https://community.checkpoint.com/t5/Firewall-and-Security-Management/Interpreting-fwaccel-conns/m-p/227525#M43783 <P>thanks for this explanation and confirmation</P> Mon, 23 Sep 2024 09:52:11 GMT waschminator 2024-09-23T09:52:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Interpreting-fwaccel-conns/m-p/227186#M43779 <P>hi,</P><P>if i check out fwaccel conns i get 2 entries per session. fine so far. the weird thing: it is hwoing the same througput in both directions ...this is incorrect in theory.&nbsp;</P><P>we are talking of a filetransfer here and i would have expected maybe 494 GB in one directon and in the other direction maybe 100Mbyte becuase this are just ACKs. can anybody explain this?</P><P>&nbsp;</P><P>10.101.68.43 2049 10.222.242.148 34889 6 .........T.L.........&nbsp; 494.05GB 0s 11h28m51s 86400/86400<BR />10.222.242.148 34889 10.101.68.43 2049 6 .........T...........&nbsp; &nbsp;494.05GB 0s 11h28m51s 86400/86400</P> Thu, 19 Sep 2024 11:01:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Interpreting-fwaccel-conns/m-p/227186#M43779 waschminator 2024-09-19T11:01:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Interpreting-fwaccel-conns/m-p/227256#M43780 <P>Not sure it's actually supposed to show the directional volume or not.<BR />This probably needs a TAC case to confirm the correct/expected behavior.</P> Thu, 19 Sep 2024 15:22:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Interpreting-fwaccel-conns/m-p/227256#M43780 PhoneBoy 2024-09-19T15:22:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Interpreting-fwaccel-conns/m-p/227325#M43781 <P>thx for reply. it seems that the amount of transported traffic is correct. only the bidirectional stuff seems to be incorrect. but i guess it has something todo with the way this connection is handled within this table.</P><P>let´s see if somebody else has experience. worst case i ask our support partner or vendor.&nbsp;</P> Fri, 20 Sep 2024 06:50:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Interpreting-fwaccel-conns/m-p/227325#M43781 waschminator 2024-09-20T06:50:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Interpreting-fwaccel-conns/m-p/227374#M43782 <P>The key is the "L" (link) flag on one of those entries in your screenshot.&nbsp; SecureXL and Check Point in general track what we would consider a "connection" as separate flows of packets.&nbsp; For a connection not subject to NAT there are just two flows (c2s and s2c).&nbsp; The second line in your output is the original initiating c2s flow (looks like the 10.222 host initiated a NFS connection to 10.101), and the first line is the corresponding linked s2c response flow for that single NFS connection.&nbsp; Because the two flows are linked together as being associated with the same connection, many of their elements such as consumed bandwidth, idle timeout, and duration are synchronized which is why they are the same value.</P> Tue, 01 Oct 2024 12:41:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Interpreting-fwaccel-conns/m-p/227374#M43782 Timothy_Hall 2024-10-01T12:41:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Interpreting-fwaccel-conns/m-p/227525#M43783 <P>thanks for this explanation and confirmation</P> Mon, 23 Sep 2024 09:52:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Interpreting-fwaccel-conns/m-p/227525#M43783 waschminator 2024-09-23T09:52:11Z