CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: FW Monitor - Seeing only small i

  1. #1
    Join Date
    2014-01-17
    Posts
    6
    Rep Power
    0

    FW Monitor - Seeing only small i

    Hi All,

    I was troubleshooting one of the issues, and while applying FW Monitor to capture traffic between a specific source and destination I was only seeing small i. What does it mean if I was seeing only small i during the packet capture?

    Source: Public IP from Internet
    Destination: translated IP address of internal server.

  2. #2
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,094
    Rep Power
    11

    Re: FW Monitor - Seeing only small i

    Let's say you are doing the following command
    fw monitor -e "accept host(1.1.1.1) and (host(2.2.2.2) or host(3.3.3.3));"
    where
    1.1.1.1 is the source public IP
    2.2.2.2 is the destination Public NAT IP of your server
    3.3.3.3 is the destination internal IP of your server

    That would give you all 4 packets of the chain, unless there was a VPN in play.
    Also make sure fwaccel is off; check with fwaccel stat.
    Regards, Maarten.
    Dual P1 R77.30, VSX, IPSO, SPLAT, GAIA mostly.

  3. #3
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,041
    Rep Power
    12

    Re: FW Monitor - Seeing only small i

    Originally posted by Aakil:
    Hi All,

    I was troubleshooting one of the issues, and while applying FW Monitor to capture traffic between a specific source and destination I was only seeing small i. What does it mean if I was seeing only small i during the packet capture?

    Source: Public IP from Internet
    Destination: translated IP address of internal server.

    Either SecureXL is on, you are filtering based only on the pre-NAT destination address and not seeing anything after i as the destination address is NATted between i and I, or the packet is being dropped by INSPECT. Either disable SecureXL, include the post-NAT destination address in your filter, or run "fw ctl zdebug drop" to determine why the INSPECT driver dropped it.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  4. #4
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    965
    Rep Power
    12

    Re: FW Monitor - Seeing only small i

    Two potential cases:

    1. If traffic is crossing FW but you can only see occasional i packets (SYN for TCP) - SecureXL is taking care of the rest
    2. If traffic is not passing FW, it is being dropped
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
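
Added example, not part of any post in this thread: a small Python script that reads saved fw monitor text output, groups lines by IP id, and reports which of the four inspection points (i, I, o, O) each packet reached, using the causes named in the replies above for the "only i" case. The sample capture is constructed, and the single-line header layout the regex expects is an assumption about the output format; adjust it to match your version.

```python
import re
from collections import defaultdict

# Constructed capture lines in the classic fw monitor header layout (assumed):
#   <iface>:<point>[<len>]: <src> -> <dst> (<proto>) len=<n> id=<IP id>
SAMPLE = """\
eth0:i[60]: 1.1.1.1 -> 2.2.2.2 (TCP) len=60 id=1001
eth0:I[60]: 1.1.1.1 -> 3.3.3.3 (TCP) len=60 id=1001
eth1:o[60]: 1.1.1.1 -> 3.3.3.3 (TCP) len=60 id=1001
eth1:O[60]: 1.1.1.1 -> 3.3.3.3 (TCP) len=60 id=1001
eth0:i[52]: 1.1.1.1 -> 2.2.2.2 (TCP) len=52 id=1002
"""

HEADER = re.compile(
    r"(?P<iface>[\w.\-]+):(?P<point>[iIoO])\s*\[\d+\]:\s+"
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \(\w+\) len=\d+ id=(?P<id>\d+)"
)
CHAIN = "iIoO"  # pre-inbound, post-inbound, pre-outbound, post-outbound


def trace_packets(text):
    """Map IP id -> {inspection point: destination seen there}.

    The IP id is the key because NAT rewrites addresses along the chain.
    """
    packets = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            packets[int(m["id"])][m["point"]] = m["dst"]
    return dict(packets)


def diagnose(points):
    """Turn the set of points seen for one packet into a verdict."""
    seen = "".join(p for p in CHAIN if p in points)
    if seen == CHAIN:
        nat = points["i"] != points["I"]
        return "complete chain" + (", destination NAT between i and I" if nat else "")
    if seen == "i":
        return ("only i: check SecureXL (fwaccel stat), add the post-NAT "
                "destination to the filter, or look for a drop (fw ctl zdebug drop)")
    return "partial chain: " + seen


if __name__ == "__main__":
    for ip_id, points in sorted(trace_packets(SAMPLE).items()):
        print(ip_id, diagnose(points))
```

Grouping by IP id only works when the capture filter is already narrowed to one conversation, as in the filter shown in reply #2.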
