FW Monitor
From FrogspawnWiki
In a network world you might set up a SPAN port on a switch and hook Wireshark or your network analyser of choice up to it, but Check Point firewalls have a built-in utility that can do that capturing: fw monitor.
fw monitor operates at the Virtual Machine layer of a Check Point firewall, so it can capture traffic both before and after the fw1 process sees it, in both the inbound and outbound directions.
What follows is an overview of how I use fw monitor to perform captures on the firewalls that I manage. I have included some example filter files, as I feel these are the best way to filter a capture.
We start with a concept that is important to keep in mind when dealing with fw monitor: the FW1 inspection chain.
The FW1 Chain
An important concept for fw monitor is the FireWall-1 chain.
A packet travelling through the firewall module is seen by fw monitor at four different points:
- pre-inbound - as it enters the firewall module's ingress interface
- post-inbound - after fw1 first inspects the packet in the inbound direction but before the routing process
- pre-outbound - after the routing process but before fw1 inspects the packet in the outbound direction
- post-outbound - as the packet exits the egress interface of the firewall module
fw monitor denotes these positions in the fw1 chain using the following masks:
| mask value | chain position |
|---|---|
| i (lowercase indigo) | pre-inbound |
| I (uppercase INDIGO) | post-inbound |
| o (lowercase oscar) | pre-outbound |
| O (uppercase OSCAR) | post-outbound |
These masks are used for defining capture masks, and are also present in the capture output.
Command Syntax
fw monitor [-u|s] [-i] [-d] [-D] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask]
[-x offset[,len]] [-o <file>] <[-pi pos] [-pI pos] [-po pos]
[-pO pos] | -p all > [-a] [-ci count] [-co count] [-vs vsid or vsname]
There are plenty of options you can give fw monitor to modify what it captures and outputs; these are some of the more useful and common ones:
- -o <file> specifies an output file to which fw monitor will write the capture in pcap format.
- -e <filter pattern> specifies a filter pattern for the capture (see Filtering below).
- -f <filter-file> specifies a filter file to use (see Filtering below).
- -m <mask> specifies the positions in the fw1 chain at which you want to capture packets.
- -ci <count> ends the capture after <count> inbound packets have been captured.
- -co <count> ends the capture after <count> outbound packets have been captured.
If you run fw monitor without the -o <file> option, the firewall captures all packets passing through the module that match the current filter (or all packets if no filter is given) and prints header details to your terminal; what is shown varies with the packet's protocol:
- For ICMP you'll see the interface the packet was captured on, the position of the packet in the chain, the source and destination addresses, and the ICMP type and code.
- For UDP you'll see the interface, the position of the packet in the chain, and the source and destination addresses and port numbers.
- For TCP you'll see the interface, the position of the packet in the chain, the source and destination addresses and port numbers, and the TCP flags of the packet.
If you use the -o option to output to a capture file you won't see the captured packets in real-time, but you will be given a count of the number of captured packets.
Filtering
When you run a capture you don't typically want to see all the data going through the firewall; you'll want to focus on a specific subset of that traffic. fw monitor has two options for filtering: you can either specify the filter on the command line, or you can create a filter file that defines the filter. Specifying it on the command line is quicker when filtering on a single host; for a range of hosts, or more complex filtering, a filter file is better.
Command Line
For simple captures, where I want to see all traffic to/from a certain host, it's quickest to use the command line.
So say I want to see all traffic to/from 10.1.1.5, I can use this command line:
fw monitor -e "accept src=10.1.1.5 or dst=10.1.1.5;"
To save the capture to a file, add the -o option.
Filter File
As mentioned above, it is possible to filter a capture without using a filter file, but if you want to go beyond basic filtering the command line can quickly become complicated. Worse, every time you want to re-run that filter you'll have to enter the whole filter string again.
The use of a filter file can make it easier to specify more complicated capture filters, and it will be possible to re-use the filter file to run the same capture at a later date.
Examples
A few examples follow; any of these could be saved into a text file (the .pf extension is usual) and used with the -f option as a filter file.
Single IP
This filter captures all packets with a source or destination IP of 10.1.1.5.
#define src ip_src
#define dst ip_dst
#define sport th_sport
#define dport th_dport
#include "tcpip.def"
interesting = { 10.1.1.5 };
accept ((src in interesting) or (dst in interesting));
IP Range
This filter captures any packet that has a source or destination IP in the 10.1.1.0/24 range.
#define src ip_src
#define dst ip_dst
#define sport th_sport
#define dport th_dport
#include "tcpip.def"
interesting = { <10.1.1.0, 10.1.1.254> };
accept ((src in interesting) or (dst in interesting));
Two Hosts
This filter captures all traffic between two hosts, here 10.1.1.3 and 10.1.2.4 (both source and destination must be in the set).
#define src ip_src
#define dst ip_dst
#define sport th_sport
#define dport th_dport
#include "tcpip.def"
interesting = { 10.1.1.3, 10.1.2.4 };
accept ((src in interesting) and (dst in interesting));
Usage
Place your capture filter into a text file; in this example that file is called filter.pf. To apply the filter, use the -f flag:
fw monitor -f filter.pf
You can also use the -o flag, as above, to save the output directly to a capture file:
fw monitor -f filter.pf -o capture.cap
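Writing these filter files by hand is fine for one host, but for a list of hosts or a CIDR block it is easy to get the INSPECT set syntax wrong. The following is an added example, not code from the original page or from Check Point: it generates .pf files in exactly the form shown above (the cidr_to_range helper and the monitor_command builder are my own additions, and the range conversion assumes you want the whole block including its last address).

```python
import ipaddress

# Constructed to match the hand-written filter files above: the four
# #define lines and the tcpip.def include that every example starts with.
PF_HEADER = (
    "#define src ip_src\n"
    "#define dst ip_dst\n"
    "#define sport th_sport\n"
    "#define dport th_dport\n"
    '#include "tcpip.def"\n'
)


def cidr_to_range(cidr):
    """Turn a CIDR block into the (first, last) pair that INSPECT's
    <first, last> range syntax expects (last = the block's final address)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def filter_file(hosts=(), ranges=(), between=False):
    """Return the text of a .pf file whose 'interesting' set holds the given
    hosts and (first, last) ranges.  By default a packet matches when its
    source OR destination is in the set; between=True requires BOTH ends to
    be in the set, which is the 'Two Hosts' form above."""
    # ip_address() raises ValueError on a typo, so a bad filter fails here
    # rather than silently capturing nothing on the firewall.
    members = [str(ipaddress.ip_address(h)) for h in hosts]
    members += [f"<{first}, {last}>" for first, last in ranges]
    if not members:
        raise ValueError("filter needs at least one host or range")
    op = "and" if between else "or"
    return (PF_HEADER
            + "interesting = { " + ", ".join(members) + " };\n"
            + f"accept ((src in interesting) {op} (dst in interesting));\n")


def monitor_command(filter_path, out=None, mask=None, ci=None, co=None):
    """Assemble the fw monitor argument list for a filter file, using the
    -f, -m, -ci, -co and -o options described on this page."""
    if mask and not set(mask) <= set("iIoO"):
        raise ValueError("mask may only contain the chain positions i, I, o, O")
    argv = ["fw", "monitor", "-f", filter_path]
    if mask:
        argv += ["-m", mask]
    if ci is not None:
        argv += ["-ci", str(ci)]
    if co is not None:
        argv += ["-co", str(co)]
    if out:
        argv += ["-o", out]
    return argv
```

Write the string returned by filter_file to a .pf file on the firewall and run the argument list from monitor_command; capturing with -m iO gives one pre-inbound and one post-outbound copy per packet rather than four.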
Viewing a Capture File in Wireshark
If you've captured to a file (using the -o option), that capture can be viewed using a network protocol analyser such as Wireshark. Note however that you may see each packet up to four times (once for each position in the fw1 chain), depending on your capture filters. Wireshark can be configured to understand this and to filter on the packet's position in the fw1 chain at the time it was recorded; however, it will still consider the copies at the different chain positions to be duplicates and will flag them as such.
Enabling FW1 Decoding
- Open up Wireshark and go to Edit > Preferences (or hit Shift+Ctrl+P).
- Expand the Protocols tree and scroll down to click on Ethernet.
- You'll see a tickbox labelled "Attempt to interpret as FireWall-1 monitor file"; enable it.
Display filters
Once Wireshark is configured to decode fw monitor output it will give you these display filter fields:
- fw1.direction allows you to filter on the fw1 chain mask.
- fw1.interface allows you to filter on the firewall interface.