Olga_Kuts
Silver

Number of connections depending on dst addresses

Hi!

We have a certain group of destination addresses. We need to calculate the total number of connections for this group over a certain period of time. How can we do this in R80.10, in SmartConsole as well as from the CLI? We need exactly the number of connections, not events.
Thank you!

20 Replies

Re: Number of connections depending on dst addresses

fw tab -u -t connections | awk '{ print $4 }' | sort -n | uniq -c | sort -nr | head -10


This will show the top ten destination IPs hogging slots in the connection table in descending order; however, you will need to manually convert the IP addresses displayed from hex to decimal like so: 0a1e0b53 = 10.30.11.83. For the top 10 sources, substitute $2 for $4 in the awk command above. A variant of this command utilizing grep can be used to look for certain IP addresses or subnets.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Olga_Kuts
Silver

Re: Number of connections depending on dst addresses

Dear Tim,

Thanks for a quick response! Can we see this information from SmartConsole?

0 Kudos
Admin
Admin

Re: Number of connections depending on dst addresses

There is a way to do this in SmartView Tracker (the so-called "Active Connections" view).

While there is no shortcut to SmartView Tracker installed, you can find the binary in C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM as CPlgv.exe

And, as it turns out, this function still works (performance implications apply).

You can filter the results as desired.

You can also do this in SmartView Monitor to track this over time, if you enable Monitoring on the relevant Gateway object.

In R80+: 

  • Open SmartConsole > Logs & Monitor.
  • Open the catalog (new tab).
  • Click Tunnel & User Monitoring.

See also: Logging and Monitoring R80.10 (Part of Check Point Infinity) 


Re: Number of connections depending on dst addresses

Oh boy, not the Active Connections, please. That can blow your production FWs in an instant. I would look into the connection table on the CLI instead.

0 Kudos

Re: Number of connections depending on dst addresses

...and I see Tim posted the command already

Admin
Admin

Re: Number of connections depending on dst addresses

Completely agree, just providing all the options.

Olga_Kuts
Silver

Re: Number of connections depending on dst addresses

Dameon,

Tell me, please, what about the R80.10 version? Is it possible to generate reports with the number of connections in the SmartConsole? As I understand we must look in the direction of the Network Activity report?

0 Kudos
Admin
Admin

Re: Number of connections depending on dst addresses

The methods we've discussed thus far have been methods to determine this in realtime.

The Network Analysis report (which is in R80.10 and might be in earlier releases) is from SmartEvent and is based on logs.

A couple of snapshots from this report are below.

0 Kudos
vivekk1
Iron

Re: Number of connections depending on dst addresses

Hi,
I want to check the active connection log in R80.10 but am unable to see it.
Could you please suggest how to check?
Regards,
Vivek Kumar
0 Kudos
Olga_Kuts
Silver

Re: Number of connections depending on dst addresses

Hello Tim,

Does this command exclude symbolic links? Following the sk65133, for one connection there can be 4 entries in the table.

0 Kudos

Re: Number of connections depending on dst addresses

The command does not exclude symbolic links; it was more designed to show you which IP addresses were hogging the most slots in the connection table, not necessarily the precise number of connections per IP.

0 Kudos
Olga_Kuts
Silver

Re: Number of connections depending on dst addresses

Ok, thanks, and how can we know the precise number of connections per IP via cli?

0 Kudos

Re: Number of connections depending on dst addresses

fw tab -u -t connections | awk '{ print $4 }' | sort -n | uniq -c | sort -nr | head -10 would give the number of sessions per destination IP at a given time but not for a period of time, right?

By the way, with -f you can get the output formatted in decimal dotted format:

fw tab -u -t connections -f | awk '{ print $13 }' | sort -n | uniq -c | sort -nr | head -10

0 Kudos

Re: Number of connections depending on dst addresses

Sorry, I forgot to mention that you need to grep Rule; otherwise you get pretty much 4 events/symbolic per connection:

fw tab -u -t connections -f | grep Rule | awk '{ print $13 }' | sort -n | uniq -c | sort -nr | head -10
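
Added example (not part of any post in this thread): a shell function that counts real connection entries per destination from raw `fw tab -u -t connections` output, converting the hex addresses to dotted decimal and restricting the count to a given group of destinations. The function names, the sample table lines, and the assumption that symbolic links are the lines containing `->` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes raw (non -f) table lines of the
# form "<dir, src, sport, dst, dport, proto; ...>" and that symbolic links
# are the lines containing "->".
# Usage: fw tab -u -t connections | count_dst_conns 10.30.11.83 10.30.11.84
count_dst_conns() {
    awk -v group="$*" '
    function octet(h,   d) {      # two hex digits -> decimal, no gawk needed
        d = "0123456789abcdef"; h = tolower(h)
        return (index(d, substr(h, 1, 1)) - 1) * 16 + index(d, substr(h, 2, 1)) - 1
    }
    function hex2ip(h) {          # 0a1e0b53 -> 10.30.11.83
        return octet(substr(h, 1, 2)) "." octet(substr(h, 3, 2)) "." octet(substr(h, 5, 2)) "." octet(substr(h, 7, 2))
    }
    BEGIN { n = split(group, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
    /^</ && !/->/ {               # real entries only, symbolic links skipped
        dst = $4; gsub(/[^0-9A-Fa-f]/, "", dst)
        if (length(dst) != 8) next
        ip = hex2ip(dst)
        # With no group given, every destination is counted.
        if (n == 0 || (ip in want)) { count[ip]++; total++ }
    }
    END {
        for (ip in count) print count[ip], ip | "sort -rn"
        close("sort -rn")
        print total + 0, "TOTAL"
    }'
}

# Constructed sample input (not captured from a real gateway): four real
# entries and two symbolic links pointing back at real entries.
sample_conntab() {
    cat <<'EOF'
localhost:
-------- connections --------
dynamic, id 8158, attributes: keep, sync, expires 25, limit 25000
<00000000, c0a80a05, 0000c350, 0a1e0b53, 000001bb, 00000006; 0001c001, 00044000; 3590/3600>
<00000001, 0a1e0b53, 000001bb, c0a80a05, 0000c350, 00000006> -> <00000000, c0a80a05, 0000c350, 0a1e0b53, 000001bb, 00000006> (00000805)
<00000000, c0a80a06, 0000c351, 0a1e0b53, 000001bb, 00000006; 0001c001, 00044000; 3591/3600>
<00000000, c0a80a06, 0000c352, 0a1e0b54, 00000035, 00000011; 0001c001, 00044000; 38/40>
<00000001, 0a1e0b54, 00000035, c0a80a06, 0000c352, 00000011> -> <00000000, c0a80a06, 0000c352, 0a1e0b54, 00000035, 00000011> (00000806)
<00000000, c0a80a07, 0000c353, 08080808, 00000035, 00000011; 0001c001, 00044000; 39/40>
EOF
}
```

The result is a snapshot of the table at the moment the command runs; as noted elsewhere in the thread, counts over a period of time come from logs rather than from the connections table.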

Re: Number of connections depending on dst addresses

You could get that information with this script

showtable.sh - it shows statistics of the connections, fxw_cache and sam_blocked_ips tables 

./showtable.sh connections global list:20:d

0 Kudos
Olga_Kuts
Silver

Re: Number of connections depending on dst addresses

Unfortunately, my access to this script is restricted.

0 Kudos
Admin
Admin

Re: Number of connections depending on dst addresses

The script was probably in the moderation queue when you tried to access it.

It's not now, please try again.

0 Kudos

Re: Number of connections depending on dst addresses

Since this thread still appears to be going strong, just wanted to mention the undocumented fw ctl conntab command which presents a very pretty and concise look at the connections state table similar to fw tab -f -u -t connections including idle timers (highlighted):

fw ctl conntab connections table


Re: Number of connections depending on dst addresses

I am wondering why fw ctl conntab | grep -c "<" and fw tab -t connections -s don't match:

# fw ctl conntab | grep -c "<"
1619
 # fw tab -t connections -s
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  4947 159162   12074

0 Kudos

Re: Number of connections depending on dst addresses

I saw this behavior here using three different tools like you did (fw ctl conntab, Smart Monitor, fw tab connections), and I was not able to trust the information given to me...