fw monitor command reference CheckPoint firewall

Updated: 07 July 2020
This is a quick reference sheet of all usable options for the fw monitor tool .At the end I put a list of fw monitor examples. The previous experience with the tool is assumed, i'll just say that if you are serious about debugging Checkpoint products learn it and learn it well.

Note: Before R80.20 you would have to disable SecureXL acceleration with fwaccel off for fw monitor to see ALL the connection packets and filter them as needed. Starting with R80.20 you don't have to do it anymore, fw monitor sees accelerated traffic as well. BUT ... in such case the fw monitor filters given with -e do NOT work - that is, even if you set a filter, fw monitor will show ALL accelerated packets ignoring the filter. So turning off fwaccel off before sniffing, then turning back on fwaccel on might still be a good idea. As alternative for such a case, Checkpoint offer -F filter that DOES filter accelerated packets without fwaccel off, but it can filter only on IP address and ports, a fraction of capabilities of the -e filters. Also it is not implemented on R80.30.

For IPv6 traffic you would use fw6 monitor.

By default the fw monitor sniffing driver is inserted into the 4 locations on the Firewall kernel chain . Here they are:

i (PREIN) – inbound direction before firewall Virtual Machine (VM, and it is CP terminology) . Most important fact to know about that is that this packet capturing location shows packets BEFORE any security rule in the policy is applied. That is, no matter what rules say a packet should at least be seen here, this would prove that packets actually reach the firewall at all.
I (POSTIN) – inbound direction after firewall VM.
o (PREOUT) – outbound direction before firewall VM,
O (POSTOUT) - outbound direction after firewall VM.

You can change point of insertion within the fw chain with :

fw monitor –pi|I|O|o position

Frequently, for debug purposes, you need to insert in ALL positions, be aware causes CPU load:

fw monitor -p all

The easiest way to specify where to insert is to first see the chain:

fw ctl chain

Then give position relative to any module you see there:

[Expert@CP80.30T200:0]# fw ctl chain
in chain (11):
        0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
        1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
        2: - 1fffff8 (ffffffff89f8de30) (00000001) Stateless verifications (in) (asm)
        3: - 1fffff7 (ffffffff89f91ef0) (00000001) fw multik misc proto forwarding
        4:         0 (ffffffff8a4233e0) (00000001) fw VM inbound  (fw)
        5:         2 (ffffffff89f92720) (00000001) fw SCV inbound (scv)
        6:         5 (ffffffff89b454f0) (00000003) fw offload inbound (offload_in)
        7:        10 (ffffffff8a4152a0) (00000001) fw post VM inbound  (post_vm)
        8:    100000 (ffffffff8a3cb780) (00000001) fw accounting inbound (acct)
        9:  7f730000 (ffffffff89523010) (00000001) passive streaming (in) (pass_str)
        10:  7f750000 (ffffffff8a171d10) (00000001) TCP streaming (in) (cpas)
out chain (9):
        0: - 1fffff0 (ffffffff8a167e70) (00000001) TCP streaming (out) (cpas)
        1: - 1ffff50 (ffffffff89523010) (00000001) passive streaming (out) (pass_str)
        2: - 1f00000 (ffffffff89f8de30) (00000001) Stateless verifications (out) (asm)
        3:         0 (ffffffff8a4233e0) (00000001) fw VM outbound (fw)
        4:        10 (ffffffff8a4152a0) (00000001) fw post VM outbound  (post_vm)
        5:  7f000000 (ffffffff8a3cb780) (00000001) fw accounting outbound (acct)
        6:  7f700000 (ffffffff8a168820) (00000001) TCP streaming post VM (cpas)
        7:  7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
        8:  7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)

E.g. to insert pre-inbound before the asm module: fw monitor -pi asm
Note: you can insert the sniffer where the Checkpoint will allow, e.g. trying to insert before SecureXL chain point sxl_in will give warning and will insert before the asm point anyway.

Now the usage itself:

fw monitor

Usage: fw monitor [- u|s] [-i] [-d] [-T] <{-e
expression}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]]
[-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all [-a
]> [-ci count] [-co count]

Round up of options:

-m mask , which point of capture is to be displayed, possible values: i,I,o,O
-d/-D debug output from fw monitor itself, not very useful IMO.
-u|s print also connection/session Universal ID
-i after writing each packet flush stdout
-T add timestamp
-e expr expression to filter the packets (in detail later)
-f filter-file the same as above but read filter expression from file
-l len packet length to capture

On the very low level fw monitor understands byte offsets from the header start. So to specify for example 20th byte of the IP packet (that is source IP) you can just use:

fw monitor -e 'accept [12,b]=;'

12 – offset in bytes from the beginning of the packet
b – mandatory, means big endian order.
4 – not seen here but size (in bytes) of how many bytes to look for from the starting offset (default is 4 )

To look for source port 53 (UDP/TCP) in raw packet:

fw monitor -m i -e 'accept [20:2,b]=53;'

Here I say to fw monitor to look at 2 bytes at offset 20.

