- List of files that you want to run on a regular schedule
- Displays on the monitor screen the user name of the owner of the current session
[Expert]#id -un
[Expert]#who
- Watching how quickly a logfile is growing
[Expert]#watch -n 1 'cphaprob -a if'
- Ping
Route on windows
Adding a TCP/IP Route to the Windows Routing Table ( windows )
>route ADD “network” MASK “subnet mask” “gateway ip”
>route ADD 10.10.10.0 MASK 255.255.255.0 192.168.1.12
>route -p ADD 10.10.10.0 MASK 255.255.255.0 192.168.1.12
- Ftp command
/opt/CPsuite-R75.20/fw1/bin/upgrade_tools
[Expert@dlpws]# ftp 192.168.80.80
Connected to 192.168.80.80 (192.168.80.80).
220 Welcome to Quick 'n Easy FTP Server
Name (192.168.80.80:admin): admin
331 Password required for admin
Password:
230 User successfully logged in.
Remote system type is UNIX.
ftp> !ls
dlpws.tgz migrate migrate.conf upgrade_export upgrade_import
ftp> put dlpws.tgz
local: dlpws.tgz remote: dlpws.tgz
227 Entering Passive Mode (192,168,80,80,4,0)
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete
97100209 bytes sent in 22.6 secs (4.2e+03 Kbytes/sec)
ftp>
N.B: ! specifica comando locale e non sul server ftp : ftp> !ls
- Netstat
netstat -an | egrep -e "(:260|:161)"-------------------------------------------------------------
SETUP
#cpconfig reconfigures an existing VPN-1/Firewall-1 installation
#cpstart starts all Check Point applications running on a machine
(invokes fwstart, fgstart, uagstart, etc.)
#cpstop stops all Check Point applications running on a machine
#fwstart loads the VPN-1/Firewall-1 Module and starts:
VPN-1/Firewall-1 daemon (fwd)
The Management Server (fwm)
VPN-1/Firewall-1 SNMP daemon (snmpd)
The authentication daemons
#fwstop kills the following processes:
VPN-1/Firewall-1 daemon (fwd)
The Management Server (fwm)
VPN-1/Firewall-1 SNMP daemon (snmpd)
The authentication daemons
It also unloads the VPN-1/Firewall-1 Module
#cp_permission sets up the permissions for CPMI
CONTROL
#fw load compiles and installs a Security Policy to the targets VPN-1/
Firewall-1 Modules. This is done in two ways:
1. fw load compiles and installs an Inspection Script (*.pf) file to
the designated VPN-1/Firewall-1 Modules.
2. fw load converts a Rule Base (*.W) file created by the GUI into an
Inspection Script (*.pf) file, then installs it to the
designated VPN-1/Firewall-1 Modules.
#fw bload compiles and installs a Security Policy to the targets embedded
VPN-1/Firewall-1 Modules. This is done in one of two ways.
1. fw bload compiles and installs an Inspection Script (*.pf) file to the
Firewall-1 embedded system specified by
targets.
2. fw bload converts a Rule Base (*.W) file created by the GUI
into an Inspection Script (*.pf) file and then compiles and
installs it to the Firewall-1 embedded system specified by
targets.
#fw unload uninstalls the currently loaded Inspection Code from selected
targets
#fw fetch fetches the Inspection Code from the specified host and installs
it to the kernel
#fw putkey installs a VPN-1/Firewall-1 authentication password on a host.
This password is used to authenticate internal communications
between VPN-1/Firewall-1 Modules and between a Check
Point Module and Management Server. That is, the password
is used to authenticate the control channel the first time
communication is established.
#fw dbload downloads the user database and network object information
(for example, encryption keys) to selected targets
MONITOR
#cpstat displays the status of target hosts in various formats
(replaces fwstat, fw fgstat, fgate state, etc.)
#cpstat_monitor a utility that runs on the Check Point Management Station
which can trigger pre-defined actions when the system
changes its status or when an event has occurred.
