are identical across all platforms.
Normally, Check Point kernel modules are used to perform several functions on packets, such as filtering, encryption and decryption, QoS, etc. 'FW Monitor' adds its own modules to capture packets. 'FW Monitor' can capture all packets that are seen and/or forwarded by the Security Gateway.
FW Monitor Functionality
There are four inspection points when a packet passes through a Security Gateway:
- Before the FireWall Virtual Machine, in the inbound direction -
Pre-Inbound - marked as 'i'
- After the FireWall Virtual Machine, in the inbound direction -
Post-Inbound - marked as 'I'
- Before the FireWall Virtual Machine, in the outbound direction -
Pre-Outbound - marked as 'o'
- After the FireWall Virtual Machine, in the outbound direction -
Post-Outbound - marked as 'O'
- Note:
The direction (inbound/outbound) relates to each specific packet, and not to the connection.
Let us examine a TCP handshake in the following topology:
[Source/Client] --- (eth1)[Security Gateway](eth2) --- [Destination/Server]
TCP SYN from [Source/Client] will pass through Pre-Inbound and Post-Inbound on interface eth1TCP SYN from [Source/Client] will pass through Pre-Outbound and Post-Outbound on interface eth2TCP SYN-ACK from [Destination/Server] will pass through Pre-Inbound and Post-Inbound on interface eth2TCP SYN-ACK from [Destination/Server] will pass through Pre-Outbound and Post-Outbound on interface eth1TCP ACK from [Source/Client] will pass through Pre-Inbound and Post-Inbound on interface eth1TCP ACK from [Source/Client] will pass through Pre-Outbound and Post-Outbound on interface eth2
Once started, the 'FW Monitor' compiles the INSPECT filter (created as $FWDIR/tmp/monitorfilter.pf) based on the specified syntax (which packets to capture), and loads it to the Check Point kernel (not replacing the Security Policy). The 'FW Monitor' will then continuously get packets from the Check Point kernel, and depending on the syntax, will either display them on the terminal window , or will save them in the output capture file. Upon an interrupt signal (key combination CTRL + C), the 'FW Monitor' stops, unloads the INSPECT filter, and exits.
FW Monitor Documentation
Detailed information regarding the usage of the 'fw monitor' command can be found in the "How to use FW Monitor" document.
This document applies to Security Gateways of all existing Check Point versions, regardless of operating system.
Note: please ignore the links provided in the document in the "Secure Knowledge Links" section.
FW Monitor Syntax
[HostName]# fw monitor [-h] [-u|-s] [-i] [-d] [-D] [-t] [{-e <expr>}+ | -f <filter_file_name>|-] [-l length] [-m i|I|o|O] [-x offset[,length]] [-o <output_file_name>] <[-pi position] [-pI position] [-po position] [-pO position] | -p all> [-a] [-ci count] [-co count] [-vs VSID]
| Flag |
Explanation |
| [-h] |
Displays the usage. |
| [-u|-s] |
Prints connection's Universal-Unique-ID (UUID), or connection's Session UUID (SUUID) for every packet. Note that it is only possible to print the UUID or the SUUID - not both.
For further information, refer to "How to use FW Monitor" document. |
| [-i] |
Flushes the standard output. Use this flag to make sure that captured data for each packet is at once written to standard output. This is especially useful if you want to kill a running 'FW Monitor' process, and want to be sure that all data is written to a file. |
[-d]
[-D] |
Debugs the 'FW Monitor'. The '-d' flag is used to start 'FW Monitor' in debug mode. This will give you an insight into 'FW Monitor's' inner workings, although this option is only rarely used outside Check Point. Use the '-D' flag will produce an even more verbose output. |
| [-t] |
When compiling the INSPECT filter, includes $FWDIR/lib/tcpip.def, which allows using TCP/IP macros.
Warning: do not modify anything in $FWDIR/lib/tcpip.def or in any other $FWDIR/lib/*.def file by yourself. Check Point does not support any configuration with changed *.def files. An exception are modifications done together with Check Point Support (according to a Service Request) or found on SecureKnowldege. |
| [{-e <expr>}+ | -f <filter_file_name>|-] |
Captures only specific packets:
- set the filter expression on the command line using the '
-e <expr>' switch
- read the filter expression from a file using the '
-f <filter_file_name>' switch
- read the filter expression from the standard input using the '
-f -' switch
For further information, refer to "How to use FW Monitor" document.
Note:
When using filter expressions on the command line (using '-e <expr>' switch), make sure that the expressions are properly quoted.
On Windows and UNIX operating systems, this can be done by surrounding the expression with single quote - ' (ASCII value 39), or double quotes " (ASCII value 34).
Depending on the given operating system and shell, there might be differences between the two forms - especially when using special characters, or (shell) variables in the filter expression. |
| [-l length] |
Limits the length of the captured packets. 'FW Monitor' will read only as many bytes from the kernel as specified by the length.
