Wednesday, May 19, 2010

Checkpoint FW Monitor examples

fw monitor shows you what the Check Point kernel sees, and it monitors all interfaces at once.

Flag    Description
----    -----------
-d      Turn on debug flag
-D
-e      Specify an INSPECT program line (multiple -e options can be used)
-f      INSPECT filter name. '-' can be used to specify standard input. The -f and -e options are mutually exclusive
-l      Specify how many bytes of the packet should be transferred from the kernel.
-m      Specify inspection points mask, any one or more of i, I, o, O as explained under VIEWING OUTPUT below. This feature only works on 4.0 SP3 or later.
-o      Specify an output file, which can be viewed with the 'snoop' command on Solaris.
-x      Perform a hex dump of the received data, starting at specified offset and printing out 'len' bytes.



Examples:
fw monitor -m iIoO -e "accept src=192.168.191.18;"
fw monitor -m iIoO -e "accept dport=500;"
fw monitor -m iIoO -e "accept dst=192.168.27.198;"
fw monitor -m iIoO -e "accept dst=192.168.2.3;" -o /var/tmp/SOCD00008413514
fw monitor -m iIoO -e "accept src=192.168.160.45 or dst=172.16.160.45;"

fw monitor -m iIOo -e 'accept src=10.33.76.82 and dst=10.33.76.82;'


VIEWING OUTPUT:

The little "i" means the packet is incoming to the interface specified.

The big "I" means the packet is incoming to the Check Point filter.

The little "o" means the packet is leaving the filter.

The big "O" means the packet is hitting the wire on the interface specified.
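The point of the four inspection letters is that each packet should show up once per point it passes; a packet seen at "i" that never reappears at "I" was dropped by inbound inspection, and one seen at "o" but not at "O" was dropped on the way out. The script below is an added example (not part of the original post) that tallies the output of a capture such as the fw monitor commands above and lists the inbound packets that never reached "I". The sample lines are constructed, and the line layout (<iface>:<point>[<len>]: <src> -> <dst> (<proto>) len=... id=...) is assumed to match the usual fw monitor text output; the "TCP:" detail line is included only to show that it is ignored.

```shell
#!/bin/sh
# Constructed fw monitor output, modelled on the usual text format.
# Packet id=1001 passes all four points; ids 1002 and 1003 are seen
# at "i" only, which means inbound inspection dropped them.
SAMPLE='eth0:i[60]: 192.168.191.18 -> 10.0.0.5 (TCP) len=60 id=1001
TCP: 51080 -> 22 .S.... seq=1a2b3c4d ack=00000000
eth0:I[60]: 192.168.191.18 -> 10.0.0.5 (TCP) len=60 id=1001
eth1:o[60]: 192.168.191.18 -> 10.0.0.5 (TCP) len=60 id=1001
eth1:O[60]: 192.168.191.18 -> 10.0.0.5 (TCP) len=60 id=1001
eth0:i[40]: 192.168.191.18 -> 10.0.0.9 (TCP) len=40 id=1002
eth0:i[40]: 192.168.191.18 -> 10.0.0.9 (TCP) len=40 id=1003'

# Shared awk prologue: find the "<iface>:<point>[<len>]:" token on the line,
# set k to its field index and pt to the inspection point letter.
# Lines without such a token (e.g. the "TCP:" detail lines) are skipped.
AWK_FIND_POINT='
  { pt = ""; k = 0
    for (f = 1; f <= NF; f++)
      if ($f ~ /^[^:]+:[iIoO]\[[0-9]+\]:$/) {
        k = f; split($f, a, ":"); pt = a[2]; sub(/\[.*/, "", pt)
      }
    if (k == 0) next
  }'

# count_points TEXT: print "<point> <count>" for every inspection point seen.
count_points() {
  printf '%s\n' "$1" | awk "$AWK_FIND_POINT"'
    { c[pt]++ }
    END { for (p in c) print p, c[p] }' | LC_ALL=C sort
}

# find_inbound_drops TEXT: print "<src> -> <dst> id=<id>" for packets that
# appeared at "i" (entered the interface) but never at "I" (passed inbound
# inspection). Src and dst sit right after the point token; the IP id is
# taken from the "id=" field so retransmissions are told apart.
find_inbound_drops() {
  printf '%s\n' "$1" | awk "$AWK_FIND_POINT"'
    { id = ""
      for (f = k; f <= NF; f++) if ($f ~ /^id=/) id = substr($f, 4)
      if (id == "") next
      key = $(k+1) " -> " $(k+3) " id=" id
      if (pt == "i") seen_i[key] = 1
      if (pt == "I") seen_I[key] = 1
    }
    END { for (key in seen_i) if (!(key in seen_I)) print key }' | LC_ALL=C sort
}

# Run against the constructed sample when executed directly.
count_points "$SAMPLE"
echo "--- inbound packets never seen at I ---"
find_inbound_drops "$SAMPLE"
```

To use it on a real capture, run fw monitor with a narrow -e filter, redirect its text output to a file, and pass the file contents in place of the sample. A packet that appears only at "i" is a quick pointer to the rule or inbound kernel check that rejected it; a full trace of one flow needs all four letters in the -m mask, since an inspection point missing from the mask is simply not printed and would otherwise look like a drop.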