This is done by defining limits (or thresholds) on status
Parameters, and actions to be taken.
#fw lichosts prints a list of hosts protected by the VPN-1/Firewall-1/n
products. The list of hosts is in the file $FWDIR/database/
fwd.h
#fw ver displays the VPN-1/Firewall-1 major version number, the build
number, and a copyright notice
#fw sam inhibits (blocks) connections to and from specific IP addresses
without the need to change the Security Policy. The command is
logged
UTILITIES
#fw ctl sends control information to the VPN-1/Firewall-1 Kernel Module
#pstat displays VPN-1/Firewall-1 internal statistics
#iflist displays the IP interfaces known to the kernel by name and
internal number
#arp displays ARP proxy table
#fw kill sends a signal to a VPN-1/Firewall-1 daemon
#fwm the VPN-1/Firewall-1 Management Server in the Client/Server
implementation of the Management Server, and is used for commu-
nicating with the GUI and adding, updating, and removing admini-
strators.
#fwell manages Access Lists for Wellfleet (Bay Networks) routers
#fw tab displays the content of INSPECT tables on the target hosts in
various formats.
#snmp_trap sends an SNMP trap to the specified host. The message may
appear in the command line, or as one in the program input
(stdin)
#dynamic_objects specifies an IP address to which the dynamic object will
be resolved on this machine
#dbedit edits the objects file on the Management Server
#queryDB_util enables searching the object database according to search
parameters
Log File Management
#fw log displays the content of Log Files
#fw logswitch creates a new Log File. The current Log File is
closed and renamed $FWDIR/log/date.log and a new Log
File with the default name ($FWDIR/log/fw.log) is created
#fw logexport exports the Log File to an ASCII file
#fw repairlog rebuilds a Log files pointer files. The three files fw.logptr,
fw.loginitial_ptr and fw.logaccount_ptr are recreated from
data in the specified Log file
HIGH AVAILABILITY
#cphastart - enables the High Availability feature on the machine. In NT,
this is done when the VPN-1/Firewall-1 Module is started. In
Solaris, the cphastart command is part of the fwstart script
#cphastop - disables the High Availability feature on the machine
#cphaprob - defines critical processes. When a critical process fails, the
machine is considered to have failed.
cpha_export (Solaris only) writes MAC address information to stdout. If
the output is redirected to a file, it can be
input (stdin) to cpha_import on another
machine.
cpha_import (Solaris only) imports MAC address information from stdin
and updates the machines MAC address
accordingly. The normal procedure is to
redirect stdin to read a file created by
cpha_export on the primary machine
#fw hastat displays information about High Availability machines and their
states.
sk20576: How to set ClusterXL Control Protocol (CCP) in Broadcast / Multicast mode in ClusterXL
*blog clustering-security-gateway-ha-clusterxl/9245-sync-interface-flapping
To change the CCP mode to broadcast mode, run:
Note: this change must be done on all members of the cluster. To change the CCP mode to multicast mode, run:
Note: this change must be done on all members of the cluster. To check the current mode, run:
sk20576: How to set ClusterXL Control Protocol (CCP) in Broadcast / Multicast mode in ClusterXL
*blog clustering-security-gateway-ha-clusterxl/9245-sync-interface-flapping
[Expert@HostName]# cphaconf set_ccp broadcastNote: this change must be done on all members of the cluster.
[Expert@HostName]# cphaconf set_ccp multicastNote: this change must be done on all members of the cluster.