Make sure to capture as least as many bytes, so that the L3 IP header and L4 Transport header are included. This option allows capturing only the headers of a packet (e.g., IP and TCP), while omitting the actual payload, and thus decreases the size of the output file (by omitting the payload).
'FW Monitor' uses a buffer to transfer the packets from Check Point kernel to user space. If the size of the captured packets is reduced, this buffer will not fill up so fast. |
| [-m i|I|o|O] |
Capture masks. By default, 'FW Monitor' captures packets before and after the FireWall Virtual Machine in both directions. This flag allows to specify the position(s), where the traffic should be captured.
For further information, refer to "How to use FW Monitor" document. |
| [-x offset[,length]] |
Prints packet/payload raw data in addition to the IP and Transport headers. Optionally it is also possible to limit the data written to the screen.
For further information, refer to "How to use FW Monitor" document. |
| [-o <output_file_name>] |
Writes the captured raw data into an output file. The format of an output file is the same format used by tools like snoop (refer RFC 1761 for further information). This output file can be later analyzed by tools like WireShark. |
| <[-pi position] [-pI position] [-po position] [-pO position] | -p all> |
Inserts 'FW Monitor' chain module at a specific position between Check Point kernel chains. In addition to capture masks (which give the ability to specify a specific position), this flag defines where exactly (in Check Point kernel chains) the packets should be captured.
For further information, refer to "How to use FW Monitor" document. |
| [-a] |
Uses absolute chain positions (in Check Point kernel chains). This flag changes the chain ID from a relative value (which only makes sense with the matching output from 'fw ctl chain' command) to an absolute value.
If the captured data is saved into an output file (using the '-o <output_file_name>' switch), one of the fields written into the output file would be the chain position of the 'FW Monitor' chain module. Together with a simultaneous execution of 'fw ctl chain' command you can determine where the packet was captured. Especially when using '-p all' switch, you will find the same packet captured multiples times at different chain positions. |
[-ci count]
[-co count] |
Captures a specific number of packets. This is especially useful in situations where the FireWall is filtering high amounts of traffic. In such scenarios, 'FW Monitor' may bind so many resources (for writing to the console, or to a file) that recognizing the break sequence (CTRL+C) might take very long time.
It is possible to use the '-ci' and the '-co' switches together. 'FW Monitor' will stop capturing packets if the number of packets for one of the two counters reaches the specified count. |
| [-vs VSID] |
Captures the packets on a specific Virtual Router or Virtual System on VSX Gateway
(example: fw monitor -vs 4 -e "accept;" -o /var/log/fw_mon.cap) |
SecureClient Syntax
-
SecurRemote and SecureClient R56 / R60 uses an abridged version of 'FW Monitor' - called 'srfw monitor':
%SRDIR%\bin\srfw monitor [-d] [{-e <expr>}+ | -f <filter_file_name> |-] [-l length] [-m i|I|o|O] [-x offset[,length]] [-o <output_file_name>]
Refer to SecureClient R56 for Mac OS X Release Notes (Mac OS X 10.3, Mac OS X 10.4) and to Debugging SecuRemote/SecureClient.
-
Starting in E75.30, SecurRemote and SecureClient uses command line packet monitoring utility (PacketMon.exe) - called 'packetmon':
packetmon [-d] [-h] [-t] [-T] [-i] [-I] [-r] [{-e <expr>}+ | -f <filter_file_name> | -] [-l length] [-m i|I|o|O] [-x offset[,length]] [-o <output_file_name>] [-ci count] [-co count]
Refer to Remote Access Clients for Windows 32/64-bit Administration Guide (E75.30, E80.41, E80.50) - Chapter 'Monitoring and Troubleshooting' - Troubleshooting the Firewall - Desktop Firewall Monitoring.
Examples
Refer to $FWDIR/lib/fwmonitor.def file for useful macro definitions.
Refer to "How to use FW Monitor" document - 'Logical and Relational Operators' section.
