Connections Table Confusion and sk65133
I'm dealing with timeout issues and I need to prove to another organization that Checkpoint is not the cause of the timeout. I want to find the connection in the connection table with the timer showing the live TTL and timeout.
sk65133 seems to be the correct article explaining how to do this, but I'm lost on how to craft the correct syntax. The table is all in hex. Please consider this my enhancement request to please convert it to standard decimal. Either that, or add real-world examples of how to search for a connection in sk65133.
Let's say I want to find a connection for IP 192.168.255.250. I can't seem to locate the connection with the below fw tab command and grep. I'm likely doing something wrong. Any insight is appreciated.
fw tab -t 8158 | grep C0A8FFFA
Thanks,
Justin
Accepted Solutions
Try this:
fw tab -u -t connections | grep -i C0A8FFFA
The current timeout values for that connection will be on the far right of the display for each connection and look like: (3500/3600). The first number is a countdown timer and shows how much time is remaining until expiration, unless traffic matching that connection is processed in which case the countdown starts anew. The second number is the expiration time for that type of connection, inherited from the "Stateful Inspection" screen of the Global Properties or overridden by the Advanced tab of the service object in question. Note that trying to use -f to see decimal IP addresses with the above command will exclude the timeout values from the output.
This situation is mentioned in my book (p. 87-91); check out the TCP state logging function, which can be very helpful in diagnosing issues such as these (especially a kernel value of 2).
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
CET (Europe) Timezone Course Scheduled for July 1-2
Before starting to search through the connection table, in my opinion I would try to have a look at the log and see if you have some packets flagged as out of state between the two hosts. Consider that if you haven't changed the stateful settings in the Global Properties, the default timeout for a TCP session is 3600 seconds; it could be the case that the application in use does not send any keep-alive to the client and the gateway then removes it from its connection table.
In any case you can retrieve information about the session with a simple tcpdump capture.
Otherwise you can look in the thread "my top CLI commands" here; there are a lot of examples for retrieving such info.
Thanks for the replies.
fw tab -u -t connections | grep -i XXXXXXXX | grep -i XXXXXXXX
(the X's being the hex equivalent of the IPs) Find an IP-to-hex converter on the web if you're bad at math like me, and discard the leading '0x'.
It works for me: it finds connections between two specific endpoints and shows the TTL/timeout value, e.g. 3155/3600.
Thanks again.
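As an added example (not code from this thread or from Check Point), a small POSIX shell helper that does the IP-to-hex conversion described above and pulls the (remaining/timeout) pair from connections-table lines, so you can check how close an idle session is to expiry. The sample lines are constructed; their field layout is an assumption, and only the trailing (ttl/timeout) pair follows what the accepted answer describes.

```shell
#!/bin/sh
# Added example (not from the thread): turn dotted-quad IPs into the hex form
# used by "fw tab -u -t connections" and pull the (remaining/timeout) pair.

ip2hex() {
  # 192.168.255.250 -> C0A8FFFA (the form the connections table shows)
  case $1 in
    *[!0-9.]*|'') echo "ip2hex: not a dotted-quad IPv4: $1" >&2; return 1 ;;
  esac
  # word splitting on the four octets is intended here
  printf '%02X%02X%02X%02X\n' $(printf '%s' "$1" | tr '.' ' ')
}

# Constructed stand-in for "fw tab -u -t connections" output: hex fields, with the
# (remaining/timeout) pair on the far right, as the accepted answer describes.
# The field layout is illustrative only, not an exact copy of real gateway output.
SAMPLE='<00000000, C0A8FFFA, 0000C41C, 0A0A0A0A, 00000050, 00000006; ...> (3500/3600)
<00000000, 0A0A0A0A, 00000050, C0A8FFFA, 0000C41C, 00000006; ...> (3500/3600)
<00000000, 0A080002, 0000D0B4, 0A0A0A0A, 00000016, 00000006; ...> (160/3600)'

# conn_timers SRC_IP [DST_IP]: print "remaining/timeout" for each matching entry.
# On a gateway, replace the printf of $SAMPLE with: fw tab -u -t connections
conn_timers() {
  src=$(ip2hex "$1") || return 1
  dst=''
  if [ -n "$2" ]; then dst=$(ip2hex "$2") || return 1; fi
  printf '%s\n' "$SAMPLE" \
    | grep -i "$src" | grep -i "$dst" \
    | sed -n 's/.*(\([0-9][0-9]*\/[0-9][0-9]*\)).*/\1/p'
}

# expiring_soon SRC_IP DST_IP_OR_EMPTY THRESHOLD: list matching entries whose
# countdown is below THRESHOLD seconds, i.e. idle connections about to be dropped.
expiring_soon() {
  conn_timers "$1" "$2" | awk -F/ -v t="$3" '$1 < t { print $1 "/" $2 }'
}
```

A countdown that keeps resetting to the full timeout while the application reports a hang points away from the gateway; one that runs down to zero before the application sends anything points at a missing keep-alive.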
fw tab -t connections -u -f
-f will format the output to decimal values. You can add "grep" to filter based on your IP address in decimal.
Example: fw tab -t connections -u -f | grep 10.10.10.10
However, formatting from hex to dec takes some time, so if you try to catch short connections it is possible that you will not capture them, so it is a good idea to use Tim's suggestion: hex and grep with -i (without -i, grep is case sensitive).
fw tab -u -t connections -f | grep 10.8.196.217 | grep 40.97.136.200
but it doesn't work!!
Try this:
fwaccel conns | awk -v src=x.x.x.x -v dst=y.y.y.y '$1==src && $3==dst{print}' | sort | sort -n -r
source ip := x.x.x.x
destination ip := y.y.y.y