[Expert@HostName]# cphaprob -a ifUSER DATABASE MANAGEMENT
#fw dbimport imports users into the VPN-1/Firewall-1 User Database from
an external file. You can create this file yourself, or use a file
generated by fw dbexport
#fw dbexport - exports the VPN-1/Firewall-1 User Database to a file. The
file may be in one of the following formats:
1. the same Usage as the import file for fw dbimport
2. LDIF Usage, which can be imported into an LDAP
Server using ldapmodify
#ldapmodify - imports users to an LDAP server. The input file must be in
the LDIF format
#fw ldapsearch - queries an LDAP directory and returns the results
#fw expdate - changes the expiration date of users (but not templates) in the
VPN-1/Firewall-1 User Database to the date specified by the
first parameter. This change can be optionally applied only to
selected users by specifying the second parameter
Certificates
#fw ca putkey distributes the Certificate Authority Key to a Check Point
Module
#fw ca genkey - is used to generate the Certificate Authority Key on a
Management Server
#fw certify ssl is used to generate a Certificate Authority certificate on a
Check Point Module
#fw internalca - enables hybrid authentication mode, which allows the
server to perform IKE key exchange with the clients using
authentication schemes non-interoperable with IKE.
Instructs the Management Server to initiate an Internal CA,
which involves creating an Internal CA database, gener-
ating public and private keys, issuing a certificate and
saving it.
#fw ikecrypt - encrypts the password of a SecuRemote user using IKE.
The resulting string must then be stored in the LDAP
database.
#fw sic_reset - resets Secure Internal Communication (SIC) on the
Management Server. The user will be prompted before
the operation actually takes place.
This command deletes the internal Certificate Authority,
deletes the Management Server certificate, deletes the
Certificate Revocation List (CRL), and updates the objects
database.
LICENSING
#cplic put - is used to install one or more Local licenses. This command
installs a license on a local machine it cannot be performed
remotely.
#cplic print - prints details of Check Point licenses on the local machine.
On a Module, this command will print all licenses that are
installed on the local machine both Local and Central
licenses.
#cplic del - deletes a single Check Point license on a host. Use it to delete
unwanted evaluation, expired and other licenses. On a Module,
this command will work only for a Local license.
#cplic check is used to check whether the license on the machine will allow
a given feature to be used. This command is used mainly for
Technical Support purposes.
#cprlic put can be used only from the Management Server, to attach
(install) one or more:
- Central licenses on an NG Module
- Local licenses on the appropriate NG Module
- Version 4.1 licenses on the appropriate version 4.1 Module
#cprlic add - is used to add one or more licenses to the license repository
on the Management Server.
#cprlic print - displays the details of Check Point licenses stored in the
license repository on the Management Server
#cprlic del used to detach a Central license from an NG Module. This
command deletes the license from the Module. A Central
license remains in the repository an an unattached license.
The license is available for attachment to another Module.
This command can be executed only on a Management
Server.
#cprlic rm - removes a license from the license repository on the
Management Server. It can be executed ONLY after the
license was detached using the cprlic del command.
Once the license has been removed from the repository,
it can no longer be used. To re-use it, use the cprlic add
Or cprlic put command.
#cprlic get - retrieves all licenses from a Module into the license
repository on the Management Server. Do this to synchronize
the repository with the Module, if NG and version 4.1 Local
licenses were added (or deleted) locally, and hence do not yet
(or still) exist in the license repository. Retrieving licenses
will also delete from the repository Local licenses that do
not exist on the Module.
INSTALLATION MANAGEMENT
#cppkg add is used to add an installation package file to the Product
Repository. The package file can be located on a CD or a
local or network drive. Cppkg does not overwrite existing
packages. Only SecureUpdate packages can be added to the
Product Repository.
#cppkg delete is used to delete a product package from the repository.
#cppkg search - is used to list the contents of the Product Repository. Use
this command to see the product and OS strings required
to install a product package using the cprinstall command,
or to delete a package using the cppkg delete command.
#cppkg setroot - is used to create a new repository root directory location,
and to move existing product packages into the new
repository. The default Product Repository location is
created when the Management Server is installed.
#cppkg getroot - is used to find out the location of the Product Repository
#cprinstall get - is used to obtain details of the products and the Operating
System installed on the specified Module, and to update
the Product Repository database.
