Check Point Quick Reference – FW Monitor


FW Monitor is a built-in firewall tool which needs no separate install on the device you wish to capture packets and interrogate connections. It is a functionality provided with the installation of the FW-1 package and syntax is also identical across all FW-1 installations. FW Monitor allows for sampling the connection from 4 different points in the firewall, can show NAT assignments or see if routing is working right. FW Monitor happens at the kernel level, but is not a packet capture tool like tcpdump, and is only useful if SecureXL is turned off.

FW Monitor allows you to capture packets at multiple capture positions within the FW-1 kernel module chain; both for inbound and outbound packets. This enables you to trace a packet through the different functionalities of the firewall:

[Expert@FIREWALL-1]# fw ctl chain
in chain (9):
          0: -7f800000 (ca8d9698) IP Options Strip (ipopt_strip)
          1: - 2000000 (cb1c1c64) vpn decrypt (vpn)
          2: - 1fffff6 (ca8da0f8) Stateless verifications (asm)
          3: - 1fffff0 (cb1c17f0) vpn decrypt verify (vpn_ver)
          4: - 1000000 (ca8eb688) SecureXL connection syn (secxl_sync)
          5: 0 (ca8aa0c0) fw VM inbound (fw)
          6: 2000000 (cb1c2aa0) vpn policy inbound (vpn_pol)
          7: 10000000 (ca8eb728) SecureXL inbound (secxl)
          8: 7f800000 (ca8d98e4) IP Options Restore (ipopt_res)
out chain (8):
          0: -7f800000 (ca8d9698) IP Options Strip (ipopt_strip)
          1: - 1ffffff (cb1c16fc) vpn nat outbound (vpn_nat)
          2: - 1f00000 (ca8da0f8) Stateless verifications (asm)
          3: 0 (ca8aa0c0) fw VM outbound (fw)
          4: 2000000 (cb1c26e0) vpn policy outbound (vpn_pol)
          5: 10000000 (ca8eb728) SecureXL outbound (secxl)
          6: 20000000 (cb1c2164) vpn encrypt (vpn)
          7: 7f800000 (ca8d98e4) IP Options Restore (ipopt_res)
  • pre-inbound inspection ( i )
  • post-inbound inspection ( I )
  • pre-outbound inspection ( o )
  • post-outbound inspection ( O )

Limitations of fw monitor:

fw monitor operates above layer 2 and does not include mac address information – cant see ARP messages.
tcpdump can see layer 2 ARP messages

Unlike other pcap utilities, fw monitor can’t show layer-2 or lower protocol information (datalink & physical layers). The NIC strips the layer-2 info before pushing the packet to VPN-1/FW-1. However, fw monitor can, show the packet at different inbound and outbound capture points along the way. Before attempting to troubleshoot an issue using fw monitor, make sure that layer-2 traffic flow is functioning as it should. If a layer-2 issue is suspected, tcpdump can be used to check the flow at layer-2. For more on tcpdump click here.

Misconfigured Proxy ARP is an example of a problem that fw monitor simply cannot solve. If hosts are not transmitting the frames to the firewall’s NIC, VPN-1/FW-1 will never inspect the packet and fw monitor will never provide any lines of decode to analyze. However, tcpdump can capture traffic not transmitted directly to the firewall’s NIC and can display the incorrect hardware addressing.

Syntax for fw monitor:

fw monitor [-u|s] [-i] [-d] [-D] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]] [-o ] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all > [-a] [-ci count] [-co count] [-vs vsid or vsname]

The easiest way to use fw monitor is to invoke it without any parameter “fw monitor”. This will output every packet from every interface that passes (or at least reaches) the enforcement module. However, nobody uses this in high traffic environments, and it is much smarter to filter it down a bit. NOTE: Break sequence = ctrl+c to stop fw monitor from capturing packets.

Capture Masks:

Capture traffic from a host:

fw monitor -e “accept src=xx.xx.xx.xx;”

Write output to file [-o ]

fw monitor –o monitor.pcap -e “accept src=xx.xx.xx.xx;”

Capturing all traffic to or from a host

fw monitor -e “accept src=xx.xx.xx.xx or dst=xx.xx.xx.xx;”

Capture http traffic

fw monitor -e “accept sport=80 or dport=80;”

Capture all port 80 traffic to AND from source and dest hosts (the / character implies a line break)

fw monitor -e “accept src=NATIVE-xx.xx.xx.xx and dst=NAT-xx.xx.xx.xx and
sport=80 ; \
accept src=NAT-xx.xx.xx.xx and dst=NATIVE-xx.xx.xx.xx and
dport=80) ;”


View traffic for virtual system with ID . Attn: with fw monitor use -v instead of -vs

fw monitor -v  -e 'accept;'

Capture web traffic for VSX virtual system ID 3

fw monitor -v 3 -e 'accept tcpport(80);'

The capture point in the decode is the most import feature of fw monitor troubleshooting purposes. VPN-1/FW-1, compares (runs it thru INSPECT engine) network traffic against its policy and state tables when the packet is received (inbound) as well as immediately before the packet is transmitted (outbound). The four primary capture points correspond to points immediately before and after the VPN-1/FW-1 inspection points. If we see that a packet was captured only prior to an inspection but not after and inspection, we can conclude that some aspect of firewall policy is the cause of our network problem.

Ex 1: If a packet only generates one line of output marked with the pre-inbound inspection ( i ) identifier, we can be confident that the VPN-1/FW-1 policy is causing the packet to be dropped. Tracker can be used to figure out which rule is causing the problem.

Ex 2: If only lines for inbound inspection ( i, I ) are shown but outbound inspection ( o,O ) are missing. This would indicate that the packet is either terminating at the firewall itself or that routing has been misconfigured and the routing engine of the firewall is blackholing the packet.

Ex 3: If the expected packet doesn’t even produce any inbound inspection decode lines, this means either that the filter expression is incorrect or that the packet is never making it to the Enforcement Module for inspection. Other tools would then be needed to see what is going on outside the firewall.

fw monitor command reference