Packet Captures on Firewalls


If you have used Check Point for any period of time, you’ve probably run into the ‘fw monitor’ command which is a very useful troubleshooting tool in a variety of scenarios.

Basically, this command comes in handy when you’re troubleshooting any sort of network or firewall issue where you need a packet traced but want more visibility than tcpdump can give you about the flow of a packet through the whole firewall. The fw monitor will likely do the trick since it gives you far more visibility into each step that a packet takes through the firewall than a normal tcpdump would and it is not hindered by SecureXL being enabled.

Should you manage IT internally? Find out in this free guide.

An example would be a scenario where we look at any traffic to or from a particular host with a source port of 80.

fw monitor -e 'accept PROTO_tcp,dport=80 or sport=80,src= or dst=;' 

One of the benefits of the fw monitor command is that it will show you the traffic regardless of the interface it passes through, both before and after the firewall kernel as indicated by the following:

  Before the Security Gateway processes the packet in the inbound direction (i or PREIN)

  After the Security Gateway processes packet in the inbound direction (I or POSTIN)

  Before the Security Gateway processes the packet in the outbound direction (o or PREOUT)

  After the Security Gateway process the packet in the outbound direction (O or POSTOUT)


Of course, if you need layer 2 information (such as MAC addresses) you’ll still need to rely on tcpdump to get this information.

If you are a Check Point customer with a valid usercenter account and want more information about fw monitor, make sure you check out the following documentation:

SK41041 – the fw monitor command 

SK41059 - How to interpret fw monitor output files in Wireshark

To learn more about how we can help with your IT security needs, schedule a free assessment.

Hiring a technology solutions provider vs hiring internally