I’ve recently found myself capturing network traffic to troubleshoot reported issues. Capturing packets requires tcpdump, and while you may be familiar with this tool, its use differs slightly on Checkpoint devices.
The devices covered in this reference are Checkpoint R77.30 and R80 devices.
To capture the correct network packets you must first disable Checkpoint's SecureXL feature, an acceleration solution that maximizes the network performance of the firewall.
To disable SecureXL, run the command:
fwaccel off
To check the overall SecureXL status:
fwaccel stat
Now that SecureXL has been disabled, continue with the capture steps below:
To capture packets, issue the following command:
tcpdump -s 0 -nni <interface_name> -w capture_file_name.pcap
Press Ctrl-C to stop the capture.
Re-enable SecureXL by running the following command:
fwaccel on
Retrieve the capture file and review it with a tool such as Wireshark.
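The six steps above leave SecureXL disabled for the whole capture, and the firewall stays in that reduced-performance state if the capture is interrupted before step five is run by hand. The script below is an added example, not Checkpoint's own tooling, that wraps the same sequence (fwaccel off, fwaccel stat, tcpdump -s 0 -nni, fwaccel on) so that acceleration is restored on every exit path, Ctrl-C included. It assumes the fwaccel and tcpdump commands exactly as the page shows them; the ACCEL_CMD and TCPDUMP_CMD overrides and the optional BPF filter argument are additions of this example. It goes beyond the page in one respect: fwaccel stat output is printed rather than parsed, because its format differs between R77.30 and R80, and the interface name is validated so a stray space cannot turn into extra tcpdump arguments.

```shell
#!/bin/bash
# Added example (not Checkpoint's code): capture on a Checkpoint gateway while
# making sure SecureXL is re-enabled afterwards, even on Ctrl-C.
# Assumptions: `fwaccel` and `tcpdump` exist in expert mode as on the page.
# ACCEL_CMD / TCPDUMP_CMD can be overridden for a dry run on another host.

ACCEL_CMD="${ACCEL_CMD:-fwaccel}"
TCPDUMP_CMD="${TCPDUMP_CMD:-tcpdump}"
ACCEL_RESTORED=""

# Accept only letters, digits, dot, dash and underscore in an interface name.
# Anything else (e.g. "eth 1") is rejected before it reaches tcpdump.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Step five of the page, made idempotent: runs at most once per capture,
# whether we get here normally, via Ctrl-C, or via a TERM signal.
restore_accel() {
    [ -n "$ACCEL_RESTORED" ] && return 0
    ACCEL_RESTORED=1
    trap - INT TERM EXIT
    echo "re-enabling SecureXL" >&2
    "$ACCEL_CMD" on
    "$ACCEL_CMD" stat
}

# run_capture <interface> <output.pcap> [bpf filter]
# Disables SecureXL, captures with the page's tcpdump options, then restores
# acceleration. Returns 2 on a bad interface name without touching SecureXL.
run_capture() {
    iface=$1
    outfile=$2
    filter=$3
    ACCEL_RESTORED=""
    valid_iface "$iface" || { echo "invalid interface name: '$iface'" >&2; return 2; }

    # From this point on, leaving for any reason re-enables SecureXL.
    trap restore_accel INT TERM EXIT

    "$ACCEL_CMD" off      # step one: disable acceleration
    "$ACCEL_CMD" stat     # step two: show the status (printed, not parsed)

    # Step three: full-size packets (-s 0), no name/port resolution (-nn),
    # written to a pcap file. $filter is deliberately unquoted so a BPF
    # expression such as "host 10.0.0.5 and port 443" is split into words.
    "$TCPDUMP_CMD" -s 0 -nni "$iface" -w "$outfile" $filter

    restore_accel        # step five (step four, Ctrl-C, also lands here)
}

# Usage: ./cp_capture.sh <interface> <output.pcap> [bpf filter]
# Then copy the .pcap off the gateway and open it in Wireshark (step six).
if [ "$#" -ge 2 ]; then
    run_capture "$1" "$2" "$3"
fi
```

The trap matters more than the validation: with tcpdump in the foreground, Ctrl-C reaches both tcpdump and the shell, so without the INT trap a script would stop before ever reaching `fwaccel on`.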