CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: capture traffic on outbound

  1. #1
    Join Date
    2019-06-13
    Posts
    4
    Rep Power
    0

    capture traffic on outbound

    As I am using Checkpoint R77, I have a task to create a rule for a client to access a server, which I have done.
    The client has a NATted IP address.
    I feel I have completed the task but something is still not right.
    I was asked to capture traffic; I was able to capture the inbound interface traffic (which says traffic is getting into our firewall) but can't seem to capture the outbound interface either from src or NATted dst.

    What steps can I take to resolve this?

  2. #2
    Join Date
    2007-06-04
    Posts
    3,309
    Rep Power
    17

    Re: capture traffic on outbound

    Quote Originally Posted by Don_Doc
    As I am using Checkpoint R77, I have a task to create a rule for a client to access a server, which I have done.
    The client has a NATted IP address.
    I feel I have completed the task but something is still not right.
    I was asked to capture traffic; I was able to capture the inbound interface traffic (which says traffic is getting into our firewall) but can't seem to capture the outbound interface either from src or NATted dst.

    What steps can I take to resolve this?
    Is this a server being accessed from the Internet? In which case use something like this:

    fw monitor -e "accept((dst=server_natted_ip or dst=server_ip) or (src=server_natted_ip or src=server_ip));"

    This should show you any traffic for either of the IPs, whether it is source or destination.

    It should show the 4 stages of inbound and outbound along with the reply.

    That or try

    fw ctl zdebug + drop | grep server_natted_ip

    if nothing shows up try

    fw ctl zdebug + drop | grep server_ip

  3. #3
    Join Date
    2019-06-13
    Posts
    4
    Rep Power
    0

    Re: capture traffic on outbound

    Quote Originally Posted by mcnallym
    Is this a server being accessed from the Internet? In which case use something like this:

    fw monitor -e "accept((dst=server_natted_ip or dst=server_ip) or (src=server_natted_ip or src=server_ip));"

    This should show you any traffic for either of the IPs, whether it is source or destination.

    It should show the 4 stages of inbound and outbound along with the reply.

    That or try

    fw ctl zdebug + drop | grep server_natted_ip

    if nothing shows up try

    fw ctl zdebug + drop | grep server_ip
    Thanks for the response

    I have tried the below, sent it over and got this response: "Traffic is getting into your firewall and we can only see TCP SYN. This is the inbound interface. We need to see if the traffic is leaving your firewall.
    You should capture traffic on the outbound interface, where .XXX.XX3 is, to capture for either source or NATted destination."


    [Expert@Chkpt-FW2:0]# tcpdump -i eth3 | grep 1x8.xx5.xx.2xx
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes
    13:38:01.933992 IP 1x8.xx5.xx.2xx.51338 > xx5.2xx.xx.xx1.ssh: S 4008206647:40082
    06647(0) win 29200 <mss 1460,sackOK,timestamp 604917298 0,nop,wscale 1>
    13:38:02.931823 IP 1x8.xx5.xx.2xx.51338 > xx5.2xx.xx.xx1.ssh: S 4008206647:40082

    Any more advice will be appreciated.

    Thanks

  4. #4
    Join Date
    2019-06-13
    Posts
    4
    Rep Power
    0

    Re: capture traffic on outbound

    If it's a routing issue, what steps would I take to identify and rectify the issue?

  5. #5
    Join Date
    2007-06-04
    Posts
    3,309
    Rep Power
    17

    Re: capture traffic on outbound

    Quote Originally Posted by Don_Doc
    If it's a routing issue, what steps would I take to identify and rectify the issue?
    If you do an fw monitor then it will show the interfaces involved.

    You can also run this command in clish:


    show route destination w.x.y.z

    This will show the next hop that would be used for that specific destination.
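To read an fw monitor capture the way mcnallym describes (the four inspection points plus the interfaces involved) and spot the symptom Don_Doc hit (SYN seen inbound, nothing leaving and no reply), here is an added Python example that is not from the thread or from Check Point. It assumes the R77-style two-line-per-packet output format shown in the constructed sample, groups packets by port pair (which assumes static NAT, where ports are unchanged), and reports per flow which points the SYN reached, the interfaces seen, the destination after translation, and whether a SYN-ACK came back.

```python
import re
from collections import defaultdict

# Constructed sample of fw monitor output (not from the thread; the two-line-per-packet
# format is an assumption). Flow A: the SYN crosses i, I, o, O with the destination
# translated at o/O, but no SYN-ACK returns. Flow B: the SYN is seen at i only.
SAMPLE = """\
eth3:i[60]: 198.51.100.20 -> 203.0.113.1 (TCP) len=60 id=0
TCP: 51338 -> 22 .S.... seq=eee8e5b7 ack=00000000
eth3:I[60]: 198.51.100.20 -> 203.0.113.1 (TCP) len=60 id=0
TCP: 51338 -> 22 .S.... seq=eee8e5b7 ack=00000000
eth1:o[60]: 198.51.100.20 -> 10.10.10.5 (TCP) len=60 id=0
TCP: 51338 -> 22 .S.... seq=eee8e5b7 ack=00000000
eth1:O[60]: 198.51.100.20 -> 10.10.10.5 (TCP) len=60 id=0
TCP: 51338 -> 22 .S.... seq=eee8e5b7 ack=00000000
eth3:i[60]: 198.51.100.21 -> 203.0.113.1 (TCP) len=60 id=0
TCP: 40000 -> 443 .S.... seq=0a0a0a0a ack=00000000
"""
HDR = re.compile(r'^(?P<iface>\S+):(?P<point>[iIoO])\[\d+\]: (?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\)')
TCP = re.compile(r'^TCP: (?P<sport>\d+) -> (?P<dport>\d+) (?P<flags>\S+)')

def parse_fw_monitor(text):
    """Pair each interface/point header line with the TCP line that follows it."""
    pkts, hdr = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            hdr = m.groupdict()
        elif hdr and (m := TCP.match(line)):
            pkts.append({**hdr, **m.groupdict()})
            hdr = None
    return pkts

def diagnose(pkts):
    """Group by port pair (static NAT keeps ports) and judge each flow's SYN path."""
    flows = defaultdict(list)
    for p in pkts:
        flows[tuple(sorted((int(p['sport']), int(p['dport']))))].append(p)
    report = {}
    for key, plist in flows.items():
        syn = [p for p in plist if 'S' in p['flags'] and 'A' not in p['flags']]
        replied = any('S' in p['flags'] and 'A' in p['flags'] for p in plist)
        points = ''.join(p['point'] for p in syn)   # e.g. 'iIoO' when all four were passed
        if 'O' not in points:
            verdict = 'syn_never_left_gateway'      # dropped or unrouted: check fw ctl zdebug drop
        else:
            verdict = 'reply_seen' if replied else 'no_syn_ack_from_server'
        report[key] = {'points': points, 'ifaces': sorted({p['iface'] for p in plist}),
                       'last_dst': syn[-1]['dst'] if syn else None, 'verdict': verdict}
    return report
```

Feed it real output with `diagnose(parse_fw_monitor(open('capture.txt').read()))`; a flow that stops before 'O' did not leave the gateway, while 'iIoO' with no reply points at the server or the return route.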
