R80.10: fw monitor – new inspection points (eE)
Earlier today a colleague found out that when he used fw monitor on R80.10 he saw two extra inspection points in the output. For years we’ve all seen iIoO, but since R80.10 there is eE too! We’ve tried to find documentation about it, but basically this is still undocumented.
[vs_0][fw_1] eth1:i[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth1:I[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth3:o[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth3:O[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_0] eth3:e[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_0] eth3:E[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
We expected the e’s would have something to do with encryption.
The only info about eE we found was on CheckMates in this thread started by Tom Coussement. Their thought was also that it has to do with VPN handling.
Today we contacted Check Point TAC to find out more and started a chat. This is their response:
“e is before the encryption and E is after the encryption. It’s a new feature in R80.10.”
I asked if there would be a dD for decryption.
“No, you won’t see the d D, as the e stands for the status when it is not encrypted yet, and E is when it is encrypted. So for outbound traffic, you will see e E, and for inbound, you will see E e.”
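To make that ordering rule usable on a real capture, here is a small added parser (my own script, not from Check Point or sk30583) that reads fw monitor header lines in the format shown above, labels each inspection point, groups the points per packet id, and derives the VPN direction from the e/E order that TAC described. The sample input is the capture quoted in this post; the point names for i/I/o/O are taken from sk30583, the e/E names from the TAC answer.

```python
import re
from collections import defaultdict

# Constructed sample: the R80.10 fw monitor output quoted in this post,
# one packet (id=28330) seen at all six inspection points.
SAMPLE = """\
[vs_0][fw_1] eth1:i[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth1:I[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth3:o[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth3:O[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_0] eth3:e[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_0] eth3:E[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
"""

# i/I/o/O as documented in sk30583; e/E as explained by TAC in the chat above.
POINTS = {"i": "pre-inbound", "I": "post-inbound",
          "o": "pre-outbound", "O": "post-outbound",
          "e": "before encryption", "E": "after encryption"}

# Header line: [vs_N][fw_N] <iface>:<point>[<caplen>]: <src> -> <dst> (<proto>) len=N id=N
LINE_RE = re.compile(
    r"^\[(?P<vs>vs_\d+)\]\[(?P<fw>fw_\d+)\]\s+(?P<iface>\S+?):(?P<point>[iIoOeE])"
    r"\[(?P<caplen>\d+)\]:\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)"
    r"\s+len=(?P<len>\d+)\s+id=(?P<id>\d+)")

def parse(text):
    """Return one dict per header line; the 'TCP: port -> port' lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["meaning"] = POINTS[rec["point"]]
            records.append(rec)
    return records

def path_by_packet(records):
    """Map packet id -> ordered list of (interface, point) it was seen at."""
    paths = defaultdict(list)
    for rec in records:
        paths[rec["id"]].append((rec["iface"], rec["point"]))
    return dict(paths)

def vpn_direction(points):
    """'outbound' if e precedes E, 'inbound' if E precedes e (per TAC), else None."""
    enc = [p for p in points if p in "eE"]
    return {("e", "E"): "outbound", ("E", "e"): "inbound"}.get(tuple(enc[:2]))
```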
Regarding documentation: I guess sk30583 should be updated along these lines:
There are six inspection points when a packet passes through an R80.10 Security Gateway:
direction (*) | FireWall Virtual Machine inspection point | inspection point
(*) The traffic direction (inbound/outbound) relates to each specific packet, and not to the connection.
If anyone has more information please share it here or in this thread on Check Point CheckMates.