FW CTL ZDEBUG is a CLI command for seeing dropped packets in real time on the firewall. This includes packets dropped by the Check Point application (the Rulebase, IPS, etc.) as well as packets dropped by the OS of the box (a full queue, etc.). ZDEBUG is especially helpful in determining the reason a packet was dropped, because some dropped packets simply never show up in SmartView Tracker.
Below is an example of some dropped packets and the reasons. Each drop is printed as a single line on the gateway; the prefix shows the CPU core ([cpu_9]) and the CoreXL firewall instance ([fw4_6]) that handled the packet, proto=6 is TCP, and the addresses are source:port -> destination:port.

;[cpu_9];[fw4_6];fw_log_drop_ex: Packet proto=6 157.216.110.162:36299 -> 64.25.9.4:23 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 10;

This one was dropped by the Check Point rulebase: the packet matched rule 10, which is a drop rule.

;[cpu_10];[fw4_5];fw_log_drop_ex: Packet proto=6 195.88.209.216:51921 -> 64.25.9.22:33909 dropped by fw_handle_first_packet Reason: Geo Protection;

Simple enough. This packet is from Russia, which is blocked on this firewall.
fw ctl zdebug drop is the command. It captures all packets that are dropped. It is really a shortcut that turns on kernel debugging with the drop flag, streams the debug buffer to your terminal, and resets the debug settings when you stop it with CTRL+C. Kernel debug is expensive on a busy gateway, so run it for a short time and use grep to cut the output down to the traffic you actually want to see:

fw ctl zdebug drop | grep 10.19.4.4

This shows any dropped packet with a source or destination IP address of 10.19.4.4.
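As an added example (not part of the original post), here is a small POSIX shell script that post-processes a saved fw ctl zdebug drop capture: it ranks the drop reasons by count and lists the drops that involve a given host with the ports intact, which is easier to act on than eyeballing the live stream. The workflow of redirecting zdebug to a file is an assumption, and the sample capture lines are constructed to match the message format quoted above (the "Address spoofing" line and the UDP line are additional constructed examples).

```shell
#!/bin/sh
# Added example, not from the original post: summarize a saved
# "fw ctl zdebug drop" capture instead of reading the live stream.
#
# Assumed workflow on the gateway (keep the run short; kernel debug is
# expensive on a busy box, and CTRL+C stops it and resets the debug flags):
#   fw ctl zdebug drop > /var/log/zdebug_drop.txt
#   sh zdebug_summary.sh /var/log/zdebug_drop.txt

# Write a constructed sample capture (same layout as the lines quoted in
# the post) to a temp file and print its path.
sample_capture_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
;[cpu_9];[fw4_6];fw_log_drop_ex: Packet proto=6 157.216.110.162:36299 -> 64.25.9.4:23 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 10;
;[cpu_3];[fw4_2];fw_log_drop_ex: Packet proto=6 157.216.110.162:36301 -> 64.25.9.4:23 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 10;
;[cpu_10];[fw4_5];fw_log_drop_ex: Packet proto=6 195.88.209.216:51921 -> 64.25.9.22:33909 dropped by fw_handle_first_packet Reason: Geo Protection;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 10.19.4.4:53 -> 64.25.9.4:40211 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 10;
;[cpu_7];[fw4_4];fw_log_drop_ex: Packet proto=6 10.19.4.9:4444 -> 64.25.9.22:445 dropped by fw_antispoof_log_drop Reason: Address spoofing;
;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 195.88.209.216:51930 -> 64.25.9.22:22 dropped by fw_handle_first_packet Reason: Geo Protection;
EOF
    printf '%s\n' "$f"
}

# Print "count<TAB>reason", most frequent reason first. The reason text is
# everything between "Reason: " and the trailing ";" of each drop message.
summarize_drop_reasons() {
    awk '
        /fw_log_drop/ && /Reason:/ {
            r = $0
            sub(/.*Reason: */, "", r)
            sub(/;.*$/, "", r)
            count[r]++
        }
        END { for (r in count) printf "%d\t%s\n", count[r], r }
    ' "$1" | sort -rn
}

# Print "src:sport -> dst:dport<TAB>reason" for drops where HOST is the
# source or destination IP. Unlike a plain grep this matches the address
# fields only, so 10.19.4.4 does not also match 10.19.4.40.
drops_for_host() {
    awk -v h="$2" '
        /fw_log_drop/ && /Reason:/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) if ($i == "->") { src = $(i - 1); dst = $(i + 1) }
            split(src, s, ":"); split(dst, d, ":")
            if (s[1] == h || d[1] == h) {
                r = $0; sub(/.*Reason: */, "", r); sub(/;.*$/, "", r)
                printf "%s -> %s\t%s\n", src, dst, r
            }
        }
    ' "$1"
}

# Stand-alone run: use the capture file given on the command line, or the
# constructed sample when none is given.
if [ -n "${1:-}" ]; then capture=$1; else capture=$(sample_capture_file); fi
echo "Drops by reason:"
summarize_drop_reasons "$capture"
echo
echo "Drops involving 64.25.9.4:"
drops_for_host "$capture" 64.25.9.4
```

On the sample, the summary puts "Rulebase drop - rule 10" first with three hits, and the per-host view for 64.25.9.4 shows all three of its drops with ports, which tells you at a glance whether a single rule or a single service is responsible.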
FW MONITOR is a CLI command for capturing packets as they pass through the firewall in real time. fw monitor captures packets at multiple positions within the FireWall-1 kernel module chain, for both inbound and outbound packets, so you can trace a packet through the different functions of the firewall. It does not tell you why a packet was dropped: a packet dropped by inbound inspection shows up at the pre-inbound point and then simply disappears (that is where fw ctl zdebug drop comes in).

The basic troubleshooting command is something like the following, which shows packets with 29.27.7.2 as the source or destination:

fw monitor -e "accept src=29.27.7.2 or dst=29.27.7.2;"

Most of the time you want to see the packet go all the way through the kernel. The shorthand below does the same thing and is most likely the form you will use the most:

fw monitor -e "accept host (29.27.7.2);"

By default this shows the four inspection points the packet passes through: i (pre-inbound, before the inbound firewall kernel), I (post-inbound, after the inbound kernel), o (pre-outbound, before the outbound kernel) and O (post-outbound, as the packet leaves the gateway). Each capture line is prefixed with the interface and the point, for example eth1:i, eth1:I, eth2:o, eth2:O.

(Figure: packet traversal through the four fw monitor inspection points)

This helps you determine whether packets are coming through, and whether NAT and routing are working: a packet seen at i but never at I was dropped by inbound inspection, a packet seen at I but never at o was not routed out of the box, and NAT shows up as the addresses changing between inspection points.

You can expand this view with the -p all option, which shows every position in the kernel chain instead of just the four default points:

fw monitor -p all -e "accept host (29.27.7.2);"

(Figure: multiple-point view of the packet traversal through the firewall)

One caveat: on a gateway with SecureXL acceleration enabled, accelerated connections can bypass the firewall kernel chain and will not appear in fw monitor output, so if a known-good flow is missing entirely, check the acceleration status before concluding the packets never arrived.
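Added example, not from the original post: a POSIX shell script that reads a saved fw monitor capture and, for each packet, reports which of the four inspection points (i, I, o, O) it was seen at, on which interfaces, and what that pattern means for troubleshooting. The capture lines are constructed to follow the usual "interface:point[len]: src -> dst (proto) len=... id=..." layout of fw monitor output, and packets are keyed by the IP id field, which is a simplification that is good enough for a short, host-filtered capture. Saving fw monitor output to a file is an assumed workflow.

```shell
#!/bin/sh
# Added example, not from the original post: turn a saved fw monitor capture
# into a per-packet list of inspection points and a plain-language verdict.
#
# Assumed workflow (same host filter as in the post, output saved to a file):
#   fw monitor -e "accept host (29.27.7.2);" > /var/log/fwmon.txt
#   sh fwmon_trace.sh /var/log/fwmon.txt

# Constructed sample in the usual fw monitor layout. Packet 4821 traverses
# all four points (in on eth1, out on eth2), 4822 is seen pre-inbound only
# (dropped by the inbound kernel), 4823 passes inbound inspection but never
# reaches an outbound interface (routing). The "TCP:" detail lines are ignored.
sample_capture_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
eth1:i[60]: 29.27.7.2 -> 10.19.4.4 (TCP) len=60 id=4821
TCP: 51234 -> 443 .S.... seq=1a2b3c4d ack=00000000
eth1:I[60]: 29.27.7.2 -> 10.19.4.4 (TCP) len=60 id=4821
TCP: 51234 -> 443 .S.... seq=1a2b3c4d ack=00000000
eth2:o[60]: 29.27.7.2 -> 10.19.4.4 (TCP) len=60 id=4821
TCP: 51234 -> 443 .S.... seq=1a2b3c4d ack=00000000
eth2:O[60]: 29.27.7.2 -> 10.19.4.4 (TCP) len=60 id=4821
TCP: 51234 -> 443 .S.... seq=1a2b3c4d ack=00000000
eth1:i[60]: 29.27.7.2 -> 10.19.4.5 (TCP) len=60 id=4822
TCP: 51235 -> 23 .S.... seq=1a2b3c4e ack=00000000
eth1:i[60]: 29.27.7.2 -> 10.19.9.9 (TCP) len=60 id=4823
TCP: 51236 -> 80 .S.... seq=1a2b3c4f ack=00000000
eth1:I[60]: 29.27.7.2 -> 10.19.9.9 (TCP) len=60 id=4823
TCP: 51236 -> 80 .S.... seq=1a2b3c4f ack=00000000
EOF
    printf '%s\n' "$f"
}

# One line per packet id: "id=N src -> dst points=<subset of iIoO> ifaces=<list>".
# The header field "iface:point[len]:" is located by pattern rather than by
# position, so leading tag fields that some versions print are tolerated.
trace_points() {
    awk '
        {
            hdr = 0
            for (i = 1; i <= NF && !hdr; i++) if ($i ~ /^[^:]+:[iIoO]\[[0-9]+\]:$/) hdr = i
            if (!hdr) next                          # "TCP:" detail lines etc.
            split($hdr, a, ":")                     # a[1]=interface, a[2]="i[60]"
            iface = a[1]; pt = substr(a[2], 1, 1)
            src = $(hdr + 1); dst = $(hdr + 3)      # field hdr+2 is the "->"
            id = ""
            for (i = hdr + 4; i <= NF; i++) if ($i ~ /^id=/) id = substr($i, 4)
            if (!(id in flow)) { order[++n] = id; flow[id] = src " -> " dst }
            points[id] = points[id] pt
            ifaces[id] = ifaces[id] (ifaces[id] == "" ? "" : ",") iface
        }
        END {
            for (k = 1; k <= n; k++) {
                id = order[k]
                printf "id=%s %s points=%s ifaces=%s\n", id, flow[id], points[id], ifaces[id]
            }
        }
    ' "$1"
}

# Print only the inspection-point string for one packet id.
points_for_id() {
    trace_points "$1" | awk -v want="id=$2" '$1 == want { sub(/^points=/, "", $5); print $5 }'
}

# Interpret a points string. A later point implies the earlier ones were
# passed, so the furthest point reached is tested first.
verdict() {
    case $1 in
        *O*) echo "left the gateway (full traversal); look at the far end" ;;
        *o*) echo "reached pre-outbound but never left: dropped by outbound inspection, run fw ctl zdebug drop" ;;
        *I*) echo "passed inbound inspection but never reached an outbound interface: check routing and NAT" ;;
        *i*) echo "seen pre-inbound only: dropped by inbound inspection, run fw ctl zdebug drop" ;;
        *)   echo "no inspection points recorded" ;;
    esac
}

diagnose_capture() {
    trace_points "$1" | while read -r id src arrow dst pts rest; do
        printf '%s %s %s %s: %s\n' "$id" "$src" "$arrow" "$dst" "$(verdict "${pts#points=}")"
    done
}

if [ -n "${1:-}" ]; then capture=$1; else capture=$(sample_capture_file); fi
diagnose_capture "$capture"
```

Run against the sample, packet 4821 reports the full iIoO traversal, 4822 is flagged as dropped by inbound inspection (the case where you switch to fw ctl zdebug drop), and 4823 is flagged as a routing or NAT problem because it was last seen at I.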
TCPDump is a CLI command that captures packets on an interface. You see packets in real time as they hit the interface, but not as they pass through the firewall: you are only capturing on the interface itself. This is similar to the way packet captures work on a Cisco ASA, and the output is what you would see in Wireshark. If you see a packet come in one interface but not go out another, you will probably need to run fw monitor to find out where it is failing; if you suspect dropped packets, use fw ctl zdebug drop.

tcpdump -i eth1 host 172.24.8.200    <---- captures traffic to or from this host on eth1.
NOTES***
'tcpdump -i <interface>' captures traffic on a specific interface.
'tcpdump -e' displays source and destination MAC addresses.
'tcpdump -nn' prints IP addresses and port numbers instead of resolving them to names, which keeps the output fast and unambiguous.
CTRL+C stops 'tcpdump'.
Older versions of tcpdump capture only the first 68 bytes of every packet by default, which is enough for headers but not payload; use the '-s 0' flag to capture full packets. If you write the capture to a file with '-w', remember that for protocols running without encryption, passwords are copied into that file too, so protect it accordingly.
Comments

Thanks. A really useful post.

Great write-up Shane... very informative.

Great effort. Please correct your figure 10: fw monitor capture position Pre-inbound (o); it should be Pre-outbound (o).

The packet is still coming inbound at that point. That's straight from the Check Point documentation.

Thanks, great document, it helps a lot.

👍

Hi Shane, thanks for the info. Could you please explain the Check Point iIoO inspection points and where Access Rule/NAT/Routing are applied at each stage?

Great explanation, will save this document in my personal notes for sure.

Very good!

Great explanation, thanks.