CheckPoint firewall Packet Inspection stages using FW monitor & TCPDUMP Tools. FW monitor vs TCPDUMP

Captions
Hello, welcome to my channel Firewall Gyaan. I'm going to discuss a very important topic today, which is Check Point firewall packet troubleshooting. Let's understand what the inbound packet flow is. When a packet arrives at the security gateway, the packet is intercepted by the NIC (network interface card) on the inbound side. Once the packet is intercepted by the NIC, the firewall kernel inbound chain begins inspecting the packet. Once the packet is matched against the rule base, a log is generated and sent from the kernel to the user mode process, which is the fwd process. The fwd process is located at the gateway. The fwd process on the security gateway sends the logs to fwd on the management server, and finally the logs are forwarded to the fwm process via the cpd process. The fwm process sends the logs to the relevant SmartConsole applications such as SmartLog. Also please note that at the same time, depending on the routing decision made by the operating system (except for specific scenarios such as VPN routing), the packet is routed to a selected NIC, but the packet must go through the firewall kernel again, only this time through the outbound chain, to the appropriate NIC and on to the network.

Now let's understand the built-in tools available to see the various stages where a packet resides when the packet flows through the firewall. You can use tcpdump and fw monitor, which are built-in tools available inside the Check Point firewall gateways and the management server.

Let's understand fw monitor. fw monitor gives you the packet stages with the help of inspection points, as shown on the screen. When a packet arrives at the inbound, or in other words hits the firewall on the inbound interface, fw monitor shows you the notation small i. This stage we refer to as pre-inbound as well. Also note that packet decryption also takes place at this stage. Number two: when the packet enters the firewall and is verified against the policy, fw monitor gives you the notation big I. This stage we also refer to as post-inbound. Number three: when the packet passes from the NAT policy inspection, or NAT table, fw monitor shows or gives you the notation small o. This stage is also referred to as pre-outbound. Number four: when the packet passes after the routing process, fw monitor shows you the big O notation. This stage is also called post-outbound. Steps five and six are for VPN or encrypted packets in the outbound direction. For example, when a packet needs to be encrypted, at the pre-encrypt stage fw monitor shows small e, and once the packet is encrypted, fw monitor shows the big E notation.

Below are a few advantages of fw monitor over tcpdump. Number one: fw monitor gives you the entire flow of the packet all the way through the firewall. Number two: it helps to diagnose drops, NAT-related issues, or routing-related issues. Number three: fw monitor commands are very easy to enter. You can refer to the available simulated filter captures to generate the syntax of fw monitor. fw monitor simulators are available freely on the web; you can go to those sites and, you know, run those commands, I mean you can get the commands as per your requirement just by putting the necessary details there. I'll be putting the details of those simulators in the description bar; just refer to them and use that utility for your fw monitor command generation. You can easily filter with fw monitor if you need to do any sort of troubleshooting, so taking a packet capture using fw monitor is very easy. It is also possible to see the fw monitor packet stages using Wireshark. You just have to refer to the steps shown on the screen and follow the steps to get Wireshark to also display the fw monitor stages. Please pause the video here, jot down the steps, and run similar steps in Wireshark.

How does fw monitor help to troubleshoot your issues? Let's understand that. As we have seen the basics of the inbound/outbound chain model, let's consider that you have to run fw monitor commands to troubleshoot some issue, and fw monitor gives you only the notation small i after running the command. In such a situation you have to consider the below. As we discussed, we know the firewall kernel sits between notation small i and big I. If you're seeing small i, then you have to check if the firewall is dropping the connection, or if an inappropriate NAT statement is causing any issue, or, if you have a VPN configured and the packets are from the VPN tunnel, then you have to check if the VPN connections are changing, or if the IP is getting filtered. If you are seeing only little i and big I, then the packet isn't passing to pre-outbound; it means the packet is either getting lost at the routing table or in any applications of the firewall. And lastly, if you see little i, big I, little o, but no big O, the outbound kernel is dropping that packet; you have to consider whether changing the IP for NAT or a VPN is causing the issue.

All right, below are a few fw monitor command syntaxes. If you want to know more and the detailed options of fw monitor, please check sk30583, and you will get a lot of details on fw monitor commands, their syntax, and their options.

Why tcpdump? We all know, and in almost all situations for troubleshooting, we use tcpdump. The advantage of tcpdump over fw monitor is that tcpdump gives you visibility of the packet at layer 2. You can see MAC and ARP information, which you don't see when you run fw monitor. So during troubleshooting you need to run tcpdump as well, so that your troubleshooting gives you more details. Below are a few important commands and the syntax for tcpdump.

So if you find this information relevant to you, let me know by commenting, and I will see you in the next video. Thank you.
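The triage rules the speaker walks through (only small i: inbound kernel drop, NAT or VPN; i and I only: routing or a gateway application; i, I, o but no O: outbound kernel drop) can be applied mechanically to an fw monitor text capture. The script below is an added example, not code from the video or from Check Point; it assumes fw monitor's per-packet header line looks like `eth1:i[52]: 10.1.1.10 -> 10.2.2.20 (TCP) len=52 id=1` (optionally prefixed with `[vs_N][fw_N]`), which is an approximation of the real format that may need adjusting for your version, and the capture lines and addresses in `SAMPLE` are constructed for the demonstration.

```python
"""Group fw monitor capture lines by flow, collect the inspection points
(i, I, o, O, e, E) each flow reached, and map the result to the
troubleshooting hints from the video. Added example; the line format is
an ASSUMPTION about fw monitor's text output, not a documented format."""
import re
from collections import defaultdict

# ASSUMED header-line shape, e.g.
#   "[vs_0][fw_1] eth1:i[52]: 10.1.1.10 -> 10.2.2.20 (TCP) len=52 id=1"
# The "[vs_N][fw_N]" prefix is optional (VSX / CoreXL instances).
LINE_RE = re.compile(
    r"^(?:\[vs_\d+\]\[fw_\d+\]\s*)?"
    r"(?P<iface>\S+):(?P<point>[iIoOeE])\[\d+\]:\s*"
    r"(?P<src>\S+)\s*->\s*(?P<dst>\S+)\s*\((?P<proto>\w+)\)"
)


def parse_capture(text):
    """Return {(src, dst, proto): set of inspection points seen}.
    Continuation lines such as "TCP: 50000 -> 443 .S...." do not match
    LINE_RE and are ignored."""
    flows = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows[(m["src"], m["dst"], m["proto"])].add(m["point"])
    return dict(flows)


def triage(points):
    """Translate the set of inspection points for one flow into the
    hint the video gives for that pattern."""
    points = set(points)
    if "e" in points and "E" not in points:
        return "entered VPN pre-encrypt (e) but never encrypted (E): check the tunnel"
    if "O" in points:
        return "full path (i, I, o, O): packet left the gateway"
    if points == {"i"}:
        return ("stopped between i and I: inbound kernel dropped it; check the rule "
                "base, NAT statements, or VPN (tunnel state, filtered IP)")
    if points == {"i", "I"}:
        return ("passed inbound kernel but never reached o: lost at the routing "
                "table or in a gateway-side application")
    if points == {"i", "I", "o"}:
        return ("reached pre-outbound but not O: outbound kernel dropped it; "
                "check NAT or VPN address changes")
    return "unusual combination %s: compare against the inbound/outbound chain" % sorted(points)


def triage_capture(text):
    """Convenience wrapper: flow -> hint for a whole capture."""
    return {flow: triage(pts) for flow, pts in parse_capture(text).items()}


# Constructed sample capture: one healthy flow, one dropped at the inbound
# kernel, one that never reached the outbound chain.
SAMPLE = """\
[vs_0][fw_1] eth1:i[52]: 10.1.1.10 -> 10.2.2.20 (TCP) len=52 id=1
TCP: 50000 -> 443 .S.... seq=1 ack=0
[vs_0][fw_1] eth1:I[52]: 10.1.1.10 -> 10.2.2.20 (TCP) len=52 id=1
[vs_0][fw_1] eth2:o[52]: 10.1.1.10 -> 10.2.2.20 (TCP) len=52 id=1
[vs_0][fw_1] eth2:O[52]: 10.1.1.10 -> 10.2.2.20 (TCP) len=52 id=1
[vs_0][fw_1] eth1:i[60]: 10.1.1.11 -> 10.3.3.30 (TCP) len=60 id=2
[vs_0][fw_1] eth1:i[84]: 10.1.1.12 -> 10.4.4.40 (ICMP) len=84 id=3
[vs_0][fw_1] eth1:I[84]: 10.1.1.12 -> 10.4.4.40 (ICMP) len=84 id=3
"""

if __name__ == "__main__":
    for flow, hint in triage_capture(SAMPLE).items():
        print("%s -> %s (%s): %s" % (flow[0], flow[1], flow[2], hint))
```

Feed it the text output of an `fw monitor` run (or `fw monitor` redirected to a file) and read the hint per flow; because fw monitor shows nothing below layer 3, a flow that never even reaches small i still has to be checked with tcpdump for the MAC and ARP details the speaker mentions.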
Info
Channel: Firewall Gyaan
Views: 861
Keywords: Checkpoint, trainings, education
Id: bmCotAR_vyQ
Length: 13min 41sec (821 seconds)
Published: Fri Sep 17 2021