show routed cluster-state detailed is super useful!  What do the columns "Cluster State SIGQUIT History " indicate?  Because I've got a lot of entries!

>show asset all 

from clish mode, 

that shows information about system, disk, memory etc 

I like this.  I found that you can get the actual IP address in decimal format with this:

Destination
fw tab -u -t connections -f | awk -F\; '{ print $5 }' | sort -n | uniq -c | sort -nr | head -10
               
Source
fw tab -u -t connections -f | awk -F\; '{ print $3 }' | sort -n | uniq -c | sort -nr | head -10

Right, but as I noted in my original post with a very large connection table using -f can take a very long time and use up quite a bit of CPU in the process.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Using  this scriptshowtable.sh - it shows statistics of the connections, fxw_cache and sam_blocked_ips tables you could simplify the previous queries:

1) fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head -10  by

./showtable.sh connections global list:20:s

2) List of hide NAT ports in use for all your NAT and sorted from top to down

./showtable.sh connections global list:20:lnm:203.0.113.1

if you don't include the <l> flag the scripts connects to the gateway to dump the database data

with the <l> flag, the script runs your query on the local data dumped the last time you run the script without the <l> flag

and you contrast the information of the connections table with the fwx_alloc table

./showtable.sh fwx_alloc global list:20:slm:203.0.113.1

Or you could get a table with all your NATs

./showtable.sh connections global list:20:ln

Timothy Hall‌

Whilst using the commands you detailed, I've got results I don't understand - hoping you or someone could help.

To put this in context, I have a busy proxy with a one-to-one NAT public IP and connecting to and internet service on HTTPs. The traffic is permitted one way and the internet service never initiates connection to my NAT IP.

Only the proxy uses this NAT and only the proxy connects to this internet service.

As expected, the internet service appears at the top of the top 10 sources:

[Expert@my-firewall:0]# fw tab -u -t connections |awk '{ print $2 }'|sort -n |uniq -c|sort -nr|head -10
  24594 0a0b0c0d0e [sanitized HEX value of IP],

it's also the top value of the top 10 destinations:

[Expert@my-firewall:0]# fw tab -u -t connections | awk '{ print $4 }' | sort -n | uniq -c | sort -nr | head -10
  16404 0a0b0c0d0e [sanitized HEX value of IP],

...and when I run the following to check, it looks to be roughly the sum of  the source value and destination (accepting any discrepancy in the sum may be a result of the time taken to process the commands).

[Expert@my-firewall:0]# fw tab -u -t connections | grep -ci 0a0b0c0d0e [sanitized HEX value of IP],

39915

Running the same command to look at the HIDE NAT IP connections

[Expert@my-firewall:0]# fw tab -u -t connections | grep -ci 1a1b1c1d1e [sanitized HEX value of IP],

7942

Q.1 Why is there a difference between the number of source connections and destination connections

Q.2 Why don't I see a matching number when I examine the Hide NAT address

Thanks in advance.

First off, remember that every working connection that is NATted will be shown four separate times in the output of fw tab.

For question 2, do you have no-NATs or anti-NAT manual rules defined for DMZ access?  That would explain why you don't see nearly as many connection flows referencing the NAT address as total connections coming from your proxy server.

For question 1, I'm wondering if you have a quantity of outbound NATed connection attempts by the proxy server to the Internet but they are not successfully connecting.  In that case there would be two c2s source flows counted (one pre-NAT and one post-NAT), but no corresponding two s2c (destination) flows.  Might explain the discrepancy between source and destination counts.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

I think I understand what you mean when you say that every working connection that is NAT'd will be shown four separate time in fw tab and I didn't take into consideration I was GREPing the target internet IP so would capture my internal and NAT sources there as well. - Thanks.

REF: Q2 - I do have no-NAT rules for access to and from the proxy for internally but I was GREPing based on target internet IP so didn't think fw tab would count those.

REF: Q1 - The concern that a quantity of connection attempts by the proxy server to the Internet are not successfully connecting is why I'm troubleshooting at this level but I have a packet capture running outside of the firewall and I'm seeing (almost) all SYNs leaving the firewall getting a SYN-ACK and going on to complete the HTTPS transactions.So what's leaving the firewall looks healthy. What I'm seeing from the Proxy point of view is unpredictable, intermittent times when the proxy cannot connect to the target and I see a flurry of "NAT Hide failure - there are currently no available ports for hide operation" (sometimes with log counts of up to 20,000 in a single second showing in the SmartLog Query Results Timeline).

