R80.10: fw monitor – new inspection points (eE)

Earlier today a colleague found out that when he used fw monitor on R80.10 he saw two extra inspection points in the output. For years we’ve all seen iIoO but since R80.10 there is eE too! We’ve tried to find documentation about it but basically this is still undocumented.


[vs_0][fw_1] eth1:i[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth1:I[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth3:o[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth3:O[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_0] eth3:e[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_0] eth3:E[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443

We expected the e’s to have something to do with encryption.

The only info about eE we found was on CheckMates in this thread started by Tom Coussement. Their thought was also that it has to do with VPN handling.

Today we’ve contacted Check Point TAC to find out more and started a chat. This is their response:

“e is before the encryption and E is after the encryption. It’s a new feature in R80.10.”

I asked if there would be a dD for decryption.

“No, you won’t see the d D, as the e stands for the status when it is not encrypted yet, and E is when it is encrypted. So for outbound traffic, you will see e E, and for inbound, you will see E e.”

Regarding documentation… I guess sk30583 should be updated to read something like this:

There are six inspection points when a packet passes through a R80.10 Security Gateway:

#  Traffic direction (*)  Relation to FireWall Virtual Machine  Name of inspection point  Notion of inspection point
1  Inbound                Before the inbound FW VM              Pre-Inbound               “i”
2  Inbound                After the inbound FW VM               Post-Inbound              “I”
3  Outbound               Before the outbound FW VM             Pre-Outbound              “o”
4  Outbound               After the outbound FW VM              Post-Outbound             “O”
5  Outbound               Before the VPN encrypt                Pre-Encrypt               “e”
6  Outbound               After the VPN encrypt                 Post-Encrypt              “E”

(*) The traffic direction (inbound/outbound) relates to each specific packet, and not to the connection.
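To make the chain order easy to see in a busy capture, here is a small Python parser (an added example, not from the original post and not a Check Point tool) that groups fw monitor header lines by source, destination and IP id and reports each packet’s sequence of inspection points. The regex, the function names and the chain interpretation are my own, based only on the line format shown above and the TAC explanation quoted earlier (outbound shows e E after o O, inbound shows E e).

```python
import re

# Matches the per-packet header line of fw monitor output, e.g.
# "[vs_0][fw_1] eth1:i[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330"
# (the "TCP: 3421 -> 443" detail lines that follow each header are skipped).
HEADER = re.compile(
    r"\[vs_(?P<vs>\d+)\]\[fw_(?P<core>\d+)\] (?P<iface>\S+):(?P<point>[iIoOeE])\[\d+\]: "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+)"
)

# Sample capture: the six header lines from the post with their detail lines.
SAMPLE = """\
[vs_0][fw_1] eth1:i[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth1:I[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth3:o[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth3:O[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_0] eth3:e[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_0] eth3:E[212]: 192.168.103.65 -> 10.11.11.23 (TCP) len=212 id=28330
TCP: 3421 -> 443
"""

def parse_chains(text):
    """Group header lines by (src, dst, IP id) and return, per packet, the
    inspection points in capture order as one string, e.g. 'iIoOeE'."""
    chains = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        key = (m["src"], m["dst"], int(m["id"]))
        chains.setdefault(key, []).append(m["point"])
    return {k: "".join(v) for k, v in chains.items()}

def classify(chain):
    """Interpret a chain as TAC described it: 'eE' at the end means the packet
    was encrypted on its way out, a chain opening with 'Ee' arrived encrypted,
    and no e/E at all means the packet never touched the VPN encrypt step."""
    if chain.endswith("eE"):
        return "outbound, encrypted (e -> E)"
    if chain.startswith("Ee"):
        return "inbound, arrived encrypted (E -> e)"
    if set(chain) & {"e", "E"}:
        return "incomplete e/E chain (check capture filters)"
    return "cleartext (no e/E)"

if __name__ == "__main__":
    for key, chain in parse_chains(SAMPLE).items():
        print(key, chain, classify(chain))
```

Running it against the post’s capture prints the single packet as `iIoOeE`, classified as outbound and encrypted; a packet that only shows `iIoO` is reported as cleartext.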

If anyone has more information please share it here or in this thread on Check Point CheckMates.
