Checkpoint-Fwmonitor-Troubleshooting-Tool:

  • FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The fw monitor utility captures packets at several points along the firewall inspection chains, so you can see what the kernel did to a packet between entering and leaving the gateway.
  • Syntax to capture with fw monitor is shown below. The filter expression is quoted and ends with a semicolon; -o writes the raw capture to a file that can be opened in Wireshark:
  • fw monitor -e "accept src=10.1.1.1 or dst=10.1.1.1;" -o test.out
  • fw monitor captures traffic at 4 important points in the firewall, namely i, I, o & O. You will see them in the capture in that sequence.
  • Caveat: on releases before R80.20, packets accelerated by SecureXL bypass these inspection points and will be missing from the capture. Temporarily disable acceleration with fwaccel off while troubleshooting (and re-enable it with fwaccel on afterwards), or confirm the packet is not in the accelerated connection table first.

i – Pre-inbound: the packet as it was received on the ingress interface, before any inspection. If you see only this line for a packet, it was dropped between i and I, typically by anti-spoofing or the access rule.

I – Post-inbound: the packet after it has passed inbound inspection on the ingress interface. If the next line for the packet is not the 'o' line, the firewall did not hand it to an egress interface, which points to a routing issue.

For both i and I the interface shown is the ingress interface, where the packet enters the firewall.

o – Pre-outbound: the packet as it arrives at the egress interface inside the firewall, before outbound inspection. If this is the last line seen for the packet, check NAT.

O – Post-outbound: the packet as it leaves the egress interface. If you see this line, you can be sure the packet has left the firewall and that the ACL, route and NAT are all working as expected.

Example:

eth0:i[284]: 10.1.1.1 -> 172.1.1.1 (ICMP) len=284 id=40220
ICMP: type=8 code=0 echo request id=6373 seq=12289
eth0:I[284]: 10.1.1.1 -> 192.168.1.2 (ICMP) len=284 id=40220
ICMP: type=8 code=0 echo request id=6373 seq=12289
eth2:o[284]: 10.1.1.1 -> 192.168.1.2 (ICMP) len=284 id=40220
ICMP: type=8 code=0 echo request id=6373 seq=12289
eth2:O[284]: 10.4.1.1 -> 192.168.1.2 (ICMP) len=284 id=40220
ICMP: type=8 code=0 echo request id=6373 seq=12289

10.1.1.1 – Original source (unchanged at i, I and o).

172.1.1.1 – Original destination (seen only at i, before destination NAT).

10.4.1.1 – Translated source (source NAT is applied between o and O).

192.168.1.2 – Translated destination (destination NAT is applied between i and I).

Note which address changes at which point: the destination is rewritten on the inbound side between i and I, and the source is rewritten on the outbound side between o and O. That is the default NAT behaviour, so if a translation is missing, the capture point where you expected the address to change tells you which NAT rule to look at.
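To make reading a capture mechanical, here is an added Python example (not part of the original post and not a Check Point tool) that parses fw monitor header lines, groups the i/I/o/O lines of each packet by protocol and IP id, and applies the rules above to report the last capture point reached and where NAT rewrote the addresses. The sample capture embedded in it consists of the post's own four lines plus two constructed packets (ids 40221 and 40222) that stop at i and at I respectively; the handling of a "[vs_0][fw_0]" line prefix is an assumption about the output format of newer releases.

```python
import re
from collections import OrderedDict

# Constructed sample: the four lines from the post (id=40220), plus two
# packets made up for this example: id=40221 is seen only at 'i' (dropped by
# anti-spoofing/rule base) and id=40222 stops after 'I' (routing issue).
SAMPLE_CAPTURE = """\
eth0:i[284]: 10.1.1.1 -> 172.1.1.1 (ICMP) len=284 id=40220
ICMP: type=8 code=0 echo request id=6373 seq=12289
eth0:I[284]: 10.1.1.1 -> 192.168.1.2 (ICMP) len=284 id=40220
ICMP: type=8 code=0 echo request id=6373 seq=12289
eth2:o[284]: 10.1.1.1 -> 192.168.1.2 (ICMP) len=284 id=40220
ICMP: type=8 code=0 echo request id=6373 seq=12289
eth2:O[284]: 10.4.1.1 -> 192.168.1.2 (ICMP) len=284 id=40220
ICMP: type=8 code=0 echo request id=6373 seq=12289
eth0:i[284]: 10.1.1.1 -> 172.1.1.1 (ICMP) len=284 id=40221
ICMP: type=8 code=0 echo request id=6373 seq=12290
eth0:i[284]: 10.1.1.1 -> 172.1.1.1 (ICMP) len=284 id=40222
ICMP: type=8 code=0 echo request id=6373 seq=12291
eth0:I[284]: 10.1.1.1 -> 192.168.1.2 (ICMP) len=284 id=40222
ICMP: type=8 code=0 echo request id=6373 seq=12291
"""

# Packet header line as fw monitor prints it. The optional leading group
# skips tags such as "[vs_0][fw_0]" (assumed prefix on newer releases).
HEADER = re.compile(
    r"^(?:\[[^\]]*\]\s*)*"
    r"(?P<iface>[^:\s]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+->\s+(?P<dst>\d+(?:\.\d+){3})\s+"
    r"\((?P<proto>\w+)\)\s+len=\d+\s+id=(?P<id>\d+)"
)

POINTS = "iIoO"  # order of the capture points along the inspection chain

# What the last capture point seen for a packet tells you, per the post.
VERDICT = {
    "i": "seen only at i: dropped before I, check anti-spoofing and the access rule",
    "I": "no o line: not forwarded to an egress interface, check routing",
    "o": "no O line: dropped between o and O, check NAT",
    "O": "seen at O: packet left the firewall, ACL, route and NAT all OK",
}


def parse_capture(text):
    """Group header lines by (protocol, IP id), keeping capture-point order.

    Detail lines (ICMP/TCP/UDP fields) are skipped. The IP id ties the
    i/I/o/O lines of one packet together even though NAT rewrites the
    addresses along the way; ids wrap on a busy gateway, so on a long
    capture also compare the L4 detail line (icmp id/seq, ports) before
    trusting a match.
    """
    flows = OrderedDict()
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            flows.setdefault((m["proto"], m["id"]), []).append(m.groupdict())
    return flows


def last_point(hops):
    """Furthest capture point reached by one packet ('i' < 'I' < 'o' < 'O')."""
    return max(hops, key=lambda h: POINTS.index(h["point"]))["point"]


def nat_changes(hops):
    """(field, old, new, from_point, to_point) for every address rewrite
    between consecutive capture points; shows where NAT was applied."""
    changes = []
    for a, b in zip(hops, hops[1:]):
        for field in ("src", "dst"):
            if a[field] != b[field]:
                changes.append((field, a[field], b[field], a["point"], b["point"]))
    return changes


def diagnose(text):
    """Map (proto, id) -> (last point, verdict, NAT rewrites) for a capture."""
    result = {}
    for key, hops in parse_capture(text).items():
        point = last_point(hops)
        result[key] = (point, VERDICT[point], nat_changes(hops))
    return result


if __name__ == "__main__":
    for (proto, pkt_id), (point, verdict, nat) in diagnose(SAMPLE_CAPTURE).items():
        print(f"{proto} id={pkt_id}: {verdict}")
        for field, old, new, frm, to in nat:
            print(f"    {field} {old} -> {new} between {frm} and {to}")
```

Feed it the text output of a run without -o (or of fw monitor -i test.out on a saved capture) and it prints one verdict per packet; for the post's packet it reports O with the destination rewritten between i and I and the source between o and O, which is exactly the picture the four lines above describe.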
