This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2020-06-24 12:19 AM

NAT table (fwx_alloc) specific NAT IP address analyses

This is a child of my other script

https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/NAT-table-fwx-alloc-top-users/m-p...

purely born for purpose of monitoring IP pool usage for our O365 NATs. 

Idea is that you can display NAT stats for specific IPs instead of just top users like in my first script

Below is a partial screenshot for list o 16 NAT IPs:

image.png

Just update line inputIPs="1.2.3.4 5.6.7.8" with your own IPs separated by space

And switch to correct VSX context if you are using VSX

 

#!/bin/bash
source /opt/CPsuite-R80.30/fw1/scripts/vsenv.sh

# Script to interpret fwx_alloc table top users
# Only interpreting rows that start with TCP or UDP <00000006 or <00000011
# For VSX set to correct environment manually
# NAT pool does not take into considertaion dst port as per SK156852

inputIPs="1.2.3.4 5.6.7.8"

topcount=4  # Set how many top users to display
redthreshold=40000  # Highlight to show high usage
RED='\033[0;31m'
GRN='\033[0;32m'
CYN='\033[0;36m'
NC='\033[0m' # No Color

fw tab -t fwx_alloc -u > nat_table.raw

echo -e "${GRN}"
echo -e "==== TOTOAL COUNT PER IP ====${NC}"
echo -e "------------------------------"
for inputIP in ${inputIPs[@]}; do

  # Get top NAT IPs
  inputIPhex=`printf '%02x' ${inputIP//./ }; echo`
  count=`cat nat_table.raw | sed 's/[><,;]//g' | egrep "^00000006|^00000011" | grep $inputIPhex | wc -l`
  while [ ${#inputIP} -lt 20 ]; do inputIP="$inputIP "; done
  echo -e "  $inputIP $count"

done
echo; echo


for inputIP in ${inputIPs[@]}; do

  echo -e "${GRN}"
  echo -e "==== $inputIP DETAILS ====${NC}"
  echo -e "------------------------------"
  inputIPhex=`printf '%02x' ${inputIP//./ }; echo`

  # Get top destination IPs
  echo -e "   TOP DST IP ADDRESSES"
  echo -e "   ------------------------------"
  cat nat_table.raw | sed 's/[><,;]//g' | egrep "^00000006|^00000011" | grep $inputIPhex | awk '{print $4}' | sort | uniq -c | sort -r | head -$topcount | while read line; do

    count=`echo "$line" | awk '{print $1}'`
    ipaddr=`printf '%d.%d.%d.%d\n' $(echo $line | awk '{print $2}' | sed 's/../0x& /g')`
    while [ ${#ipaddr} -lt 20 ]; do ipaddr="$ipaddr "; done
    echo "     $ipaddr $count"
  done
  echo

  # Get top destination IPs
  echo -e "   TOP SRC IP ADDRESSES"
  echo -e "   ------------------------------"
  cat nat_table.raw | sed 's/[><,;]//g' | egrep "^00000006|^00000011" | grep $inputIPhex | awk '{print $5}' | sort | uniq -c | sort -r | head -$topcount | while read line; do

    count=`echo "$line" | awk '{print $1}'`
    ipaddr=`printf '%d.%d.%d.%d\n' $(echo $line | awk '{print $2}' | sed 's/../0x& /g')`
    while [ ${#ipaddr} -lt 20 ]; do ipaddr="$ipaddr "; done
    echo "     $ipaddr $count"
  done
  echo

done

 

 

0 Kudos
4 Replies
Danny
MVP Platinum
MVP Platinum
‎2020-06-24 01:12 AM

Cool. Thanks Kaspars!

I suggest changing the env sourcing to:

source /etc/profile.d/CP.sh
if [[ -e /etc/profile.d/vsenv.sh ]]; then
    source /etc/profile.d/vsenv.sh
fi
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2020-06-24 02:02 AM
In response to Danny

Thanks Danny!
0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2020-10-08 07:21 AM
In response to Kaspars_Zibarts

Adding per core version:

 

2020-10-08_16-17-54.jpg

 

#!/bin/bash
source /etc/profile.d/CP.sh
if [[ -e /etc/profile.d/vsenv.sh ]]; then
    source /etc/profile.d/vsenv.sh
fi

RED='\033[0;31m'
GRN='\033[0;32m'
CYN='\033[0;36m'
NC='\033[0m' # No Color

vsenv 6   # For VS on VSX
topcount=3  # Set pools to show

corexlcount=`fw ctl multik stat | wc -l`
let corexlcount=corexlcount-2

i=0
while [ $i -lt $corexlcount ]; do
  totalcount=`wc -l nat_table.raw | awk '{print $1}'`
  echo -e "${GRN}"
  echo -e "=== Core-$i Total count: $totalcount ===${NC}"
  echo -e "-----------------------------------------------"

  fw -i $i tab -t fwx_alloc -u > nat_table.raw

  cat nat_table.raw | sed 's/[><,;]//g' | egrep "^00000006|^00000011" | awk '{print $1" "$2" "$4}' | sort -k1 -k2 -k3 | uniq -c |  sort -r | head -$topcount | while read line; do

    count=`echo "$line" | awk '{print $1}'`
    if [ $count -gt 8200 ]; then count="${RED}${count}"; fi

    proto="TCP"
    if [ `echo $line | awk '{print $2}' | grep -c "00000006"` -eq 0 ]; then proto="UDP"; fi


    natIPhex=`echo $line | awk '{print $3}'`
    dstIPhex=`echo $line | awk '{print $4}'`
    natIP=`printf '%d.%d.%d.%d\n' $(echo $line | awk '{print $3}' | sed 's/../0x& /g')`
    dstIP=`printf '%d.%d.%d.%d\n' $(echo $line | awk '{print $4}' | sed 's/../0x& /g')`
    while [ ${#natIP} -lt 15 ]; do natIP="$natIP "; done
    while [ ${#dstIP} -lt 15 ]; do dstIP="$dstIP "; done
    echo -e "${CYN}  $proto $natIP > $dstIP  : $count${NC}"
  done
  let i++
  echo
done
Danny
MVP Platinum
MVP Platinum
‎2020-10-08 07:23 AM
In response to Kaspars_Zibarts

+1 Kaspars for Champion! 👍

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events