Skip to content

yurisk.info
Yuri Slobodyanyuk's blog on IT Security and Networking
About
Log in
Search
Categories:
Awk weekly
Checkpoint NG/NGX
Cisco
ASA/PIX Cisco
IOS Cisco
Cisco IPS
Esafe
Firewall
Fortigate
Linux
Networking
Privacy
Scan of the week
Solaris
Uncategorized
fw monitor command reference
This is a quick reference sheet of all usable options for the fw monitor tool .At the end I put a list of fw monitor
examples. The previous experience with the tool is assumed, ill just say that if you are serious about debugging
Checkpoint products learn it and learn it well.
By default the fw monitor sniffing driver is inserted into the 4 locations on
the Firewall kernel chain .
Here they are:
i (PREIN) inbound direction before firewall Virtual
Machine (VM, and it is CP terminology) . Most important fact to know about that
is that this packet capturing location shows packets BEFORE any security rule
in the policy is applied. That is, no matter what rules say a packet should at
least be seen here, this would prove that packets actually reach the firewall
at all.
I (POSTIN) inbound direction after firewall VM.
o (PREOUT) outbound direction before firewall VM,
O (POSTOUT) outbound direction after firewall VM.
You can change point of insertion within the fw chain with :
# fw monitor p<i|I|O|o> <where to
insert>
easiest way to specify where to insert is to first see the chain:
# fw ctl chain
then give relative to any module you see there <+|->module_name
Now the usage itself:
# fw monitor
Usage: fw monitor [- u|s] [-i] [-d] [-T] <{-e
expression}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]]
[-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all [-a
]> [-ci count] [-co count]
Round up of options:
-m mask , which point of capture is to be displayed, possible: i,I,o,O
-d/-D debug output from fw monitor itself, not very useful IMO.
-u|s print also connection/session Universal ID
- i after writing each packet flush stdout
-T add timestamp, not interesting
-e expr expression to filter the packets (in detail later)
-f filter_file the same as above but read expression from file
-l <len> packet length to capture
Expressions
On the very low level fw monitor understands byte offsets from the header
start. So to specify for example 20th byte of the IP packet (that is source IP)
you can just use:
# fw monitor -e 'accept [12,b]=8.8.8.8;'
Where:
12 offset in bytes from the beginning of the packet
b mandatory, means big endian order.
4 not seen here but size (in bytes) of how many bytes to look for from the
starting offset (default is 4 )
To look for source port 53 (UDP/TCP) in raw packet:
# fw monitor -m i -e 'accept [20:2,b]=53;'
Here I say to fw monitor to look at 2 bytes at offset 20.
While this way of looking at packets is the most general and therefore includes
all cases, you rarely have the need for such a granular looking glass. In 99%
of the cases you will be doing alright with a limited known set of expressions.
Just for that Checkpoint defined and kindly provided us in every Splat
installation with definition files that give meaningful synonyms to the most
used patterns. There are few definition files but they circularly reference
each other providing multiple synonyms for the same pattern.
I put all those predefined patterns in the list below for the easy to use
reference.
Summary table of possible expressions to be fed to the fw
monitor
Specifying
Hosts
host(IP_address) to or from this host
src=IP_address where source ip = IP_address
dst=IP_address where destination ip = IP_address
net(network_address,netmask) to or from this network
to_net(network_address,netmask) to this network
from_net(network_address,netmask) from this network

Specifying ports
port(port_number) having this source or destination port
sport=port_number having this source port
dport=port_number having this destination port
tcpport(port_number) having this source or destination port that is also TCP
udpport(port_number) having this source or destination port that is also UDP

Specifying protocols
ip_p=
<protocol_number_as_per_IANA>
this way you can specifiy any known protocol by its registered
number in IANAFor detailed list of protocol numbers see
www.iana.org/assignments/protocol-numbers
icmp what it says , icmp protocol
tcp TCP
udp UDP

Protocol specific oprions
IP
ip_tos = <value> TOS field of the IP packet
ip_len = <length_in_bytes> Length of the IP packet in bytes
ip_src/ ip_dst = <IP_address> Source or destination IP address of the packet
ip_p =
<protocol_number_as_per_IANA>
See above
ICMP
echo_reply ICMP reply packets
echo_req Echo requests
ping Echo requests and echo replies
icmp_error
ICMP error messages (Redirect,Unreachables,Time exceeded,Source
quench,Parameter problem)
traceroute Traceroute as implemented in Unix (UDP packets to high ports)
tracert
Traceroute as implemented in Windows (ICMP packets , TTL
<30)
icmp_type = <ICMP types as per
RFC>
catch packets of certain type
icmp_code = <ICMP type as per
RFC>
catch packets of certain code
ICMP types and where applicable respective codes:ICMP_ECHOREPLY
ICMP_UNREACH
ICMP_UNREACH_NET
ICMP_UNREACH_HOST
ICMP_UNREACH_PROTOCOL
ICMP_UNREACH_PORT
ICMP_UNREACH_NEEDFRAG
ICMP_UNREACH_SRCFAIL
ICMP_SOURCEQUENCH
ICMP_REDIRECT
ICMP_REDIRECT_NET
ICMP_REDIRECT_HOST
ICMP_REDIRECT_TOSNET
ICMP_REDIRECT_TOSHOST
ICMP_ECHO
ICMP_ROUTERADVERT
ICMP_ROUTERSOLICIT
ICMP_TIMXCEED
ICMP_TIMXCEED_INTRANS
ICMP_TIMXCEED_REASS
ICMP_PARAMPROB
ICMP_TSTAMP
ICMP_TSTAMPREPLY
ICMP_IREQ
ICMP_IREQREPLY
ICMP_MASKREQ
ICMP_MASKREPLY
icmp_ip_len = <length> Length of ICMP packet
icmp_ip_ttl = <TTL>
TTL of ICMP packet, use with icmp protocol otherwise will catch
ANY
packet with TTL given
< cut here-bunch of other icmp-related fields
like ID ,sequence I dont see any value in bringing here>