#cprinstall test - is used to test whether the product can be installed on
the
remote Module. It verifies that the Operating System and
currently installed products are appropriate for the package,
and that there is enough disk space to install the product.
#cprinstall install is used to install Check Point products on remote
modules
#cprinstall uninstall is used to uninstall products on remote Modules
#cprinstall boot is used to boot the remote computer
#cprinstall stop is used to stop the operation of other cprinstall commands.
In particular, this command stops the remote installation of
a product even during transfer of files, file extraction,
and pre-installation testing. The operation can be stopped
at any time up to the actual installation.
VPN-1 ACCELERATOR CARD
#vpn accel - used for turning on (or off) the accelerator card. When it is
installed, it is enabled by default. You can also check its
status with the command vpn accel stat
#lunadiag - a software diagnostics utility specific to the Luna accelerator
card in the Luna package. The utility is documented in the
file lunadiag.txt
VPN COMMANDS
#vpn ver - displays the VPN-1 major version number, the build number, and
a copyright notice. Usage and options are the same as for fw ver
#vpn debug - debug the VPN-1 daemon
#vpn drv - installs the VPN-1 kernel (vpnk) and connects to the Firewall-1
kernel (fwk)
#vpn intelrng - displays the status of the Intel RNG (random number
generator). This command is a Windows NT and Windows
2000 only command.
DAEMONS
#cpwd_admin - is used to show the status of processes, and to configure
cpwd
#cpridstop used to stop cprid
#cpridstart - used to start cprid (cprid is independent of cpstart and
cpstop)
FLOODGATE-1 COMMANDS
#etmstart - loads the FloodGate Module and starts the FloodGate-1 daemon
(fgd). Also starts the Management Server, provided it is on the
same machine as the FloodGate Module.
#etmstop - kills the FloodGate-1 daemon (fgd) and then unloads the
FloodGate Module. Also stops the Management Server,
Provided it is on the same machine as the FloodGate Module.
#fgate load - installs a QoS Policy on the specified FloodGate Modules.
If targets is not specified, the QoS Policy is installed on
the local host.
#fgate unload - uninstalls a QoS Policy from the specified FloodGate
Modules
#fgate fetch - fetches the FloodGate QoS Policy that was last installed on
the local host. You must specify the machine where the
FloodGate QoS Policy is found. Use localhost in case
there is no Management Server or if the Management
Server is down.
#fgate stat - displays the status of target hosts in various formats. The
default format displays the following information for each
host: host name, Rule Base (or FloodGate Module) file name,
date and time loaded, and the interface and direction loaded.
#fgate ver - displays the FloodGate-1 version number. The version of the
GUI is displayed in the opening screen, and can be viewed
at any time from the Help menu.
#fgate kill - sends a signal to a FloodGate-1 daemon
OPSEC COMMANDS
#upgrade_fwopsec - upgrades OPSEC configuration information on the
Management Server from pre-NG to NG format, based
on the upgraded Module information. If you have not
changed any of the defaults, then there is no need to
run the upgrade_fwopsec command. However, if you
have changed the defaults, then you should run the
upgrade_fwopsec command.
BOOT SECURITY
#fwstop-default - kills VPN-1/Firewall-1 processes and loads the Default
Filter
#fwstop-proc - kills VPN-1/Firewall-1 processes but keeps the current
kernel policy. The Security Policy remains loaded in the
kernel, though user mode processes (cpd, fwd, fwm, vpnd,
fwssd) dont work. Logs, kernel traps, resources, all
security server connections will all stop working. The state
of the kernel remains unchanged. Whatever was loaded in
the kernel is kept. Therefore, rules with generic allow/
reject/drop rules, based only on service will continue
working.
#control_bootsec enables or disables Boot Security. The command turns
both the Default Filter and the initial policy off or on,
in the correct sequence.
#fwboot bootconf use to change IP Forwarding or Defaultfilter settings.
