topic Re: How to manually delete an entry from the Connections Table in Firewall and Security Management

How to manually delete an entry from the Connections Table

Kaspars_Zibarts — Fri, 19 Feb 2021 09:23:30 GMT

Not that you really need to use this often but it has saved my day once or twice a year. Great SK103876 is available but in a stressful situation calculating HEX numbers is the last thing you want to do and then compiling a complex command out of it is even more challenging

This one-liner actually gives you an opportunity to generate all fw tab kill commands in one file for a pair of given IP addresses. Tested on R80.10 GW but I'm fairly confident it would work in R77.

IPA="x.x.x.x"; IPB="y.y.y.y"; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" table | grep "$IPBHEX" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofall

You will need to dump all your current connections into a file called table first of course. You may add this to front of the above to make it true one-liner.. But I found it easier to do this in two steps as you have more control

fw tab -t connections -u > table

And result is in file called listofall. Then you just execute those commands by copy-paste for example or chmod the file itself and run it.

Here's an example

And of course, you can add port numbers if needed

Re: How to manually delete an entry from the Connections Table

PhoneBoy — Tue, 21 Nov 2017 00:18:48 GMT

Bravo!

Re: How to manually delete an entry from the Connections Table

EdesLC — Thu, 04 Jan 2018 17:29:23 GMT

Nice.

Re: How to manually delete an entry from the Connections Table

Simon_Garay — Tue, 24 Jul 2018 16:38:23 GMT

Thank you very much for sharing this information.

Re: How to manually delete an entry from the Connections Table

MKIT_NMG — Wed, 28 Nov 2018 14:58:05 GMT

Modified it a bit, it's still ugly but we don't have to do anything now, apart from providing the values for IPA & IPB

#!/bin/bash

#Dump latest copy of connection table
fw tab -t connections -u > table

#Read input for IPA & IPB values
read -p "IPA: " IPAI
read -p "IPB: " IPBI

#The Decimal to Hex conversion takes place and generates the command file
IPA=${IPAI}; IPB=${IPBI}; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" table | grep "$IPBHEX" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofall

#Execute commands generated in the file
/bin/bash listofall

Re: How to manually delete an entry from the Connections Table

taladrovs — Mon, 22 Apr 2019 17:52:19 GMT

Hi,

Great post!

I tried to use this on R80.20 version but it didn´t work. Can anyone knows if I have to change something in the script?

Thanks a lot.

Re: How to manually delete an entry from the Connections Table

Duc_Nguyen_Anh — Mon, 10 Jun 2019 04:22:25 GMT

Greate !!

Many thank,

Re: How to manually delete an entry from the Connections Table

Brandon_Cotter — Fri, 31 Jan 2020 19:22:40 GMT

This really really saved the day for me today after SIP issues following a policy install (sk140112 "Traffic is dropped with error: "fw_handle_old_conn_recovery Reason: old packet rulebase drop"" for the Googlers). Thank you so much!

Re: How to manually delete an entry from the Connections Table

_Daniel_ — Tue, 21 Jul 2020 04:02:02 GMT

A wonderful post which saved us after changing a NAT rule to not to NAT but kept natting based on existing connections.

It was perfectly tested on R80.30

THANK you

Re: How to manually delete an entry from the Connections Table

Andrew_Rawlinso — Wed, 24 Feb 2021 17:32:39 GMT

Hi @Kaspars_Zibarts how would you go about using this including port numbers? We have a need to reset some connections coming in from particular source ports but leaving the other connections in place.

Re: How to manually delete an entry from the Connections Table

Kaspars_Zibarts — Thu, 25 Feb 2021 08:51:30 GMT

You can try this, seems to do the trick, I have highlighted the changed sections

IPA="x.x.x.x"; IPB="y.y.y.y"; SPORT="zzz"; DPORT="zzz"; SPORTHEX=`printf '%08x' ${SPORT}`; DPORTHEX=`printf '%08x' ${DPORT}`; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" table | grep "$IPBHEX" | grep "$SPORTHEX" | grep "$DPORTHEX" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}' |sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofall

Re: How to manually delete an entry from the Connections Table

Andrew_Rawlinso — Thu, 25 Feb 2021 11:18:50 GMT

Thank you for your quick response - we will give this a try. Really appreciate the help.

Re: How to manually delete an entry from the Connections Table

Lukas_Sosnovec — Fri, 04 Feb 2022 12:51:03 GMT

Hi Brandon,

I am facing the same problem, after policy install SIP VoIP streams is dropped on old packer rulebase drop, although the newly installed policy allows it. Deleting the connections from the fw table resolves the issue, so does rebooting the VoIP gateways. It seems that the old SIP sessions which can be active for a long time are somehow disrupted after policy install so the firewall 'forgets' corresponding UDP ports for VoIP data stream and I have to force the SIP session to be initiated again.

This happens only sometimes, I didn't figure the conditions yet.

Did you make any progress with this issue?

Re: How to manually delete an entry from the Connections Table

Kaspars_Zibarts — Fri, 04 Feb 2022 13:10:36 GMT

Hi Lukas - it's not really relevant to the topic here 🙂 best would we to start a new thread.

But my two cents: check the settings on connectivity persistence

Re: How to manually delete an entry from the Connections Table

Lukas_Sosnovec — Fri, 04 Feb 2022 13:32:29 GMT

Hi Kaspar, I tried it already and it seem to help. But from the security view this can be considered just as a w/a...

Thanks for your point, i will no longer spam here and create a new thread.

