How to determine top talker host IP

Want to determine top talker host in checkpoint via cli. Any idea how?

OS: IPSO Kernel Ver. 4.2

1 Solution

Accepted Solutions

Re: How to determine top talker host IP

Source IP Top 10

fwaccel conns | awk '{print $1}' | sort | uniq -c | sort -n -r | head -n 10

Destination IP Top 10

fwaccel conns | awk '{print $3}' | sort | uniq -c | sort -n -r | head -n 10
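
Added example, not part of the original posts: a shell function that does the same per-column count as the two one-liners above, but tallies a field only when it parses as an IPv4 address, so header, separator or summary lines in the listing are not counted as hosts. The function names, the sample rows and their column layout are constructed for illustration; on the gateway the listing would be piped in instead, as in `fwaccel conns | top_talkers 1`.

```shell
#!/bin/sh
# top_talkers COLUMN [N]: read a connection listing on stdin and print the N
# most frequent IPv4 addresses found in whitespace-separated field COLUMN
# (1 = source, 3 = destination in the pipelines above). Default N is 10.
top_talkers() {
    col=$1
    n=${2:-10}
    awk -v col="$col" '
        # Accept only dotted-quad values with each octet in 0..255, so that
        # header, separator and summary lines are never counted as hosts.
        function is_ipv4(s,    parts, i) {
            if (split(s, parts, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (parts[i] !~ /^[0-9][0-9]?[0-9]?$/ || parts[i] + 0 > 255)
                    return 0
            return 1
        }
        is_ipv4($col) { count[$col]++ }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2 | head -n "$n"
}

# Constructed sample; the column layout is an assumption, not captured output.
sample_conns() {
    cat <<'EOF'
Source          SPort Destination     DPort PR
--------------- ----- --------------- ----- --
10.1.1.20       40112 192.0.2.10        443  6
10.1.1.20       40113 192.0.2.10        443  6
10.1.1.20       40114 198.51.100.7       53 17
10.1.1.35       51000 192.0.2.10        443  6
10.1.1.35       51001 203.0.113.9        22  6
10.1.1.77       33333 192.0.2.10         80  6

Total number of connections: 6
EOF
}

sample_conns | top_talkers 1 5   # top sources in the sample
sample_conns | top_talkers 3 5   # top destinations in the sample
```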

 

6 Replies

Re: How to determine top talker host IP

Assuming SecureXL (flows) is enabled, you should be able to use the Top Talkers script by @Craig_Dods, not sure if it will work on IPSO but worth a try:

http://expert-mode.blogspot.com/2013/05/checkpoint-top-talkers-script-display.html

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Admin
Admin

Re: How to determine top talker host IP

IPSO 4.2 implies you're running R65 or earlier, which hasn't been supported for quite a while. Pretty sure there is no facility for this in those releases. You might be able to write a script to parse the connections table to see who the top talker is "right now."

SmartView Monitor may be an option assuming you have a license for it and it runs on IPSO (don't remember if it's supported or not). Otherwise, you'd have to parse the logs to figure this out.

Re: How to determine top talker host IP

You can also use "fw tab -t connections -u -f" and change the parameter for the "print $x" command.

Re: How to determine top talker host IP

Appreciate it! Thanks

Bryce_Myers
Nickel

Re: How to determine top talker host IP

You can use Smartview Monitor from the CLI with rtm monitor.

For example:

# rtm monitor -k src -v wb sort=top -i 60

Will give you an output every 60 seconds of top source addresses.