Sunday, January 29, 2017

Using "fw monitor" command is even easier than you think

Arguably, fw monitor is one of the most important troubleshooting tools for Check Point firewalls. It is flexible, extremely powerful and versatile. It is also one of the most frequently misused tools. There is a single compelling reason for both.

fw monitor uses INSPECT, an internal C-like language that Check Point uses to build its kernel-based security. The same language is used to define any object, action, protocol and even IPS protections. It is also a huge body of knowledge that Check Point has never shared in full.

Here is the conundrum. You can write extremely complex and very effective filters with fw monitor. The only condition is that you need an intimate knowledge of INSPECT. In other words, to do so, you have to be a Check Point developer.

There are some documents and references about fw monitor usage. There is a well-known long read from 2003, for example. The doc is compelling, very detailed and yet mostly useless in the field. Who would use an IP header offset to filter traffic, really? I have never done that in more than 17 years of working with CP FWs.

There is also the fantastically well written SK30583. It has a quite nice set of examples, a large list of filtering options and a very elaborate syntax explanation.

However, there is something even better. Imagine you are stuck in a datacenter dungeon, no internet access and some pressing matter to resolve. Where can you find a good reference to fw monitor syntax and options, if SecureKnowledge is not available, and your personal notes are at the office on your desk?

Well, you do not have to pull your hair out. You are working with Check Point FWs, remember? Just get on CLI and look into $FWDIR/lib/fwmonitor.def on one of the firewalls.

The file has a list of all the fw monitor macros you can use.

For example, remember my line from the previous post about kernel debug filters? Here it is:

fw ctl debug -e "accept host(;" 

Here I use the host macro, which automatically generates a filter for both source and destination IP addresses.

Now, this is how this macro is defined in the fwmonitor.def file:

#define host(_addr) (ip_src=(_addr) or ip_dst=(_addr))

Also, remember how annoying it is when your own SSH session creeps into the fw monitor output while you are trying to run a trace? Here is the no_term macro:

#define no_term ((not ssh) and (not telnet)) /* remote terminal */

And just in case you ever forget the rest of traffic filtering syntax, you can always look into $FWDIR/lib/tcpip.def file for reference.
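As an added illustration (not code from this post or from Check Point), here is a small expander that reads #define lines in the form used by fwmonitor.def and rewrites a filter such as accept host(...) and no_term; into the primitives it actually matches on. Only the two macro lines quoted above are included in the constructed sample; 10.1.1.1 is a placeholder address, and ssh and telnet stay unexpanded because their definitions live in tcpip.def, not in this sample.

```python
import re

# Constructed sample standing in for $FWDIR/lib/fwmonitor.def; only the two
# macros quoted in the post are included.
SAMPLE_DEF = """
#define host(_addr) (ip_src=(_addr) or ip_dst=(_addr))
#define no_term ((not ssh) and (not telnet)) /* remote terminal */
"""

DEFINE_RE = re.compile(r"^#define\s+(\w+)(?:\(([^)]*)\))?\s+(.*)$")


def parse_defs(text):
    """Return {name: (params, body)} from #define lines, C comments stripped."""
    macros = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line.strip())
        if not m:
            continue
        name, params, body = m.groups()
        body = re.sub(r"/\*.*?\*/", "", body).strip()
        macros[name] = ([p.strip() for p in params.split(",")] if params else [], body)
    return macros


def expand(expr, macros, depth=0):
    """Replace macro invocations in expr with their bodies until nothing changes."""
    if depth > 20:
        raise RecursionError("macro expansion too deep (self-referencing macro?)")

    def sub(m):
        name, args = m.group(1), m.group(2)
        if name not in macros:
            return m.group(0)  # primitive such as ip_src, ssh, telnet: keep as is
        params, body = macros[name]
        actual = [a.strip() for a in args.split(",")] if args else []
        if len(actual) != len(params):
            raise ValueError(f"{name} expects {len(params)} argument(s), got {len(actual)}")
        for p, a in zip(params, actual):
            body = re.sub(rf"\b{re.escape(p)}\b", lambda _: a, body)
        return body

    new = re.sub(r"\b(\w+)(?:\(([^()]*)\))?", sub, expr)
    return new if new == expr else expand(new, macros, depth + 1)


if __name__ == "__main__":
    # 10.1.1.1 is a placeholder address, not one taken from the post
    print(expand("accept host(10.1.1.1) and no_term;", parse_defs(SAMPLE_DEF)))
```

Pointing parse_defs at the real $FWDIR/lib/fwmonitor.def on a gateway shows what any filter you type really expands to before you trust its output.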

The author thanks Sergei Shir, Check Point SecureKnowledge content developer, for his dedicated work and references provided in the comments to the previous post in this blog.