Re: How to manually delete an entry from the Connections Table

akhhc — Fri, 01 Apr 2022 18:53:20 GMT

Here's how to clear sessions on Check Point Maestro. I was only concerned with traffic between IPA and IPB, no matter what port is was on, so I removed that part of your script.

# let's work in the temp directory cd /var/log/tmp # collect the tables from all SGMs in Maestro cluster, save to a file called 'table' g_fw tab -t connections -u > table # filter for IP addresses we wish to clear, format the command, save to a file called 'listofall' IPA="10.1.1.1"; IPB="10.2.2.2"; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" table | grep "$IPBHEX" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}' |sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofall # copy command file to all SGMs asg_cp2blades /var/log/tmp/listofall # run script on all SGMs g_all bash /var/log/tmp/listofall # you will get errors for 'not found in table connections' these can be ignored.

Re: How to manually delete an entry from the Connections Table

cosmos — Wed, 08 Mar 2023 01:01:34 GMT

Going through my bit buckets of useful Check Point stuff, here's a version I wrote that validates the input and asks before deleting.

#!/bin/bash # # Check Point Firewall Connection Killer # # Version 0.02 # # Changelog # v0.01 # First release # v0.02 # Added valid_ip # # # Based on the post at https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/How-to-manually-delete-an-entry-from-the-Connections-Table/td-p/13122 # # It's crude and uses temporary files instead of stored arrays, could do with a fair bit of improvement BUT IT WORKS. # # Limited to IP's for now... conn table format at https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65133 # for whoever wants to nail it down to ports. # # Credits: Kaspars_Zibarts https://community.checkpoint.com/t5/user/viewprofilepage/user-id/11456 # MKIT_NMG https://community.checkpoint.com/t5/user/viewprofilepage/user-id/4907 # Mitch Frazier for valid_ip https://www.linuxjournal.com/content/validating-ip-address-bash-script echo "Check Point Firewall Connection Killer" # fns display_usage() { echo -e "\nPlease ensure you are in the correct VS" echo -e "\nUsage:\ncpfck IP1 IP2\n" } valid_ip() { local ip=$1 local stat=1 if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then OIFS=$IFS IFS='.' ip=($ip) IFS=$OIFS [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \ && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]] stat=$? fi return $stat } # usage if [ $# -le 1 ] then display_usage exit 1 fi if [[ ( $# == "--help") || $# == "-h" ]] then display_usage exit 0 fi #Read input for IPA & IPB values and test IPA=$1 IPB=$2 #IP Test for IP in "$@" do if ! valid_ip $IP then echo -e "\nBad IP: $IP! Please correct and try again." display_usage exit 1 fi done #The Decimal to Hex conversion IPAHEX=$(printf '%02x' ${IPA//./ }) IPBHEX=$(printf '%02x' ${IPB//./ }) echo Checking connection table for VS $vsname... echo # dump connection table, do stuff fw tab -t connections -u | grep "$IPAHEX" | grep "$IPBHEX" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofall #Execute commands generated in the file echo -e "\nThe following connections were found in the connection table:" echo cat listofall echo "do you wish to delete them?" select yn in "Yes" "No"; do case $yn in Yes ) echo ; echo "deleting connections..."; /bin/bash listofall; echo "the specified connections were deleted"; break;; No ) echo "no connections were deleted"; exit;; esac done

Re: How to manually delete an entry from the Connections Table

cosmos — Wed, 08 Mar 2023 01:03:56 GMT

Aaaand for those out there still upgrading your SMS/MDS from R77.30 who have just implemented the new DHCP services, this one's for you,

#!/bin/bash # # Check Point Firewall DHCP Connection Killer # # Version 0.01 # # Tired of your DHCP traffic dropped by fw_conn_post_inspect Reason: Handler 'dhcp_request_code' drop? # # This script does one thing: queries the connection table for DHCP _requests_ (dest port:67 protocol: UDP) and kills them, if you allow it # # Developed for using the new dhcp_request and dhcp_reply services in a policy - see sk104114 # https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104114 CPPROFILE_PATH=tmp/.CPprofile.sh . $CPDIR/$CPPROFILE_PATH; echo "Check Point Firewall DHCP Connection Killer" echo echo Checking connection table for DHCP traffic on VS ${vsname}... # dump connection table, do stuff fw tab -t connections -u | grep "00000043, 00000011" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofall # do same for dhcp replies, if necessary # fw tab -t connections -u | grep "00000044, 00000011" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' >> listofall #Execute commands generated in the file echo -e "\nThe following DHCP connections were found in the connection table:" echo cat listofall echo "do you wish to delete them?" select yn in "Yes" "No"; do case $yn in Yes ) echo ; echo "deleting connections..."; /bin/bash listofall; echo "the specified connections were deleted"; break;; No ) echo "no connections were deleted"; exit;; esac done rm listofall

Re: How to manually delete an entry from the Connections Table

Kaspars_Zibarts — Wed, 08 Mar 2023 08:09:08 GMT

wow! its still alive after 5 years! haha

Re: How to manually delete an entry from the Connections Table

yura_k — Fri, 07 Jun 2024 08:22:02 GMT

Colleagues, please help me to adapt this wonderful one-liner to solve the task of removing all UDP connections from the connection table.

I'm currently using fw ctl conntab -proto=17 -x , but perhaps there are more elegant options. We found that if ISP Redundancy is enabled, TCP sessions are reset when the ISP fails, but UDP sessions continue to be translated according to the old NAT rules until they are manually removed from the connection table or by timeout.