This command is located in $FWDIR/boot
#comp_init_policy u - removes the current initial policy, and ensures that
it wont be generated in the future when cpconfig
is run
#comp_init_policy g - generates the initial policy and ensures that it will
be loaded the next time a policy is fetched (at
fwstart, or at next boot, or via the fw fetch localhost
command). After running this command, cpconfig
will add an initial policy when needed.
#defaultfilter.boot - installed by default. It allows:
- all outgoing communications
- incoming communications on ports through which there were previous
outgoing communications
- ICMP packets
- broadcast packets
#defaultfilter.drop - drops all communications in and out of the gateway
during the period of vulnerability. If the boot process
requires that the gateway communicate with other
hosts, then the drop default Security Policy should not
be used.
#fw defaultgen - use to compile the default filter
TCP DUMP
How can I show ALL traffic on a specified interface?
#tcpdump -i eth0
Will show ALL traffic on interface eth0.
How can I capture a specified number of packets?
#tcpdump -c 20 -i eth0
The -c argument specifies the number of packets to capture. For example, this command will capture 20 packets on the specified interface eth0 and quit:
How do I show the MAC address in the capture?
#tcpdump -e -i eth0
This filter will display the MAC address as well as the basic information.
How can I look for the Welchia Worm with TCPDUMP?
#tcpdump -tnn -i eth0 "icmp[icmptype]==icmp-echo && icmp[8]==0xAA && icmp[9]==0xAA && icmp[10]==0xAA && icmp[11]==0xAA"
Sure can. Try this script. Keep in mind that your sniffer will need to be located where it can see all traffic on your network for this to be useful.
How can I use TCPDUMP to determine the top talker on my network?
#tcpdump -tnn -c 20000 -i eth0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '
Depending on how busy your network is, you might want to lower the `-c 20000' (packet count) to fit your needs. This script will capture 20,000 packets and sort by top talkers
http://firewalltips.blogspot.com
http://danielmiessler.com/study/tcpdump/
FW MONITOR
TCP DUMP
How can I show ALL traffic on a specified interface?
#tcpdump -i eth0
Will show ALL traffic on interface eth0.
How can I capture a specified number of packets?
#tcpdump -c 20 -i eth0
The -c argument specifies the number of packets to capture. For example, this command will capture 20 packets on the specified interface eth0 and quit:
How do I show the MAC address in the capture?
#tcpdump -e -i eth0
This filter will display the MAC address as well as the basic information.
How can I look for the Welchia Worm with TCPDUMP?
#tcpdump -tnn -i eth0 "icmp[icmptype]==icmp-echo && icmp[8]==0xAA && icmp[9]==0xAA && icmp[10]==0xAA && icmp[11]==0xAA"
Sure can. Try this script. Keep in mind that your sniffer will need to be located where it can see all traffic on your network for this to be useful.
How can I use TCPDUMP to determine the top talker on my network?
#tcpdump -tnn -c 20000 -i eth0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '
Depending on how busy your network is, you might want to lower the `-c 20000' (packet count) to fit your needs. This script will capture 20,000 packets and sort by top talkers
http://firewalltips.blogspot.com
http://danielmiessler.com/study/tcpdump/
FW MONITOR
Check Point's fw monitor is a powerful built-in tool to assist with inspecting and capturing network traffic at the packet level. The fw monitor utility captures network packets at multiple capture points along the VPN-1/FireWall-1 inspection chain. These packets can be inspected using either Wireshark or Check Point's CPethereal. Wireshark is available from www.wireshark.org, and the capture viewer is free.
FW MONITOR FEATURES
In many deployment and support scenarios, capturing network packets is an essential functionality. The utilities tcpdump or snoop are normally used for this task. The fw monitor utility provides an even better functionality, but omits many of the requirements and the risks associated with these tools.
No Security Flaws
tcpdump and snoop are normally used with NICs in promiscuous mode. Unfortunately, promiscuous mode allows remote attacks against these tools. Check Point's fw monitor does not use promiscuous mode to capture packets. In addition, most firewalls' operating systems are hardened. In most cases, this hardening includes the removal of tools like tcpdump or snoop, because of their security risks.
