Check Point's FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using the WireShark (available for free from www.wireshark.org).
Check Point's FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using the WireShark (available for free from www.wireshark.org).
(II) Warnings
Anything related to policy installation or policy unloading on Security Gateway, will cause FW Monitor to exit.
It is supported to run only a single instance of FW Monitor at any given time.
Do not modify Check Point kernel tables used in the security policy while FW Monitor is running, otherwise unexpected behavior may result (including a system crash).
Packets are defragmented as they leave the Security Gateway in both the inbound and outbound directions.
If SecureXL is enabled on the Security Gateway, then FW Monitor and tcpdump will show only the non-accelerated packets (e.g., 'TCP SYN' will be shown, and 'TCP ACK' will not).
* NOTE * - Traffic captures can be misleading when working with SecureXL since both FW Monitor and TCPdump do not always show 'real' packets that are going out to the network. This is related to the way the SecureXL kernel driver is attached to the network adapter itself. When using SecureXL to confirm whether packets are being handled correctly, either capture the traffic on the directly connected router / switch, or disable SecureXL.
(III) FW Monitor Features
In many deployment and support scenarios, capturing network packets is an essential functionality. The tcpdump / snoop utilities are normally used for this task. The FW Monitor utility provides an even better functionality, but omits many of the requirements and the risks associated with these tools:
No Security Flaws
tcpdump / snoop are normally used with NICs in promiscuous mode. Unfortunately, promiscuous mode allows remote attacks against these tools. Check Point's FW Monitor does not use promiscuous mode to capture packets. In addition, most firewalls' operating systems are hardened. In most cases, this hardening includes the removal of tools like tcpdump / snoop, because of their security risks.
Available on FireWall Installations
FW Monitor is a built-in tool that does not need a separate installation, or licensing.
Multiple Capture Positions within the FireWall Kernel Module Chains
FW Monitor allows to capture packets at multiple capture positions within the Security Gateway kernel module chains, both for inbound and outbound packets. This enables to trace a packet through the different layers of the Security Gateway.
Same Tool and Syntax on All Platforms
FW Monitor is available on all different platforms. tcpdump / snoop are often platform-dependent, or have specific "enhancements" on certain platforms. FW Monitor and all its related functionality and syntax are identical across all platforms.
Normally, Check Point kernel modules are used to perform several functions on packets, such as filtering, encryption and decryption, QoS, etc. FW Monitor adds its own modules to capture packets. FW Monitor can capture all packets that are seen and/or forwarded by the Security Gateway.
(IV) FW Monitor Functionality
There are four inspection points when a packet passes through a Security Gateway:
Before the FireWall Virtual Machine, in the inbound direction - Pre-Inbound - marked as i
After the FireWall Virtual Machine, in the inbound direction - Post-Inbound - marked as I
Before the FireWall Virtual Machine, in the outbound direction - Pre-Outbound - marked as o
After the FireWall Virtual Machine, in the outbound direction - Post-Outbound - marked as O
Note: The direction (inbound/outbound) relates to each specific packet, and not to the connection.
Let us examine a TCP handshake in the following topology: [Source/Client] --- (eth1)[Security Gateway](eth2) --- [Destination/Server]
TCP SYN from [Source/Client] will pass through Pre-Inbound and Post-Inbound on interface eth1
TCP SYN from [Source/Client] will pass through Pre-Outbound and Post-Outbound on interface eth2
TCP SYN-ACK from [Destination/Server] will pass through Pre-Inbound and Post-Inbound on interface eth2
TCP SYN-ACK from [Destination/Server] will pass through Pre-Outbound and Post-Outbound on interface eth1
TCP ACK from [Source/Client] will pass through Pre-Inbound and Post-Inbound on interface eth1
TCP ACK from [Source/Client] will pass through Pre-Outbound and Post-Outbound on interface eth2
Once started, the FW Monitor compiles the INSPECT filter (created as $FWDIR/tmp/monitorfilter.pf) based on the specified syntax (which packets to capture), and loads it to the Check Point kernel (not replacing the Security Policy). The FW Monitor will then continuously get packets from the Check Point kernel, and depending on the syntax, will either display them on the terminal window , or will save them in the output capture file. Upon an interrupt signal (key combination CTRL + C), the FW Monitor stops, unloads the INSPECT filter, and exits.
