Tuesday, January 13, 2015

Check Point: Live Captures On The Enforcement Module

Sometimes you just need to see more than what SmartView Tracker will give you.  Well, I do.  To troubleshoot effectively, you need to know where in the firewall things are failing, if they are failing there at all.  I've written about packet captures on the Check Point before, but if you can do this from the CLI on any firewall, that's preferable.  In this case, I needed to find out whether a packet was actually making it through or not.  Sure, I could see this in Tracker, but I wanted to see the whole picture.  See the packets from 192.168.50.10 destined to 172.16.2.59?  Also, on Check Point you can tell which inspection point you are looking at by the letter after the interface name on each capture line: lowercase i and o are before the inbound and outbound inspection chains, uppercase I and O are after them, so a packet that shows up at i but never at I was dropped somewhere in the inbound chain (rulebase, anti-spoofing, IPS, and so on).  One caveat: on a gateway with SecureXL enabled, accelerated packets bypass fw monitor entirely, so if a flow you expect does not show up at all, check fwaccel stat before concluding the packet never reached the firewall.  Refer to this post for more info on that.

CheckPoint> fw monitor -e "host (172.16.2.59) or host (4.4.4.231) and port (25), accept;"
 monitor: getting filter (from command line)
 monitor: compiling
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth1:o[60]: 192.168.50.10 -> 172.16.2.59 (TCP) len=60 id=4464
TCP: 55909 -> 25 .S.... seq=107657ca ack=00000000
[vs_0][fw_1] eth1:O[60]: 192.168.50.10 -> 172.16.2.59 (TCP) len=60 id=4464
TCP: 55909 -> 25 .S.... seq=107657ca ack=00000000
[vs_0][fw_1] eth1:i[60]: 172.16.2.59 -> 192.168.50.10 (TCP) len=60 id=0
TCP: 25 -> 55909 .S..A. seq=a227cfab ack=107657cb
[vs_0][fw_1] eth1:I[60]: 172.16.2.59 -> 192.168.50.10 (TCP) len=60 id=0
TCP: 25 -> 55909 .S..A. seq=a227cfab ack=107657cb
[vs_0][fw_1] eth1:o[52]: 192.168.50.10 -> 172.16.2.59 (TCP) len=52 id=4465
TCP: 55909 -> 25 ....A. seq=107657cb ack=a227cfac
[vs_0][fw_1] eth1:O[52]: 192.168.50.10 -> 172.16.2.59 (TCP) len=52 id=4465
TCP: 55909 -> 25 ....A. seq=107657cb ack=a227cfac
[vs_0][fw_1] eth1:i[89]: 172.16.2.59 -> 192.168.50.10 (TCP) len=89 id=55140
TCP: 25 -> 55909 ...PA. seq=a227cfac ack=107657cb
[vs_0][fw_1] eth1:I[89]: 172.16.2.59 -> 192.168.50.10 (TCP) len=89 id=55140
TCP: 25 -> 55909 ...PA. seq=a227cfac ack=107657cb
[vs_0][fw_1] eth1:o[52]: 192.168.50.10 -> 172.16.2.59 (TCP) len=52 id=4466
TCP: 55909 -> 25 ....A. seq=107657cb ack=a227cfd1
[vs_0][fw_1] eth1:O[52]: 192.168.50.10 -> 172.16.2.59 (TCP) len=52 id=4466
TCP: 55909 -> 25 ....A. seq=107657cb ack=a227cfd1
[vs_0][fw_1] eth1:o[77]: 192.168.50.10 -> 172.16.2.59 (TCP) len=77 id=4467
TCP: 55909 -> 25 ...PA. seq=107657cb ack=a227cfd1
[vs_0][fw_1] eth1:O[77]: 192.168.50.10 -> 172.16.2.59 (TCP) len=77 id=4467
TCP: 55909 -> 25 ...PA. seq=107657cb ack=a227cfd1
[vs_0][fw_1] eth1:i[52]: 172.16.2.59 -> 192.168.50.10 (TCP) len=52 id=55141
TCP: 25 -> 55909 ....A. seq=a227cfd1 ack=107657e4
[vs_0][fw_1] eth1:I[52]: 172.16.2.59 -> 192.168.50.10 (TCP) len=52 id=55141
TCP: 25 -> 55909 ....A. seq=a227cfd1 ack=107657e4
[vs_0][fw_1] eth1:i[75]: 172.16.2.59 -> 192.168.50.10 (TCP) len=75 id=55142
TCP: 25 -> 55909 ...PA. seq=a227cfd1 ack=107657e4
[vs_0][fw_1] eth1:I[75]: 172.16.2.59 -> 192.168.50.10 (TCP) len=75 id=55142
TCP: 25 -> 55909 ...PA. seq=a227cfd1 ack=107657e4
[vs_0][fw_1] eth1:o[84]: 192.168.50.10 -> 172.16.2.59 (TCP) len=84 id=4468
TCP: 55909 -> 25 ...PA. seq=107657e4 ack=a227cfe8
[vs_0][fw_1] eth1:O[84]: 192.168.50.10 -> 172.16.2.59 (TCP) len=84 id=4468
TCP: 55909 -> 25 ...PA. seq=107657e4 ack=a227cfe8
[vs_0][fw_1] eth1:i[66]: 172.16.2.59 -> 192.168.50.10 (TCP) len=66 id=55143
TCP: 25 -> 55909 ...PA. seq=a227cfe8 ack=10765804
[vs_0][fw_1] eth1:I[66]: 172.16.2.59 -> 192.168.50.10 (TCP) len=66 id=55143
TCP: 25 -> 55909 ...PA. seq=a227cfe8 ack=10765804
[vs_0][fw_1] eth1:o[74]: 192.168.50.10 -> 172.16.2.59 (TCP) len=74 id=4469
TCP: 55909 -> 25 ...PA. seq=10765804 ack=a227cff6
[vs_0][fw_1] eth1:O[74]: 192.168.50.10 -> 172.16.2.59 (TCP) len=74 id=4469
TCP: 55909 -> 25 ...PA. seq=10765804 ack=a227cff6
[vs_0][fw_1] eth1:i[66]: 172.16.2.59 -> 192.168.50.10 (TCP) len=66 id=55144
TCP: 25 -> 55909 ...PA. seq=a227cff6 ack=1076581a
[vs_0][fw_1] eth1:I[66]: 172.16.2.59 -> 192.168.50.10 (TCP) len=66 id=55144
TCP: 25 -> 55909 ...PA. seq=a227cff6 ack=1076581a
[vs_0][fw_1] eth1:o[58]: 192.168.50.10 -> 172.16.2.59 (TCP) len=58 id=4470
TCP: 55909 -> 25 ...PA. seq=1076581a ack=a227d004
[vs_0][fw_1] eth1:O[58]: 192.168.50.10 -> 172.16.2.59 (TCP) len=58 id=4470
TCP: 55909 -> 25 ...PA. seq=1076581a ack=a227d004
[vs_0][fw_1] eth1:i[89]: 172.16.2.59 -> 192.168.50.10 (TCP) len=89 id=55145
TCP: 25 -> 55909 ...PA. seq=a227d004 ack=10765820
[vs_0][fw_1] eth1:I[89]: 172.16.2.59 -> 192.168.50.10 (TCP) len=89 id=55145
TCP: 25 -> 55909 ...PA. seq=a227d004 ack=10765820
[vs_0][fw_1] eth1:o[78]: 192.168.50.10 -> 172.16.2.59 (TCP) len=78 id=4471
TCP: 55909 -> 25 ...PA. seq=10765820 ack=a227d029
[vs_0][fw_1] eth1:O[78]: 192.168.50.10 -> 172.16.2.59 (TCP) len=78 id=4471
TCP: 55909 -> 25 ...PA. seq=10765820 ack=a227d029
[vs_0][fw_1] eth1:i[52]: 172.16.2.59 -> 192.168.50.10 (TCP) len=52 id=55146
TCP: 25 -> 55909 ....A. seq=a227d029 ack=1076583a
[vs_0][fw_1] eth1:I[52]: 172.16.2.59 -> 192.168.50.10 (TCP) len=52 id=55146
TCP: 25 -> 55909 ....A. seq=a227d029 ack=1076583a
[vs_0][fw_1] eth1:o[162]: 192.168.50.10 -> 172.16.2.59 (TCP) len=162 id=4472
TCP: 55909 -> 25 ...PA. seq=1076583a ack=a227d029
[vs_0][fw_1] eth1:O[162]: 192.168.50.10 -> 172.16.2.59 (TCP) len=162 id=4472
TCP: 55909 -> 25 ...PA. seq=1076583a ack=a227d029
[vs_0][fw_1] eth1:i[52]: 172.16.2.59 -> 192.168.50.10 (TCP) len=52 id=55147
TCP: 25 -> 55909 ....A. seq=a227d029 ack=107658a8
[vs_0][fw_1] eth1:I[52]: 172.16.2.59 -> 192.168.50.10 (TCP) len=52 id=55147
TCP: 25 -> 55909 ....A. seq=a227d029 ack=107658a8
[vs_0][fw_1] eth1:i[89]: 172.16.2.59 -> 192.168.50.10 (TCP) len=89 id=55148
TCP: 25 -> 55909 ...PA. seq=a227d029 ack=107658a8
[vs_0][fw_1] eth1:I[89]: 172.16.2.59 -> 192.168.50.10 (TCP) len=89 id=55148
TCP: 25 -> 55909 ...PA. seq=a227d029 ack=107658a8
[vs_0][fw_1] eth1:o[56]: 192.168.50.10 -> 172.16.2.59 (TCP) len=56 id=4473
TCP: 55909 -> 25 ...PA. seq=107658a8 ack=a227d04e
[vs_0][fw_1] eth1:O[56]: 192.168.50.10 -> 172.16.2.59 (TCP) len=56 id=4473
TCP: 55909 -> 25 ...PA. seq=107658a8 ack=a227d04e
[vs_0][fw_1] eth1:o[52]: 192.168.50.10 -> 172.16.2.59 (TCP) len=52 id=4474
TCP: 55909 -> 25 F...A. seq=107658ac ack=a227d04e
[vs_0][fw_1] eth1:O[52]: 192.168.50.10 -> 172.16.2.59 (TCP) len=52 id=4474
TCP: 55909 -> 25 F...A. seq=107658ac ack=a227d04e
[vs_0][fw_1] eth1:i[52]: 172.16.2.59 -> 192.168.50.10 (TCP) len=52 id=55149
TCP: 25 -> 55909 F...A. seq=a227d04e ack=107658ad
[vs_0][fw_1] eth1:I[52]: 172.16.2.59 -> 192.168.50.10 (TCP) len=52 id=55149
TCP: 25 -> 55909 F...A. seq=a227d04e ack=107658ad
[vs_0][fw_1] eth1:o[52]: 192.168.50.10 -> 172.16.2.59 (TCP) len=52 id=4475
TCP: 55909 -> 25 ....A. seq=107658ad ack=a227d04f
[vs_0][fw_1] eth1:O[52]: 192.168.50.10 -> 172.16.2.59 (TCP) len=52 id=4475
TCP: 55909 -> 25 ....A. seq=107658ad ack=a227d04f
 monitor: caught sig 2
 monitor: unloading
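Reading the i/I/o/O pairs by eye is fine for one connection, but for a busy filter it helps to let a script pair the pre- and post-chain lines and flag the packets that vanish in between. The parser below is an added example for this post, not Check Point code. The SAMPLE text is constructed: its first four packets are modelled on the capture above, and the 10.9.8.7 packet is invented so that the script has one packet seen at the pre-inbound point i but never at post-inbound I, which is what a drop inside the inbound chain looks like.

```python
"""Parse `fw monitor` output and show, per packet, which inspection points it
reached.  Added example for this post, not Check Point code.  SAMPLE is
constructed (first four packets modelled on the post's capture, the 10.9.8.7
packet invented) so the script runs offline."""
import re

# Header line format as printed by fw monitor on R7x.  The [vs_N][fw_N]
# prefix is made optional so older output without it still parses.
HDR = re.compile(
    r"^(?:\[vs_(?P<vs>\d+)\]\[fw_(?P<inst>\d+)\]\s+)?"
    r"(?P<iface>[^\s:]+):(?P<point>[iIoO])\[(?P<caplen>\d+)\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)\s+"
    r"len=(?P<len>\d+)\s+id=(?P<id>\d+)"
)
# The TCP detail line that follows each TCP header line.
TCP = re.compile(
    r"^TCP:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)\s+(?P<flags>\S+)\s+"
    r"seq=(?P<seq>[0-9a-f]+)\s+ack=(?P<ack>[0-9a-f]+)"
)

# Lowercase = before the inspection chain, uppercase = after it.
POINT_NAME = {"i": "pre-in", "I": "post-in", "o": "pre-out", "O": "post-out"}
# A packet seen at the first point should also be seen at the second.
CHAIN = {"i": "I", "o": "O"}

# Constructed sample capture (see the docstring).
SAMPLE = """\
 monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth1:o[60]: 192.168.50.10 -> 172.16.2.59 (TCP) len=60 id=4464
TCP: 55909 -> 25 .S.... seq=107657ca ack=00000000
[vs_0][fw_1] eth1:O[60]: 192.168.50.10 -> 172.16.2.59 (TCP) len=60 id=4464
TCP: 55909 -> 25 .S.... seq=107657ca ack=00000000
[vs_0][fw_1] eth1:i[60]: 172.16.2.59 -> 192.168.50.10 (TCP) len=60 id=0
TCP: 25 -> 55909 .S..A. seq=a227cfab ack=107657cb
[vs_0][fw_1] eth1:I[60]: 172.16.2.59 -> 192.168.50.10 (TCP) len=60 id=0
TCP: 25 -> 55909 .S..A. seq=a227cfab ack=107657cb
[vs_0][fw_1] eth0:i[60]: 10.9.8.7 -> 172.16.2.59 (TCP) len=60 id=777
TCP: 40001 -> 25 .S.... seq=0000beef ack=00000000
 monitor: caught sig 2
"""


def parse(text):
    """Return one dict per header line, with the following TCP line merged in."""
    pkts = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        m = HDR.match(line)
        if m:
            cur = m.groupdict()
            cur["ip_id"] = int(cur.pop("id"))
            pkts.append(cur)
            continue
        m = TCP.match(line)
        if m and cur is not None:
            cur.update(m.groupdict())
    return pkts


def trace(pkts):
    """Group captures of the same packet (src, dst, IP id, TCP seq) and list
    the inspection points it was seen at, in capture order."""
    seen = {}
    for p in pkts:
        key = (p["src"], p["dst"], p["ip_id"], p.get("seq"))
        seen.setdefault(key, []).append(p["point"])
    return seen


def find_gaps(seen):
    """Packets seen at a pre-chain point but never at the matching post-chain
    point: the chain between them (policy, NAT, IPS, ...) did not forward them."""
    gaps = []
    for key, points in seen.items():
        for pre, post in CHAIN.items():
            if pre in points and post not in points:
                gaps.append((key, pre, post))
    return gaps


def report(text):
    """Human-readable summary: the points each packet hit, then suspected drops."""
    seen = trace(parse(text))
    out = []
    for (src, dst, ip_id, seq), points in seen.items():
        names = " ".join(POINT_NAME[p] for p in points)
        out.append(f"{src} -> {dst} id={ip_id} seq={seq}: {names}")
    for (src, dst, ip_id, seq), pre, post in find_gaps(seen):
        out.append(f"DROP? {src} -> {dst} id={ip_id}: seen at {pre} "
                   f"({POINT_NAME[pre]}) but never at {post} ({POINT_NAME[post]})")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Feed it a saved capture (`fw monitor -e "..." -o /tmp/cap.txt` works too, but that writes a binary snoop file for Wireshark; for this script redirect the text output instead). The IP id plus TCP sequence number is used as the packet identity because the SYN/ACK above has id=0, which some stacks reuse, and the same id would otherwise merge unrelated packets.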
