Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

Interpreting the output of fwaccel conns table

I'm struggling to find documentation on interpreting the output of the fwaccel conns table. Src and dst IP addresses and ports are obviously self-explanatory but the rest are not as clear.

Is there any documentation I could be directed to? 

Thanks in advance.

12 Replies
Champion
Champion

Explorer

Hi Nick

Hope you are well chap. Just stumbled across your post while looking for the same thing 🙂

Does this help:

[Expert@LAB-R80-FW1:0]# fwaccel conns ?
Usage: fwaccel conns <options>

Options:
-m <max entries> - max number of entries to print
-f <filter> - print only entries matching the filter
-s - print only number of connections
-h - this help message

Filter (one or more of the below flags):
F/f - forwarded to firewall/cut-through
U/u - unidirectional/bidirectional
N/n - entries with/without NAT
A/a - accounted/not accounted
C/c - encrypted/not encrypted
S/s - pxl enabled/disabled
Q/q - qos enabled/disabled
H/h - offloaded to SAM hardware/created in SAM hardware
L/l - link/not link

[Expert@LAB-R80-FW1:0]#
Collaborator

Hello Checkmates

 

iam also curious about this values and codes .. .furthermore to bring all my traffic to Accelerated Path, not just PXL.

i have seen this:

10.1.14.39 50038 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.22.20 50076 6 ...AC..S...... 1/8 8/1 0 0
10.1.20.103 50077 10.1.100.100 55559 6 ......P....... -/- -/- 2 0
10.1.100.100 55559 10.1.24.1 62061 6 ...AC..S...... 1/8 8/1 2 0
10.1.100.100 55559 10.1.3.65 49161 6 ...AC..S...... 1/8 8/1 1 0
10.1.14.63 50266 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 2 0
10.1.100.100 55559 10.1.22.23 50067 6 ...AC..S...... 1/8 8/1 1 0

what does ......P....... stand for?

what are the number at the end?

i have excluded the TCP Port 55559 from any IPS inspection in the hope have it at Accelerated Path ... but it still all at PXL ...
honestly i dont know what kind of traffic is inside TCP/55559, it must be some kind of database traffic.

any idea what P is ... and how does Accelerated Path woul look like?


 

best regards
Thomas.

Collaborator

Hello, 

 

update to my question:

 

......P....... will most likey stand for a dropped/failed/ connection 

[Expert@SDAZFW01(active)]# fwaccel conns | grep 10.1.20.103
10.1.20.103 50077 10.1.100.100 55559 6 ......P....... -/- -/- 2 0
10.1.20.103 50082 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.20.103 50082 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.20.103 50077 6 ......P....... -/- -/- 2 0

just saw it in the logs

....P.....png

so my qustion is ...AC..S...... just PXL or Accelerated Path?

Champion
Champion

P indicates the connection is "partial", which means it exists in the Firewall Worker connections state table but not in the SecureXL connections table.  This can happen if a connection already existed when a state change occurred in SecureXL (disabled then enabled, or if other SecureXL features like NAT Templates or Drop Templates had their configuration changed).  This is normal and just keeps SecureXL from accidentally dropping those packets, to ensure they reach a Firewall Worker for correct handling; obviously that traffic will not be fully accelerated by SecureXL.

Fully accelerated traffic will normally have no flags set, but A (Accounting), N (NAT), and C (encrypted) may appear depending on the connection attributes and it will still be fully accelerated.  Generally speaking the presence of any flags other than these three indicates the connection is not fully accelerated and being handled on a Firewall Worker in the PXL/F2F/QXL paths.  So your "...AC..S......" connections are Medium Path (PXL). I don't know what the numbers mean at the end of the line.

You said "I have excluded the TCP Port 55559 from any IPS inspection".  If you used an IPS/TP exception to do this it will have no effect on acceleration status; an exception simply changes the decision rendered after inspection.  You need to use what I call a "null profile" to make that traffic eligible to be fully accelerated, in your TP policy create a rule matching the 55559 traffic and match it to a TP profile action that has IPS completely unchecked.  Even if you do so, there may still be some other blade keeping the traffic from being fully accelerated depending on your configuration.

Dependent on the minor version of your gateway and Jumbo HFA level you may also be able to force the 55559 traffic to be fully accelerated with the "fast_accel" directive, but this option should be exercised with caution.

 

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Reply
Explorer

Hi Timothy,

Thank you for your explanation.

In this example in attachement, what does the F.N flag means ?

N for NAT that's OK, but F for Firewall ?

 

 

0 Kudos
Reply
Champion
Champion

Yes, the "F" flag means Firewall/F2F path.  You can run fwaccel conns -h to see all the possible flags, or see here: sk31404: How to Debug SecureXL.

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Reply
Explorer

I ran fwaccel conns -h but I didn't see the flags before I posted my question.

Despite this, thank you.

0 Kudos
Reply

CUT>>>
...AC..S...... 1/8 8/1 0 0
<<<CUT

A       = Shows accounted connections (for which SecureXL counted the number of packets and bytes).
C       = Shows encrypted (VPN) connections.
S       = Shows connections that undergo PXL.

1/8    =  Client to Server interface index 1 in and 8 out
8/1    =  Server to Client interface index 8 in and 1 out
0        =  Instance
0        =  Identity

Available filter flags are:

A - Shows accounted connections (for which SecureXL counted the number of packets and bytes).
a - Shows not accounted connections.
C - Shows encrypted (VPN) connections.
c - Shows clear-text (not encrypted) connections.
F - Shows connections that SecureXL forwarded to Firewall.
Note - In R80.30/R80.40, SecureXL does not support this parameter.
f - Shows cut-through connections (which SecureXL accelerated).
Note - In R80.30/R80.40, SecureXL does not support this parameter.
H - Shows connections offloaded to the SAM card.
Note - R80.30/R80.40, does not support the SAM card (Known Limitation PMTR-18774).
h - Shows connections created in the SAM card.
Note - R80.30/R80.40, does not support the SAM card (Known Limitation PMTR-18774).
L - Shows connections, for which SecureXL created internal links.
l - Shows connections, for which SecureXL did not create internal links.
N - Shows connections that undergo NAT.
Note - In R80.30/R80.40, SecureXL does not support this parameter.
n - Shows connections that do not undergo NAT.
Note - In R80.30/R80.40, SecureXL does not support this parameter.
Q - Shows connections that undergo QoS.
q - Shows connections that do not undergo QoS.
S - Shows connections that undergo PXL.
s - Shows connections that do not undergo PXL.
U - Shows unidirectional connections.
u - Shows bidirectional connections.
P - Shows partial
p - Shows not partial

0 Kudos
Reply

Hi @Thomas_Eichelbu,

to your question:

P - Shows partial
p - Shows not partial

0 Kudos
Reply
Contributor

One thing that is no explained in the documentation is that the C2S i/f and S2C i/f are the interfaces where the packet is received and then transmited by the firewall, in the Client to Server and Server to Client directions. In the end of the list of connections appears another table, mapping the interfaces and the ids associated to each one. For example:

Idx    Interface

0        lo

1        eth0

2        eth1

 

did you report within SK feedback option?
0 Kudos
Reply