https://community.checkpoint.com/t5/Firewall-and-Security-Management/Number-of-concurrent-connections-shown-in-CPView-Utility-depends/m-p/29069#M2296 <HTML><HEAD></HEAD><BODY><P>Yes, you are perfectly right.</P><P></P><P><SPAN style="color: #333333; background-color: #ffffff; font-family: 'courier new', courier, monospace;">&nbsp;&nbsp;&nbsp;fw tab -t connections -s</SPAN></P><P></P><P>or</P><P></P><P>&nbsp;&nbsp;&nbsp;<SPAN style="font-family: 'courier new', courier, monospace;">cphacu stat</SPAN></P><P></P><P>are right choices for&nbsp;sure. I simply supposed that the Cpview is reading always "fw tab -t connections -s" and then it should be similar on both cluster nodes. But it is not true or at least in normal case when SecureXL is active. It is good to know that the&nbsp;Cpview is not right shortcut to check sync of connection table and CLI&nbsp; is right way.</P></BODY></HTML> Fri, 08 Jun 2018 05:45:26 GMT Petr_Hantak 2018-06-08T05:45:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Number-of-concurrent-connections-shown-in-CPView-Utility-depends/m-p/29067#M2294 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 15px;">I have question about n<SPAN style="color: #333333; background-color: #ffffff;">umber of concurrent connections shown in CPView Utility.&nbsp; </SPAN></SPAN></P><P></P><P><SPAN style="background-color: #ffffff; color: #333333; font-size: 15px;">CPView utility is nice and for most of my colleagues very easy understable utility for quick performance check. Usually we are running cluster solution and I must admit that it is quite confusing what we can see on Active and Standby nodes about connections. When SecureXL is active it shows only active connections on STANDBY node but not all synchronized connection summary from connection table.&nbsp;</SPAN></P><P></P><P><SPAN style="background-color: #ffffff; color: #333333; font-size: 15px;"><STRONG>Active node:</STRONG></SPAN></P><P><SPAN style="background-color: #ffffff; color: #333333; font-size: 15px;"><IMG alt="ACTIVE-member concurent connections" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/66262_cpview-active.PNG" /></SPAN></P><P></P><P><STRONG style="background-color: #ffffff; : ; color: #333333; font-size: 15px;">Standby node:&nbsp;</STRONG></P><P><SPAN style="background-color: #ffffff; color: #333333; font-size: 15px;"><IMG alt="STANDBY-member concurent connections" class="image-2 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/66266_cpview-standby.PNG" /></SPAN></P><P></P><P><SPAN style="background-color: #ffffff; color: #333333; font-size: 15px;">This situation is correct according to&nbsp;<STRONG style="background-color: #ffffff; color: #000000; font-size: 14px;">sk103496:</STRONG></SPAN></P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><DIV class="" style="color: #333333; font-weight: bold; font-size: 22px;">Symptoms</DIV><DIV class=""><UL><LI><P>The number of concurrent connections shown in<SPAN>&nbsp;</SPAN><A href="http://supportcontent.checkpoint.com/solutions?id=sk101878" style="color: #905690; text-decoration: none;" target="_blank">CPView Utility</A><SPAN>&nbsp;</SPAN>is less than shown in the output of '<CODE>fw ctl pstat</CODE>' or in the output of '<CODE>fw tab -t connections -s</CODE>' command.</P></LI><LI><P>The number of concurrent connections shown in<SPAN>&nbsp;</SPAN><A href="http://supportcontent.checkpoint.com/solutions?id=sk101878" style="color: #905690; text-decoration: none;" target="_blank">CPView Utility</A><SPAN>&nbsp;</SPAN>differs depending on whether SecureXL is enabled or disabled.</P></LI></UL></DIV><DIV class="" style="color: #333333; font-weight: bold; font-size: 22px;">Cause</DIV><DIV class=""><P>The command '<CODE>fwaccel stats</CODE>' (counter "<CODE>C total conns</CODE>") shows the connections in SecureXL FWAccel module.<BR />The command '<CODE>fw ctl pstat</CODE>' (counter "<CODE>Concurrent Connections</CODE>") shows the connections in FW module.