Equipe_reseau
Participant

Question about connections table and cphwd_db table

Hello all,
I have a small question about the proportion and the position of the connections in the connections table (fw tab -t connections).
If A (client) connects to B (server), the entries could be generated as follows:
<0, Client_IP, Client_Port, Server_IP, Server_Port, Protocol_Number> = Client side, inbound
<1, Client_IP, Client_Port, Server_IP, Server_Port, Protocol_Number> = Server side, outbound
<0, Server_IP, Server_Port, Client_IP, Client_Port, Protocol_Number> = Server side, inbound
<1, Server_IP, Server_Port, Client_IP, Client_Port, Protocol_Number> = Client side, outbound
But if A is NATted (I call it A+), what will we have?
From my investigation, the third entry will be changed:
<0, Server_IP, Server_Port, A+, Client_Port, Protocol_Number> = Server side, inbound
Am I correct?

So much confusion when looking at the tables of the Check Point kernel :))

Another thing: what is the format of the table cphwd_db (fw tab -u -t cphwd_db)?
I followed sk41618, which gives a description:

<Source_IP, Source_Port, Dest_IP, Dest_Port, Proto; Bitmask_of_SecureXL_Flags, Pointer>

In fact, the output is quite different:

Example:
<01010101,0000d80f, ,02020202,00000006; 0004000d, 00002aaa, ac697fb8, 00002aaa> ==> which one is Bitmask_of_SecureXL_Flags?

Thanks for your help.

2 Replies
PhoneBoy
Admin

I haven't looked at the connections table in detail in a while, but logically what you say makes sense.
The contents of cphwd_db are a bit different likely because the last time the SK was updated was...2014.
I recommend leaving feedback on the SK to ensure it gets updated.
Meanwhile, I'll "phone a friend." 🙂

Equipe_reseau
Participant

Hello,

I came across this topic https://community.checkpoint.com/t5/General-Topics/SecureXL-Connections-Table/td-p/16889, where Timothy_Hall had a comment:

"the connection is NATted there are four separate flows being tracked (c2s/outbound pre-NAT, c2s/outbound post-NAT, s2c/inbound pre-NAT, s2c/inbound post-NAT)."

This could answer my first question 🙂

Thanks

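To make the two questions in this thread concrete (the four flows a NATted connection leaves in the connections table, and reading the hex words that `fw tab -u` prints), here is an added Python example. It is not code from the thread, from Check Point, or from sk41618. It assumes the six-word key layout the question lists for the connections table (`<dir, src_ip, src_port, dst_ip, dst_port, proto>`, each word 8 hex digits), models the four flows exactly as the comment quoted in the last reply names them ("pre-NAT" is read here as the 5-tuple before the gateway translates it in that direction), and keeps the value words after `;` raw, since their layout is precisely what the question asks about. All sample entries and the direction bits on them are constructed for this example; only the cphwd_db line is the one posted above.

```python
"""Decode hex connection-table entries and model the four flows of a NATted connection.

Added example; not the thread's, Check Point's or sk41618's code. Assumed key layout:
<dir, src_ip, src_port, dst_ip, dst_port, proto>, each an 8-digit hex word. The four
flows follow the quoted comment: c2s pre-NAT, c2s post-NAT, s2c pre-NAT, s2c post-NAT.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass(frozen=True)
class ConnKey:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int


@dataclass(frozen=True)
class Entry:
    direction: int            # the leading 0/1 word of the key
    key: ConnKey
    values: Tuple[str, ...]   # raw hex words after ';', deliberately not interpreted


def hex_word(word: str) -> int:
    """One 8-digit hex word as printed by 'fw tab -u'."""
    return int(word.strip(), 16)


def hex_ip(word: str) -> str:
    """Hex word to dotted quad, e.g. '01010101' -> '1.1.1.1'."""
    return str(ipaddress.IPv4Address(hex_word(word)))


def proto_name(proto: int) -> str:
    return PROTO_NAMES.get(proto, str(proto))


def split_entry(line: str) -> Tuple[List[str], List[str]]:
    """Split '<k1, k2; v1, v2>' into key words (empty words kept) and value words."""
    inner = line.strip().lstrip("<").rstrip(">")
    key_part, _, value_part = inner.partition(";")
    keys = [f.strip() for f in key_part.split(",")]
    values = [v.strip() for v in value_part.split(",") if v.strip()]
    return keys, values


def key_words(line: str) -> List[Optional[Dict[str, object]]]:
    """Show each key word as an int and as an IPv4 address, so addresses, ports and
    protocol numbers can be told apart by eye. Empty words (as in the posted
    cphwd_db line) become None."""
    keys, _ = split_entry(line)
    return [None if not w else {"hex": w, "int": hex_word(w), "ipv4": hex_ip(w)} for w in keys]


def parse_entry(line: str) -> Entry:
    """Parse a connections-table entry under the assumed six-word key layout."""
    keys, values = split_entry(line)
    if len(keys) != 6:
        raise ValueError(f"expected 6 key words, got {len(keys)}: {line!r}")
    direction, sip, sport, dip, dport, proto = keys
    key = ConnKey(hex_ip(sip), hex_word(sport), hex_ip(dip), hex_word(dport), hex_word(proto))
    return Entry(hex_word(direction), key, tuple(values))


def expected_flows(client: str, cport: int, server: str, sport: int, proto: int,
                   nat_ip: str, nat_port: Optional[int] = None) -> Dict[str, ConnKey]:
    """The four 5-tuples tracked when the client is NATted to nat_ip (model from the
    quoted comment). nat_port defaults to the original port, i.e. static NAT."""
    nat_port = cport if nat_port is None else nat_port
    return {
        "c2s pre-NAT":  ConnKey(client, cport, server, sport, proto),
        "c2s post-NAT": ConnKey(nat_ip, nat_port, server, sport, proto),
        "s2c pre-NAT":  ConnKey(server, sport, nat_ip, nat_port, proto),
        "s2c post-NAT": ConnKey(server, sport, client, cport, proto),
    }


def classify(entries: List[Entry], flows: Dict[str, ConnKey]) -> List[Tuple[str, int]]:
    """Label each entry with the flow its key matches (or 'unrelated'), with its direction bit."""
    by_key = {k: name for name, k in flows.items()}
    return [(by_key.get(e.key, "unrelated"), e.direction) for e in entries]


# Constructed sample: client 10.0.0.5:40000 -> server 2.2.2.2:443 over TCP, client
# statically NATted to 1.1.1.1, plus one unrelated UDP/53 entry. Direction bits are constructed.
SAMPLE_ENTRIES = [
    "<00000000, 0a000005, 00009c40, 02020202, 000001bb, 00000006; 00000000, 00000000>",
    "<00000001, 01010101, 00009c40, 02020202, 000001bb, 00000006; 00000000, 00000000>",
    "<00000000, 02020202, 000001bb, 01010101, 00009c40, 00000006; 00000000, 00000000>",
    "<00000001, 02020202, 000001bb, 0a000005, 00009c40, 00000006; 00000000, 00000000>",
    "<00000000, 0a000007, 0000c350, 08080808, 00000035, 00000011; 00000000, 00000000>",
]

# The cphwd_db entry posted in the question, verbatim, for key_words().
CPHWD_EXAMPLE = "<01010101,0000d80f, ,02020202,00000006; 0004000d, 00002aaa, ac697fb8, 00002aaa>"


def demo() -> List[Tuple[str, int]]:
    flows = expected_flows("10.0.0.5", 40000, "2.2.2.2", 443, 6, "1.1.1.1")
    labels = classify([parse_entry(l) for l in SAMPLE_ENTRIES], flows)
    for (label, direction), line in zip(labels, SAMPLE_ENTRIES):
        print(f"dir={direction} {label:13s} {line}")
    for w in key_words(CPHWD_EXAMPLE):
        print("  (empty word)" if w is None else f"  {w['hex']} = {w['int']:>6d} = {w['ipv4']}")
    return labels


if __name__ == "__main__":
    demo()
```

Running `demo()` labels the four constructed entries as the four flows and the DNS entry as unrelated, and prints the posted cphwd_db key words as 1.1.1.1, port 55311, an empty word, 2.2.2.2 and protocol 6; which of the words after `;` is the SecureXL flag bitmask is left undecided, as in the thread.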