https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230453#M44341 <P>I know P is for push in tcpdump, but here, comparing screenshots you sent, from the 2nd one, number matches in billions, so logically, sounds like it would imply 15 billion packets? Just my ecucated guess...</P> <P>Andy</P> Tue, 22 Oct 2024 13:48:49 GMT the_rock 2024-10-22T13:48:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230423#M44338 <P>Hello everyone!</P><P>Could anyone illuminate me if the number I see in Skyline actually is realistic?</P><P>We see a "P" suffix in TCP Established column in cpview:</P><DIV class="">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28158i648790A5F12A5E2B/image-size/medium?v=v2&amp;px=400" role="button" title="1.png" alt="1.png" /></span></P><P>&nbsp;</P><P>And in Skyline we see this number:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28159i9E3E369E2AA56D27/image-size/medium?v=v2&amp;px=400" role="button" title="2.png" alt="2.png" /></span></P><P>&nbsp;</P><P>Now, I'm pretty sure that the "P" doesn't stand for Psycho. But the number we see there surely is!</P><P>asg_perf -v shows this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-10-22 155846.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28160i8B8E86F28EF50E05/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2024-10-22 155846.png" alt="Screenshot 2024-10-22 155846.png" /></span></P><P>To be honest, I want to say that there is no problem, given the numbers here. But without knowing what P means, I can't really be confident.</P><P>Any opinions would be much appreciated.</P><P>&nbsp;</P><P>Cheers!</P><P>&nbsp;</P> Tue, 22 Oct 2024 13:01:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230423#M44338 kamilazat 2024-10-22T13:01:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230447#M44339 <P>Which SNMP (OID) number are you comparing, are you confusing Skyline vs SNMP?</P> Sun, 27 Oct 2024 22:29:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230447#M44339 Chris_Atkinson 2024-10-27T22:29:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230453#M44341 <P>I know P is for push in tcpdump, but here, comparing screenshots you sent, from the 2nd one, number matches in billions, so logically, sounds like it would imply 15 billion packets? Just my ecucated guess...</P> <P>Andy</P> Tue, 22 Oct 2024 13:48:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230453#M44341 the_rock 2024-10-22T13:48:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230664#M44388 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;sorry for the late answer.&nbsp;</P><P><SPAN>We have monitoring configured via Skyline (metrics from cpview are sent from the SGM to the Prometheus DB, after which they are visualized in Grafana).</SPAN></P><P><SPAN>Do you happen to know what "P" stands for in cpview?</SPAN></P> Thu, 24 Oct 2024 07:08:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230664#M44388 kamilazat 2024-10-24T07:08:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230674#M44393 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp;I've tested the behavior of the "TCP Established" column in a lab, and the moment connections close, the number decreases. And it increases as new connections are made (I wrote a bash script to create concurrent connections).</P><P>Could it be that that Maestro is receiving an attack?&nbsp;</P> Thu, 24 Oct 2024 08:33:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230674#M44393 kamilazat 2024-10-24T08:33:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230919#M44456 <P>I think that number means "Peta", considering the number in Grafana starts with the same 5 digits. At least math check out there. So this means SNMPD actually sends the correct number ("18446P") from CPView.</P><P>Then my question is, whether the value in TCP Establised column decreases as the connections close. In my lab, I tried establishing some 500 connections from a host and I see the increase in numbers, but when I close the connections it goes back down.&nbsp;</P><P>So which one is the correct behavior, the total values of all times, or only the value of active TCP connections?</P> Sun, 27 Oct 2024 18:10:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unrealistic-number-sent-on-SNMP/m-p/230919#M44456 kamilazat 2024-10-27T18:10:36Z