</P><P>CPView Utility is designed to show the actual amount of connections that currently pass through the Security Gateway. This counter is adjusted according to which Check Point kernel module is handling the traffic:</P><UL><LI>When SecureXL is<SPAN>&nbsp;</SPAN><EM>enabled</EM>, CPView Utility shows the connections from the<SPAN>&nbsp;</SPAN><EM>SecureXL FWAccel</EM><SPAN>&nbsp;</SPAN>module (run the command<SPAN>&nbsp;</SPAN><EM>fwaccel stats | grep "C total conns"</EM>)</LI><LI>When SecureXL is<SPAN>&nbsp;</SPAN><EM>disabled</EM>, CPView Utility shows the connections from the<SPAN>&nbsp;</SPAN><EM>FW</EM><SPAN>&nbsp;</SPAN>module (run the command<SPAN>&nbsp;</SPAN><EM>fw tab -t connections -s</EM><SPAN>&nbsp;</SPAN>and refer to<SPAN>&nbsp;</SPAN><EM>#VALS</EM><SPAN>&nbsp;</SPAN>column)</LI></UL><P>&nbsp;</P><P>The difference in the number of connections when SecureXL is enabled or disabled is due to the fact that:</P><UL><LI>SecureXL SIM module does<SPAN>&nbsp;</SPAN><EM>not</EM><SPAN>&nbsp;</SPAN>show certain connections - e.g., ClusterXL synchronization connections.</LI><LI>FW module does<SPAN>&nbsp;</SPAN><EM>not</EM><SPAN>&nbsp;</SPAN>show certain connections - e.g., Delayed connections.</LI></UL><P>In addition, the big difference between the output of '<CODE>fwaccel conns -s</CODE>' command and output of '<CODE>fwaccel stats | grep "C total conns"</CODE>' is due to the fact that the command '<CODE>fwaccel conns -s</CODE>' shows both Client-to-Server<SPAN>&nbsp;</SPAN><EM><STRONG>and</STRONG></EM><SPAN>&nbsp;</SPAN>Server-to-Client connections, while the command '<CODE>fwaccel stats grep "C total conns"</CODE>'| compresses these connections into<SPAN>&nbsp;</SPAN><EM>one</EM><SPAN>&nbsp;</SPAN>connection.</P></DIV><DIV class="" style="color: #333333; font-weight: bold; font-size: 22px;">Solution</DIV><DIV class=""><P>No fix is required; the system is functioning as designed.</P></DIV></BLOCKQUOTE><DIV class=""><P></P><P>At least for me it makes sense to see concurent connections equal in CPView for both cluster members. In that case we can see easily that it is synchronized.</P><P></P><P>Do you know anyone what is behind current design?</P><P></P><P>Do you prefer to keep it as is or change it to equal view?</P></DIV></BODY></HTML> Thu, 07 Jun 2018 13:44:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Number-of-concurrent-connections-shown-in-CPView-Utility-depends/m-p/29067#M2294 Petr_Hantak 2018-06-07T13:44:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Number-of-concurrent-connections-shown-in-CPView-Utility-depends/m-p/29068#M2295 <HTML><HEAD></HEAD><BODY><P>Actually that SK does not apply to your question. Cpview is just showing ACTIVE concurrent connections running through your firewall. And since standby firewall will only have a handful of active connections (to/from itself) then output is correct. If you want to see that connections table is more or less the same in the cluster just use</P><P style="padding-left: 30px;"></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier, monospace;">fw tab -t connections -s</SPAN></P><P></P><P>that will be fairly close on both.</P><P>Cpview will show combined values from fwaccel stat</P><P><img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Thu, 07 Jun 2018 18:15:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Number-of-concurrent-connections-shown-in-CPView-Utility-depends/m-p/29068#M2295 Kaspars_Zibarts 2018-06-07T18:15:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Number-of-concurrent-connections-shown-in-CPView-Utility-depends/m-p/29069#M2296 <HTML><HEAD></HEAD><BODY><P>Yes, you are perfectly right.</P><P></P><P><SPAN style="color: #333333; background-color: #ffffff; font-family: 'courier new', courier, monospace;">&nbsp;&nbsp;&nbsp;fw tab -t connections -s</SPAN></P><P></P><P>or</P><P></P><P>&nbsp;&nbsp;&nbsp;<SPAN style="font-family: 'courier new', courier, monospace;">cphacu stat</SPAN></P><P></P><P>are right choices for&nbsp;sure. I simply supposed that the Cpview is reading always "fw tab -t connections -s" and then it should be similar on both cluster nodes. But it is not true or at least in normal case when SecureXL is active. It is good to know that the&nbsp;Cpview is not right shortcut to check sync of connection table and CLI&nbsp; is right way.</P></BODY></HTML> Fri, 08 Jun 2018 05:45:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Number-of-concurrent-connections-shown-in-CPView-Utility-depends/m-p/29069#M2296 Petr_Hantak 2018-06-08T05:45:26Z