Checkpoint Packet Capture Creator


The Checkpoint CLI allows users to create packet captures with fw monitor. This page builds the fw monitor command (including its filter expression) from a few inputs. The user must be in expert mode in order to run the packet capture from the command line.


Inputs

  • Source IP (example: 192.168.1.1, or any)
  • Destination IP
  • Destination port (example: 80, or any)
  • Dump to filename; leave blank to output results to the screen (example: capture.pcap)

Config

Generated command (with no inputs filled in):

fw monitor
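The following is an added example of how such a generator can be written; it is not the page's own code. It assumes IPv4 packets with the minimal 20-byte header, so in fw monitor's [offset:length,b] notation [12:4,b] is the source address, [16:4,b] the destination address and [22:2,b] the TCP/UDP destination port, and it assumes Check Point's -o option for writing the capture to a file. The host-only form reproduces the 99.99.99.99 expression shown further down the page.

```python
"""Build the fw monitor command from the page's four inputs.

Added example, not the page's generator. Assumes a 20-byte IPv4 header
([12:4,b] = src IP, [16:4,b] = dst IP, [22:2,b] = dst port) and the
"-o <file>" option for dumping to a file instead of the screen.
"""
import ipaddress
import shlex
from typing import List, Optional


def _ip_term(offset: int, value: str) -> Optional[str]:
    """'[off:4,b]=a.b.c.d' for a host, None for blank or 'any'."""
    value = value.strip()
    if not value or value.lower() == "any":
        return None
    ipaddress.IPv4Address(value)  # raises ValueError for anything but an IPv4 literal
    return f"[{offset}:4,b]={value}"


def _port_term(offset: int, value: str) -> Optional[str]:
    """'[off:2,b]=N' for a port, None for blank or 'any'."""
    value = value.strip()
    if not value or value.lower() == "any":
        return None
    port = int(value)  # raises ValueError for non-numeric input
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"[{offset}:2,b]={port}"


def build_fw_monitor(src_ip: str = "any", dst_ip: str = "any",
                     dst_port: str = "any", outfile: str = "") -> str:
    """Join the filled-in inputs with 'and'; omit -e when everything is 'any'."""
    terms: List[str] = [t for t in (_ip_term(12, src_ip),
                                    _ip_term(16, dst_ip),
                                    _port_term(22, dst_port)) if t]
    cmd = "fw monitor"
    if terms:
        expr = "accept " + " and ".join(f"({t})" for t in terms) + ";"
        cmd += " -e " + shlex.quote(expr)  # single-quoted so the shell leaves [ ] ( ) alone
    if outfile.strip():
        cmd += " -o " + shlex.quote(outfile.strip())
    return cmd


def build_host_capture(host: str, outfile: str = "") -> str:
    """Both directions for one host, as in the page's 99.99.99.99 example."""
    ipaddress.IPv4Address(host)
    expr = f"accept (([16:4,b]={host}) or ([12:4,b]={host}));"
    cmd = "fw monitor -e " + shlex.quote(expr)
    if outfile.strip():
        cmd += " -o " + shlex.quote(outfile.strip())
    return cmd


if __name__ == "__main__":
    print(build_host_capture("99.99.99.99"))
    print(build_fw_monitor("10.22.22.22", "99.99.99.99", "80", "capture.pcap"))
```

Validating the IP and port before they are interpolated matters because the expression is handed to a shell: shlex.quote keeps the brackets and parentheses intact, and the IPv4Address check rejects anything that is not an address.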

Understanding the Output

Suppose we want to capture all packets going to or coming from 99.99.99.99. The capture statement would look like this: fw monitor -e 'accept (([16:4,b]=99.99.99.99) or ([12:4,b]=99.99.99.99));'
Now an inside host attempts to connect to that IP on port 80. We will see the following output:

[fw_1] Lan1:i[64]: 10.22.22.22 -> 99.99.99.99 (TCP) len=64 id=641
TCP: 35592 -> 80 .S.... seq=a830ff8b ack=00000000
[fw_1] Lan1:I[64]: 10.22.22.22 -> 99.99.99.99 (TCP) len=64 id=641
TCP: 35592 -> 80 .S.... seq=a830ff8b ack=00000000
[fw_1] Lan8:o[64]: 10.22.22.22 -> 99.99.99.99 (TCP) len=64 id=641
TCP: 35592 -> 80 .S.... seq=a830ff8b ack=00000000
[fw_1] Lan8:O[64]: 44.44.44.44 -> 99.99.99.99 (TCP) len=64 id=641
TCP: 27026 -> 80 .S.... seq=a830ff8b ack=00000000
The above is only the SYN packet going out to the destination host. Dissecting the results tells us more:
  • Lan1 means the packet is being processed on the Lan1 interface
  • Lan1:i indicates this packet is captured pre-inbound rules
  • Lan1:I indicates this packet is captured post-inbound rules
  • Lan8 indicates the interface the packet will be routed out of
  • Lan8:o indicates the packet was captured pre-outbound rules
  • Lan8:O indicates the packet was captured post-outbound rules. You can see the source IP has changed due to NAT during the outbound rules.
  • TCP: 35592 -> 80 indicates this packet is a TCP packet with a source port of 35592 and a destination port of 80
  • .S.... indicates this packet has the SYN flag set
Now let’s look at the return packet, the SYN-ACK packet and how it looks coming back through the firewall:
[fw_1] Lan8:i[44]: 99.99.99.99 -> 44.44.44.44 (TCP) len=44 id=45516
TCP: 80 -> 27026 .S..A. seq=b0e2ca42 ack=a830ff8c
[fw_1] Lan8:I[44]: 99.99.99.99 -> 10.22.22.22 (TCP) len=44 id=45516
TCP: 80 -> 35592 .S..A. seq=b0e2ca42 ack=a830ff8c
[fw_1] Lan1:o[44]: 99.99.99.99 -> 10.22.22.22 (TCP) len=44 id=45516
TCP: 80 -> 35592 .S..A. seq=b0e2ca42 ack=a830ff8c
[fw_1] Lan1:O[44]: 99.99.99.99 -> 10.22.22.22 (TCP) len=44 id=45516
TCP: 80 -> 35592 .S..A. seq=b0e2ca42 ack=a830ff8c
  • .S..A. indicates this packet has the SYN and ACK flags set.
Take note:
A packet denied by policy will be dropped in the inbound rules.
NAT takes place in the outbound rules.
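To make the inspection-point reading above mechanical, here is an added example (not from the page) that parses fw monitor text output, records which of the four points (i, I, o, O) each packet reached, and reports where an address or port changed between consecutive points. SAMPLE is the page's own SYN and SYN-ACK output; DENIED is a constructed line. The line layout is assumed to be exactly what the page shows, and the six-character flag field is read positionally as F S R P A U (the page confirms S in position 2 and A in position 5; the other four names are an assumption).

```python
"""Follow a packet through fw monitor's i/I/o/O inspection points.

Added example, not part of the page. Assumes the page's line layout and a
positional FSRPAU flag field (only S and A are confirmed by the page).
"""
import re
from collections import OrderedDict

HEADER = re.compile(
    r"^\[(?P<fw>[^\]]+)\] (?P<iface>[^:\s]+):(?P<point>[iIoO])\[\d+\]: "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<proto>\w+)\) "
    r"len=(?P<len>\d+) id=(?P<id>\d+)$")
TCPLINE = re.compile(
    r"^TCP: (?P<sport>\d+) -> (?P<dport>\d+) (?P<flags>[.A-Z]{6}) "
    r"seq=(?P<seq>[0-9a-f]+) ack=(?P<ack>[0-9a-f]+)$")
FLAG_ORDER = "FSRPAU"  # assumed; S (pos 2) and A (pos 5) match the page
POINT_NAME = {"i": "pre-inbound", "I": "post-inbound",
              "o": "pre-outbound", "O": "post-outbound"}

# The page's SYN and SYN-ACK output, verbatim.
SAMPLE = """\
[fw_1] Lan1:i[64]: 10.22.22.22 -> 99.99.99.99 (TCP) len=64 id=641
TCP: 35592 -> 80 .S.... seq=a830ff8b ack=00000000
[fw_1] Lan1:I[64]: 10.22.22.22 -> 99.99.99.99 (TCP) len=64 id=641
TCP: 35592 -> 80 .S.... seq=a830ff8b ack=00000000
[fw_1] Lan8:o[64]: 10.22.22.22 -> 99.99.99.99 (TCP) len=64 id=641
TCP: 35592 -> 80 .S.... seq=a830ff8b ack=00000000
[fw_1] Lan8:O[64]: 44.44.44.44 -> 99.99.99.99 (TCP) len=64 id=641
TCP: 27026 -> 80 .S.... seq=a830ff8b ack=00000000
[fw_1] Lan8:i[44]: 99.99.99.99 -> 44.44.44.44 (TCP) len=44 id=45516
TCP: 80 -> 27026 .S..A. seq=b0e2ca42 ack=a830ff8c
[fw_1] Lan8:I[44]: 99.99.99.99 -> 10.22.22.22 (TCP) len=44 id=45516
TCP: 80 -> 35592 .S..A. seq=b0e2ca42 ack=a830ff8c
[fw_1] Lan1:o[44]: 99.99.99.99 -> 10.22.22.22 (TCP) len=44 id=45516
TCP: 80 -> 35592 .S..A. seq=b0e2ca42 ack=a830ff8c
[fw_1] Lan1:O[44]: 99.99.99.99 -> 10.22.22.22 (TCP) len=44 id=45516
TCP: 80 -> 35592 .S..A. seq=b0e2ca42 ack=a830ff8c
"""
# Constructed: a packet seen only pre-inbound, i.e. it never passed the inbound rules.
DENIED = """\
[fw_1] Lan1:i[64]: 10.22.22.22 -> 99.99.99.99 (TCP) len=64 id=7
TCP: 40000 -> 23 .S.... seq=00000001 ack=00000000
"""


def parse(text):
    """One dict per captured packet; the TCP line, when present, is merged in."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, pos = [], 0
    while pos < len(lines):
        m = HEADER.match(lines[pos])
        pos += 1
        if not m:
            raise ValueError(f"unrecognised fw monitor line: {lines[pos - 1]!r}")
        rec = m.groupdict()
        if pos < len(lines):
            t = TCPLINE.match(lines[pos])
            if t:
                pos += 1
                rec.update(t.groupdict())
                rec["flags"] = [FLAG_ORDER[k] for k, c in enumerate(t["flags"]) if c != "."]
        records.append(rec)
    return records


def points_seen(records):
    """Inspection points observed per IP id, in capture order, e.g. 'iIoO'."""
    seen = OrderedDict()
    for r in records:
        seen[r["id"]] = seen.get(r["id"], "") + r["point"]
    return dict(seen)


def address_changes(records):
    """(id, point_before, point_after, field, before, after) for every
    address or port that differs between consecutive inspection points."""
    by_id = OrderedDict()
    for r in records:
        by_id.setdefault(r["id"], []).append(r)
    changes = []
    for pid, recs in by_id.items():
        for a, b in zip(recs, recs[1:]):
            for field in ("src", "dst", "sport", "dport"):
                if a.get(field) != b.get(field):
                    changes.append((pid, a["point"], b["point"], field, a.get(field), b.get(field)))
    return changes


def describe(records):
    """Plain-language verdict per packet: NAT locations, or a drop before post-inbound."""
    out = []
    changes = address_changes(records)
    for pid, pts in points_seen(records).items():
        if "I" not in pts:
            out.append(f"id {pid}: seen at {pts} only; never passed inbound rules (consistent with a policy drop)")
        for cid, a, b, field, before, after in changes:
            if cid == pid:
                out.append(f"id {pid}: {field} {before} -> {after} between {POINT_NAME[a]} and {POINT_NAME[b]} (NAT)")
    return out


if __name__ == "__main__":
    for line in describe(parse(SAMPLE)) + describe(parse(DENIED)):
        print(line)
```

Run against the page's sample, the source address and port of id 641 change between o and O (outbound NAT), while the return packet id 45516 has its destination translated back between i and I; the constructed DENIED packet reaches i only, which is what the note above says a policy drop looks like.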
