fw monitor add-on - using tables in Checkpoint fw monitor capture tool
There is something I didn't include in the previous post, fw monitor command reference, because I consider it optional: you can do well without it. It is the use of tables when defining filter expressions. INSPECT, Checkpoint's proprietary scripting language on which fw monitor filter expressions are based, allows you to define tables. I won't delve into INSPECT syntax (for today) but will list the following examples, which you can easily modify to suit your needs.
Legend:
{} – delimit the table
<,> – delimit a range of values inside the table (e.g. <22,25> means from 22 up to 25 inclusive)
ifid – interface identifier
# fw monitor -e "bad_ports = static {22,25,443}; accept dport in bad_ports;"
packets with destination port equal to 22, 25 or 443
# fw monitor -e "bad_ports = static {<22,25>}; accept dport in bad_ports;"
packets with destination port equal to 22, 23, 24 or 25
# fw monitor -e "bad_ports = static {<22,25>,<80,443>}; accept dport in bad_ports;"
packets with destination port in the ranges 22-25 or 80-443
# fw monitor -e "bad_nets = static {<194.1.0.0,194.1.255.255>}; accept src in bad_nets;"
packets with a source address in the range 194.1.0.0 - 194.1.255.255
# fw ctl iflist
Here we can see the index value (ifid) of each interface:
0 : Internal
1 : External
# fw monitor -e "bad_nets = static {<194.1.0.0,194.1.255.255>}; accept src in bad_nets and ifid=0;"
packets with a source address in the range 194.1.0.0 - 194.1.255.255 and captured only on the interface with ifid 0 (Internal in the fw ctl iflist output above)
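To see what these filters select before running them on a gateway, here is an added example of my own (not Checkpoint code and not the INSPECT engine): a small Python model of the static-table syntax used above. It parses a `{...}` table body into inclusive ranges, checks which of a few constructed packet records (the IPs and ports are made up) a `field in table [and ifid=N]` filter would accept, and assembles the corresponding fw monitor command string. The inclusive-range behaviour and the field names src, dport and ifid are taken from the examples above; the command format is assumed to match them.

```python
import ipaddress
import re

# Constructed sample "packets" (not real captures): source IP, destination port,
# and the interface index the packet was seen on, mirroring the fields the
# filters above use (src, dport, ifid).
SAMPLE_PACKETS = [
    {"src": "194.1.10.7",  "dport": 22,   "ifid": 0},
    {"src": "10.0.0.5",    "dport": 24,   "ifid": 1},
    {"src": "194.1.200.1", "dport": 8080, "ifid": 1},
    {"src": "194.1.0.1",   "dport": 443,  "ifid": 0},
    {"src": "194.2.0.1",   "dport": 25,   "ifid": 0},
]


def to_int(token):
    """Turn a table element into a comparable integer: dotted quads become the
    32-bit address value, everything else is a plain port number."""
    token = token.strip()
    if "." in token:
        return int(ipaddress.IPv4Address(token))
    return int(token)


def parse_static_table(text):
    """Parse the body of a `static {...}` table as written in the fw monitor
    filters above into a list of inclusive (low, high) ranges.
    `22` becomes (22, 22); `<22,25>` becomes (22, 25); IPs work the same way."""
    m = re.fullmatch(r"\s*\{(.*)\}\s*", text)
    if not m:
        raise ValueError("table body must be enclosed in { }")
    ranges = []
    # Each element is either a <low,high> range or a single value.
    for rng, single in re.findall(r"<([^>]+)>|([^,\s<>]+)", m.group(1)):
        if rng:
            lo, hi = (to_int(x) for x in rng.split(","))
        else:
            lo = hi = to_int(single)
        if lo > hi:
            raise ValueError(f"range low bound above high bound: {rng}")
        ranges.append((lo, hi))
    return ranges


def in_table(value, ranges):
    """Model of `value in table`: true if value falls inside any element,
    with range bounds inclusive (so 25 is inside <22,25>)."""
    v = to_int(str(value))
    return any(lo <= v <= hi for lo, hi in ranges)


def matching_packets(packets, table, field, ifid=None):
    """Return the packets that `accept <field> in table [and ifid=N]` would
    let through. Local model only, not the gateway's INSPECT engine."""
    ranges = parse_static_table(table)
    return [
        p for p in packets
        if in_table(p[field], ranges) and (ifid is None or p["ifid"] == ifid)
    ]


def fw_monitor_command(name, table, field, ifid=None):
    """Assemble the fw monitor -e string for a table filter in the form shown
    above (assumed format; adjust to your gateway's INSPECT syntax)."""
    cond = f"{field} in {name}"
    if ifid is not None:
        cond += f" and ifid={ifid}"
    return f'fw monitor -e "{name} = static {table}; accept {cond};"'


if __name__ == "__main__":
    nets = "{<194.1.0.0,194.1.255.255>}"
    print(fw_monitor_command("bad_nets", nets, "src", ifid=0))
    for p in matching_packets(SAMPLE_PACKETS, nets, "src", ifid=0):
        print("would be captured:", p)
```

Running it prints the command for the last example above and the two constructed packets (source in 194.1.0.0/16, seen on ifid 0) it would capture; 194.2.0.1 falls just outside the range and is dropped, which is the kind of boundary worth checking before trusting a long capture.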