While this way of looking at packets is the most general and therefore includes all cases, you rarely have the need for such a granular looking glass. In 99% of the cases you will be doing alright with a limited known set of expressions. Just for that Checkpoint predefined and kindly provided us in every Splat/Gaia installation with definition files that give meaningful synonyms to the most used patterns. There are few definition files but they circularly reference each other providing multiple synonyms for the same pattern. I put all those predefined patterns in the list below for the easy to use reference.

Summary table of possible filter expressions to be fed to the fw monitor
Specifying Hosts
 host(IP-address)  to or from this host
 src=IP-address  where source ip = IP-address
 dst=IP_address  where destination ip = IP_address
 net(network_address,netmask)  to or from this network
 to_net(network_address,netmask)  to this network
 from_net(network_address,netmask)  from this network
Specifying ports
 port(port_number)  having this source or destination port
 sport=port_number  having this source port
 dport=port_number  having this destination port
 tcpport(port_number)  having this source or destination port that is also TCP
 udpport(port_number)  having this source or destination port that is also UDP
 Specifying protocols  
 ip_p=  this way you can specifiy any known protocol by its registered number in IANA. For detailed list of protocol numbers see IANA Protocol Numbers
 icmp  what it says , icmp protocol
 tcp  TCP
 udp  UDP
 Protocol specific options  
 ip_tos =  TOS field of the IP packet
 ip_len =  Length of the IP packet in bytes
 ip_src/ ip_dst =  Source or destination IP address of the packet
 ip_p =  See above
  echo_reply  ICMP reply packets
  echo_req  Echo requests
  ping  Echo requests and echo replies
  icmp_error  ICMP error messages (Redirect,Unreachables,Time exceeded,Source quench,Parameter problem)
  traceroute  Traceroute as implemented in Unix (UDP packets to high ports)
  tracert  Traceroute as implemented in Windows (ICMP packets , TTL <30)
  icmp_type =  catch packets of certain type
  icmp_code =  catch packets of certain code
  icmp_ip_len =  Length of ICMP packet
 icmp_ip_ttl =  TTL of ICMP packet, use with icmp protocol otherwise will catch ANY packet with TTL given
 < cut here----bunch of other icmp-related fields like ID ,sequence I don’t see any value in bringing here-->
 syn  SYN flag set
 fin  FIN flag set
 rst  RST flag set
 ack  ACK flag set
 first  first packet (means SYN is set but ACK is not)
 not_first  not first packet (SYN is not set)
 established  established connection (means ACK is set but SYN is not)
 last  last packet in stream (ACK and FIN are set)
 tcpdone  RST or FIN are set
 th_flags - more general way to match the flags inside TCP packets
 th_flags = TH_PUSH  Push flag set
 th_flags = TH_URG  Urgent flag set
 uh_ulen =  Length of the UDP header (doesnt include IP header)

And the last thing to remember before we move to examples - expressions support logical operators and numerical values support relative operators:

and - logical AND
or - logical OR
not- logical NOT
> MORE than
< LESS than
>= MORE than or EQUAL to
<= LESS than or EQUAL to
You can combine logical expressions and influence order by using () to group.

Below is laundry list of examples to showcase the reference table above.

fw monitor -m i -e 'accept host( ;'

packets where the source or destination IP is, show before "i" chain point.

fw monitor -e 'accept src= ;'

packets where source ip =

fw monitor -e 'accept src= or dst=;'

packets where source or destination ip =

fw monitor -e 'accept port(25) ;'

packets where destination or source port = 25

fw monitor -e 'accept dport=80 ;'

packets where destination port = 80

fw monitor -e 'accept sport>22 and dport>22 ; '

packets with source and destination ports greater than 22

fw monitor -e 'accept ip_len = 1477;'

packets where their length equals exactly 1477 bytes

fw monitor -e 'accept icmp_type=ICMP_UNREACH;'

ICMP packets of Unreachable type

fw monitor -e 'accept from_net(,24);'

packets having source IP in the network

fw monitor -e 'accept from_net(,24) and port(25) and dst= ;'

packets coming from network that are destined to the host and having source or destination port = 25

fw monitor -m i -x 40,450 -e 'accept port(80);'

incoming packets before any rules are applied also display contents of the packet starting at 40th byte of 450 bytes length

fw monitor -m i -pi -ipopt_strip -e 'accept host(;'

incoming packets from/to host , insert sniffer before module named ipopt_strip

fw monitor -D -m i -pi -ipopt_strip -e 'accept host(;'

same as above but add debug info


Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.