topic Re: Concurrent Connections in Firewall and Security Management

Concurrent Connections

Scheer — Thu, 08 Dec 2022 10:33:34 GMT

Hi,

I need to know that how to find out concurrent session count per single IP Address.. As a example, how many https session for Single web server concurrently..

Also need to know that, what is the meaning of below highlighted count (Attached snap shot)..

Thanks

Re: Concurrent Connections

Lloyd_Braun — Thu, 08 Dec 2022 14:10:54 GMT

fw ctl conntab | grep ip.add.ress | wc -l from the gateway should do it

Re: Concurrent Connections

PhoneBoy — Thu, 08 Dec 2022 15:12:23 GMT

Number of records refers to the number of log entries in that file.

Of course, the fact you're showing a screenshot from SmartView Tracker tells me you're probably on a pre-R80 release, which is no longer supported.
SmartView Tracker on R8x isn't supported either (though the binaries are still there).

Re: Concurrent Connections

Scheer — Thu, 08 Dec 2022 15:23:20 GMT

Our Management Server is R81.10 and Security Gateway is R80.30. I am using C:\Program Files (x86)\CheckPoint\SmartConsole\R81.10\PROGRAM\CPlgv.exe to track the concurrent sessions.

Is there other method to fulfill my requirement?

Re: Concurrent Connections

the_rock — Thu, 08 Dec 2022 15:30:19 GMT

Thats a good command, never seen it before.

Re: Concurrent Connections

PhoneBoy — Thu, 08 Dec 2022 15:45:38 GMT

Even though we include the SmartView Tracker binaries as part of the SmartConsole installation still, it's no longer supported as of R80.
Which means you should find a different way to achieve the same result.

The method @Lloyd_Braun specified is the best way to do it.

Re: Concurrent Connections

Scheer — Thu, 08 Dec 2022 15:47:53 GMT

Thanks for your reply. How can I identify that this session is relevant to the service like http https exactly?

Re: Concurrent Connections

Scheer — Thu, 08 Dec 2022 15:58:11 GMT

@PhoneBoy How can I identify that this session is relevant to the service like http https exactly?

Re: Concurrent Connections

Scheer — Thu, 08 Dec 2022 16:37:46 GMT

@Lloyd_Braun Is this result for session count or request count?

Re: Concurrent Connections

PhoneBoy — Thu, 08 Dec 2022 18:04:40 GMT

If you look at the output of fw ctl conntab, you have your answer:

<(outbound, src=[10.6.5.251,44738], dest=[3.234.44.184,443], TCP); 2503/3600, rule=0, tcp state=DST_FIN, service=nfsd(393), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1, ISP-Redundancy, SynDoSDefender>

This connection is related to https (TCP 443, as bolded in the above output).
If you just want to see the number of https connections from a specific IP, from expert mode:

fw ctl conntab | grep x.y.z.w | grep ",443], TCP" | wc -l

Re: Concurrent Connections

PhoneBoy — Thu, 08 Dec 2022 19:46:36 GMT

It's active sessions (i.e. TCP connection is still open).

Re: Concurrent Connections

Blason_R — Fri, 09 Dec 2022 02:42:20 GMT

I still feel that could be wrong use case from CP perspective and correct one is you will always get it or should get it from your web server directly. I mean any one even just telnetting to server on port 443 and killing session; firewall will keep this entry idle for 3600 seconds as per a default timer and he might not be browsing the pages however firewall could still consider this as a session though not valid.

Re: Concurrent Connections

Scheer — Fri, 09 Dec 2022 03:23:32 GMT

@Blason_R Currently we are using cloud WAF and only permitted public IP addresses can access the web server. We need to figure out LB issue. Therefore, need to check concurrent session count from the firewall level (Sessions or Request count).

Re: Concurrent Connections

Blason_R — Fri, 09 Dec 2022 03:26:39 GMT

Correct !! In this case you can easily get the actual hits on your WAF rather than your firewall because firewall is only going to see the traffic single source or pool of ip addresses belongs to your waf cloud provider.

Re: Concurrent Connections

Scheer — Fri, 09 Dec 2022 03:37:42 GMT

@Blason_R Yes we can get that information on WAF. Unfortunately App support team inform that, https web traffic is not balancing among the servers (04 web servers). They use Zabbix to monitor their utilization. WAF provide details with TCP connections and Zabbix provides details with per-request. That is why we need to figure out concurrent session count.

Also, is there any way to get old logs detail (Currently we have one month logs in our MGMT) ? like traffic distribution per IP with tcp level...!

Re: Concurrent Connections

PhoneBoy — Fri, 09 Dec 2022 15:02:34 GMT

You’d have to create a custom report in SmartEvent.
That assumes you’ve logged all the relevant traffic, of course.

cpview might be another option.

Why are you not checking this on the web servers directly, though?

Re: Concurrent Connections

genisis__ — Fri, 03 Feb 2023 10:32:21 GMT

Is there a way to determine top ten high concurrent connections? I have high spikes of connections on a regular bases and want to determine the IPs involved during this spike event.

Re: Concurrent Connections

_Val_ — Fri, 03 Feb 2023 10:43:37 GMT

Look into sk172229. Also, there are tools like connstat.exe from sk85780, and at least a couple of third-party tools in the ToolBox, by Heiko

Re: Concurrent Connections

genisis__ — Fri, 03 Feb 2023 12:22:56 GMT

Will take a look, thanks.