Use this flag to make sure that captured data for each packet is at once written to standard output. This is especially useful if you want to kill a running FW Monitor process, and want to be sure that all data is written to a file.
[-d] [-D]
Starts the FW Monitor in debug mode.
This will give you an insight into FW Monitor's inner workings, although this option is only rarely used outside Check Point. Use the "-D" flag will produce an even more verbose output.
[-t]
When compiling the INSPECT filter, includes $FWDIR/lib/tcpip.def, which allows using TCP/IP macros.
Warning: Do not modify anything in $FWDIR/lib/tcpip.def or in any other $FWDIR/lib/*.def file by yourself. Check Point does not support any configuration with changed *.def files. An exception are modifications done together with Check Point Support (according to a Service Request) or found in SecureKnowldege.
[{-e <expr>}+ | -f <filter_file_name> | -]
Captures only specific packets:
Set the filter expression on the command line using the -e <expr> switch
Read the filter expression from a file using the -f <filter_file_name> switch
Read the filter expression from the standard input using the -f - switch
Note: When using filter expressions on the command line (using "-e <expr>" switch), make sure that the expressions are properly quoted. On Windows and UNIX operating systems, this can be done by surrounding the expression with single quote ' (ASCII value 39), or double quotes " (ASCII value 34). Depending on the given operating system and shell, there might be differences between the two forms - especially when using special characters, or (shell) variables in the filter expression.
[-l length]
Limits the length of the captured packets. FW Monitor will read only as many bytes from the kernel as specified by the length.
Make sure to capture as least as many bytes, so that the L3 IP header and L4 Transport header are included. This option allows capturing only the headers of a packet (e.g., IP and TCP), while omitting the actual payload, and thus decreases the size of the output file (by omitting the payload).
FW Monitor uses a buffer to transfer the packets from Check Point kernel to user space. If the size of the captured packets is reduced, this buffer will not fill up so fast.
[-m i] [-m I] [-m o] [-m O]
Capture masks. By default, FW Monitor captures packets before and after the FireWall Virtual Machine in both directions. This flag allows to specify the positions (kernel chains), where the traffic should be captured:
Writes the captured raw data into an output file. The format of an output file is the same format used by tools like snoop (refer to RFC 1761 for further information). This output file can be later analyzed by tools like WireShark.
[-pi position] [-pI position] [-po position] [-pO position] -p all
Inserts FW Monitor chain module at a specific position between Check Point kernel chains.
In addition to capture masks (which give the ability to specify a specific position), this flag defines where exactly (in Check Point kernel chains) the packets should be captured.
Uses absolute chain positions (in Check Point kernel chains). This flag changes the chain ID from a relative value (which only makes sense with the matching output from fw ctl chain command) to an absolute value.
If the captured data is saved into an output file (using the "-o <output_file_name>" switch), one of the fields written into the output file would be the chain position of the FW Monitor chain module. Together with a simultaneous execution of "fw ctl chain" command you can determine where the packet was captured. Especially when using "-p all" switch, you will find the same packet captured multiples times at different chain positions.
[-ci count] [-co count]
Captures a specific number of packets.
This is especially useful in situations where the FireWall is filtering high amounts of traffic. In such scenarios, FW Monitor may bind so many resources (for writing to the console, or to a file) that recognizing the break sequence (CTRL+C) might take very long time.
It is possible to use the "-ci" and the "-co" switches together. FW Monitor will stop capturing packets if the number of packets for one of the two counters reaches the specified "count".
[-v VSID]
Applies only to VSX NG, VSX NGX, and VSX NGX R6x versions.
Captures the packets on a specific Virtual Router or Virtual System on VSX Gateway (Example: fw monitor -v 4 -e "accept;" -o /var/log/fw_mon.cap)
(VI) SecureClient Syntax
SecurRemote and SecureClient R56 / R60 uses an abridged version of FW Monitor - called srfw monitor:
%SRDIR%\bin\srfw monitor [-d] [{-e <expr>}+ | -f <filter_file_name> | -] [-l length] [-m i | I | o | O] [-x offset[,length]] [-o <output_file_name>]
Refer to Remote Access Clients for Windows 32/64-bit Administration Guide (E75.30, E80.41, E80.50) - Chapter 'Monitoring and Troubleshooting' - Troubleshooting the Firewall - Desktop Firewall Monitoring.
