Telnet from inside Checkpoint firewall


UPDATE 2021: While all the below is still correct and works, nowadays, in GAIA we have a telnet client installed by default.

Yesterday I saw a strange problem - connections from outside to Exchange in a LAN time out, while in Tracker all connections to port 25 are in green. Strange was that through VPN client-to-site and from inside the LAN all worked perfectly well. So I wasn't sure 100% it wasn't a firewall causing this. The next best way to check it would be telnet from inside NGX (R65 in this case) to port 25 of Exchange by its LAN IP ... only that Checkpoint don't have a telnet client included in their Splat. If I had enough time I'd compile a telnet client statically on some Linux box with the same kernel/libraries and then copy it to NGX for testing, but to do it ASAP I hacked a small AWK script that emulates (just enough for a test) telnet; the scripts are below.

BTW this script made it 100% clear there was some problem with Exchange over which I had no control - from the firewall its port 25 answered very erratically - once ok, 10 times connection refused. So after a double check the client found that from LAN and VPN it also wasn't as stable as he first thought.

General telnet client script:

    [Expert@cp]# awk -v ip=192.168.0.1 -v port=25 -f telnet.awk

Where:
ip - IP to connect to
port - port to connect to

    #!/usr/bin/awk -f
    # This is a simple telnet emulation script. Its purpose is to try
    # to connect to a given IP on a given port using TCP and print to
    # the terminal the first line received from the server if a session
    # is established. It has no functionality but to establish a TCP
    # connection and print out the received text from the server;
    # after that it just exits. It was created to debug connectivity
    # issues on a Checkpoint NGX firewall that has no built-in telnet
    # client.
    # Client
    BEGIN {
        service = "/inet/tcp/0/" ip "/" port
        # getline returns 1 when a line was read, 0 when the server
        # closed the connection without sending anything, and -1 when
        # the connection could not be established.
        if ((service |& getline) > 0)
            print $0
        else
            print "no data received from " ip ":" port
        close(service)
    }

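Next is the same script with an add-on for port 80, to get some response from a web server:

    #!/usr/bin/awk -f
    BEGIN {
        Portandip = "/inet/tcp/0/" ip "/" port
        # HTTP/1.1 requires a Host header; "Connection: close" makes the
        # server close the socket after the reply so the loop below ends.
        printf "GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n", ip |& Portandip
        # Print every line of the response until the server closes.
        while ((Portandip |& getline) > 0)
            print $0
        close(Portandip)
    }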
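
The post describes port 25 answering erratically from the firewall (once OK, ten times connection refused). As an added example, not part of the original post, this gawk script repeats the banner probe and tallies the outcomes; the `tries` variable and the file name `probe.awk` are assumptions of the example.

```awk
#!/usr/bin/gawk -f
# Added example (not the original post's script): repeat the banner probe
# and tally the outcomes, to quantify an intermittently answering service.
# Usage: gawk -v ip=192.168.0.1 -v port=25 -v tries=10 -f probe.awk
# "tries" and the file name probe.awk are assumptions of this example.
BEGIN {
    if (ip == "" || port == "") {
        print "usage: gawk -v ip=ADDR -v port=N [-v tries=N] -f probe.awk" > "/dev/stderr"
        exit 2
    }
    if (tries == "") tries = 10
    svc = "/inet/tcp/0/" ip "/" port
    # Honoured by gawk 4.0 and later; older versions ignore it and block
    # until the server sends a line or closes the connection.
    PROCINFO[svc, "READ_TIMEOUT"] = 5000

    for (i = 1; i <= tries; i++) {
        ERRNO = ""
        rc = (svc |& getline banner)
        if (rc > 0) {
            ok++
            printf "%2d  banner: %s\n", i, banner
        } else if (rc == 0) {
            closed++
            printf "%2d  connected, closed without sending data\n", i
        } else {
            failed++
            printf "%2d  failed: %s\n", i, (ERRNO != "" ? ERRNO : "no connection")
        }
        close(svc)          # force a fresh TCP connection on the next pass
        system("sleep 1")   # pause between attempts
    }
    printf "banner=%d  closed=%d  failed=%d  (of %d)\n", ok, closed, failed, tries
    exit (ok == tries ? 0 : 1)
}
```

This suits services that speak first, such as SMTP on port 25. On gawk 4.0 and later a failed connection is retried internally before `getline` returns -1; the `GAWK_SOCK_RETRIES` environment variable controls the number of retries.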

PS Thanks to Aibulat (see comments) for the info, turns out there is a telnet client available on the Splat cd-rom. It is just not installed by default when installing Splat.
