This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
Champion Champion
Champion
‎2021-08-28 12:09 PM

'fw ctl conntab -x' issue in R81.10

 

From R81 it is possible to delete all sessions matching the filter with the command "fw ctl conntab -x ".

Unfortunately, this does not work for the "rule" filter. Here the complete connection table is deleted 😞

For example:

fw ctl conntab -x -rule=3

Tested with R81.10.

---

fw ctl conntab -h


Usage:
-h/-help # Display this help menu
-x # Delete the selected entries (without this flag, entries are only printed)
-sport # Filter by source port or source port range
-dport # Filter by destination port or detination port range
-proto # Filter by IP protocol or IP protocol range
-sip # Filter by source IP or source IP range
-dip # Filter by destination IP or detination IP range
-rule # Filter by rule or rule range
-service # Filter by service
-type # Filter by type bitmask
-flags # Filter by flags bitmask
-state # Filter by TCP state (SYN_SENT, SYN_ACK, ESTABLISHED, SRC_FIN, DST_FIN, BOTH_FIN)
Using multiple options will display only entries that match both criteria (x AND y)

Usage Examples:
* Display / Delete all port 80 connections in state BOTH_FIN:
fw ctl conntab [-x] -state=BOTH_FIN -dport=80
* Display / Delete all connections from 192.168.X.X:
fw ctl conntab [-x] -sip=192.168.0.0-192.168.255.255
* Display / Delete all old connections:
fw ctl conntab [-x] -flags=0x100/0x100

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
9 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2021-09-12 10:41 AM

Any news in this case from Check Point?

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2021-09-12 11:33 PM
In response to HeikoAnkenbrand

Hi @HeikoAnkenbrand ,

 

can you share if you got any error message?

0 Kudos
shais
Employee
Employee
‎2021-09-13 12:45 AM

Hi,
We are not aware of this issue and are unable to reproduce this in our setup.

Can you please open a ticket with support? this will allow us to get all the required info and do a remote session

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-02-01 12:26 AM

Seems to be fixed in R81.20:

fw ctl conntab -x -rule=3

deletes only the rule 3 connections

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
HeikoAnkenbrand
Champion Champion
Champion
‎2023-02-01 01:00 AM
In response to G_W_Albrecht

If you delete the connection in the connection table, it is still contained in the acceleration table and in the Dynamic Dispatcher table. Therefore, you may have some negative effects.

After deletion, they were still contained in the following tabel:

fw ctl multik gconn -p      -> Dynamic Dispacher tabel
fwaccel conns                    -> Acceleration tabel

Personally, I would be very careful about deleting the connetions.

---

Maybe Check Point's R&D can say something about this topic.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-02-01 01:04 AM
In response to HeikoAnkenbrand

Very true - but the rule filter works now...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Zolo
Collaborator
Collaborator
‎2025-07-27 02:15 AM
In response to HeikoAnkenbrand

Hello,

I have a question regarding the following: in the output of the command "fw ctl multik gconn -p", there are some connections that have been present for several days, even though they no longer appear in the current connection table.
No connections were removed manually.

Have you encountered this issue before?
Is there a way to remove these entries from the gconn table without a reboot?

BR,

Zolo

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-07-27 07:00 AM
In response to Zolo

Totally different command, please start a new thread.  On a firewall, there are actually three separate tables tracking "connections":

fw ctl multik gconn - Dynamic Dispatcher table on SND cores to ensure the packets of a connection are always "stuck" to the same Firewall Worker Instance.  These connections may not necessarily be "alive"; it is just tracking a Firewall Worker Instance core assignment

fwaccel conns - SecureXL's connections table on SND cores for tracking live connections in the fastpath and medium path only

fw tab -t connections & fw ctl conntab - Table for tracking all live connections on the Firewall Worker Instances

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Zolo
Collaborator
Collaborator
‎2025-07-27 12:44 PM
In response to Timothy_Hall

Thank you Timothy.
I opened a new thread: Dynamic Dispatcher table - Check Point CheckMates

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events