(VII) Capture Examples
Refer to $FWDIR/lib/fwmonitor.def file for useful macro definitions.
Refer to "How to use FW Monitor" document - 'Logical and Relational Operators' section.
(VII-A) Capture Examples - Usual Capture
Capture everything, save the data into the file: [Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap
(VII-B) Capture Examples - Host Specific Capture
To specify a host, you can use the following syntax:
Either use "host(<IP_Address_in_Doted_Decimal_format>)", which applies to both Source IP address and Destination IP address
Or use specific Source IP address "src=<IP_Address_in_Doted_Decimal_format>" and specific Destination IP address "dst=<IP_Address_in_Doted_Decimal_format>"
Examples:
Capture everything between host X and host Y: [Expert@HostName]# fw monitor -e "host(x.x.x.x) and host(y.y.y.y), accept;" -o /var/log/fw_mon.cap [Expert@HostName]# fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap
Capture everything between hosts X,Z and hosts Y,Z on all Check Point kernel chains: [Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap
Capture everything to/from host X or to/from host Y or to/from host Z: [Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(y.y.y.y) or host(z.z.z.z), accept;" -o /var/log/fw_mon.cap [Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) or (src=y.y.y.y or dst=y.y.y.y) or (src=z.z.z.z or dst=z.z.z.z)), accept;" -o /var/log/fw_mon.cap
To specify a protocol, you can use the following syntax:
Either use "ip_p=<IANA_Protocol_Number>"
Examples:
To specify TCP protocol with byte offset, use "ip_p=6"
To specify UDP protocol with byte offset, use "ip_p=11"
To specify ICMP protocol with byte offset, use "ip_p=1"
Or use "accept [9:1]=<IANA_Protocol_Number>" (This byte offset syntax is described in the "Capture Examples - Bytes Specific Capture" section)
Examples:
To specify TCP protocol with byte offset, use "accept [9:1]=6"
To specify UDP protocol with byte offset, use "accept [9:1]=11"
To specify ICMP protocol with byte offset, use "accept [9:1]=1"
In addition:
To specify TCP protocol, you can explicitly use "tcp, accept;"
To specify UDP protocol, you can explicitly use "udp, accept;"
To specify ICMPv4 protocol, you can explicitly use "icmp, accept;" or "icmp4, accept;"
To specify ICMPv6 protocol, you can explicitly use "icmp6, accept;"
To specify HTTP protocol (port 80), you can explicitly use "http, accept;"
To specify HTTPS protocol (port 443), you can explicitly use "https, accept;"
To specify PROXY protocol (port 8080), you can explicitly use "proxy, accept;"
To specify DNS protocol (port 53), you can explicitly use "dns, accept;"
To specify SSH protocol (port 22), you can explicitly use "ssh, accept;"
To specify FTP protocol (both port 20 and 21), you can explicitly use "ftp, accept;"
To specify Telnet protocol (port 23), you can explicitly use "telnet, accept;"
To specify SMTP protocol (port 25), you can explicitly use "smtp, accept;"
To specify POP3 protocol (port 110), you can explicitly use "pop3, accept;"
To specify IKE protocol (port 500), you can explicitly use "ike, accept;"
To specify NAT Traversal (NAT-T) protocol (port 4500), you can explicitly use "natt, accept;"
To specify both ESP (ip 50) and IKE protocol (port 500), you can explicitly use "vpn, accept;"
To capture Multi-Portal connections (port 443 or port 444), you can explicitly use "multi, accept;"
To capture all VPN-related data [ESP (ip 50), IPsec over UDP (port 2746), IKE (port 500), NAT-T (port 4500), CRL (port 18264), RDP (port 259), Tunnel Test (port 18234), Topology (port 264), L2TP (port 1701), SCV (port 18233), Multi-Portal (port 443 or port 444), etc.], you can explicitly use "vpnall, accept;"
Specifies the offset relative to the beginning of the IP packet from where the value should be read.
length
Specifies the number of bytes:
1 = byte
2 = word
4 = dword
If length is not specified, FW Monitor assumes 4 (dword).
order
Specifies the byte order:
b = big endian, or network order
l = little endian, or host order
If order is not specified, FW Monitor assumes little endian byte order.
relational-operator
Relational operator to express the relation between the packet data and the value:
<
less than
>
greater than
<=
less than or equal to
>=
greater than
=
equal to
is
!=
not equal to
is not
value
One of the data types known to INSPECT (e.g., an IP address, or an integer).
