Check Point's FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using the WireShark (available for free from www.wireshark.org).
Check Point's FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using the WireShark (available for free from www.wireshark.org).
(2) Warnings
Anything related to policy installation or policy unloading on Security Gateway, will cause FW Monitor to exit.
It is supported to run only a single instance of FW Monitor at any given time.
Do not modify Check Point kernel tables used in the security policy while FW Monitor is running, otherwise unexpected behavior may result (including a system crash).
Packets are defragmented as they leave the Security Gateway in both the inbound and outbound directions.
If SecureXL is enabled on the Security Gateway, then FW Monitor and tcpdump will show only the non-accelerated packets (e.g., 'TCP SYN' will be shown, and 'TCP ACK' will not).
Important Note: Traffic captures can be misleading when working with SecureXL since both FW Monitor and TCPdump do not always show 'real' packets that are going out to the network. This is related to the way the SecureXL kernel driver is attached to the network adapter itself. When using SecureXL to confirm whether packets are being handled correctly, either capture the traffic on the directly connected router / switch, or disable SecureXL.
From R80.20 Jumbo HotFix - Ongoing Take 73, added ability to FW Monitor to support monitoring of accelerated traffic by default.
From R80.30 Jumbo HotFix - General Availability Take 215, added ability to FW Monitor to support monitoring of accelerated traffic by default, except for the "-e" flag for FW Monitor, which is not supported on SecureXL.
Monitored traffic
Since R80.20, 1st Accelerated packet will be monitored only in inbound (i).
Since R80.20 Jumbo take 73, Accelerated traffic in fast path will monitor inbound and outbound.
Since R80.20 Jumbo take 117, Slow Path, Med Path and Fast Path are monitored.
In R80.30, default behavior is like R80.20 prior to Jumbo take 72.
In R80.40, Default behavior will be to monitor all traffic.
Filtering options
Since R80.20 Jumbo take 73, using the "-e" flag will not filter accelerated traffic (all accelerated traffic will be monitored). To Filter accelerated traffic use the "-F" flag (exists from Jumbo take 73)
Since R80.20 Jumbo take 117, using the "-e" flag will filter out all accelerated traffic. To filter and monitor Accelerated traffic use "-F" (exists from Jumbo take 73)
R80.40 and higher users, as well as R80.20 and R80.30 users with the latest Jumbo Hotfix Accumulator take, can freely use the “-F” flag. If they use the “-e” flag, the filtering will be done on non-accelerated traffic, and accelerated traffic will not be displayed at all.
(3) FW Monitor Features
In many deployment and support scenarios, capturing network packets is an essential functionality. The tcpdump / snoop utilities are normally used for this task. The FW Monitor utility provides an even better functionality, but omits many of the requirements and the risks associated with these tools:
No Security Flaws
tcpdump / snoop are normally used with NICs in promiscuous mode. Unfortunately, promiscuous mode allows remote attacks against these tools. Check Point's FW Monitor does not use promiscuous mode to capture packets. In addition, most firewalls' operating systems are hardened. In most cases, this hardening includes the removal of tools like tcpdump / snoop, because of their security risks.
Available on FireWall Installations
FW Monitor is a built-in tool that does not need a separate installation, or licensing.
Multiple Capture Positions within the FireWall Kernel Module Chains
FW Monitor allows to capture packets at multiple capture positions within the Security Gateway kernel module chains, both for inbound and outbound packets. This enables to trace a packet through the different layers of the Security Gateway.
Same Tool and Syntax on All Platforms
FW Monitor is available on all different platforms. tcpdump / snoop are often platform-dependent, or have specific "enhancements" on certain platforms. FW Monitor and all its related functionality and syntax are identical across all platforms.
Normally, Check Point kernel modules are used to perform several functions on packets, such as filtering, encryption and decryption, QoS, etc. FW Monitor adds its own modules to capture packets. FW Monitor can capture all packets that are seen and/or forwarded by the Security Gateway.
(4) FW Monitor Functionality
There are four inspection points when a packet passes through a Security Gateway:
#
Traffic direction (*)
Relation to FireWall Virtual Machine
Name of inspection point
Notion of inspection point
1
Inbound
Before the inbound FW VM
Pre-Inbound
"i"
2
Inbound
After the inbound FW VM
Post-Inbound
"I"
3
Outbound
Before the outbound FW VM
Pre-Outbound
"o"
4
Outbound
After the outbound FW VM
Post-Outbound
"O"
(*) The traffic direction (inbound/outbound) relates to each specific packet, and not to the connection.
