Check Point FW MONITOR Cheat Sheet 3.1d
Check Point R80.20 update - fw monitor   Copyright by Heiko Ankenbrand 1996-2019 v 3.1

Basics

What is FW Monitor?
fw monitor is the Check Point kernel packet capture: it inserts a capture module into the firewall kernel chain and prints every packet at the selected inspection points (see SK30583).

fw monitor and SecureXL
On R80.20 SecureXL does not have to be disabled ("fwaccel off") to run "fw monitor"; the capture also sees accelerated packets. On older releases accelerated packets bypass the firewall VM and are invisible to fw monitor unless SecureXL is switched off. Note that "fwaccel off" on a production gateway disables acceleration for all traffic and can cause a noticeable performance drop.

fwaccel off   disable SecureXL (not necessary on R80.20)
fwaccel on    enable SecureXL

Syntax

fw monitor [-u|-s] [-i] [-d] [-v vsid] [-X] [-T] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]] [-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all [-a]> [-ci count] [-co count]

-h                         Print help message
-i                         Flushes the standard output.
-d / -D                    Starts FW Monitor in debug mode.
-T                         Show date and timestamp for every processed packet
-e <expr>                  Captures only packets matching the filter expression
-f <filter-file|->         Reads the filter expression from a file (or from stdin with "-")
-l <length>                Limits the length of the captured packets.
-m <mask>                  Capture mask: which inspection points to capture (e.g. i, I, o, O)
-x <offset>,<length>       Prints packet/payload raw data in addition to the IP and transport headers
-o <output_file>           Writes the captured raw data into an output file.
-p all / -p<position>      Inserts the FW Monitor chain module at a specific position between the Check Point kernel chains.
-ci <count> / -co <count>  Captures a specific number of inbound / outbound packets.
-u | -s                    Prints the connection's Universal Unique ID (UUID) or the connection's Session UUID (SUUID)
-v <VSID>                  Captures the packets of a specific VSX virtual system / virtual router

New R80.20 fw monitor inspection points

There are new fw monitor inspection points available. The inspection point is printed after the interface name, e.g. "eth0:i" in this output:

[vs_0][fw_0] eth0:i[60]: 192.168.1.1 -> 8.8.8.8 (ICMP) len=60 id=13315
ICMP: type=8 code=0 echo request id=4 seq=63187

Inspection point   Relation to firewall VM
i                  Inbound: before the inbound FireWall VM
I                  Inbound: after the inbound FireWall VM
id                 Inbound: before decrypt (R80.20+)
ID                 Inbound: after decrypt (R80.20+)
iq                 Inbound: before QoS (R80.20+)
IQ                 Inbound: after QoS (R80.20+)
e / oe             Outbound: before encrypt (R80.10+)
E / OE             Outbound: after encrypt (R80.10+)
oq                 Outbound: before QoS (R80.20+)
OQ                 Outbound: after QoS (R80.20+)
o                  Outbound: before the outbound FireWall VM
O                  Outbound: after the outbound FireWall VM

Filter with macros

Macros are defined in two files:
$FWDIR/lib/tcpip.def      actual expressions behind the fw monitor macros
$FWDIR/lib/fwmonitor.def  macros for fw monitor

fw monitor -e "accept(<filter>);"   start fw monitor with a filter (Ctrl+C stops the capture)

Important macros:

IP address
host(addr)            addr as source or destination address
src(addr)             packets where the source address is addr
dst(addr)             packets where the destination address is addr

Networks
net(net, masklen)       packets to or from the network net
from_net(net, masklen)  packets from the network net
to_net(net, masklen)    packets to the network net

Ports
port(port)     packets with port as source or destination port
sport(port)    packets where the source port is port
dport(port)    packets where the destination port is port
tcpport(port)  TCP traffic to or from port port
udpport(port)  UDP traffic to or from port port

TCP flags
syn          packets with the SYN flag set
ack          packets with the ACK flag set
fin          packets with the FIN flag set
first        packets with the SYN flag but without the ACK flag
established  packets with the ACK flag or without the SYN flag
not_first    packets without the SYN flag
last         packets with the FIN and ACK flags set

Terminal sessions and CP sessions
no_term   everything other than SSH and Telnet traffic
no_mgmt   everything other than CP management traffic such as CPMI, CPD and AMON
pull      SIC certificate pulls from the management
push      SIC certificate pushes to gateways

IP protocol
ip_p(proto)   packets with the matching IANA protocol number

ICMP
icmp_error  ICMP packets of the following types: destination unreachable (3), source quench (4), redirect (5), time exceeded (11) or parameter problem (12)
ping        ICMP echo request and ICMP echo reply packets
tracert     packets specific to the Windows tracert command (ICMP echo requests / time exceeded)
traceroute  packets of the Unix traceroute command (UDP packets to destination ports higher than 33000)

VPN
ike     packets with port 500
natt    packets with port 4500
vpnd    IKE, NAT traversal, UDP encapsulated IPsec, RDP, CP topology updates, CP tunnel tests, L2TP and SecureClient keepalives
vpnall  everything from vpnd

Expressions

A simple expression compares bytes at a fixed offset from the start of the IP header:

[offset:length,order] operator value

Comparison operators:
<    less than
>    greater than
<=   less than or equal to
>=   greater than or equal to
=    is equal
!=   is not equal

Logical operators:
and  logical AND
,    logical AND
or   logical OR
xor  logical XOR
not  logical NOT

Examples

write to file
fw monitor -e "accept;" -o dump.cap

show all chain modules
fw monitor -p all -e "accept;"

show payload
fw monitor -x 1,1500 -e "accept;"

show VSX virtual system ID 3 traffic
fw monitor -v 3 -e "accept;"

Example filters

host with dst or src IP 192.168.1.1
fw monitor -e 'accept host(192.168.1.1);'

host with dst or src IP 192.168.1.1 and not SSH or Telnet
fw monitor -e "accept( host(192.168.1.1) and no_term);"

IP traffic from and to network 192.168.1.0/24
fw monitor -e "accept(net(192.168.1.0,24));"

all packets with SYN and ACK flags set (TCP flags byte at IP offset 20 + 13 = 33, SYN+ACK = 0x12)
fw monitor -e 'accept [33:1]=0x12;'

DHCP traffic
fw monitor -e "accept( dport=67 or dport=68);"

all packets with TTL < 5 (TTL is byte 8 of the IP header)
fw monitor -e "accept([8:1] < 5);"

packet size between 60 and 70 bytes
fw monitor -e "accept( ip_len > 60 and ip_len < 70);"

SIC check
fw monitor -e "accept(pull or push);"

IKE VPN traffic
fw monitor -e "accept(ike);"

VPN traffic
fw monitor -e "accept(vpnd);"
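The raw "[offset:length] operator value" filters above are easy to get wrong because the byte offsets have to be computed by hand. The following added example (not from the cheat sheet, and not Check Point code) is a small POSIX shell helper that derives those offsets from readable arguments and prints the resulting fw monitor command line. It assumes a standard 20-byte IPv4 header without options (the same assumption the tcpip.def macros make) and omits the optional ",order" suffix, as the page's own examples do; it only prints the command and never runs fw monitor itself.

```shell
#!/bin/sh
# Added example: build fw monitor simple expressions from readable arguments.
# Offsets are counted from the start of the IPv4 header and assume a 20-byte
# header without IP options (assumption, matches the tcpip.def macros).

IP_LEN_OFF=2        # IPv4 total length (2 bytes)
IP_TTL_OFF=8        # IPv4 TTL (1 byte)
IP_PROTO_OFF=9      # IPv4 protocol number (1 byte)
TCP_FLAGS_OFF=33    # 20 (IPv4 header) + 13 (TCP flags byte)

# tcp_flag_mask FLAG... -> hex byte with the named TCP flag bits set
tcp_flag_mask() {
    mask=0
    for f in "$@"; do
        case "$f" in
            fin) bit=1 ;;  syn) bit=2 ;;   rst) bit=4 ;;
            psh) bit=8 ;;  ack) bit=16 ;;  urg) bit=32 ;;
            *) echo "unknown TCP flag: $f" >&2; return 1 ;;
        esac
        mask=$((mask | bit))
    done
    printf '0x%02x' "$mask"
}

# tcp_flags_expr FLAG... -> packets whose flags byte equals exactly these flags,
# e.g. "syn ack" -> [33:1]=0x12 (the SYN+ACK example from the cheat sheet)
tcp_flags_expr() {
    printf '[%d:1]=%s' "$TCP_FLAGS_OFF" "$(tcp_flag_mask "$@")"
}

# ttl_expr OP VALUE -> e.g. ttl_expr '<' 5 -> [8:1]<5
ttl_expr() {
    printf '[%d:1]%s%s' "$IP_TTL_OFF" "$1" "$2"
}

# ip_len_between LOW HIGH -> raw form of "ip_len > LOW and ip_len < HIGH"
ip_len_between() {
    printf '([%d:2]>%s and [%d:2]<%s)' "$IP_LEN_OFF" "$1" "$IP_LEN_OFF" "$2"
}

# proto_expr NUMBER -> raw form of the ip_p(proto) macro, e.g. 1 for ICMP
proto_expr() {
    printf '[%d:1]=%s' "$IP_PROTO_OFF" "$1"
}

# fwm_cmd EXPR -> complete fw monitor command line with EXPR inside accept(...);
fwm_cmd() {
    printf "fw monitor -e 'accept(%s);'" "$1"
}

# Example: SYN+ACK packets with a low TTL (only printed, not executed).
fwm_cmd "$(tcp_flags_expr syn ack) and $(ttl_expr '<' 5)"
echo
```

Running the script prints `fw monitor -e 'accept([33:1]=0x12 and [8:1]<5);'`, which can be pasted into the expert shell of the gateway. Because the offsets are fixed relative to the IP header, a packet carrying IP options shifts the TCP flags byte and such a filter will silently miss it; for those cases prefer the syn/ack/first macros, which are maintained with the product.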

WEB: https://www.ankenbrand24.de LinkedIn: https://www.linkedin.com/in/heiko-ankenbrand/ More interesting articles: https://cp.ankenbrand24.de


fw monitor output

Each captured packet produces a header line followed by a protocol-specific line:

[vs_0][fw_0] eth0:i[60]: 192.168.1.1 -> 8.8.8.8 (ICMP) len=60 id=13315
ICMP: type=8 code=0 echo request id=4 seq=63187

[vs_0]                    virtual system 0
[fw_0]                    firewall worker (kernel instance) 0
eth0                      interface
:i                        fw monitor inspection point
[60]                      packet length
192.168.1.1 -> 8.8.8.8    source to destination
(ICMP)                    protocol
len=60 id=13315           packet length and IP packet id
ICMP: ...                 protocol information

The same ICMP echo request seen at all four classic inspection points, entering on eth0 and leaving on eth2:

[vs_0][fw_0] eth0:i[60]: 192.168.1.1 -> 8.8.8.8 (ICMP) len=60 id=13315
ICMP: type=8 code=0 echo request id=4 seq=63187

[vs_0][fw_0] eth0:I[60]: 192.168.1.1 -> 8.8.8.8 (ICMP) len=60 id=13315
ICMP: type=8 code=0 echo request id=4 seq=63187

[vs_0][fw_0] eth2:o[60]: 192.168.1.1 -> 8.8.8.8 (ICMP) len=60 id=13315
ICMP: type=8 code=0 echo request id=4 seq=63187

[vs_0][fw_0] eth2:O[60]: 7.7.7.7 -> 8.8.8.8 (ICMP) len=60 id=13315
ICMP: type=8 code=0 echo request id=10407 seq=63187

Between o and O the source address changes from 192.168.1.1 to 7.7.7.7 and the ICMP identifier from 4 to 10407: the outbound FireWall VM applied hide NAT to this packet. A filter on the internal address therefore only matches at i, I and o, while the translated address has to be used for O.

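When a capture is long, following one packet across the inspection points by eye is error-prone. The following added example (not part of the cheat sheet) parses fw monitor header lines with awk, prints the interface and inspection point each packet was seen at, and reports where the source or destination address changed between consecutive inspection points, which is how NAT shows up in a capture. The sample lines are constructed from the four-point example above; the script assumes the output format shown on this page and a POSIX shell with awk, as found in the Gaia expert shell.

```shell
#!/bin/sh
# Added example: follow a packet through fw monitor inspection points and
# flag address rewrites between points. Input lines are constructed from the
# cheat sheet's sample capture (assumption: the format shown on the page).

FWM_SAMPLE='[vs_0][fw_0] eth0:i[60]: 192.168.1.1 -> 8.8.8.8 (ICMP) len=60 id=13315
ICMP: type=8 code=0 echo request id=4 seq=63187
[vs_0][fw_0] eth0:I[60]: 192.168.1.1 -> 8.8.8.8 (ICMP) len=60 id=13315
ICMP: type=8 code=0 echo request id=4 seq=63187
[vs_0][fw_0] eth2:o[60]: 192.168.1.1 -> 8.8.8.8 (ICMP) len=60 id=13315
ICMP: type=8 code=0 echo request id=4 seq=63187
[vs_0][fw_0] eth2:O[60]: 7.7.7.7 -> 8.8.8.8 (ICMP) len=60 id=13315
ICMP: type=8 code=0 echo request id=10407 seq=63187'

# Header lines look like: [vs_0][fw_0] eth0:i[60]: SRC -> DST (PROTO) len=N id=N
# Fields: $2 = "eth0:i[60]:", $3 = SRC, $5 = DST. Protocol detail lines are skipped.

# fwm_points CAPTURE -> one "iface:point src->dst" line per captured packet
fwm_points() {
    printf '%s\n' "$1" | awk '
        /^\[vs_[0-9]+\]\[fw_[0-9]+\] [^ ]+:[a-zA-Z]+\[[0-9]+\]:/ {
            split($2, a, ":")          # a[1] = interface, a[2] = "i[60]"
            sub(/\[.*/, "", a[2])      # strip the length -> inspection point
            printf "%s:%s %s->%s\n", a[1], a[2], $3, $5
        }'
}

# fwm_nat_changes CAPTURE -> "prev->point src|dst old -> new" for every
# address that differs from the previous inspection point of the same capture
fwm_nat_changes() {
    printf '%s\n' "$1" | awk '
        /^\[vs_[0-9]+\]\[fw_[0-9]+\] [^ ]+:[a-zA-Z]+\[[0-9]+\]:/ {
            split($2, a, ":"); sub(/\[.*/, "", a[2]); pt = a[2]
            if (seen) {
                if ($3 != src) printf "%s->%s src %s -> %s\n", prev, pt, src, $3
                if ($5 != dst) printf "%s->%s dst %s -> %s\n", prev, pt, dst, $5
            }
            seen = 1; prev = pt; src = $3; dst = $5
        }'
}

# Run on the constructed sample; with a real capture use: fw monitor ... | tee cap.txt
fwm_points "$FWM_SAMPLE"
fwm_nat_changes "$FWM_SAMPLE"
```

On the sample the second function prints `o->O src 192.168.1.1 -> 7.7.7.7`, i.e. the hide NAT applied by the outbound FireWall VM. On a live gateway, restrict the capture with a filter (for example `host(192.168.1.1)`) before feeding it to the parser, otherwise packets from different connections interleave and the consecutive-point comparison becomes meaningless.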
New R80.20 chain modules: SecureXL

fw ctl chain   show the kernel chain modules, including the fw monitor modules

The new SecureXL chain modules do not run inside the firewall virtual machine (vm):

SecureXL inbound (sxl_in)        packet received in SecureXL from the network
SecureXL inbound CT (sxl_ct)     accelerated packet moved from inbound to outbound processing (post routing)
SecureXL outbound (sxl_out)      accelerated packet starts outbound processing
SecureXL deliver (sxl_deliver)   SecureXL transmits the accelerated packet

New R80.20 chain modules

There are more new chain modules in R80.20:

vpn before offload (vpn_in)      FW inbound prepares the tunnel for offloading the packet (along with the connection)
fw offload inbound (offload_in)  FW inbound module that performs the offload
fw post VM inbound (post_vm)     packet was not offloaded (slow path); processing continues in FW inbound

New R80.20 fw monitor chain keys

In the firewall kernel (and now also in SecureXL) each chain module is associated with a key, shown in the key column of "fw ctl chain", which specifies the type of traffic the chain module applies to:

Key        Function
ffffffff   IP option strip/restore
00000001   newly processed flows
00000002   wire mode
00000003   applied to all ciphered traffic (VPN)
00000000   SecureXL offloading (new in R80.20+)