Timothy Hall
Whilst using the commands you detailed, I've got results I don't understand - hoping you or someone could help.
To put this in context, I have a busy proxy with a one-to-one NAT public IP and connecting to and internet service on HTTPs. The traffic is permitted one way and the internet service never initiates connection to my NAT IP.
Only the proxy uses this NAT and only the proxy connects to this internet service.
As expected, the internet service appears at the top of the top 10 sources:
[Expert@my-firewall:0]# fw tab -u -t connections |awk '{ print $2 }'|sort -n |uniq -c|sort -nr|head -10
24594 0a0b0c0d0e [sanitized HEX value of IP],
it's also the top value of the top 10 destinations:
[Expert@my-firewall:0]# fw tab -u -t connections | awk '{ print $4 }' | sort -n | uniq -c | sort -nr | head -10
16404 0a0b0c0d0e [sanitized HEX value of IP],
...and when I run the following to check, it looks to be roughly the sum of the source value and destination (accepting any discrepancy in the sum may be a result of the time taken to process the commands).
[Expert@my-firewall:0]# fw tab -u -t connections | grep -ci 0a0b0c0d0e [sanitized HEX value of IP],
39915
Running the same command to look at the HIDE NAT IP connections
[Expert@my-firewall:0]# fw tab -u -t connections | grep -ci 1a1b1c1d1e [sanitized HEX value of IP],
7942
Q.1 Why is there a difference between the number of source connections and destination connections
Q.2 Why don't I see a matching number when I examine the Hide NAT address
Thanks in advance.