Kaspars_Zibarts
Employee

NAT table (fwx_alloc) specific NAT IP address analyses

This is a child of my other script

https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/NAT-table-fwx-alloc-top-users/m-p...

purely born for the purpose of monitoring IP pool usage for our O365 NATs.

The idea is that you can display NAT stats for specific IPs instead of just top users like in my first script.

Below is a partial screenshot for a list of 16 NAT IPs:

image.png

Just update line inputIPs="1.2.3.4 5.6.7.8" with your own IPs separated by space

And switch to correct VSX context if you are using VSX

 

#!/bin/bash
source /opt/CPsuite-R80.30/fw1/scripts/vsenv.sh

# Script to interpret fwx_alloc table top users
# Only interpreting rows that start with TCP or UDP <00000006 or <00000011
# For VSX set to correct environment manually
# NAT pool does not take into consideration dst port as per SK156852

inputIPs="1.2.3.4 5.6.7.8"

topcount=4  # Set how many top users to display
redthreshold=40000  # Highlight to show high usage
RED='\033[0;31m'
GRN='\033[0;32m'
CYN='\033[0;36m'
NC='\033[0m' # No Color

fw tab -t fwx_alloc -u > nat_table.raw

echo -e "${GRN}"
echo -e "==== TOTAL COUNT PER IP ====${NC}"
echo -e "------------------------------"
for inputIP in ${inputIPs[@]}; do

  # Get top NAT IPs
  inputIPhex=`printf '%02x' ${inputIP//./ }; echo`
  count=`cat nat_table.raw | sed 's/[><,;]//g' | egrep "^00000006|^00000011" | grep $inputIPhex | wc -l`
  while [ ${#inputIP} -lt 20 ]; do inputIP="$inputIP "; done
  echo -e "  $inputIP $count"

done
echo; echo


for inputIP in ${inputIPs[@]}; do

  echo -e "${GRN}"
  echo -e "==== $inputIP DETAILS ====${NC}"
  echo -e "------------------------------"
  inputIPhex=`printf '%02x' ${inputIP//./ }; echo`

  # Get top destination IPs
  echo -e "   TOP DST IP ADDRESSES"
  echo -e "   ------------------------------"
  cat nat_table.raw | sed 's/[><,;]//g' | egrep "^00000006|^00000011" | grep $inputIPhex | awk '{print $4}' | sort | uniq -c | sort -rn | head -$topcount | while read line; do

    count=`echo "$line" | awk '{print $1}'`
    ipaddr=`printf '%d.%d.%d.%d\n' $(echo $line | awk '{print $2}' | sed 's/../0x& /g')`
    while [ ${#ipaddr} -lt 20 ]; do ipaddr="$ipaddr "; done
    echo "     $ipaddr $count"
  done
  echo

  # Get top source IPs
  echo -e "   TOP SRC IP ADDRESSES"
  echo -e "   ------------------------------"
  cat nat_table.raw | sed 's/[><,;]//g' | egrep "^00000006|^00000011" | grep $inputIPhex | awk '{print $5}' | sort | uniq -c | sort -rn | head -$topcount | while read line; do

    count=`echo "$line" | awk '{print $1}'`
    ipaddr=`printf '%d.%d.%d.%d\n' $(echo $line | awk '{print $2}' | sed 's/../0x& /g')`
    while [ ${#ipaddr} -lt 20 ]; do ipaddr="$ipaddr "; done
    echo "     $ipaddr $count"
  done
  echo

done

 

 

0 Kudos
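
Added example, not part of the original posts: the per-IP count from the first script, redone with an exact match on the NAT IP column so that a row carrying the same address only as its destination is not counted. The column positions are assumed from the awk fields the scripts in this thread read, and the sample rows are constructed.

```shell
#!/bin/bash
# Added example, not part of the original scripts in this thread.
# Assumed column layout (taken from the awk fields the scripts read) after
# stripping "<>,;": $1 = protocol, $2 = NAT IP, $4 = dst IP, $5 = src IP.

ip_to_hex() {   # 1.2.3.4 -> 01020304
  printf '%02x%02x%02x%02x\n' $(echo "$1" | tr '.' ' ')
}

hex_to_ip() {   # 01020304 -> 1.2.3.4
  printf '%d.%d.%d.%d\n' $(echo "$1" | sed 's/../0x& /g')
}

# nat_ip_counts FILE IP... : print "IP COUNT" for each requested NAT IP.
# Only TCP/UDP rows are counted, and only when column 2 equals the IP exactly,
# so a row that merely has the same address as its destination is not counted.
nat_ip_counts() (
  file=$1; shift
  want=""
  for ip in "$@"; do want="$want $(ip_to_hex "$ip")"; done
  tr -d '<>,;' < "$file" | awk -v want="$want" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) cnt[w[i]] = 0 }
    ($1 == "00000006" || $1 == "00000011") && ($2 in cnt) { cnt[$2]++ }
    END { for (i = 1; i <= n; i++) print w[i], cnt[w[i]] }' |
  while read -r hex count; do
    echo "$(hex_to_ip "$hex") $count"
  done
)

# Constructed sample rows (not real gateway output).
write_sample() {
  cat > "$1" <<'EOF'
<00000006, 01020304, 00002710; 0d6b0612, 0a000005>
<00000006, 01020304, 00002711; 0d6b0612, 0a000006>
<00000011, 01020304, 00002712; 08080808, 0a000005>
<00000006, 05060708, 00002710; 01020304, 0a000007>
<00000001, 01020304, 00000000; 08080808, 0a000005>
EOF
}

sample=$(mktemp)
write_sample "$sample"
nat_ip_counts "$sample" 1.2.3.4 5.6.7.8 9.9.9.9
rm -f "$sample"
```

With the constructed rows, 1.2.3.4 is counted 3 times; matching the hex string anywhere in the row would report 4.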
4 Replies
Danny
Champion

Cool. Thanks Kaspars!

I suggest changing the env sourcing to:

source /etc/profile.d/CP.sh
if [[ -e /etc/profile.d/vsenv.sh ]]; then
    source /etc/profile.d/vsenv.sh
fi
Kaspars_Zibarts
Employee

Thanks Danny!
0 Kudos
Kaspars_Zibarts
Employee

Adding per core version:

 

2020-10-08_16-17-54.jpg

 

#!/bin/bash
source /etc/profile.d/CP.sh
if [[ -e /etc/profile.d/vsenv.sh ]]; then
    source /etc/profile.d/vsenv.sh
fi

RED='\033[0;31m'
GRN='\033[0;32m'
CYN='\033[0;36m'
NC='\033[0m' # No Color

vsenv 6   # For VS on VSX
topcount=3  # Set pools to show

corexlcount=`fw ctl multik stat | wc -l`
let corexlcount=corexlcount-2

i=0
while [ $i -lt $corexlcount ]; do
  # Dump this core's table first so the total below belongs to core $i
  fw -i $i tab -t fwx_alloc -u > nat_table.raw
  totalcount=`wc -l nat_table.raw | awk '{print $1}'`
  echo -e "${GRN}"
  echo -e "=== Core-$i Total count: $totalcount ===${NC}"
  echo -e "-----------------------------------------------"

  cat nat_table.raw | sed 's/[><,;]//g' | egrep "^00000006|^00000011" | awk '{print $1" "$2" "$4}' | sort -k1 -k2 -k3 | uniq -c | sort -rn | head -$topcount | while read line; do

    count=`echo "$line" | awk '{print $1}'`
    if [ $count -gt 8200 ]; then count="${RED}${count}"; fi

    proto="TCP"
    if [ `echo $line | awk '{print $2}' | grep -c "00000006"` -eq 0 ]; then proto="UDP"; fi


    natIPhex=`echo $line | awk '{print $3}'`
    dstIPhex=`echo $line | awk '{print $4}'`
    natIP=`printf '%d.%d.%d.%d\n' $(echo $line | awk '{print $3}' | sed 's/../0x& /g')`
    dstIP=`printf '%d.%d.%d.%d\n' $(echo $line | awk '{print $4}' | sed 's/../0x& /g')`
    while [ ${#natIP} -lt 15 ]; do natIP="$natIP "; done
    while [ ${#dstIP} -lt 15 ]; do dstIP="$dstIP "; done
    echo -e "${CYN}  $proto $natIP > $dstIP  : $count${NC}"
  done
  let i++
  echo
done
Danny
Champion

+1 Kaspars for Champion! 👍
