Checkpoint Logs from Command Line

skywalker101
Hi,

Is it possible to see if connections are being dropped by a rule on the firewall by using the command line? I have a fw which does not have access via SCS, but I have access via SSH.

Will a tcpdump command work to filter for traffic?

I am running Checkpoint on Nokia with IPSO 4.2.
Sadly, the CP logs are proprietary, and trying to read them via the CLI is pretty hard to understand.

However, what you can do, is run a quick and dirty debug command to see what packets are indeed being dropped.

Run:
fw ctl zdebug drop > drops.txt

After the traffic has been sent to the firewall, use Ctrl-C to stop the debug and then view the resulting drops.txt file.

This basically creates an entry for every single packet that the firewall drops, i.e. anti-spoofing, firewall rule, etc. It's not a great solution, but it does allow a quick view of what is being dropped.

Note, depending on how busy your firewall is, this can impact performance so use with caution.

As an aside, the tcpdump traffic will only show traffic hitting the interfaces, not what the firewall does with it when it gets there, sadly.

HTH
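Reading a raw drops.txt by eye gets tedious once the debug has run for more than a few seconds. The script below is an added example, not part of the answer above or of any Check Point tooling: it parses a drops file and summarises the drops by reason, by flow and by rule number. The sample lines embedded in it are constructed, and the line layout they assume (`Packet proto=N src:port -> dst:port dropped by <function> Reason: <text>`) is an assumption about the `fw ctl zdebug drop` output format, which varies between Check Point versions; adjust DROP_RE to whatever your own drops.txt actually contains.

```python
import re
import sys
from collections import Counter

# Constructed sample of what a drops.txt captured with
# "fw ctl zdebug drop > drops.txt" might contain. The exact format is an
# assumption; real output differs between Check Point versions.
SAMPLE_DROPS = """\
;[cpu_0];[fw4_0];fw_log_drop: Packet proto=6 192.0.2.10:51234 -> 198.51.100.5:22 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_0];[fw4_0];fw_log_drop: Packet proto=17 192.0.2.10:5353 -> 198.51.100.255:5353 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_1];[fw4_1];fw_log_drop: Packet proto=6 203.0.113.7:44321 -> 198.51.100.5:443 dropped by fw_antispoof_log Reason: Address spoofing;
;[cpu_1];[fw4_1];fw_log_drop: Packet proto=1 192.0.2.11:0 -> 198.51.100.5:0 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 3;
;[cpu_0];[fw4_0];some unrelated debug line that is not a drop record;
"""

# Assumed layout of one drop record (see lead-in); anything that does not
# match is skipped rather than guessed at.
DROP_RE = re.compile(
    r"proto=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"dropped by (?P<func>\S+)\s+Reason:\s*(?P<reason>[^;]+)"
)
RULE_RE = re.compile(r"\brule (\d+)\b")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_drops(text):
    """Return one dict per recognised drop line; unparseable lines are ignored."""
    records = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        proto = int(d["proto"])
        reason = d["reason"].strip()
        rule = RULE_RE.search(reason)
        records.append({
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "func": d["func"],
            "reason": reason,
            # Rule number when the reason names one, else None (e.g. anti-spoofing).
            "rule": int(rule.group(1)) if rule else None,
        })
    return records


def summarize(records):
    """Count drops by reason text and by (src, dst, proto, dport) flow."""
    by_reason = Counter(r["reason"] for r in records)
    by_flow = Counter((r["src"], r["dst"], r["proto"], r["dport"]) for r in records)
    return by_reason, by_flow


def rule_drops(records, rule_number):
    """Drops attributed to one rulebase rule, for checking a suspected rule."""
    return [r for r in records if r["rule"] == rule_number]


if __name__ == "__main__":
    # Usage: python drops_summary.py drops.txt   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DROPS
    recs = parse_drops(text)
    by_reason, by_flow = summarize(recs)
    print(f"{len(recs)} drop records parsed")
    print("\nBy reason:")
    for reason, n in by_reason.most_common():
        print(f"  {n:6d}  {reason}")
    print("\nTop flows:")
    for (src, dst, proto, dport), n in by_flow.most_common(10):
        print(f"  {n:6d}  {src} -> {dst} {proto}/{dport}")
```

Because the debug output is per packet, not per connection, one blocked TCP session typically shows up as several records with the same flow tuple; the by-flow counter collapses those so you can see which source/destination pairs are actually being refused, and `rule_drops` lets you confirm whether the rule you suspect is the one doing it.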
