Wireshark configuration for Check Point fw monitor

Here is how to configure Wireshark so that fw monitor captures are displayed in a readable way (chain position and interface/direction per packet, with one colour per inspection point):

  1. ctrl+shift+p
  2. Protocols / Ethernet / Attempt to interpret as Firewall-1 monitor file
  3. Protocols / FW-1 / Monitor file includes UUID and Interface list includes chain position
  4. User Interface / Columns / Add : fw-1 chain|FW-1 monitor if/direction
  5. Apply preferences
  6. View / Coloring rules / New
  7. preIn / fw1.direction==i
  8. postIn / fw1.direction==I
  9. preOut / fw1.direction==o
  10. postOut / fw1.direction==O
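The four coloring rules above map to the four fw monitor inspection points (i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound), and the usual reason to colour them is to see where a packet stops: a packet seen at `i` but never at `I` was dropped by the inbound chain, one seen at `o` but not `O` by the outbound chain. The script below is an added example, not part of the original post, that does the same check non-interactively from `tshark -T fields` output. The tshark preference names in its docstring (`eth.interpret_as_fw1_monitor`) are my understanding of the GUI settings above and should be checked against `tshark -G currentprefs`; the packet-matching key (ip.src, ip.dst, ip.id) is an assumption of this example and does not survive NAT, where the UUID the post enables would be a better key. The sample input is constructed.

```python
"""Reconstruct each packet's path through the fw monitor inspection points
(i, I, o, O) from tshark field output.

Added example, not from the original post. Input is the output of a command
such as (preference name assumed; verify with `tshark -G currentprefs`):

  tshark -r fwmon.cap -o eth.interpret_as_fw1_monitor:TRUE \
         -T fields -E separator=, \
         -e frame.number -e fw1.interface -e fw1.direction \
         -e ip.src -e ip.dst -e ip.id

Packets are matched across positions by (ip.src, ip.dst, ip.id). That is an
assumption of this example; it breaks when NAT rewrites addresses between
positions.
"""
from collections import defaultdict
import csv
import io

# Position letters as used by fw1.direction, with the post's rule names.
POSITIONS = {"i": "preIn", "I": "postIn", "o": "preOut", "O": "postOut"}
ORDER = ["i", "I", "o", "O"]  # traversal order through the gateway

# Constructed sample of tshark -T fields output:
# frame.number, fw1.interface, fw1.direction, ip.src, ip.dst, ip.id
SAMPLE = """\
1,eth0,i,10.1.1.5,192.0.2.10,0x1a2b
2,eth0,I,10.1.1.5,192.0.2.10,0x1a2b
3,eth1,o,10.1.1.5,192.0.2.10,0x1a2b
4,eth1,O,10.1.1.5,192.0.2.10,0x1a2b
5,eth0,i,10.1.1.7,192.0.2.10,0x0c0d
6,eth0,i,10.1.1.9,192.0.2.10,0x0e0f
7,eth0,I,10.1.1.9,192.0.2.10,0x0e0f
8,eth1,o,10.1.1.9,192.0.2.10,0x0e0f
"""


def parse_fields(text):
    """Parse tshark field rows into dicts; rows without fw1 data are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 6 or rec[2] not in POSITIONS:
            continue
        frame, iface, direction, src, dst, ip_id = rec
        rows.append({"frame": int(frame), "iface": iface, "dir": direction,
                     "src": src, "dst": dst, "id": ip_id})
    return rows


def trace_packets(rows):
    """Group rows by (src, dst, ip.id); return the positions each packet
    was seen at, in traversal order, as (letter, name, frame, iface)."""
    seen = defaultdict(dict)
    for r in rows:
        seen[(r["src"], r["dst"], r["id"])][r["dir"]] = (r["frame"], r["iface"])
    traces = {}
    for key, by_dir in seen.items():
        traces[key] = [(d, POSITIONS[d], by_dir[d][0], by_dir[d][1])
                       for d in ORDER if d in by_dir]
    return traces


def classify(traces):
    """Name the last position each packet reached. Missing 'I' after 'i'
    means the inbound chain dropped it; missing 'O' after 'o', the outbound
    chain. A packet ending at 'I' has no outbound record in the capture
    (locally delivered, or simply not captured) and is reported as such."""
    verdicts = {}
    for key, trace in traces.items():
        last = trace[-1][0]
        verdicts[key] = {"O": "forwarded",
                         "i": "dropped-inbound",
                         "o": "dropped-outbound",
                         "I": "inbound-only"}[last]
    return verdicts


if __name__ == "__main__":
    traces = trace_packets(parse_fields(SAMPLE))
    for key, verdict in classify(traces).items():
        path = " -> ".join(f"{name}@{iface}(#{frame})"
                           for _, name, frame, iface in traces[key])
        print(f"{key[0]} -> {key[1]} id={key[2]}: {verdict}: {path}")
```

Run it on a real capture by replacing `SAMPLE` with the tshark output; the printed path shows the interface and frame number at each position, which is the same information the custom column and the four colours give you in the GUI.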

Good luck!
