Check Point Firewall - fw monitor

Captions
Hi and welcome to my channel. My name is Magnus, and today I was going to talk about fw monitor. fw monitor is a capture tool from Check Point, and this is something that is installed by default on your gateways, and this is something that has existed in Check Point for a long, long time. This is not really CCSA, it's more like CCSE, but it's really good to be aware of how fw monitor works and how to make it easier, because fw monitor can be quite complicated. The fw monitor tool can capture traffic at different parts of the Check Point: it can do the inbound interface and the outbound interface, and both of them, and before specific modules. So if we check the administrator guide, we can see the fw monitor part in this one is quite large, and if you just glance at it, it's quite complicated. There are a lot of variables that you can enter for how to use this command, and you really need to, well, read it through if you want to use it in an efficient way. There's also a difference between the different versions that you're running on the gateways, so there's a new and an old way, and an issue with this new and old way is that it's not actually consistent.

So if we bring up the SK for fw monitor, and that's 3583, they say "basic". I wouldn't agree with basic, but let's go with it. Then you can see here there are a lot of warnings. For example, you can only run one instance of fw monitor at a time, and that's fine. The second part comes with SecureXL, and it's different depending on what version you're running. On newer versions like R80.40, all traffic will be monitored, but when it comes to R80.20 and R80.30 it's a bit complicated, and more or less it's stated here, so you need to make sure to have the correct Jumbo on your boxes. More or less, if you're running R80.40 the default behavior will be to monitor all traffic, so if you're running like R80.10, then you need to turn off SecureXL to be able to see all the traffic in fw monitor, and turning off SecureXL in production can be an issue, because the CPU load on the gateway will increase by a lot. SecureXL is about accelerating traffic and, more or less, limiting the amount of traffic that needs to be processed by the CPU.

When it comes to fw monitor you can also see the packets depending on where they are, and you have inspection points. In Check Point they are referred to as small i, big I, small o and capital O, and within the newer ones there are even more added, so for R80.30 and R80.40 you have more than these four, so you can see more of the firewall chain. When it comes to the filters that you can use in fw monitor, well, that's a lot, so it can be quite, well, advanced to really get the filters that you want, and I will show you things to help you. For example, Danny from the forum has made a fw monitor super tool; I was planning to show you that one. There's also tcpdump101.com, which has a filter generator where you can actually put things in on a website and get the filter that you desire. As I mentioned before, there is a difference between the versions, so this part, for example, is not valid for R80.30, which we're currently running. This is the new way to do the filters, but we need to use the old way, because the old way is for R80.30; for R80.40 this part is also included.

So I'm logged into my Windows 10 host, and I'm logged into user mode on gateway 1. Let's go into expert, and if I'm in expert mode I can actually type fw monitor right away. The problem with this one is that it will show a lot of things, and it will take all the traffic with no filters whatsoever. So Ctrl+C to stop this. If you just have this mumbo jumbo wrapping on your screen in a full production one, well, you will not find anything. Of course you can grep and so on and really find things, but the first thing is to start to use the filters. So one thing that we can start with is just to add -T for time, because all these lines don't have any timestamps; you don't know when it happens. So if we just do the -T and we see the traffic, now you can see that we have a timestamp. So let's take this one here: 13th of September 2020, 13:50:12. So all of this is actually the timestamp, then this part is the interface itself, and this is the inspection point. So this is small o, and small o is referring to here, before outbound Firewall VM, so this is before it leaves the machine. So if you want to follow a complete session, well, there are actually four types that you need to check: you need to find the small i, the big I, the small o and the big O. But this is not really enough to find stuff within a production network anyway, so let's add some more filters.

Then you can do fw monitor -T for the timestamps, and then you can add -e because we are on the older version, so to say. R80.20 actually has more functionality when it comes to fw monitor than R80.30, so, well. And then we can type accept host, and then we can put in the host IP of the machine that we want to check for, and in this case it will be our Windows 10 machine, so 192.168.1.50, and then put the parentheses around it, and we need to finish the command like this. Press enter, and here we see that the filter is applied. Keep in mind we haven't filtered on like source or destination, so we're still getting a lot of output. Well, let's fix this as well. For example, if you want to do an output to a file where it's easier to check, well, then we can just type -o and then the path, fwmon.cap. So here we get the stuff into a file instead, and you see here that's the number of lines that are in this file. So let's stop it. It's not possible to open it with cat and so on; you actually need to open it in something else, and a better option is to open it within Wireshark. So let's do clear. Ah, it took a while to get it to really stop. But let's download this one, so we have WinSCP here, and I'm actually logged in with the SCP user that we created in the previous video. Then we go to /var, so let's go into /var/log, and here we have our file. So if we try to download this one now, well, we actually get a failure, because it's not us that created the file: we created this with the admin user and I'm trying to download it with the SCP user. So you can do like this, and this is the quick and dirty way, so to say: you can do chmod 777, then /var/log and then the file, and this changes the permissions on the file. So let's try to download it again, and now I have downloaded it, and let's see if it contains anything. I have Wireshark on this one, so here you can see the file; it's a lot easier to read this, and then you can apply the filters in Wireshark to find the traffic that you want.

But how to make this easier? Well, first of all I can show you like this. There is a website called tcpdump101, and here you can actually have a tool for fw monitor, and here you can pick which is the original version or the new version. So we are on R80.30, and that's the original version, so currently you can see the command here, fw monitor -e, and then it checks only the accepted ones, and you can add more filters here. For example, we want to write it to a file, so we can type something like youtube, and here it will add the -o for the output, and it's better to do it in /var/log, like this, .cap, and you see here that the output has now changed. Keep in mind that special characters and so on may generate errors, so you need to make sure, if you put something in here, that you actually know what you're doing. You can be specific here: if you don't want to see everything, then you can pick which part, where you want to see the packets. We want to see it everywhere, and then you don't need to remove anything. Here you can add filters, so for example if you want to add a source or destination, so let's do like a source or host, then we can do our IP, and here you see the host, and this is source and destination. If we only want to do the source, for example, we need to change that, and we see how the command is actually changing here. So that's really good. This is a way to help you to write the correct fw monitor syntax. Of course, in an exam you need to know this, but this is a good way to practice how to fix it. And of course you can add more filters, so if you want to do ICMP only, it shows you how to do this. So let's test this: we skip the output and we only do this one, and we're only checking for ICMP. So copy, and back in our Windows host, paste. I think we need to do it like this. Let's try like this instead, and ICMP. Ah, that's working better. So let's do some ICMP instead, so cmd here and then ping google, and now I see the ICMP to google. So, well, it's not a hundred percent bulletproof, but at least you get the idea. And then Ctrl+C to abort it. So that was the website, so to say.

Let's clear this. If you want to do it the easiest way possible, well, check out this one: Danny has made something called the fw monitor super tool, and this is a one-liner to assist you to run fw monitor. More or less, copy-paste all this in expert mode. So we go into our Windows 10 host and paste all this mumbo jumbo; either you can just check it out or trust me that this is working perfectly, so just press enter. Here we get a guide where we can put in the IP address of what we want to check, and let's check for our host, 192.168.1.50, and we can of course add more things here. We can put in specific port numbers, so let's do 443 and port 80, and let's check for both TCP and UDP. Do we want to put it out somewhere? Well, let's skip that, but enter, and here you see the line that it wants to run. Do you want to execute this? Yes. Now it should only show you 443 and port 80. So let's do some web surfing, so we do like this, so we can see both. Open Google Chrome, and we see here already that we have traffic. One thing that I think Danny should add is the timestamp, but well. Let's go to YouTube, and we see traffic to a lot of strange IPs. If you want to stop this, well, just press Ctrl+C and it stops.

If you want to do this the best way possible, well, always do it to an output file, so you can do it in Wireshark and then you can check it, or if you do it like this, well, then use enough filters or use enough grep commands to figure out what you actually want. And I think that's it for the fw monitor part, at least a brief introduction on how to use it and how to make it easier for you to use, with the fw monitor super tool and this website to figure out how the filter should look. If you did enjoy this content, please comment, like and share the video, and just as a reminder, please make sure to check out the CheckMates community, so you can see the awesome new tools that the community is actually building together, so it makes your and my life easier to work with Check Point. And that's it. Thank you for watching, take care, hope to see you in the next one. Bye.
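As an added example that is not from the video, Danny's super tool or tcpdump101, here is a small POSIX shell helper that assembles the legacy -e filter line the video types by hand (host, optional ports, optional protocols, optional -o capture file, always with -T for timestamps). The function name fwmon_build and its input validation are my own assumptions; it only prints the command, so you can review it before running it in expert mode on a gateway.

```shell
#!/bin/sh
# Constructed example: build a legacy-syntax fw monitor command line.
# fwmon_build is a hypothetical helper, not a Check Point tool.
#
# Usage: fwmon_build HOST [PORTS] [PROTOS] [OUTFILE]
#   HOST    IPv4 address matched as source or destination via host()
#   PORTS   comma-separated list, e.g. "443,80", matched via port()
#   PROTOS  comma-separated list of tcp, udp, icmp
#   OUTFILE if set, add -o OUTFILE so the capture can be opened in Wireshark
fwmon_build() {
    host=$1; ports=$2; protos=$3; out=$4
    filter="host($host)"

    # Ports: only digits are accepted, since stray characters in the
    # filter expression make fw monitor reject the whole command.
    if [ -n "$ports" ]; then
        expr=""
        for p in $(printf '%s' "$ports" | tr ',' ' '); do
            case "$p" in
                *[!0-9]*|"") echo "bad port: $p" >&2; return 1 ;;
            esac
            expr="${expr:+$expr or }port($p)"
        done
        filter="$filter and ($expr)"   # e.g. (port(443) or port(80))
    fi

    # Protocols: restrict to the three macros the filter language offers here.
    if [ -n "$protos" ]; then
        expr=""
        for pr in $(printf '%s' "$protos" | tr ',' ' '); do
            case "$pr" in
                tcp|udp|icmp) ;;
                *) echo "bad protocol: $pr" >&2; return 1 ;;
            esac
            expr="${expr:+$expr or }$pr"
        done
        filter="$filter and ($expr)"   # e.g. (tcp or udp)
    fi

    # -T adds the timestamps that plain fw monitor output lacks;
    # the legacy expression must be terminated with a semicolon.
    cmd="fw monitor -T -e \"accept $filter;\""
    [ -n "$out" ] && cmd="$cmd -o $out"
    printf '%s\n' "$cmd"
}

# Demo: the host, ports and protocols used in the video.
fwmon_build 192.168.1.50 443,80 tcp,udp /var/log/fwmon.cap
```

A capture written with -o is only readable by the user who created it; for the WinSCP download the video does, chmod 644 on the .cap file is enough and avoids making the file world-writable.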
Info
Channel: Magnus Holmberg
Views: 6,238
Keywords: check point software, cyber security, ccsa, ccse, checkpoint, check point, network, secuirty, firewall, checkpoint training, r80, r80.40, checkpoint firewall, checkpoint firewall training videos, next generation firewall
Id: ztFbgHUjEdo
Length: 15min 22sec (922 seconds)
Published: Sun Sep 13 2020