fw monitor add-on - using tables in Checkpoint fw monitor capture tool


There is something I didn't include in the previous post, fw monitor command reference, because I consider it optional: you can do well without it. It is the use of tables when defining filter expressions. INSPECT, the proprietary Checkpoint scripting language on which fw monitor filter expressions are based, allows you to define tables. I won't delve into INSPECT syntax (for today), but the following examples can easily be modified to suit your needs.

Legend:
{} – delimit the table
<,> – specify a range of values (e.g. <22,25> means from 22 up to 25 inclusive)
ifid – interface identifier, as listed by fw ctl iflist

# fw monitor -e "bad_ports = static {22,25,443}; accept dport in bad_ports;"
Packets whose destination port equals 22, 25 or 443.

# fw monitor -e "bad_ports = static {<22,25>}; accept dport in bad_ports;"
Packets whose destination port equals 22, 23, 24 or 25.

# fw monitor -e "bad_ports = static {<22,25>,<80,443>}; accept dport in bad_ports;"
Packets whose destination port is in the range 22-25 or 80-443.

# fw monitor -e "bad_nets = static {<194.1.0.0,194.1.255.255>}; accept src in bad_nets;"
Packets originating from the address range 194.1.0.0 - 194.1.255.255.

# fw ctl iflist
Here we can see the index value (ifid) of each interface card:

    0  : Internal
    1  : External

# fw monitor -e "bad_nets = static {<194.1.0.0,194.1.255.255>}; accept src in bad_nets and ifid=0;"
Packets originating from the address range 194.1.0.0 - 194.1.255.255 and captured only on interface eth3 (ifid 0).
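As an added example (not from the original post), here is a small POSIX shell helper that assembles these INSPECT static tables from a list of single values and a-b ranges, so a long -e expression does not have to be hand-typed. The function names are my own, and mixing single values and ranges inside one table is assumed to be accepted by INSPECT.

```shell
#!/bin/sh
# inspect_table NAME ITEM... -> "NAME = static {...};"
# Each ITEM is a single value (22) or a range written lo-hi (80-443),
# which becomes the INSPECT range form <80,443>. Items are comma-joined.
inspect_table() {
    name=$1; shift
    body=""
    for item in "$@"; do
        case $item in
            *-*) lo=${item%%-*}; hi=${item#*-}; entry="<$lo,$hi>" ;;
            *)   entry=$item ;;
        esac
        body="${body:+$body,}$entry"
    done
    printf '%s = static {%s};' "$name" "$body"
}

# build_filter "PORT_ITEMS" "NET_ITEMS" [IFID]
# Composes the full -e expression: two tables, then the accept condition.
# IFID is an interface index taken from `fw ctl iflist`; omit it to
# capture on all interfaces.
build_filter() {
    ports_tbl=$(inspect_table bad_ports $1)
    nets_tbl=$(inspect_table bad_nets $2)
    cond="dport in bad_ports and src in bad_nets"
    if [ -n "$3" ]; then
        cond="$cond and ifid=$3"
    fi
    printf '%s %s accept %s;' "$ports_tbl" "$nets_tbl" "$cond"
}

# Usage on a gateway (fw is only present there):
#   fw monitor -e "$(build_filter "22 25 80-443" "194.1.0.0-194.1.255.255" 0)"
```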