Note: When VPN is enabled, additional inspection points are added:
e - before VPN encryption
E - after VPN encryption
d - before VPN decryption
D - after VPN decryption
Note: When QOS is enabled, additional inspection points are added:
q - before QOS chain module
Q - after QOS chain module
Let us examine a TCP handshake in the following topology:
TCP SYN from [Client] will pass through Pre-Inbound and Post-Inbound on interface eth1:[Client] --- (eth1) {Pre-Inbound + Post-Inbound} [Security Gateway](eth2) --- [Server]
TCP SYN from [Client] will pass through Pre-Outbound and Post-Outbound on interface eth2:
[Client] --- (eth1)[Security Gateway] {Pre-Outbound and Post-Outbound} (eth2) --- [Server]
TCP SYN-ACK from [Server] will pass through Pre-Inbound and Post-Inbound on interface eth2:
TCP ACK from [Client] will pass through Pre-Outbound and Post-Outbound on interface eth2:
[Client] --- (eth1)[Security Gateway] {Pre-Outbound and Post-Outbound} (eth2) --- [Server]
Once started, the FW Monitor compiles the INSPECT filter (created as $FWDIR/tmp/monitorfilter.pf) based on the specified syntax (which packets to capture), and loads it to the Check Point kernel (not replacing the Security Policy). The FW Monitor will then continuously get packets from the Check Point kernel, and depending on the syntax, will either display them on the terminal window , or will save them in the output capture file. Upon an interrupt signal (key combination CTRL + C), the FW Monitor stops, unloads the INSPECT filter, and exits.
Use this flag to make sure that captured data for each packet is at once written to standard output. This is especially useful if you want to kill a running FW Monitor process, and want to be sure that all data is written to a file.
-d -D
Starts the FW Monitor in debug mode.
This will give you an insight into FW Monitor's inner workings, although this option is only rarely used outside Check Point. Use the "-D" flag will produce an even more verbose output.
-t
When compiling the INSPECT filter, includes $FWDIR/lib/tcpip.def, which allows using TCP/IP macros.
Warning: Do not modify anything in $FWDIR/lib/tcpip.def or in any other $FWDIR/lib/*.def file by yourself. Check Point does not support any configuration with changed *.def files. An exception are modifications done together with Check Point Support (according to a Service Request) or found in SecureKnowldege.
Note: When using filter expressions on the command line (using "-e <expr>" switch), make sure that the expressions are properly quoted. On Windows and UNIX operating systems, this can be done by surrounding the expression with single quote ' (ASCII value 39), or double quotes " (ASCII value 34). Depending on the given operating system and shell, there might be differences between the two forms - especially when using special characters, or (shell) variables in the filter expression.
-l length
Limits the length of the captured packets. FW Monitor will read only as many bytes from the kernel as specified by the length.
Make sure to capture as least as many bytes, so that the L3 IP header and L4 Transport header are included. This option allows capturing only the headers of a packet (e.g., IP and TCP), while omitting the actual payload, and thus decreases the size of the output file (by omitting the payload).
FW Monitor uses a buffer to transfer the packets from Check Point kernel to user space. If the size of the captured packets is reduced, this buffer will not fill up so fast.
-m i -m I -m o -m O
Capture masks. By default, FW Monitor captures packets before and after the FireWall Virtual Machine in both directions. This flag allows to specify the positions (kernel chains), where the traffic should be captured:
Writes the captured raw data into an output file. The format of an output file is the same format used by tools like snoop (refer to RFC 1761 for further information). This output file can be later analyzed by tools like WireShark.
-pi position -pI position -po position -pO position -p all
Inserts FW Monitor chain module at a specific position between Check Point kernel chains.
In addition to capture masks (which give the ability to specify a specific position), this flag defines where exactly (in Check Point kernel chains) the packets should be captured.
Uses absolute chain positions (in Check Point kernel chains). This flag changes the chain ID from a relative value (which only makes sense with the matching output from fw ctl chain command) to an absolute value.
If the captured data is saved into an output file (using the "-o <output_file_name>" switch), one of the fields written into the output file would be the chain position of the FW Monitor chain module. Together with a simultaneous execution of "fw ctl chain" command you can determine where the packet was captured. Especially when using "-p all" switch, you will find the same packet captured multiples times at different chain positions.
-ci count -co count
Captures a specific number of packets.
This is especially useful in situations where the FireWall is filtering high amounts of traffic. In such scenarios, FW Monitor may bind so many resources (for writing to the console, or to a file) that recognizing the break sequence (CTRL+C) might take very long time.
