topic Re: NAT table (fwx_alloc) specific NAT IP address analyses in API / CLI Discussion

NAT table (fwx_alloc) specific NAT IP address analyses

Kaspars_Zibarts — Fri, 19 Feb 2021 09:20:13 GMT

This is a child of my other script

https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/NAT-table-fwx-alloc-top-users/m-p/87260#M4936

purely born for purpose of monitoring IP pool usage for our O365 NATs.

Idea is that you can display NAT stats for specific IPs instead of just top users like in my first script

Below is a partial screenshot for list o 16 NAT IPs:

Just update line inputIPs="1.2.3.4 5.6.7.8" with your own IPs separated by space

And switch to correct VSX context if you are using VSX

#!/bin/bash source /opt/CPsuite-R80.30/fw1/scripts/vsenv.sh # Script to interpret fwx_alloc table top users # Only interpreting rows that start with TCP or UDP <00000006 or <00000011 # For VSX set to correct environment manually # NAT pool does not take into considertaion dst port as per SK156852 inputIPs="1.2.3.4 5.6.7.8" topcount=4 # Set how many top users to display redthreshold=40000 # Highlight to show high usage RED='\033[0;31m' GRN='\033[0;32m' CYN='\033[0;36m' NC='\033[0m' # No Color fw tab -t fwx_alloc -u > nat_table.raw echo -e "${GRN}" echo -e "==== TOTOAL COUNT PER IP ====${NC}" echo -e "------------------------------" for inputIP in ${inputIPs[@]}; do # Get top NAT IPs inputIPhex=`printf '%02x' ${inputIP//./ }; echo` count=`cat nat_table.raw | sed 's/[><,;]//g' | egrep "^00000006|^00000011" | grep $inputIPhex | wc -l` while [ ${#inputIP} -lt 20 ]; do inputIP="$inputIP "; done echo -e " $inputIP $count" done echo; echo for inputIP in ${inputIPs[@]}; do echo -e "${GRN}" echo -e "==== $inputIP DETAILS ====${NC}" echo -e "------------------------------" inputIPhex=`printf '%02x' ${inputIP//./ }; echo` # Get top destination IPs echo -e " TOP DST IP ADDRESSES" echo -e " ------------------------------" cat nat_table.raw | sed 's/[><,;]//g' | egrep "^00000006|^00000011" | grep $inputIPhex | awk '{print $4}' | sort | uniq -c | sort -r | head -$topcount | while read line; do count=`echo "$line" | awk '{print $1}'` ipaddr=`printf '%d.%d.%d.%d\n' $(echo $line | awk '{print $2}' | sed 's/../0x& /g')` while [ ${#ipaddr} -lt 20 ]; do ipaddr="$ipaddr "; done echo " $ipaddr $count" done echo # Get top destination IPs echo -e " TOP SRC IP ADDRESSES" echo -e " ------------------------------" cat nat_table.raw | sed 's/[><,;]//g' | egrep "^00000006|^00000011" | grep $inputIPhex | awk '{print $5}' | sort | uniq -c | sort -r | head -$topcount | while read line; do count=`echo "$line" | awk '{print $1}'` ipaddr=`printf '%d.%d.%d.%d\n' $(echo $line | awk '{print $2}' | sed 's/../0x& /g')` while [ ${#ipaddr} -lt 20 ]; do ipaddr="$ipaddr "; done echo " $ipaddr $count" done echo done

Re: NAT table (fwx_alloc) specific NAT IP address analyses

Danny — Wed, 24 Jun 2020 08:12:18 GMT

Cool. Thanks Kaspars!

I suggest changing the env sourcing to:

source /etc/profile.d/CP.sh if [[ -e /etc/profile.d/vsenv.sh ]]; then source /etc/profile.d/vsenv.sh fi

Re: NAT table (fwx_alloc) specific NAT IP address analyses

Kaspars_Zibarts — Wed, 24 Jun 2020 09:02:30 GMT

Thanks Danny!

Re: NAT table (fwx_alloc) specific NAT IP address analyses

Kaspars_Zibarts — Thu, 08 Oct 2020 14:21:44 GMT

Adding per core version:

#!/bin/bash source /etc/profile.d/CP.sh if [[ -e /etc/profile.d/vsenv.sh ]]; then source /etc/profile.d/vsenv.sh fi RED='\033[0;31m' GRN='\033[0;32m' CYN='\033[0;36m' NC='\033[0m' # No Color vsenv 6 # For VS on VSX topcount=3 # Set pools to show corexlcount=`fw ctl multik stat | wc -l` let corexlcount=corexlcount-2 i=0 while [ $i -lt $corexlcount ]; do totalcount=`wc -l nat_table.raw | awk '{print $1}'` echo -e "${GRN}" echo -e "=== Core-$i Total count: $totalcount ===${NC}" echo -e "-----------------------------------------------" fw -i $i tab -t fwx_alloc -u > nat_table.raw cat nat_table.raw | sed 's/[><,;]//g' | egrep "^00000006|^00000011" | awk '{print $1" "$2" "$4}' | sort -k1 -k2 -k3 | uniq -c | sort -r | head -$topcount | while read line; do count=`echo "$line" | awk '{print $1}'` if [ $count -gt 8200 ]; then count="${RED}${count}"; fi proto="TCP" if [ `echo $line | awk '{print $2}' | grep -c "00000006"` -eq 0 ]; then proto="UDP"; fi natIPhex=`echo $line | awk '{print $3}'` dstIPhex=`echo $line | awk '{print $4}'` natIP=`printf '%d.%d.%d.%d\n' $(echo $line | awk '{print $3}' | sed 's/../0x& /g')` dstIP=`printf '%d.%d.%d.%d\n' $(echo $line | awk '{print $4}' | sed 's/../0x& /g')` while [ ${#natIP} -lt 15 ]; do natIP="$natIP "; done while [ ${#dstIP} -lt 15 ]; do dstIP="$dstIP "; done echo -e "${CYN} $proto $natIP > $dstIP : $count${NC}" done let i++ echo done

Re: NAT table (fwx_alloc) specific NAT IP address analyses

Danny — Thu, 08 Oct 2020 14:23:57 GMT

+1 Kaspars for Champion! 👍