Solved: Re: Adding an entry to the connections table

kamilazat · ‎2024-07-12

Hi all!

In the R81.20 CLI Reference Guide, under fw tab section it shows this:

-a -e "<Entry>"

Adds the specified entry to the specified kernel table.

If a kernel table has the expire attribute, when you add an entry with the "-a -e <Entry>" parameter, the new entry gets the default table timeout.

You can use this parameter only on the local Security Gateway.

Warning - If you add a wrong entry, you can make your Security Gateway unresponsive.

I tried adding an entry in different formats in my lab, but every time the gateway became unresponsive (as warned). Now I have questions:

1. What is the 'right' entry that will not render the GW unresponsive? I used the 5-tuple format as stated in sk65133 to no avail.

2. Does connections table have an expire attribute? If yes where can I learn more about it?

Thanks as always!

PhoneBoy · ‎2024-07-16

Not that I’m aware of, unfortunately.
Some of these tables have changed with versions.

If this is something that happens with a specific connection regularly, you might want to exempt it from state checking instead.
This way, you don’t have to manually try and patch it into the connections table(s).
See: https://support.checkpoint.com/results/sk/sk11088

View solution in original post

the_rock · ‎2024-07-12

Can you send an example you used? Happy to try in my lab.

Andy

PhoneBoy · ‎2024-07-12

An exact example of what you tried would be helpful.
Having said that, adding or removing connection table entries from a live gateway is dangerous at best and not recommend.
Can you provide more details around WHY you are attempting to do this?

kamilazat · ‎2024-07-15

Thank you for the inquiries.

I found out that it was possible while looking up potential solutions to "resurrecting" a connection back into connections table (as mentioned by Tim Hall in this post) for a customer. I found out in the documentation that it actually is possible to add an entry to kernel tables. So I started playing in my dummy lab.
What I tried is to blindly add a connection entry using the 5-tuple format (from sk65133). And, of course, it rendered the gateway unresponsive and I had to revert to the previous snapshot.

We have opened a TAC case to troubleshoot the issue at hand. But since I started playing with connections table in a completely destroyable lab, I wanted to learn more about how it works and the reasons I'm failing in this. Maybe manually adding an entry is not possible in terms of connections table?

PhoneBoy · ‎2024-07-15

Note that a given connection flowing through the gateway can have FOUR entries, particularly if NAT is involved.
There are entries in other tables that may need to be added/modified as well.

kamilazat · ‎2024-07-16

I see, thank you very much for your answer. NAT is involved in that lab. So if I wanted to add an entry to connections table, I would have to simultaneously add entries to other tables, such as fwx_alloc_global, fwx_cache etc.

Is there a resource I can study the details of these tables, like I can for connections table?

PhoneBoy · ‎2024-07-16

Not that I’m aware of, unfortunately.
Some of these tables have changed with versions.

If this is something that happens with a specific connection regularly, you might want to exempt it from state checking instead.
This way, you don’t have to manually try and patch it into the connections table(s).
See: https://support.checkpoint.com/results/sk/sk11088

Are you a member of CheckMates?

Adding an entry to the connections table