It is possible to use the "-ci" and the "-co" switches together. FW Monitor will stop capturing packets if the number of packets for one of the two counters reaches the specified "count".
-u | -s
Prints connection's Universal-Unique-ID (UUID), or connection's Session UUID (SUUID) for every packet.
Note that it is only possible to print the UUID or the SUUID - not both.
For further information, refer to "(5-C) FW Monitor Syntax and Usage - Using the UUID feature" section and to "How to use FW Monitor" document.
-v VSID
Applies only to VSX NG, VSX NGX, and VSX NGX R6x versions.
Captures the packets on a specific Virtual Router or Virtual System on VSX Gateway (Example: fw monitor -v 4 -e "accept;" -o /var/log/fw_mon.cap)
-w
When using -o/ -x flag, there is an option to print whole raw data of packet.
Note: Relevant for R80.20 from Jumbo Hotfix Accumulator for R80.20 (Take 73). Currently, not relevant for R80.30.
Setting snaplen to 0 sets it to the default of 65535 bytes
For FW Monitor:
By default, not needed
Refer to the table above
Automatically exit after specified number of packets was captured
-c count
-ci count -co count
For FW Monitor:
Refer to the table above
Print payload content
-X
-x offset[,length]
For TCPdump:
In addition to printing the headers of each packet, prints the data of each packet (minus its Link Level header) in Hex and ASCII
For FW Monitor:
Refer to the table above
Display timestamps on CLI (when not saving output into a file)
-tt
N/A
For TCPdump:
Prints an unformatted timestamp on each dump line.
-ttt
-T
For TCPdump:
Prints a delta (micro-second resolution) between current and previous line on each dump line.
-ttt
N/A
For TCPdump:
Prints a delta (micro-second resolution) between current and previous line on each dump line.
-tttt
N/A
For TCPdump:
Prints a timestamp in default format preceeded by date on each dump line.
-ttttt
N/A
For TCPdump:
Print a delta (micro-second resolution) between current and first line on each dump line.
Display verbose output on CLI (when not saving output into a file)
-v
-d
For TCPdump:
Produces slightly more verbose output. For example, the TTL, Identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks, such as verifying the IP and ICMP header checksum.
For FW Monitor:
Refer to the table above
-vv
-D
For TCPdump:
Produces even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
For FW Monitor:
Refer to the table above
-vvv
-D
For TCPdump:
Produces even more verbose output. For example, telnet SB ... SE options are printed in full. With "-X", Telnet options are printed in Hex as well.
For FW Monitor:
Refer to the table above
(5-C) FW Monitor Syntax and Usage - Using the UUID feature
Background
The purpose of the new FW Monitor feature is to use the UUID feature (that was introduced in NG AI family) in order to follow connections passing through the FireWall.
Following connections through the FireWall is not always a trivial task since in many cases the FireWall modifies information in the original packet. These cases include:
NAT, both Static and Dynamic (Hide)
Security Servers
VPN Encryption
In Check Point NG AI version, a Universal-Unique-IDentifier (UUID) was introduced as the basis for the log unification mechanism. A UUID is given to every new connection passing through the FireWall. This way, all packets that belong to the connection can be identified and can later be unified on Security Management Server.
This new infrastructure has given us the ability to enhance the "FW Monitor" utility. The FW Monitor utility is a tcpdump/snoop-like tool that allows us to monitor packets as they pass through the FireWall. The FW Monitor module registers itself as the first and the last module on the chain, allowing us to see any modifications done by the FireWall on the original packet. With the addition of the UUID field to the FW Monitor, entire connections can be monitored as they pass through the FireWall.
The UUID feature
The original UUID is an array, composed of 4 unsigned 32-bit integers, in which only the first two integers are relevant: UUID[0] is a timestamp. UUID[1] is a counter used whenever UUID[0] is not unique. UUID[2] is the IP address of the local firewall (constant) UUID[3] is a process number (currently a constant that can be ignored).
The UUID feature can be activated with one of the following switches:
-u = displays the UUID
-s = displays the session UUID, meaning, display a single (parent) UUID of complex connections involving data/control connections (such as FTP, H.323, etc.)
Since we are pressed for space in the header fields of the captured packet, the original UUID has been manipulated to be 1 unsigned long 32-bit integer. It is currently composed of the 2 least significant bytes of UUID[1] (16 bits) attached to the 2 least significant bytes of UUID[0] (16 bits). This gives us the following amount of unique IDs:
216 IDs per second
216 seconds
This UUID is then placed in the last four bytes of the Ethernet MAC Source header field.
