https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71652#M14517 <P>Hello everyone,</P><P>Is there a way listing&nbsp;TCP services with non-default tcp idle timout?</P><P>We must to put another non checkpoint firewall before the main cluster, and we need to know which tcp services has configured specific virtual session timout.</P><P>many thanks,</P><P>norbert</P> Mon, 06 Jan 2020 11:42:39 GMT Norbert_Papirny 2020-01-06T11:42:39Z https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71652#M14517 <P>Hello everyone,</P><P>Is there a way listing&nbsp;TCP services with non-default tcp idle timout?</P><P>We must to put another non checkpoint firewall before the main cluster, and we need to know which tcp services has configured specific virtual session timout.</P><P>many thanks,</P><P>norbert</P> Mon, 06 Jan 2020 11:42:39 GMT https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71652#M14517 Norbert_Papirny 2020-01-06T11:42:39Z https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71659#M14520 <P>(Had to delete my original reply as it was erroneous)</P> <P>Okay, so we have two different cases:</P> <P>&nbsp;</P> <P>1. Timeouts are lower than global settings, .ie. aggressive aging. Should not be problematic and does not need extraction.</P> <P>2. Timeouts are higher than global. That only happens if you modify the service manually. I did not find an option to query those parameter on per service basis, but there is a way:</P> <UL> <LI>find all services that were modified from default. Open object explorer and sort by "Modifier". Anything non-default will show with particular user names instead of "system"</LI> <LI>Manually go over advanced to see which modifications were affecting&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2020-01-06 at 14.09.11.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/3927i3E23EACF4597A293/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2020-01-06 at 14.09.11.png" alt="Screenshot 2020-01-06 at 14.09.11.png" /></span></LI> </UL> <P>&nbsp;</P> <P>If I find a better way, I will let you know</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 06 Jan 2020 13:12:40 GMT https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71659#M14520 _Val_ 2020-01-06T13:12:40Z https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71662#M14522 <P>You can also dump all TCP services into a file with dbedit command something like:</P> <PRE class="p1"><SPAN class="s1">echo -e "query services, type='tcp' \n-q\n" | dbedit -local &gt; tcp.txt&nbsp;</SPAN></PRE> <P class="p1"><SPAN class="s1">and then search there. Or event extend command to a script comparing default and actual timeout for each server.</SPAN></P> Mon, 06 Jan 2020 13:38:08 GMT https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71662#M14522 _Val_ 2020-01-06T13:38:08Z https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71681#M14524 <P>The third and last option is to get TCP services though API:</P> <PRE class="p1"><SPAN class="s1">mgmt_cli -r true show-services-tcp details-level full</SPAN></PRE> <P class="p1"><SPAN class="s1">and then run it through analysis, comparing default and actual timeout on all services.</SPAN></P> Tue, 07 Jan 2020 09:10:08 GMT https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71681#M14524 _Val_ 2020-01-07T09:10:08Z https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71688#M14527 <P>To follow-up on <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181">@_Val_</a>'s responses, there are two different settings within a TCP service object that might be beneficial in your search. The <EM>"<STRONG>use-default-session-timeout</STRONG>" </EM>and<EM>"<STRONG>session-timeout</STRONG>"</EM>&nbsp;parameters can be used with with a select statement with&nbsp;<EM>jq</EM> in order to filter the service objects.&nbsp;</P> <PRE><STRONG>[admin@vMgmt01]#</STRONG> mgmt_cli -s session show services-tcp details-level full -f json limit 500 | <STRONG>jq -r '.objects[]| select(."use-default-session-timeout"==false</STRONG>)|.name'<BR /><EM>http_test1</EM><BR /><EM>http_test2<BR /></EM><BR /><STRONG>[admin@vMgmt01]#</STRONG> mgmt_cli -s session show services-tcp details-level full -f json limit 500 | <STRONG>jq -r '.objects[]| select(."session-timeout"&lt;3600</STRONG>)|.name'<BR /><EM>http_test1</EM><BR /><EM>icap</EM><BR /><EM>IKE_NAT_TRAVERSAL_TCP</EM><BR /><EM>...</EM><BR /><STRONG>[admin@vMgmt01]#</STRONG> mgmt_cli -s session show services-tcp details-level full -f json limit 500 | <STRONG>jq -r '.objects[]| select(."session-timeout"&gt;3600</STRONG>)|.name'<BR /><EM>http_test</EM></PRE> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 06 Jan 2020 17:46:42 GMT https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71688#M14527 masher 2020-01-06T17:46:42Z https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71725#M14533 Hi,<BR />thank for your your replies!<BR />I used "details-level" instead of "default-level" and its worked! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR /> Tue, 07 Jan 2020 08:48:45 GMT https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71725#M14533 Norbert_Papirny 2020-01-07T08:48:45Z https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71729#M14535 <P>uh, it was a typo. fixed</P> Tue, 07 Jan 2020 09:10:34 GMT https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71729#M14535 _Val_ 2020-01-07T09:10:34Z https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71832#M14558 <P>I tried to run the command, but I always get this error:</P><P>[Expert@xxxxxx:0]# mgmt_cli show services-tcp details-level full -f json limit 5 | jq -r '.objects[]| select(."session-timeout"&gt;3600)|.name'</P><P><STRONG><SPAN>parse error: Invalid numeric literal at line 1, column 9</SPAN></STRONG></P><P>Do you have any idea what i am doing wrong?</P><P>Many thanks,</P><P>norbert</P> Wed, 08 Jan 2020 09:27:16 GMT https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71832#M14558 Norbert_Papirny 2020-01-08T09:27:16Z https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71833#M14559 <P>You need to add authentication. Either add user / password or "<SPAN class="s1">-r true" at the beginning of the command</SPAN></P> <P>&nbsp;</P> Wed, 08 Jan 2020 09:35:52 GMT https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71833#M14559 _Val_ 2020-01-08T09:35:52Z https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71837#M14560 yes, that was my fault, i forgot to put login information to the session file...<BR />"mgmt_cli login&gt;session"<BR /><BR />thanks a lot, everything is working now!<BR /><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Wed, 08 Jan 2020 10:09:29 GMT https://community.checkpoint.com/t5/General-Topics/How-to-listing-TCP-services-with-non-default-tcp-idle-timout/m-p/71837#M14560 Norbert_Papirny 2020-01-08T10:09:29Z