Saturday 26 January 2019

CP-The Difference Between ZDEBUG, FW MONITOR, And TCPDump

Ok.  I said a few days ago that I would write this post about the differences between these three commands.  Here it is.  I had a lot of info I wanted to put into this, but for the sake of just getting the info out there, I decided to just give the basics of the commands.  Just FYI, these three commands have been very helpful to me in troubleshooting.  And honestly, in the beginning of this, I could only tell you the difference between two of these three commands.  Now, it’s different and I hope this helps you as well.
FW CTL ZDEBUG is a CLI command for seeing dropped packets in real time on the firewall.  The drops can come from the Check Point application OR from the OS of the box.  From the application, this could mean the Rulebase, IPS, etc.  From the OS, this could mean packets dropped because a queue was full, etc.  ZDEBUG is especially helpful in determining the reason a packet was dropped, because some dropped packets simply do not show up in SmartView Tracker.
Below is an example of some dropped packets and the reasons:

;[cpu_9];[fw4_6];fw_log_drop_ex: Packet proto=6 157.216.110.162:36299 -> 64.25.9.4:23 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 10;
<-- This was dropped by the Check Point firewall rulebase.  The packet matched rule 10, which drops it.

;[cpu_10];[fw4_5];fw_log_drop_ex: Packet proto=6 195.88.209.216:51921 -> 64.25.9.22:33909 dropped by fw_handle_first_packet Reason: Geo Protection;
<-- Simple enough.  This packet is from Russia, which is blocked on this firewall.

fw ctl zdebug drop is the CLI command.  It prints every packet that is dropped, so you can pipe it through grep to cut the output down to the traffic you actually want to see.
fw ctl zdebug drop | grep 10.19.4.4    will show any dropped packet with a source or destination IP address of 10.19.4.4.
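As an added example (not from the original post), the shell functions below post-process saved `fw ctl zdebug drop` output: one summarises the drops by reason, the other filters to a host by exact IP match, which a bare grep for 10.19.4.4 cannot do because it also matches 10.19.4.40. The sample lines are constructed in the format shown above (the two quoted lines plus two more); the function names are my own.

```shell
#!/bin/sh
# Constructed sample of 'fw ctl zdebug drop' output (not from a real gateway):
# the two lines quoted above plus two more in the same format.
ZDEBUG_SAMPLE=';[cpu_9];[fw4_6];fw_log_drop_ex: Packet proto=6 157.216.110.162:36299 -> 64.25.9.4:23 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 10;
;[cpu_10];[fw4_5];fw_log_drop_ex: Packet proto=6 195.88.209.216:51921 -> 64.25.9.22:33909 dropped by fw_handle_first_packet Reason: Geo Protection;
;[cpu_3];[fw4_1];fw_log_drop_ex: Packet proto=17 10.19.4.4:40000 -> 10.19.4.10:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 10;
;[cpu_2];[fw4_0];fw_log_drop_ex: Packet proto=6 10.19.4.40:51000 -> 64.25.9.4:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;'

# drop_summary <zdebug text>
# Prints "count<TAB>reason", most frequent reason first.
drop_summary() {
    printf '%s\n' "$1" | awk -F'Reason: ' '
        NF == 2 {
            r = $2
            sub(/;[[:space:]]*$/, "", r)      # strip the trailing ";"
            n[r]++
        }
        END { for (r in n) printf "%d\t%s\n", n[r], r }' | sort -rn
}

# drops_for_host <zdebug text> <ip>
# Prints only drop lines whose source or destination IP equals <ip> exactly,
# unlike "grep 10.19.4.4", which also matches 10.19.4.40.
drops_for_host() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /fw_log_drop_ex/ {
            src = $0; sub(/.*Packet proto=[0-9]+ /, "", src); sub(/:.*/, "", src)
            dst = $0; sub(/.*-> /, "", dst); sub(/:.*/, "", dst)
            if (src == ip || dst == ip) print
        }'
}

# On a live gateway you would capture with: fw ctl zdebug drop | tee drops.txt
# and then run drop_summary "$(cat drops.txt)". Here we use the constructed sample.
drop_summary "$ZDEBUG_SAMPLE"
drops_for_host "$ZDEBUG_SAMPLE" 10.19.4.4
```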

FW MONITOR is a CLI command for capturing packets as they pass through the firewall in real time.  This command does not show dropped packets.  fw monitor allows you to capture packets at multiple capture positions within the FireWall-1 kernel module chain, for both inbound and outbound packets, so you can trace a packet through the different functions of the firewall.  The primary mode of troubleshooting would be to use something like the following to see packets with a source or destination of 29.27.7.2:
fw monitor -e "accept src=29.27.7.2 or dst=29.27.7.2;"    This will show you the stages that each packet with 29.27.7.2 as source or destination goes through.

Most of the time, you want to see the packet go all the way through the kernel.  Your command might look something like this:
fw monitor -e "accept host(29.27.7.2);"    This will show you the 4 stages that this particular IP goes through, and is most likely the form you will use the most.  You are basically looking at the view of the packet traversal shown below.  This will help you determine whether packets are coming through, and whether NAT and routing are working.

You can also expand this view with the -p all option, as shown below:
fw monitor -p all -e "accept host(29.27.7.2);"
You are basically looking at a multiple point view of the packet traversal through the firewall:


TCPDump is a CLI command that captures packets on an interface.  You see packets in real time as they hit the interface, but not as they pass through the firewall: you only see what crosses the interface you are capturing on.  This is similar to the way packet captures work on a Cisco ASA, or what you would see in Wireshark.  If you see a packet coming in on one interface but not going out another, you will probably need to run the fw monitor command to find out where it is failing.  If you suspect dropped packets, use the zdebug command.
tcpdump -i eth1 host 172.24.8.200     <---- Tells tcpdump to capture on eth1 for traffic to or from this host.
NOTES***
'tcpdump -i' captures traffic on a specific interface.
'tcpdump -e' displays source and destination MAC addresses.
CTRL+C stops 'tcpdump'.
By default, only the first 68 bytes of every packet are captured, unless the capture size is increased with the '-s' flag.  If the traffic is not encrypted, any passwords it carries are captured as well.

Friday 25 January 2019

Checkpoint - tcpdump and fw monitor

What’s the difference between tcpdump and fw monitor?

tcpdump displays traffic entering or leaving a firewall interface, while fw monitor also tells you how the packet is going through the firewall, including routing and NAT decisions.

Let’s dig deeper

FW MONITOR

It captures traffic at 4 important points in the firewall, namely i, I, o and O. You will see them in the capture in that sequence.
i – Pre-inbound, where the packet is first received on the interface. If you see only this, the packet was dropped by the anti-spoofing check or by the access rule.
I – Post-inbound, where the packet has passed inspection on the incoming interface. If you don’t see the next line in the capture after this at ‘o’, you can infer that it is a routing issue.
For both i and I the interface is the incoming one, where the packet enters the firewall.
o – Pre-outbound, where the packet arrives at the exit interface within the firewall. If this is the point beyond which the capture is not seen, you may need to check NAT.
O – Post-outbound. If you see this, you can be sure the packet has left the firewall and that the ACL, route and NAT are all working as expected.

fw monitor -e "accept src=10.1.1.201 or dst=10.1.1.201;" -o monitor2.out
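Added example, not from either post, covering the four inspection points described here and in the fw monitor section of the post above: a POSIX shell script that reads fw monitor output captured for one host, records which of the i/I/o/O positions appear, and applies the reasoning above to name the likely fault. The sample output is constructed (the line format `<iface>:<position>[<len>]: <src> -> <dst> (<proto>) ...` is assumed from how fw monitor prints), and the function names are assumptions.

```shell
#!/bin/sh
# Constructed fw monitor output (not a real capture) for one ICMP echo request
# from 10.1.1.201: it enters eth0, is NATed to 192.0.2.10 and leaves via eth1.
# Assumed line format: "<iface>:<position>[<len>]: <src> -> <dst> (<proto>) ..."
SAMPLE_OK='[vs_0][fw_0] eth0:i[60]: 10.1.1.201 -> 8.8.8.8 (ICMP) len=60 id=1
[vs_0][fw_0] eth0:I[60]: 10.1.1.201 -> 8.8.8.8 (ICMP) len=60 id=1
[vs_0][fw_0] eth1:o[60]: 192.0.2.10 -> 8.8.8.8 (ICMP) len=60 id=1
[vs_0][fw_0] eth1:O[60]: 192.0.2.10 -> 8.8.8.8 (ICMP) len=60 id=1'

# The same packet when the gateway has no route for 8.8.8.8: i and I only.
SAMPLE_NO_ROUTE='[vs_0][fw_0] eth0:i[60]: 10.1.1.201 -> 8.8.8.8 (ICMP) len=60 id=1
[vs_0][fw_0] eth0:I[60]: 10.1.1.201 -> 8.8.8.8 (ICMP) len=60 id=1'

# positions_seen <fw monitor text>
# Prints the inspection points present, always in i I o O order (e.g. "iI").
# Keyed on the position letter, not on addresses, because NAT rewrites the
# IPs between I and o.
positions_seen() {
    printf '%s\n' "$1" | awk '
        match($0, /[A-Za-z0-9._-]+:[iIoO]\[/) {
            seen[substr($0, RSTART + RLENGTH - 2, 1)] = 1   # letter before "["
        }
        END {
            out = ""
            for (k = 1; k <= 4; k++) { p = substr("iIoO", k, 1); if (seen[p]) out = out p }
            print out
        }'
}

# diagnose <positions>
# Maps the stages seen to the likely fault, following the reasoning above.
diagnose() {
    case "$1" in
        iIoO) echo "ok: packet left the firewall; rule, route and NAT all fine" ;;
        iIo)  echo "stopped after pre-outbound (o): check NAT" ;;
        iI)   echo "stopped after post-inbound (I): check routing" ;;
        i)    echo "stopped at pre-inbound (i): check the rulebase and anti-spoofing" ;;
        "")   echo "never seen by fw monitor: confirm arrival with tcpdump on the ingress interface" ;;
        *)    echo "unexpected stage sequence: $1" ;;
    esac
}

diagnose "$(positions_seen "$SAMPLE_OK")"
diagnose "$(positions_seen "$SAMPLE_NO_ROUTE")"
```

Run it on a capture taken with a host filter such as the -e expression above (fw monitor ... -o file, then positions_seen "$(cat file)"); with several hosts in one capture the positions would be merged and the verdict meaningless.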

###FW MONITOR Examples###
fw monitor -e 'accept host(192.168.1.12);'
    [Show packets with IP 192.168.1.12 as SRC or DST]
fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;'
    [Show all packets from 192.168.1.12 to 192.168.3.3]
fw monitor -pi ipopt_strip -e 'accept udpport(53);'
    [Show UDP port 53 (DNS) packets; the pre-inbound position is set to just before 'ipopt_strip']
fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);'
    [Show UDP traffic from or to unprivileged ports, post-outbound position only]
fw monitor -e 'accept host(192.168.1.12) and tracert;'
    [Show Windows traceroute (ICMP, TTL<30) from and to 192.168.1.12]
fw monitor -v 23 -e 'accept tcpport(80);'
    [Capture web traffic for VSX virtual system ID 23]
fw monitor -e 'accept ip_p=50 and ifid=0;'
    [Show all ESP (IP protocol 50) packets on the interface with ID 0. List interfaces and their IDs with fw ctl iflist]
srfw monitor -o output_file.cap
    [Capture traffic on a SecuRemote/SecureClient client into a file. srfw.exe is in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)]
fw monitor -m iIoO -e "accept dst=172.31.10.100;" | grep ICMP
    [Standard fw monitor on the destination, grepping for ICMP (ICMP in capitals matters here, as the output is in capitals)]
fw monitor -e 'accept ip_p=1;' -o ping.cap
    [Capture all ICMP (IP protocol 1) packets to ping.cap]
fw monitor -m iIoO -e 'accept (src=10.0.1.30 and dst=4.2.2.2) and [9:1] = 1;' -o output.cap
    [ICMP from 10.0.1.30 to 4.2.2.2; [9:1] is the IP protocol byte, 1 = ICMP]
fw monitor -m iIoO -e 'accept (src=10.0.1.30 or dst=10.0.1.30) and [9:1] = 1;' -o output.cap
    [ICMP to or from 10.0.1.30]
fw monitor -m iIoO -e 'accept (src=10.0.1.30 or dst=10.0.1.30) and not (sport=443 or dport=443);' -o output.cap
    [Everything to or from 10.0.1.30 except port 443; open this file in Wireshark]

fw monitor -m iIoO -e "accept (src=10.0.1.30 or dst=10.0.1.30);"    This is a good fw monitor to run, which will just output to the CPShell. The "-m iIoO" just means "monitor at the pre-(i)nbound, post-(I)nbound, pre-(o)utbound and post-(O)utbound positions".


TCPDUMP.

It captures at position i & O of firewall monitor, and you can be sure the traffic has left the firewall. This is similar to the way captures work on a Cisco PIX/ASA.

So, which one do you use?

Say you run tcpdump and see the incoming traffic but don’t see the traffic leaving the exit interface. You can guess it’s a routing or a NAT issue. But rather than wasting time digging through routes or NAT rules to be sure, you can run fw monitor and see exactly where the issue is.

Checkpoint Firewall commands

Command                                           Description
cphaprob stat                                     List cluster status
cphaprob -a if                                    List status of interfaces
cphaprob syncstat                                 Shows the sync status
cphaprob list                                     Shows a status in list form
cphastart / cphastop                              Starts / stops clustering on the specific node
cp_conf sic                                       SIC stuff
cpconfig                                          Config util
cplic print                                       Prints all the licensing information
cprestart                                         Restarts all Check Point services
cpstart                                           Starts all Check Point services
cpstop                                            Stops all Check Point services
cpstop -fwflag -proc                              Stops all Check Point services but keeps the policy active in the kernel
cpwd_admin list                                   List Check Point processes
cpstat -f all polsrv                              Show VPN Policy Server stats
cpstat                                            Shows the status of the firewall
fw tab -t sam_blocked_ips                         IPs blocked via SmartView Tracker (SAM)
fw tab -t connections -s                          Show connection stats
fw tab -t connections -f                          Show connections with IP instead of hex
fw tab -t fwx_alloc -f                            Show fwx_alloc with IP instead of hex
fw tab -t peers_count -s                          Shows VPN stats
fw tab -t userc_users -s                          Shows VPN stats
fw checklic                                       Check license details
fw ctl get int [global kernel parameter]          Shows the current value of a global kernel parameter
fw ctl set int [global kernel parameter] [value]  Sets the current value of a global kernel parameter. Temporary only; cleared after reboot.
fw ctl arp                                        Shows ARP table
fw ctl install                                    Install hosts internal interfaces
fw ctl ip_forwarding                              Control IP forwarding
fw ctl pstat                                      System resource stats
fw ctl uninstall                                  Uninstall hosts internal interfaces
fw logexport -o                                   Export current log file to ASCII file
fw fetch                                          Fetch security policy and install
fw fetch localhost                                Installs (on gateway) the last installed policy
fw hastat                                         Shows cluster statistics
fw lichosts                                       Display protected hosts
fw log -f                                         Tail the current log file
fw log -s <start> -e <end>                        Retrieve logs between times
fw logswitch                                      Rotate current log file
fw lslogs                                         Display remote machine log-file list
fw monitor                                        Packet sniffer
fw printlic -p                                    Print current firewall modules
fw printlic                                       Print current license details
fw putkey                                         Install authentication key onto host
fw stat -l                                        Long stat list, shows which policies are installed
fw stat -s                                        Short stat list, shows which policies are installed
fw unloadlocal                                    Unload policy
fw ver -k                                         Returns version, patch info and kernel info
fwstart                                           Starts the firewall
fwstop                                            Stops the firewall
fwm lock_admin -v                                 View locked admin accounts
fwm dbexport -f user.txt                          Export users (can also use dbimport)
fwm_start                                         Starts the management processes
fwm -p                                            Print a list of admin users
fwm -a                                            Adds an admin
fwm -r                                            Deletes an administrator