topic Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic . in Firewall and Security Management

Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

bookman — Thu, 11 Nov 2021 01:15:26 GMT

Hi Team ,

I need a way to understand if Checkpoint can show the data of Bandwidth consumed ( per source/network basis ) for the specific time of the day.

What are the possible ways i can verify the above.

Checkpoint version : R80.20

Blades enabled : Firewall , app control and content awareness

Thanks in advance.

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

the_rock — Thu, 11 Nov 2021 01:34:22 GMT

I believe smart view monitor can show this (under logs and monitor tab in dashboard). Do you have monitoring blade enabled on the firewall?

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

bookman — Thu, 11 Nov 2021 01:40:37 GMT

Hi @the_rock ,

Thanks for your response.

Monitoring blade is not enabled ( not licensed ) , and the only blades that are enabled in the gateway are Firewall , app control and content awareness.

Do we have any other options please ?

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

the_rock — Thu, 11 Nov 2021 01:43:09 GMT

Sorry, I saw you mentioned that in the description as far as blades, my bad. Hm, not really sure without monitoring blade, but I can test it in the lab tomorrow. Because, quite honestly, I dont believe there is an easy way (or any way for that matter) to filter for something like this from regular logs, but will confirm.

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

bookman — Thu, 11 Nov 2021 03:23:36 GMT

Thanks for your response. Very much appreciated.

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

the_rock — Thu, 11 Nov 2021 03:45:47 GMT

I see there is an option for bandwidth when searching in logs, but not sure what value to search for, as I never used it before. I will check more tomorrow and let you know. Its under field Other Fields: and then bandwidth,

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

PhoneBoy — Thu, 11 Nov 2021 18:59:11 GMT

cpview on the gateway is one possibility, at least in real-time.
Make sure you are on a recent JHF.

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

bookman — Fri, 12 Nov 2021 00:39:02 GMT

Hi @PhoneBoy ,

Thanks for your response.

Does the cpview also shows the historical bandwidth usage per source/dest ? If not do we have any other options like cpviewer and Smartview or any other options we can really on.

@the_rock That's correct there is a bandwidth option in the other fields but not sure what option to enter since even i haven't used that before.

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

the_rock — Fri, 12 Nov 2021 01:35:30 GMT

I did not forget about you, just been a busy day, apologies. I had been trying to figure out how to actually run that filter, but no luck so far. Will definitely work on it Friday morning and update you in this thread.

Andy

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

bookman — Fri, 12 Nov 2021 02:14:33 GMT

No worries , really appreciate your kind support.

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

PhoneBoy — Fri, 12 Nov 2021 03:14:51 GMT

cpview has historical options (i.e. you can see what was going on at a given point in time), but I don't know that it tracks specific top connections over time or not.

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

bookman — Fri, 12 Nov 2021 03:17:28 GMT

Thank you for your response.

So what are the other options we can rely on to check the historical bandwidth usage per source/network basis.

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

the_rock — Fri, 12 Nov 2021 13:49:00 GMT

Im really sorry, tried every possible option I could think of for that bandwidth setting and no luck : (. Maybe you could confirm with TAC or someone else here can chime in.

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

Timothy_Hall — Sat, 13 Nov 2021 21:43:49 GMT

Try running the fw ctl multik print_heavy_conn command every day, it will show all connections that were classified by the firewall as "heavy" (a.k.a. an elephant flow) over the last 24 hours. It won't show the top connections per se, but will help identify any bandwidth-hogging connections historically. To clarify what constitutes a "heavy" connection see here: sk164215: How to Detect and Handle Heavy Connections

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

bookman — Mon, 15 Nov 2021 06:53:37 GMT

Thanks for your response.

Does the command help to identify the connection which had heavy flow a week ago ?

Since the issue occurred only once and usually this is occurring whenever the Microsoft patch upgrade over the systems ( happens once in a month ) . So basically wanted to know and get proof is this because of patch upgrade it happens or does any other traffic constituting to this.

Bandwidth spike occurrences are taking from the SolarWinds monitoring , and from the CP want to identify the historical bandwidth hogging connection for that particular time.

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

Timothy_Hall — Mon, 15 Nov 2021 12:51:48 GMT

No just the last 24 hours and that can't duration be changed, which is why I suggested running it once a day.

Re: Checkpoint Bandwidth utilization check for the uneven spike in the traffic .

Antonis_Hassiot — Tue, 16 Nov 2021 09:44:12 GMT

Another way to catch real time high bandwidth sources is to run a tcpdump on the gateway for say 10 seconds and then export it to wireshark and sort by Bytes Down