The new Ethernet header MAC fields are now:
2 bytes - i/I/o/O
6 bytes - Interface Name
4 bytes - UUID
In addition, it is possible to redirect the FW Monitor output to an ASCII file instead of saving it in a tcpdump/snoop format. If this is the case, the 32-bit manipulated UUID is displayed as the first field of each line followed by the entire UUID array.
Filtering
When viewing the captured file, it is now possible to view the connection by filtering the file by the UUID. This is done by first opening the captured file, finding a packet that belongs to the connection, and getting the last four bytes of the Source MAC address. Then, convert these four bytes to Decimal format and filter the captured file as follows:
where HHHH is the decimal equivalent of the last four bytes of the Source MAC address.
Debugging
The UUID feature can be debugged by collecting the "fw ctl debug -m fw + chain conn" debug.
Note: The 'filter' flag may also provide some information, but also produces many irrelevant printouts.
Notes
The UUID of the first packet of every new connection before the VM is always 0.
The UUID on encrypted packets is also 0.
When running the UUID feature and redirecting the output to a captured file, only the first 6 bytes of the interface name will be displayed.
The compressed UUID can be similar if taken on two different machines (since the IP address portion of the original UUID was not taken into consideration). In addition, it can also be similar if taken days apart (since the counter portion of the compressed UUID will repeat every 18 hours).
(6) SecureClient Syntax
SecurRemote and SecureClient R56 / R60 uses an abridged version of FW Monitor - called srfw monitor:
%SRDIR%\bin\srfw monitor [-d] [{-e <expr>}+ | -f <filter_file_name> | -] [-l length] [-m i | I | o | O] [-x offset[,length]] [-o <output_file_name>]
To specify a host, you can use the following expression:
Either use "host(<IP_Address_in_Doted_Decimal_format>)", which applies to both Source IP address and Destination IP address
Or use specific Source IP address "src=<IP_Address_in_Doted_Decimal_format>" and specific Destination IP address "dst=<IP_Address_in_Doted_Decimal_format>"
Capture everything between hosts X,Z and hosts Y,Z on all Check Point kernel chains:
[Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap
Capture everything to/from host X or to/from host Y or to/from host Z:
[Expert@HostName]# fw monitor -e "host(x.x.x.x) or host(y.y.y.y) or host(z.z.z.z), accept;" -o /var/log/fw_mon.cap [Expert@HostName]# fw monitor -e "((src=x.x.x.x or dst=x.x.x.x) or (src=y.y.y.y or dst=y.y.y.y) or (src=z.z.z.z or dst=z.z.z.z)), accept;" -o /var/log/fw_mon.cap
Filter out the usual garbage (SMTP, POP3, SSH, Microsoft NetBIOS, Check Point ClusterXL CCP):
[Expert@HostName]# fw monitor -e "(sport!=25) and (dport!=25) and (sport!=110) and (dport!=110) and (sport!=22) and (dport!=22) and (sport!=137) and (dport!=137) and (sport!=8116) and (dport!=8116), accept;" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
Filter out the usual garbage (filter in only TCP protocol, and HTTP and HTTPS ports ; filter out the SSH and FW Logs):
[Expert@HostName]# fw monitor -e "accept (ip_p=6) and (not (sport=22 or dport=22)) and (not (sport=257 or dport=257)) and ((dport=80 or dport=443) or (sport=80 or sport=443);" -o /var/log/fw_mon.cap > /dev/null 2>&1 &
Capture Edge communication between 10.10.10.10, or 20.20.20.20, or 30.30.30.30 and on UDP ports 9281, or 9282, or 9283:
[Expert@HostName]# fw monitor -e "ip_p=17, (host(10.10.10.10) or host(20.20.20.20) or host(30.30.30.30)) and (port(9281) or port(9282) or port(9283)), accept;" -o /var/log/fw_mon.cap
(8) Capture Examples of "-F" flag
(8-A) Usual Capture
Capture everything, you can use the following expression:
-F "0,0,0,0,0"
(8-B) Host Specific Capture
To specify a host, you can use the following expression:
-F "x.x.x.x,0,y.y.y.y,0,0"
This will filter connection with source ip x.x.x.x and destination ip: y.y.y.y.
Protocol number and ports number can be any value.
Note: This means the filter will only catch one direction of the connection, so set a second (set of) filter to catch the other direction.