TCP
syn SYN flag set
fin FIN flag set
rst RST flag set
ack ACK flag set
first first packet (means SYN is set but ACK is not)
not_first not first packet (SYN is not set)
established established connection (means ACK is set but SYN is not)
last last packet in stream (ACK and FIN are set)
tcpdone RST or FIN are set
th_flags more general way to match the flags inside
TCP packets
th_flags = TH_PUSH Push flag set
th_flags = TH_URG Urgent flag set
UDP
uh_ulen = <length_in_bytes> Length of the UDP header (doesnt include IP header)

And the last thing to remember before we move to examples expressions support logical operators and
numerical values support relative operators:
and logical AND
or logical OR
not - logical NOT
> MORE than
< LESS than
>= MORE than or EQUAL to
<= LESS than or EQUAL to
You can combine logical expressions and influence order by using ()
Below is laundry list of examples to showcase the reference table above.
# fw monitor -m i -e 'accept host(208.44.108.136) ;'
# fw monitor -e 'accept src=216.12.145.20 ;' packets where source ip = 216.12.145.20
# fw monitor -e 'accept src=216.12.145.20 or dst= 216.12.145.20;' packets where source or destination ip =
216.12.145.20
# fw monitor -e 'accept port(25) ;' packets where destination or source port = 25
# fw monitor -e 'accept dport=80 ;' packets where destination port = 80
#fw monitor -e 'accept sport>22 and dport>22 ; ' packets with source and destination ports greater than 22
# fw monitor -e 'accept ip_len = 1477;' packets where their length equals exactly 1477 bytes
# fw monitor -e 'accept icmp_type=ICMP_UNREACH;' ICMP packets of Unreachable type
# fw monitor -e 'accept from_net(216.163.137.68,24);' packets having source IP in the network
216.163.137.0/24
# fw monitor -e 'accept from_net(216.163.137.68,24) and port(25) and dst=8.8.8.8 ;' packets coming from
network 216.163.137.0/24 that are destined to the host 8.8.8.8 and hving source or destination port = 25
# fw monitor -m i -x 40,450 -e 'accept port(80);' incoming packets before any rules are applied also
display contents of the packet starting at 40th byte of 450 bytes length
# fw monitor -m i -pi -ipopt_strip -e 'accept host(66.240.206.90);' incoming packets from/to host
66.240.206.90 , insert sniffer before module named ipopt_strip
# fw monitor -D -m i -pi -ipopt_strip -e 'accept host(66.240.206.90);' same as above but add debug info
Resources:
decock.org/ginspect Online fw monitor/tcpdump expressions constructor
PDF version of this article
Posted in Checkpoint NG/NGX, Firewall.
Tagged with Checkpoint.
3 comments
By Yuri December 12, 2009
3 Responses
Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.
1. ori says
Yuri,
Excellent! I have been waiting for something like this. Just one suggestions (maybe a request). How bout a
simple guide of an actual debug which will show output so it will be clearer the use of the commands.
thanks again.
December 13, 2009, 7:22 am
2. Yuri says
Thanks,
there will be follow up , including debug of various problems and how it looks real-time.
December 14, 2009, 11:56 am
3. michael endrizzi says
THis is awesome thanks.
November 11, 2012, 1:13 am
Checkpoint Connectra and Internet Explorer 7 and 8 Increase and rotate SSH log files in Checkpoint
Subscribe
Blogroll
CPUG forum
fw monitor syntax creator
I For Tech blog
Krebs on security
Michael Endrizzi's blog
Packet Life
Ran Golombek blog
SmartSplat utility to manage/debug firewall
The Academy Pro
Tobias Harmes blog
Tobias Lachmann blog
Valentine Gutkin blog
www.108.bz
Most popular posts
Change password for console expert user Checkpoint Splat
Checkpoint SecurePlatform networking FAQ
Checkpoint VPN debug cheat sheet
Cisco ASA user privilege separation
Creating Secure Passwords
Debug VPN in Fortigate seeing is believing
fw monitor command reference
Packet sniffer in IOS
Ping setting don't fragment bit in Linux/FreeBSD/Solaris/Cisco/Juniper
Visio stencils for Cisco, Juniper, Fortinet, Checkpoint, Avaya
You can't set duplex/speed settings of the Fortigate interfaces?
Follow me on Linkedin
Advertisements
Proudly powered by WordPress and Carrington.
Carrington Theme by Crowd Favorite