Available on All VPN-1/FireWall-1 Installations
fw monitor is a built-in firewall tool that needs no separate installation.
Multiple Capture Positions within the VPN-1/FireWall-1 Kernel Module Chain
fw monitor allows you to capture packets at multiple capture positions within the VPN-1/FireWall-1 kernel module chain, both for inbound and outbound packets. This enables you to trace a packet through the different functionalities of the firewall.
Same Tool and Syntax on All Platforms
fw monitor is available on all different platforms; tools like snoop or tcpdump are often platform-dependent, or have specific "enhancements" on certain platforms. fw monitor and all it's related functionality and syntax is identical across all platforms.
Normally, Check Point kernel modules are used to perform several functions on packets, such as filtering, encryption and decryption, QoS. fw monitor adds its own modules to capture packets. fw monitor can capture all packets that are seen and/or forwarded by the firewall.
HOW FW MONITOR WORKS
There are four inspection points along the passage of a packet through a firewall:
Once started, the command will compile the specified INSPECT filter program, and load it to the kernel (not replacing the Security Policy). The program will then continuously get packets from the kernel, and display them in the terminal window (from which the command was issued). Upon an interrupt signal (key combination Ctrl + C) or other user initiated signal, the program will stop displaying packets, unload the monitor filter and exit.
FW MONITOR SYNTAX
The fw monitor command has an extensive number of associated options for capturing packets. Not all of these options and their combinations are listed below. The idea is to load a special INSPECT filter (separate from the one that is used to implement the Security Policy) that will be used to filter out packets of interest. The fw monitor syntax for capturing all packets crossing a firewall is:
Additional Options:
Detailed information regarding the usage of the
FW MONITOR FEATURES
In many deployment and support scenarios, capturing network packets is an essential functionality. The utilities tcpdump or snoop are normally used for this task. The fw monitor utility provides an even better functionality, but omits many of the requirements and the risks associated with these tools.
No Security Flaws
tcpdump and snoop are normally used with NICs in promiscuous mode. Unfortunately, promiscuous mode allows remote attacks against these tools. Check Point's fw monitor does not use promiscuous mode to capture packets. In addition, most firewalls' operating systems are hardened. In most cases, this hardening includes the removal of tools like tcpdump or snoop, because of their security risks.
Available on All VPN-1/FireWall-1 Installations
fw monitor is a built-in firewall tool that needs no separate installation.
Multiple Capture Positions within the VPN-1/FireWall-1 Kernel Module Chain
fw monitor allows you to capture packets at multiple capture positions within the VPN-1/FireWall-1 kernel module chain, both for inbound and outbound packets. This enables you to trace a packet through the different functionalities of the firewall.
Same Tool and Syntax on All Platforms
fw monitor is available on all different platforms; tools like snoop or tcpdump are often platform-dependent, or have specific "enhancements" on certain platforms. fw monitor and all it's related functionality and syntax is identical across all platforms.
Normally, Check Point kernel modules are used to perform several functions on packets, such as filtering, encryption and decryption, QoS. fw monitor adds its own modules to capture packets. fw monitor can capture all packets that are seen and/or forwarded by the firewall.
HOW FW MONITOR WORKS
There are four inspection points along the passage of a packet through a firewall:
- Before the virtual machine, in the inbound direction (i or PREIN)
- After the virtual machine, in the inbound direction (I or POSTIN)
- Before the virtual machine, in the outbound direction (o or PREOUT)
- After the virtual machine, in the outbound direction (O or POSTOUT)
Once started, the command will compile the specified INSPECT filter program, and load it to the kernel (not replacing the Security Policy). The program will then continuously get packets from the kernel, and display them in the terminal window (from which the command was issued). Upon an interrupt signal (key combination Ctrl + C) or other user initiated signal, the program will stop displaying packets, unload the monitor filter and exit.
FW MONITOR SYNTAX
The fw monitor command has an extensive number of associated options for capturing packets. Not all of these options and their combinations are listed below. The idea is to load a special INSPECT filter (separate from the one that is used to implement the Security Policy) that will be used to filter out packets of interest. The fw monitor syntax for capturing all packets crossing a firewall is:
fw monitor -o filename.txt Additional Options:
- -h: displays a usage string
- -d / -D: prints debug messages (two different debug levels)
- -m: shows a combination of the four instances (i / I / o / O); this parameter should be followed by a string consisting of some of these four characters. Only those instances will be monitored. For example, use "-m iI" to monitor only inbound traffic, or "-m IO" to see only packets that pass through the firewall. The default is "iIoO" for all packets.
- -x <offset>, <length>: prints packet data; specify the starting offset to print, and the number of bytes to print.
- -l <length>: limits the packet length; determines the number of bytes read from the kernel for each packet. If you use this option, include enough bytes, so the IP and protocol headers fit. If you use "-x" to print packet data, ensure the data you requested also fits. The default is calculated, so it will have all headers and data used by -x.
- -o <filename>: prints to the specified file, in snoop format. To read the file, use the snoop utility. If used, the -x and -i options will be ignored. (All data will be printed.)
- -u: prints the connection's unique ID (UUID)
- -s: prints the connection's session UUID; for FTP data connections, prints the control connections
- -t: when compiling the INSPECT script, includes tcpip.def; allows TCP/IP macros in the script.
- -i: after writing each packet, flushes the standard output; useful if you want to kill the monitor, but be sure that all data is written to the file.
- -ci <count>, -co <count>: limits the number of inbound and/or outbound packets; once the specified number has been reached, the monitor will stop. The default is to stop on the key combination Ctrl + C only.
- -p: monitor position
- -vs <vsid> or <vsname>: specifies on which virtual component the packets should be captured; this option is only available for VSX.
- fw monitor -o fwmon.out -e '((src=10.9.190.180 and dst=194.20.144.132) or (dst=10.9.190.180 and src=194.20.144.132)), accept;'
- The following command will monitor all HTTP packets:
fw monitor -m iIoO -e "accept [20:2,b]=80 or [22:2,b]=80;" -o monitor.out - The following command will monitor all packets with either a source IP address of WWW.xxx.YYY.zzz, or a destination IP address of AAA.bbb.CCC.ddd:
fw monitor -m iIoO -e "accept [12,b]= WWW.xxx.YYY.zzz or [16,b]=AAA.bbb.CCC.ddd;" -o monitor.out
Detailed information regarding the usage of the
fw monitor command can be found in the "How to use fw monitor" document.Viewing Checkpoint fw monitor files in Wireshark
Checkpoints fw monitor utility performs packet captures similar to tcpdump and wireshark. Unlike these utilities it operates above layer 2 and contains no mac address information. It does contain additional information from the firewall on interface and direction.
To view this additional information in wireshark some extra configuration is required.
To view this additional information in wireshark some extra configuration is required.
- Select edit/preferences/protocols/ethernet
- Check the box labelled “Attempt to interpret as Firewall-1 monitor file” and press ok
- Select edit/preferences/User Interface/columns
- Click add to add a new column and name it interface.
- From the format dropdown listbox select FW-1 monitor if/direction and press ok
# DO NOT EDIT THIS FILE! It was created by Wireshark
@FW-Mon-i @ fw1.direction contains "i"@[65535,65535,0][0,0,0]
@FW-Mon-I @fw1.direction contains "I"@[37008,61166,37008][0,0,0]
@[email protected] contains "o"@[44461,55512,59110][0,0,0]
@FW-Mon-O@ fw1.direction contains "O"@[31161,49051,54875][0,0,0]- Select View/coloring rules
- Click import and open the saved file from above
- Select the last 4 rules and move them to the top of the list by clicking the up button
- Press ok
No comments:
Post a Comment