The IP-based protocols are stored in the IP packet as a byte at offset 9:
To filter based on a Protocol encapsulated into IP, use this syntax: [Expert@HostName]# fw monitor -e "accept [9:1]=<IANA_Protocol_Number>;"
The Layer 3 IP Addresses are stored in the IP packet as double words at offset 12 (Source address) and at offset 16 (Destination address):
To filter based on a Source IP address, use this syntax: [Expert@HostName]# fw monitor -e "accept [12:4,b]=<IP_Address_in_Doted_Decimal_format>;"
To filter based on a Destination IP address, use this syntax: [Expert@HostName]# fw monitor -e "accept [16:4,b]=<IP_Address_in_Doted_Decimal_format>;"
The Layer 4 Ports are stored in the IP packet as a word at offset 20 (Source port) and at offset 22 (Destination port):
To filter based on a Source port, use this syntax: [Expert@HostName]# fw monitor -e "accept [20:2,b]=<Port_Number_in_Decimal_format>;"
To filter based on a Destination port, use this syntax: [Expert@HostName]# fw monitor -e "accept [22:2,b]=<Port_Number_in_Decimal_format>;"
Examples:
Capture everything between host X and host Y: [Expert@HostName]# fw monitor -e "accept (([12:4,b]=x.x.x.x , [16:4,b]=y.y.y.y) or ([12:4,b]=y.y.y.y , [16:4,b]=x.x.x.x));"
Capture everything on port X: [Expert@HostName]# fw monitor -e "accept [20:2,b]=x or [22:2,b]=x;" -o /var/log/fw_mon.cap
(VII-G) Capture Examples - Network Specific Capture
To capture traffic to/from a network, you need to specify the network address and length of network mask (number of bits).
There are 3 options:
To capture traffic to/from a network, use "net(<Network_IP_Address>, <Mask_Length>), accept;"
To capture traffic to a network, use "to_net(<Network_IP_Address>, <Mask_Length>), accept;"
To capture traffic from a network, use "from_net(<Network_IP_Address>, <Mask_Length>), accept;"
Capture everything sent to network 192.168.33.0 / 24: [Expert@HostName]# fw monitor -e "to_net(192.168.33.0, 24), accept;"
Capture everything sent from network 192.168.33.0 / 24: [Expert@HostName]# fw monitor -e "from_net(192.168.33.0, 24), accept;"
(VII-H) Capture Examples - Some Examples
Capture ESP protocol or UDP port 161 (SNMP): [Expert@HostName]# fw monitor -e "(ip_p=50) or (ip_p=17, port(161)), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
Filter out the usual garbage (SMTP, POP3, SSH, Microsoft NetBIOS, Check Point ClusterXL CCP): [Expert@HostName]# fw monitor -e "(sport!=25) and (dport!=25) and (sport!=110) and (dport!=110) and (sport!=22) and (dport!=22) and (sport!=137) and (dport!=137) and (sport!=8116) and (dport!=8116), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
Filter out the usual garbage (filter in only TCP protocol, and HTTP and HTTPS ports ; filter out the SSH and FW Logs): [Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443);" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
Capture Edge communication between 10.10.10.10, or 20.20.20.20, or 30.30.30.30 and on UDP ports 9281, or 9282, or 9283: [Expert@HostName]# fw monitor -e "ip_p=17, (host(10.10.10.10) or host(20.20.20.20) or host(30.30.30.30)) and (port(9281) or port(9282) or port(9283)), accept;" -o /var/log/fw_mon.cap
(VIII) Related Documentation
Detailed information regarding the usage of the fw monitor command can be found in the "How to use FW Monitor" document.
Notes:
This document applies to Security Gateways of all existing Check Point versions, regardless of operating system.
Ignore the outdated links provided in the document in the "Secure Knowledge Links" section.
