Tcpdump displays traffic coming or leaving to/from a firewall interface while fw monitor would also tell you how the packet is going through the firewall including routing and NAT decisions.
Let’s get deeper
FW MONITOR
It captures traffic at 4 important points in the firewall namely i, I, o & O. You would see them in the capture in the same sequence.
i – Preinbound, just where the packet is received on the interface. If you see only this then the packet is dropped by address spoofing or the access rule.
I – Postinbound, where the packet has gone across the incoming interface. If you don’t see the next line in capture after this at ‘o’, you could infer that it’s a routing issue.
For both i & I the interface is the incoming, where the packet enters the firewall.
o – Preoutbound, the place where the packet is received at the exit interface within the firewall. If this is the point beyond which the capture is not seen, then you may need to check NAT.
O- Postoutbound, If you see this then make you are sure that the packet has left the firewall and the ACL, route and NAT all are working as expected.
fw monitor -e "accept src=10.1.1.201 or dst=10.1.1.201;" -o monitor2.out
TCPDUMP.
It captures at position i & O of firewall monitor, and you can be sure the traffic has left the firewall. This is similar to the way captures work on a Cisco PIX/ASA.
So, which one you use ?
Consider you run tcpdump and see the incoming traffic but don’t see the traffic leaving the exit interface. You can guess it’s a routing or a NAT issue. But to make a sure shot without wasting time by looking in routes or the NAT rules you could run fw monitor and know what the issue is.
Excellent nice and clear information
ReplyDeleteWhat Is The Packet Flow Of Checkpoint Firewall? Could you please explain ?
ReplyDelete1) SAM DB
Delete2) Anti spoofing
3) Session Lookup
4) Policy lookup
5) D.Nat
6) Route lookup
7) S.Nat
8) Utm/L7
9) VPN
10) Session Creation
11) Routing