FW monitor – the new way.

The other day I was troubleshooting a firewall and wanted to make a capture using fw monitor.

As I normally do, I ran the commands mentioned in sk30583 with the "-e" flag, but this time I got an error.

Then I remembered… going forward from R80.x they made some new commands.

I don't really know when or why this only impacts some of the R80 systems (and I have not spent time researching this topic), but my guess is that it is dependent on the patch level of the system.

Anyway – the new commands can also be found in Check Point sk30583.

Go to chapter 8, 'Capture Examples of "-F" flag'.

Example.

(Remove the curly brackets from the command. A 0 in any field matches any value.)

fw monitor -F "{src IP},{src port},{dst IP},{dst port},{protocol number}"

Example capturing SSL traffic to destination port 443:

fw monitor -F "0,0,0,443,0"

Example capturing traffic from source IP 10.10.10.10:

fw monitor -F "10.10.10.10,0,0,0,0"
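
An added example (not from the original post or from Check Point): a small shell helper that validates the five fields before building a -F filter, and prints a command that also includes the mirrored filter so reply packets are captured. The function names are hypothetical, and it assumes fw monitor accepts more than one -F filter on a command line.

```sh
#!/bin/sh
# Added example, not Check Point code. Field order as on this page:
# src IP, src port, dst IP, dst port, protocol number; 0 means "any".

# is_ipv4 ADDR: succeeds for 0 (any) or a dotted-quad IPv4 address.
is_ipv4() {
    [ "$1" = "0" ] && return 0
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# in_range VALUE MAX: succeeds for an integer between 0 and MAX.
in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -le "$2" ]
}

# fwmon_filter SRC SPORT DST DPORT PROTO: print one validated -F filter.
fwmon_filter() {
    [ $# -eq 5 ] && is_ipv4 "$1" && in_range "$2" 65535 &&
        is_ipv4 "$3" && in_range "$4" 65535 && in_range "$5" 255 || {
        echo "invalid fw monitor filter: $*" >&2
        return 1
    }
    printf '%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$4" "$5"
}

# fwmon_cmd SRC SPORT DST DPORT PROTO: print a command line with the filter
# and its mirror image, so replies are captured as well (hypothetical helper).
fwmon_cmd() {
    fwd=$(fwmon_filter "$1" "$2" "$3" "$4" "$5") || return 1
    rev=$(fwmon_filter "$3" "$4" "$1" "$2" "$5") || return 1
    printf 'fw monitor -F "%s" -F "%s"\n' "$fwd" "$rev"
}

# Constructed sample: HTTPS (protocol 6 = TCP) from 10.10.10.10 to any host.
fwmon_cmd 10.10.10.10 0 0 443 6
```

The helper only prints the command, so it can be reviewed before it is pasted into expert mode on the gateway.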

For more fw monitor

R81 is out in Early Availability

It looks like Check Point's R81 is coming soon. It is now available in the Public Early Availability program.

This means that if you have a Check Point subscription, you can now participate in EA and download the EA release.

There are a lot of changes, but here are a few…

  • Custom intelligence feeds can now be managed through SmartConsole. Add, delete or modify feeds fetched by the Security Gateways, as well as import files in CSV or STIX 1.x formats.
  • Out of the box policy profiles based on business and IT security needs.
  • Azure Active Directory support in Identity Awareness – Use Azure AD users and groups for authentication and authorization using Identity Awareness Access Role picker.
  • Hit count for NAT rules.
  • Cross-Domain Management Server Search lets you search for objects across multiple Domain Management Server databases.

And much more…

The CheckMates forum has the improvements listed.

https://community.checkpoint.com/t5/Product-Announcements/R81-EA-Program-Production/ba-p/86945