I’ve recently found myself capturing network traffic to troubleshoot reported issues. Capturing packets requires tcpdump, and while you may be familiar with using this tool, its use is slightly different on Checkpoint devices.

The devices in this reference are Checkpoint R77.30 and R80 devices.

To capture the correct network packets you must first disable Checkpoint's SecureXL feature, an acceleration solution that maximizes the network performance of the firewall.

To disable SecureXL, run the command:

fwaccel off

To check the overall SecureXL status:

fwaccel stat

Once SecureXL has been disabled, continue with the capture steps below:

To capture packets, issue the following command:

tcpdump -s 0 -nni <interface_name> -w capture_file_name.pcap

Press Ctrl+C to stop the capture.

Re-enable SecureXL by running the following command:

fwaccel on

Retrieve the capture file and review it with a tool such as Wireshark.
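The three steps above (disable SecureXL, capture, re-enable SecureXL) wrapped in a small bash script, as an added example that is not part of the original post or Check Point's own tooling. It assumes you are in expert mode with fwaccel and tcpdump on the PATH, and that `fwaccel stat` prints a line of the form `Accelerator Status : on` (an assumed format; the sample used in the comments is constructed). The point of the wrapper is that SecureXL is switched back on from an EXIT trap, so a Ctrl+C or a failing tcpdump never leaves the firewall running without acceleration.

```shell
#!/bin/bash
# Added example, not code from the original post.
# Assumes Check Point expert mode: fwaccel and tcpdump are on the PATH.

# Build the exact tcpdump command line used in the post.
# $1 = interface name, $2 = output capture file
capture_cmd() {
  printf 'tcpdump -s 0 -nni %s -w %s' "$1" "$2"
}

# Return 0 if the given `fwaccel stat` output reports the accelerator as on.
# Assumed line format (constructed sample): "Accelerator Status : on"
securexl_is_on() {
  printf '%s\n' "$1" |
    grep -qiE 'Accelerator Status[[:space:]]*:[[:space:]]*on([[:space:]]|$)'
}

# Re-enable acceleration; installed as an EXIT trap so it also runs
# after Ctrl+C or if tcpdump fails to start.
restore_securexl() {
  fwaccel on
}

# Disable SecureXL only if it is currently on, capture, then restore.
# $1 = interface name, $2 = output capture file
run_capture() {
  iface="$1"
  outfile="$2"
  status="$(fwaccel stat)"
  if securexl_is_on "$status"; then
    fwaccel off
    trap restore_securexl EXIT
  fi
  # Stop with Ctrl+C; the trap then turns SecureXL back on.
  eval "$(capture_cmd "$iface" "$outfile")"
}
```

Run it from expert mode as `run_capture eth1 /var/tmp/issue.pcap`, then retrieve /var/tmp/issue.pcap for review in Wireshark.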