As I have the  dynamic NAT port allocation feature enabled and working, I wanted to understand the fw tab output to check I wasn't blowing the 50K limit and each time I've run the fw tab -u -t connections | grep -ci command, the result stays under 10,000 connections.

Thanks again for your help.

Based on that error message it would indicate that you are running out of Hide NAT ports somewhere, whether it is in the 10,000-60,000 range assigned to "regular" connections or some of the special NAT situations that utilize ports 60,001 through 65,536.  If it is the 50k limit consider setting up a "many to fewer" hide NAT as I detail in this posting (and in my book):

R80.10 - Hide behind many question 

For the special NAT situations north of port 60,000 (called "Extra" or "Global") see these SKs:

sk69480: 'NAT Hide failure - there are currently no available ports for hide operation' log appears ...

sk86401: Connections with Hide NAT are dropped during policy installation due to NAT port allocation...

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Gotta agree with the little-known packet injector tool (pinj), especially when used with the -D option.  Can be a bit tricky properly crafting a sent packet to elicit a successful response, but well worth the effort. 

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

pinj provides security device log file , you can monitor the logs ( CLI : sk118521 / SmartLog) to track action .

I use lea connection (FW1-Loggrabber download | SourceForge.net )  to verify response message and automate pinj ( CDT script mode / cprrid_util / API run script command/ Python command and etc.. )

Thx, never knew it existed !

I had my team use these commands as a technical project lead to rebuilt a whole new redundant Provider-1 environment with 70 GWs for a financial (bank) org's project without a moment worth of any 'hiccup'/'downtime' even when all 70 GWs had to be 're-sic'd' to each of respective new CMAs. It was bank's pre-condition 'NO DOWNTIME'. I was at Verizon and these commands were given to us as part of a 'unsupported' solution which I thoroughly tested in a lab simulating bank's env. I had the support of an EXCELLENT Diamond engineer. The execution was flawless, took 24 hours and a team of 8 engineers in rotation but when it was finished, we got standing ovation from the bank and of course, from the Verizon management team. The bank still recognizes it as a legendary work. Hence, I love these commands and will give a you 'Celebration' badge for it :-)!

Rajeev - Just curious.  What commands where you issuing to the remote gateway during your project?

I can't tell you how many times I've used fw unloadlocal (or it's predecessor fw unload localhost) over the last 20 years

I didn't realize you could run a manual forensics report on a file, that's pretty neat functionality! Nice work to https://community.checkpoint.com/people/arzile9338099-64b6-3d9b-be29-fc67dc1788f6 and his team!

manual forensics report:

R77.30.03 Endpoint Security Administration Guide  193-194 

It is available since R77.20.02 : Aug-2016

Manual Analysis with CLI:
You can configure the Forensics blade to analyze incidents that are detected by a third party Anti-Malware solution. To use this, after an incident is triggered you can run analysis manually on the client computer or use a dedicated tool.
To run analysis manually on a client computer with CLI:
Use the command: C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe <Type>:<Malicious resource> [options]

Examples:
1. C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe file:c:\test\test.doc url:www.test.com -r
2. C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe file:test.doc -r -q
3. C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe ip:170.12.1.180 file:test.doc
4. C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe HYPERLINK "url:www.Malicious.com" md5:10010010010010010010010010010010 -q -b c:\ backupToFile.txt
5. C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cpefrcli.exe -b c:\backupToFile.txt
Notes:
1. All combination between optional parameters are allowed, the order is not important.
2. Backup option does not require Mandatory parameters (example 5).

Unfortunately while nmon is a quite useful tool, Check Point has explicitly disclaimed support for it:

sk108122: Using the monitoring tool 'nmon' is not supported

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

To be fair Valeri, any debug command has the potential to create impact (see Heisenberg effect).

That said, fw ctl zdebug can be impactful if used improperly.

Correct.

However, the issue with this particular command is that it can be applied without any understanding of kernel debug and appropriate preparations. Same effect is hardly achievable if regular kernel debug process is applied. 

That fact is mostly ignored, as this command pops up all over SecureKnowledge cases these days. This is negligence at best.

please don't confuse us with the facts

lol, gotcha