Usual Capture
Capture everything, save the data into the file:
[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap
Capture everything between host X and host Y:
[Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap
Capture everything between hosts X,Z and hosts Y,Z on all Check Point kernel chains:
[Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap
Capture everything to/from host X or to/from host Y or to/from host Z:
[Expert@HostName]# fw monitor -e "((accept (src=x.x.x.x or dst=x.x.x.x)) or (accept (src=y.y.y.y or dst=y.y.y.y)) or (accept (src=z.z.z.z or dst=z.z.z.z)));" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(=y.y.y.y) or host(=z.z.z.z), accept;" -o /var/log/fw_mon.cap
Port Specific Capture
Capture everything to/from port X:
[Expert@HostName]# fw monitor -e "accept (sport=x or dport=x);" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "port(x), accept;" -o /var/log/fw_mon.cap
Capture everything except port X:
[Expert@HostName]# fw monitor -e "accept not (sport=x or dport=x);" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "((sport=!x) or (dport=!x)), accept;" -o /var/log/fw_mon.cap
Capture everything except SSH:
[Expert@HostName]# fw monitor -e "accept not (sport=22 or dport=22);" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "((sport!=22) or (dport!=22)), accept;" -o /var/log/fw_mon.cap
Capture everything to/from host X except SSH:
[Expert@HostName]# fw monitor -e "((accept (src=x.x.x.x or dst=x.x.x.x)) and (accept not (sport=22 or dport=22)));" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "((host(x.x.x.x) and (sport!=22 or dport!=22)), accept;" -o /var/log/fw_mon.cap
Protocol Specific Capture
Note: Protocol number in the syntax has to be provided in Decimal format. Refer to '/etc/protocols' file on the machine, or to 'www.iana.org/assignments/protocol-numbers/'
Capture everything on protocol X:
[Expert@HostName]# fw monitor -e "ip_p=X, accept;" -o /var/log/fw_mon.cap
Everything on protocol X and port Z on protocol Y:
[Expert@HostName]# fw monitor -e "(ip_p=X) or (ip_p=Y, port(Z)), accept;" -o /var/log/fw_mon.cap
Capture everything TCP between host X and host Y:
[Expert@HostName]# fw monitor -e "ip_p=6, host(x.x.x.x) or host(=y.y.y.y), accept;" -o /var/log/fw_mon.cap
[Expert@HostName]# fw monitor -e "accept [9:1]=9 , ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x));"
[Expert@HostName]# fw monitor -e "ip_p=6, ((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap
Bytes Specific Capture
Simple checks are used to check for a value at a specific offset in the packet:
[Expert@HostName]# fw monitor -e "accept [ offset : length , order ] relational-operator value;"
| Field |
Explanation |
offset |
specifies the offset relative to the beginning of the IP packet from where the value should be read. |
length |
specifies the number of bytes and can be 1 (byte), 2 (word), or 4 (dword). If length is not specified, 'FW Monitor' assumes 4 (dword). |
order |
specifies the byte order. Possible values are b (big endian), or l (little endian, or host order). If order is not specified, 'FW Monitor' assumes little endian byte order. |
relational-operator |
is a relational operator to express the relation between the packet data and the value:
< less than> greater than<= less than or equal to>= greater than= or is equal to!= or is not not equal to
|
value |
is one of the data types known to INSPECT (e.g., an IP address, or an integer). |
- The IP-based protocols are stored in the IP packet as a byte at offset 9:
- To filter based on a Protocol encapsulated into IP, use "
accept [9:1]=Protocol_Number_in_Decimal_format;" syntax
- The Layer 3 IP Addresses are stored in the IP packet as double words at offset 12 (Source address) and at offset 16 (Destination address):
- To filter based on a Source IP address, use "
accept [12:4,b]=IP_Address_in_Doted_Decimal_format;" syntax
- To filter based on a Destination IP address, use "
accept [16:4,b]=IP_Address_in_Doted_Decimal_format;" syntax
- The Layer 4 Ports are stored in the IP packet as a word at offset 20 (Source port) and at offset 22 (Destination port):
- To filter based on a Source port, use "
accept [20:2,b]=Port_Number_in_Decimal_format;" syntax
- To filter based on a Destination port, use "
accept [22:2,b]=Port_Number_in_Decimal_format;" syntax
Capture everything between host X and host Y:
[Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));" Capture everything on port X:
[Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap
Network Specific Capture
Capture everything on network 192.168.33.0/24:
[Expert@HostName]# fw monitor -e "net={<192.168.33.0,192.168.33.255>}; dst in net, accept;"
Examples
Capture ESP protocol or UDP port 161 (SNMP):
[Expert@HostName]# fw monitor -e "(ip_p=50) or (ip_p=17, port(161)), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
Filter out the usual garbage (SMTP, POP3, SSH, Microsoft NetBIOS, Check Point ClusterXL CCP):
[Expert@HostName]# fw monitor -e "(sport!=25) and (dport!=25) and (sport!=110) and (dport!=110) and (sport!=22) and (dport!=22) and (sport!=137) and (dport!=137) and (sport!=8116) and (dport!=8116), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
Filter out the usual garbage (filter in only TCP protocol, and HTTP and HTTPS ports ; filter out the SSH and FW Logs):
[Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443);" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
Capture Edge communication on UDP ports 9281, 9282, 9283:
[Expert@HostName]# fw monitor -e "ip_p=17, (host(10.10.10.10) or host(20.20.20.20) or host(30.30.30.30)) and (port(9281) or port(9282) or port(9283)), accept;" -o /var/log/fw_mon.cap
Print
Email
