Tuesday, June 1, 2010

Checkpoint : How to check what is happening in my checkpoint firewall??

FW MONITOR - Monitor your KERNEL..
---------------------------------


Purpose:

Many People have problems with their daily life, is just bcoz they dont know what is/was happening INSIDE, I could never trouble shoot the KERNEL of Mine, but definitely did in my Favorite Product CheckPoint..

Yes.. Always monitor the each points (don't simply believe ALL IZZZ WELL..) Nothing gonna be Well untill and unless you have the control on each point of the Process..

Here we go,, FW Monitor,

Why fw monitor?

The fw monitor utility is similar to 'snoop' and 'tcpdump' in being able to capture and display packet information. Unlike snoop or tcpdump, fw monitor is always available on FW-1, can show all interfaces at once and can have insertion points between different Check Point modules. The fw monitor commands are the same on every platform.

Fw monitor syntax:

There are many options for the fw monitor command and these can be seen by typing fw monitor –h on the command line;



fw monitor -h

Usage: fw monitor [- u|s] [-i] [-d] <{-e expr}+|-f > [-l len] [-m mask] [-x offset[,len]] [-o ] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all [-a ]> [-ci count] [-co count]

Each option is fully explained in the Check Point document How to use fw monitor.

Brief option description:

-u|s, is used to show the uuid which is the same number during the entire connection
-i, is used to make sure that all info is written to standard output immediately
-d|D, is used to put fw monitor in debug or more Debug modes
-e, is used for the user defined expressions
-f, for the filter file
-l, is used to limit the packet length captured
-m, is a mask of interface such as the default mask of iIoO
-x, prints the packet data to the screen
-o, output file
-p[x] pos, is used to set the insertion point of the monitor
-p all, places insertion points between each module
-ci count, is used to break out of fw monitor after incoming packets
-co count, is used to break out of fw monitor after outgoing packets

Reading the output:

El59x1:i[48]: 10.10.10.20 -> 192.168.10.95 (TCP) len=48 id=944



TCP: 1034 -> 21 .S.... seq=78caaa74 ack=00000000

Filter expressions:

A great reference for filter expressions is the tcpip.def file located at $FWDIR/lib.
In this document we will just describe a few and how they work.
#define ip_tos [ 1 : 1]
#define ip_len [ 2 : 2, b]
#define ip_id [ 4 : 2, b]
#define ip_off [ 6 : 2, b]
#define ip_ttl [ 8 : 1]
#define ip_p [ 9 : 1]
#define ip_sum [ 10 : 2, b]
#define ip_src [ 12 , b]
#define ip_dst [ 16 , b]
#define PROTO_icmp 1
#ifdef IPV6_ENABLED
#define PROTO_icmp6 58

No comments: