CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Real Time Policy-Rule Processing

  1. #1
    Join Date
    2016-10-27
    Posts
    7
    Rep Power
    0

    Default Real Time Policy-Rule Processing Dump

    Hi everyone,

    I'm trying to pull up some specific data which fwmonitor/tcpdump cannot do. I remember there was a command for it but totally forgot.

    I'm trying to pull up data via the CLI for a specific source and destination and would like to get an output on which rule is processing this traffic on the given firewall. The rule in question does not have logging enabled due to the enormous amount of hits it gets, therefore, smartlog and smartview tracker are not options. I want some proof that this traffic is hitting this rule and being processed by the fw. I'm pretty sure there is a CLI command to pull up the data for the traffic and the rule it's hitting and processing.

    Thank you!
    Last edited by kkzc97; 2017-01-11 at 15:14.

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,090
    Rep Power
    12

    Default Re: Real Time Policy-Rule Processing Dump

    Quote Originally Posted by kkzc97 View Post
    Hi everyone,

    I'm trying to pull up some specific data which fwmonitor/tcpdump cannot do. I remember there was a command for it but totally forgot.

    I'm trying to pull up data via the CLI for a specific source and destination and would like to get an output on which rule is processing this traffic on the given firewall. The rule in question does not have logging enabled due to the enormous amount of hits it gets, therefore, smartlog and smartview tracker are not options. I want some proof that this traffic is hitting this rule and being processed by the fw. I'm pretty sure there is a CLI command to pull up the data for the traffic and the rule it's hitting and processing.

    Thank you!
    fw ctl zdebug drop could be used to see what live traffic is being dropped by the firewall. There is probably some kind of equivalent for accepted traffic, but the output would be massive.

    How about Packet Injector? sk110865. Kind of like Cisco's packet tracer tool.
    --
    My Book "Max Power: Check Point Firewall Performance Optimization"
    Second Edition Coming Soon

  3. #3
    Join Date
    2006-03-21
    Posts
    68
    Rep Power
    12

    Default Re: Real Time Policy-Rule Processing Dump

    Quote Originally Posted by kkzc97 View Post
    Hi everyone,

    I'm trying to pull up some specific data which fwmonitor/tcpdump cannot do. I remember there was a command for it but totally forgot.

    I'm trying to pull up data via the CLI for a specific source and destination and would like to get an output on which rule is processing this traffic on the given firewall. The rule in question does not have logging enabled due to the enormous amount of hits it gets, therefore, smartlog and smartview tracker are not options. I want some proof that this traffic is hitting this rule and being processed by the fw. I'm pretty sure there is a CLI command to pull up the data for the traffic and the rule it's hitting and processing.

    Thank you!
    I would not recommend enabling debugs, as the CPU can easily go to 100% and become too busy even to stop the debugging.

    In addition, SecureXL can make your statistics inaccurate as probably the traffic is being accelerated. Is the rule allowing or denying traffic?

    If it's being allowed, why don't you try dumping the connection table and see if the rule is being used? If it's a cluster, it is safer to run it on the standby gateway.

    fw tab -t connections -u -f


    Output Example

    [Expert@labstne:0]# fw tab -t connections -u -f
    Using cptfmt
    Formatting table's data - this might take a while...

    localhost:
    Date: Jan 12, 2017
    14:00:43 10.1.1.52 > :(+)====================================(+);Table_Name:connections;:(+);Attributes:dynamic, id 8158, attributes: keep, sync, aggressive aging, kbufs 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 60, refresh, , hashsize 32768, limit 25000;product:VPN-1 & FireWall-1;product_family:Network
    14:00:43 10.1.1.52 > :-----------------------------------(+);Direction:0;Source:192.168.2.100;SPort:61789;Dest:192.168.2.1;DPort:22;Protocol:tcp;CPTFMT_sep:; ;Type:114689;Rule:0;Timeout:3600;Handler:0;Ifncin:2;Ifncout:2;Ifnsin:-1;Ifnsout:-1;Bits:0000000000000000;SeqVerifier_Kbuf_ID:2264987648;Expires:3599/3600;product:VPN-1 & FireWall-1;product_family:Network
    14:00:43 10.1.1.52 > :-----------------------------------(+);Direction:1;Source:192.168.2.1;SPort:22;Dest:192.168.2.100;DPort:61789;Protocol:tcp;CPTFMT_sep_1:->;Direction_1:0;Source_1:192.168.2.100;SPort_1:61789;Dest_1:192.168.2.1;DPort_1:22;Protocol_1:tcp;FW_symval:5;product:VPN-1 & FireWall-1;product_family:Network

    Regards,

    Ed

  4. #4
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,016
    Rep Power
    13

    Default Re: Real Time Policy-Rule Processing Dump

    Quote Originally Posted by eduardoxmunoz View Post

    fw tab -t connections -u -f

    Ed
    This will work if the rule in question has Accept action.

    fw ctl debug drop only shows you dropped connections, while connections table is for accepted ones. You could also run extended fw kernel debug to see how the packets are processed, but that is much more complex and intrusive than anything else.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  5. #5
    Join Date
    2016-10-27
    Posts
    7
    Rep Power
    0

    Default Re: Real Time Policy-Rule Processing

    Thanks everyone! Yes, the fw ctl zdebug drop command is of no help, I'm looking at allowed traffic.

    Is there a way to grep or trim down the information based on source or dest IP when using: fw tab -t connections -u -f

    This fw is one of the busiest on the network and I'm a little worried about unloading the entire connection table!

  6. #6
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,090
    Rep Power
    12

    Default Re: Real Time Policy-Rule Processing

    Quote Originally Posted by kkzc97 View Post
    Thanks everyone! Yes, the fw ctl zdebug drop command is of no help, I'm looking at allowed traffic.

    Is there a way to grep or trim down the information based on source or dest IP when using: fw tab -t connections -u -f

    This fw is one of the busiest on the network and I'm a little worried about unloading the entire connection table!
    Sort of. First off, if the firewall is very busy, using the -f option to format values like IP addresses into decimal is a bad idea, as it will cause the command to run pretty slowly and consume a lot of resources.

    If you can convert the IP addresses in question to hex (0a1e0b53: 0a=10, 1e=30, 0b=11, 53=83 or 10.30.11.83 for example) you could do the following. Assume we want to look for all connections between 10.30.11.83 and 10.30.11.84:

    fw tab -t connections -u | grep 0a1e0b53 | grep 0a1e0b54

    You can also use the Active tab of SmartView Tracker and set up filters there.
    Last edited by ShadowPeak.com; 2017-01-13 at 13:28. Reason: fixed grep syntax
    --
    My Book "Max Power: Check Point Firewall Performance Optimization"
    Second Edition Coming Soon
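As an added example (not from any poster in this thread), a small Python helper that applies both approaches above offline: the dotted-to-hex conversion from post #6 for filtering the raw `fw tab -t connections -u` output, and a parser for the `-u -f` (cptfmt) record format quoted in post #3 that reports the Rule field for a given source/destination pair. The sample table lines are constructed (the formatted ones are modelled on post #3's output with invented values; the raw-line layout is an assumption, only the 8-hex-digit IP encoding matters).

```python
import re

# Constructed sample of `fw tab -t connections -u -f` output, modelled on the
# records quoted in post #3 (values invented; Rule 17 is a placeholder).
SAMPLE_FORMATTED = """\
14:00:43 10.1.1.52 > :(+)===(+);Table_Name:connections;:(+);Attributes:dynamic, id 8158;product:VPN-1 & FireWall-1
14:00:43 10.1.1.52 > :---(+);Direction:0;Source:192.168.2.100;SPort:61789;Dest:192.168.2.1;DPort:22;Protocol:tcp;CPTFMT_sep:;;Type:114689;Rule:0;Timeout:3600;Expires:3599/3600
14:00:43 10.1.1.52 > :---(+);Direction:1;Source:192.168.2.1;SPort:22;Dest:192.168.2.100;DPort:61789;Protocol:tcp;CPTFMT_sep_1:->;Direction_1:0;Source_1:192.168.2.100;FW_symval:5
14:00:43 10.1.1.52 > :---(+);Direction:0;Source:10.30.11.83;SPort:50213;Dest:10.30.11.84;DPort:443;Protocol:tcp;CPTFMT_sep:;;Type:114689;Rule:17;Timeout:3600;Expires:3580/3600
"""
# Constructed raw (`-u` without `-f`) lines; the real layout is an assumption,
# only the 8-hex-digit IP encoding from post #6 matters here.
SAMPLE_RAW = [
    "<00000000, 0a1e0b53, 0000c425, 0a1e0b54, 000001bb, 00000006> (00000fa0)",
    "<00000000, c0a80264, 0000f15d, c0a80201, 00000016, 00000006> (00000fa0)",
]

def ip_to_hex(ip):
    """Dotted IPv4 -> 8 hex digits, e.g. 10.30.11.83 -> 0a1e0b53 (post #6)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: " + ip)
    return "".join("%02x" % o for o in octets)

def grep_raw(lines, src, dst):
    """Same filter as `fw tab -t connections -u | grep <hex1> | grep <hex2>`."""
    a, b = ip_to_hex(src), ip_to_hex(dst)
    return [ln for ln in lines if a in ln and b in ln]

# key:value field; the leading name must start with a letter so the timestamp
# prefix ("14:00:43 ...") is not mistaken for a field.
FIELD = re.compile(r"^\s*([A-Za-z_]\w*):(.*)$")

def parse_formatted(text):
    """cptfmt records as dicts: key:value fields split on ';'; header lines
    (no Source:) and tokens that are not key:value are skipped."""
    records = []
    for line in text.splitlines():
        if "Source:" in line:
            pairs = (FIELD.match(t) for t in line.split(";"))
            records.append({m.group(1): m.group(2).strip() for m in pairs if m})
    return records

def rules_for_pair(text, src, dst):
    """(Source, SPort, Dest, DPort, Rule) per forward record between the two
    hosts, either way round; reverse (Direction:1) records carry no Rule
    field and are skipped, so each connection is reported once."""
    return [(r["Source"], r["SPort"], r["Dest"], r["DPort"], r["Rule"])
            for r in parse_formatted(text)
            if "Rule" in r and {r.get("Source"), r.get("Dest")} == {src, dst}]
```

Because the raw filter is a plain substring match, a hex IP can in principle also match inside another field of a line, so treat raw hits as candidates and confirm the pair in the formatted record.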
