Interpreting the output of fwaccel conns table

I'm struggling to find documentation on interpreting the output of the fwaccel conns table. Src and dst IP addresses and ports are obviously self-explanatory but the rest are not as clear.

Is there any documentation I could be directed to? 

Thanks in advance.

7 Replies

Re: Interpreting the output of fwaccel conns table

DanW
Ivory

Re: Interpreting the output of fwaccel conns table

Hi Nick

Hope you are well chap. Just stumbled across your post while looking for the same thing 🙂

Does this help:

[Expert@LAB-R80-FW1:0]# fwaccel conns ?
Usage: fwaccel conns <options>

Options:
-m <max entries> - max number of entries to print
-f <filter> - print only entries matching the filter
-s - print only number of connections
-h - this help message

Filter (one or more of the below flags):
F/f - forwarded to firewall/cut-through
U/u - unidirectional/bidirectional
N/n - entries with/without NAT
A/a - accounted/not accounted
C/c - encrypted/not encrypted
S/s - pxl enabled/disabled
Q/q - qos enabled/disabled
H/h - offloaded to SAM hardware/created in SAM hardware
L/l - link/not link

[Expert@LAB-R80-FW1:0]#

Re: Interpreting the output of fwaccel conns table

Hello CheckMates,

I am also curious about these values and codes, and furthermore about how to bring all my traffic to the Accelerated Path, not just PXL.

I have seen this:

10.1.14.39 50038 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.22.20 50076 6 ...AC..S...... 1/8 8/1 0 0
10.1.20.103 50077 10.1.100.100 55559 6 ......P....... -/- -/- 2 0
10.1.100.100 55559 10.1.24.1 62061 6 ...AC..S...... 1/8 8/1 2 0
10.1.100.100 55559 10.1.3.65 49161 6 ...AC..S...... 1/8 8/1 1 0
10.1.14.63 50266 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 2 0
10.1.100.100 55559 10.1.22.23 50067 6 ...AC..S...... 1/8 8/1 1 0

What does ......P....... stand for?

What are the numbers at the end?

I have excluded TCP port 55559 from any IPS inspection in the hope of having it on the Accelerated Path... but it is still all at PXL...
Honestly, I don't know what kind of traffic is inside TCP/55559; it must be some kind of database traffic.

Any idea what P is... and what would the Accelerated Path look like?

Best regards,
Thomas.

Re: Interpreting the output of fwaccel conns table

Hello,

Update to my question:

......P....... will most likely stand for a dropped/failed connection.

[Expert@SDAZFW01(active)]# fwaccel conns | grep 10.1.20.103
10.1.20.103 50077 10.1.100.100 55559 6 ......P....... -/- -/- 2 0
10.1.20.103 50082 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.20.103 50082 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.20.103 50077 6 ......P....... -/- -/- 2 0

Just saw it in the logs:

[attached screenshot: ....P.....png]

So my question is: is ...AC..S...... just PXL, or the Accelerated Path?

Re: Interpreting the output of fwaccel conns table

P indicates the connection is "partial", which means it exists in the Firewall Worker connections state table but not in the SecureXL connections table.  This can happen if a connection already existed when a state change occurred in SecureXL (disabled then enabled, or if other SecureXL features like NAT Templates or Drop Templates had their configuration changed).  This is normal and just keeps SecureXL from accidentally dropping those packets, to ensure they reach a Firewall Worker for correct handling; obviously that traffic will not be fully accelerated by SecureXL.

Fully accelerated traffic will normally have no flags set, but A (Accounting), N (NAT), and C (encrypted) may appear depending on the connection attributes and it will still be fully accelerated.  Generally speaking the presence of any flags other than these three indicates the connection is not fully accelerated and being handled on a Firewall Worker in the PXL/F2F/QXL paths.  So your "...AC..S......" connections are Medium Path (PXL). I don't know what the numbers mean at the end of the line.

You said "I have excluded TCP port 55559 from any IPS inspection".  If you used an IPS/TP exception to do this it will have no effect on acceleration status; an exception simply changes the decision rendered after inspection.  You need to use what I call a "null profile" to make that traffic eligible to be fully accelerated: in your TP policy, create a rule matching the 55559 traffic and match it to a TP profile action that has IPS completely unchecked.  Even if you do so, there may still be some other blade keeping the traffic from being fully accelerated depending on your configuration.

Dependent on the minor version of your gateway and Jumbo HFA level you may also be able to force the 55559 traffic to be fully accelerated with the "fast_accel" directive, but this option should be exercised with caution.


"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Interpreting the output of fwaccel conns table

One thing that is not explained in the documentation is that the C2S i/f and S2C i/f columns are the interfaces where the packet is received and then transmitted by the firewall, in the Client-to-Server and Server-to-Client directions. At the end of the list of connections another table appears, mapping the interface ids to the interfaces. For example:

Idx    Interface
0        lo
1        eth0
2        eth1
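To make the two explanations above usable on real output, here is a small parser that reads `fwaccel conns` lines and the trailing interface table, classifies each entry with the flag heuristics from Timothy Hall's reply (P is partial; only A, N or C may appear on a fully accelerated connection; any other letter means PXL/F2F/QXL), and resolves the C2S/S2C interface pairs as described in the post just above. This is an added example written for this thread, not Check Point code. It assumes the column order seen in Thomas's paste (src, sport, dst, dport, proto, flags, C2S i/f, S2C i/f, two numbers); the reading of each "rx/tx" pair as received/transmitted interface index follows the post above, and the last two numeric columns are kept raw because nobody in the thread explains them. The sample connection lines are the ones Thomas posted and the interface table is the one shown above.

```python
"""Parse and classify `fwaccel conns` output using the heuristics given in this thread.

Added example for the CheckMates thread; not Check Point code. Column order and the
rx/tx reading of the interface pairs are assumptions taken from the posts above.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Flag letters as printed by `fwaccel conns ?` earlier in the thread, plus P as
# explained in the reply above.
FLAG_LEGEND = {
    "F": "forwarded to firewall",
    "U": "unidirectional",
    "N": "NAT",
    "A": "accounted",
    "C": "encrypted",
    "S": "pxl enabled",
    "Q": "qos enabled",
    "H": "offloaded to SAM hardware",
    "L": "link",
    "P": "partial (Firewall Worker table only, no SecureXL entry)",
}
ACCEL_OK = frozenset("ANC")  # may be set on a connection that is still fully accelerated

PATH_ACCEL = "fully accelerated"
PATH_PARTIAL = "partial"
PATH_FW = "not fully accelerated (PXL/F2F/QXL)"


@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    flags: frozenset
    c2s_if: Optional[Tuple[int, int]]  # (received idx, transmitted idx), client->server
    s2c_if: Optional[Tuple[int, int]]  # same for server->client; None when printed as -/-
    extra: Tuple[int, int]             # trailing two numbers; meaning not given in the thread


CONN_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+([.A-Z]+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$"
)
IFACE_RE = re.compile(r"^(\d+)\s+(\S+)$")  # rows of the Idx/Interface table


def _ifpair(tok: str) -> Optional[Tuple[int, int]]:
    """'1/8' -> (1, 8); '-/-' (no SecureXL entry) -> None."""
    if tok == "-/-":
        return None
    rx, tx = tok.split("/")
    return (int(rx), int(tx))


def parse_conn(line: str) -> Optional[Conn]:
    """Return a Conn for one table row, or None for headers and other non-row text."""
    m = CONN_RE.match(line.strip())
    if m is None:
        return None
    src, sport, dst, dport, proto, flags, c2s, s2c, n1, n2 = m.groups()
    return Conn(src, int(sport), dst, int(dport), int(proto),
                frozenset(ch for ch in flags if ch != "."),
                _ifpair(c2s), _ifpair(s2c), (int(n1), int(n2)))


def classify(conn: Conn) -> str:
    """Apply the thread's heuristic: P wins, then 'only A/N/C' means fully accelerated."""
    if "P" in conn.flags:
        return PATH_PARTIAL
    if conn.flags <= ACCEL_OK:
        return PATH_ACCEL
    return PATH_FW


def parse_iface_table(text: str) -> Dict[int, str]:
    """Build {idx: name} from the Idx/Interface table printed after the connections."""
    table = {}
    for line in text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            table[int(m.group(1))] = m.group(2)
    return table


def describe_ifpair(pair: Optional[Tuple[int, int]], ifaces: Dict[int, str]) -> str:
    """Render an rx/tx index pair with names; unknown indexes fall back to 'if#N'."""
    if pair is None:
        return "n/a (no SecureXL entry)"

    def name(i: int) -> str:
        return ifaces.get(i, f"if#{i}")

    return f"in {name(pair[0])} -> out {name(pair[1])}"


def count_by_path(conns_text: str) -> Counter:
    """Count connections per path, e.g. to see how much traffic is really accelerated."""
    counts: Counter = Counter()
    for line in conns_text.splitlines():
        c = parse_conn(line)
        if c is not None:
            counts[classify(c)] += 1
    return counts


def summarize(conns_text: str, iface_text: str):
    """One tuple per row: flow, flag letters, path verdict, C2S interfaces, raw extras."""
    ifaces = parse_iface_table(iface_text)
    rows = []
    for line in conns_text.splitlines():
        c = parse_conn(line)
        if c is None:
            continue
        rows.append((f"{c.src}:{c.sport} -> {c.dst}:{c.dport} proto {c.proto}",
                     "".join(sorted(c.flags)) or "-", classify(c),
                     describe_ifpair(c.c2s_if, ifaces), c.extra))
    return rows


# Sample input: the connection rows Thomas posted and the interface table from the post above.
SAMPLE_CONNS = """\
10.1.14.39 50038 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.22.20 50076 6 ...AC..S...... 1/8 8/1 0 0
10.1.20.103 50077 10.1.100.100 55559 6 ......P....... -/- -/- 2 0
10.1.100.100 55559 10.1.24.1 62061 6 ...AC..S...... 1/8 8/1 2 0
10.1.100.100 55559 10.1.3.65 49161 6 ...AC..S...... 1/8 8/1 1 0
10.1.14.63 50266 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 2 0
10.1.100.100 55559 10.1.22.23 50067 6 ...AC..S...... 1/8 8/1 1 0
"""
SAMPLE_IFACES = """\
Idx    Interface
0        lo
1        eth0
2        eth1
"""

if __name__ == "__main__":
    for flow, flags, path, c2s, extra in summarize(SAMPLE_CONNS, SAMPLE_IFACES):
        print(f"{flow:48} flags={flags:4} {path:36} c2s={c2s:24} extra={extra}")
    print(dict(count_by_path(SAMPLE_CONNS)))
```

Run against the paste above it reports six PXL rows (flags AC plus S) and one partial row, and none fully accelerated, which is the answer to Thomas's question; a row whose flag field is empty or only A/N/C would be reported as fully accelerated. Index 8 is not in the three-row sample table, so it is printed as `if#8` rather than guessed.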

Re: Interpreting the output of fwaccel conns table

Did you report this using the SK feedback option?