This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BeaconBits
Contributor
‎2018-10-15 08:42 AM
Jump to solution

Difference between Session and Connection??

Hello everyone,

I know that this question has answered before but allow me to say that even after reading it is still confusing.

Here I would like to know from 'Checkpoint' that what actually they mean about 'Connection' and 'Session'.

Any checkpoint guru please???

Regards,

B

2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2018-10-16 04:59 AM
In response to BeaconBits
Jump to solution

A session is a collection (a superset) of connections.

A connection only tells you very basic things (layer 3-4 information) about a single TCP/UDP connection.

It does tell you how that single connection relates to others that have been seen from that same user/host. 

A session correlates what happens over several individual connections, including information from multiple blades (e.g. App Control, URL Filtering, Identity Awareness, etc) into a single log entry.

Through looking at thousands of individual connection logs manually, you could probably tell Joe Roberts spent an hour surfing Facebook.

A session log can show you this in a single log entry with the number of bytes transferred, an estimate of how long he spent, and so on, all correlated automatically. 

View solution in original post

PhoneBoy
Admin
Admin
‎2023-12-26 01:05 PM
In response to bSingh
Jump to solution

Best you can get are the number of connections on the gateway: fw tab -t connections -s.
There are four entries in the connections table for a single connection (more if NAT is involved). 
Sessions are correlated on the management side and we do not keep a count of them.

View solution in original post

10 Replies
PhoneBoy
Admin
Admin
‎2018-10-15 10:03 AM
Jump to solution

A connection is a single TCP connection or virtual UDP/IP Protocol session.

A session provides context for those individual connections by correlating them together.

For example, looking at connections, I can see:

  • Host X opened hundreds of connections on TCP port 443 to servers A, B, and C

Sessions correlated from the above connections tell you:

  • Joe Roberts spent 1 hour using Facebook

Hope that helps.

BeaconBits
Contributor
‎2018-10-16 01:36 AM
In response to PhoneBoy
Jump to solution

Hi Dameon,

Thanks for the explanation.

Do you mind explaning in more example? I'm more looking into what sort of information we can see in session that we can't see in Connection.

OR

Does a Session is a subset of the Connection?

Regards,

Shaiq

0 Kudos
PhoneBoy
Admin
Admin
‎2018-10-16 04:59 AM
In response to BeaconBits
Jump to solution

A session is a collection (a superset) of connections.

A connection only tells you very basic things (layer 3-4 information) about a single TCP/UDP connection.

It does tell you how that single connection relates to others that have been seen from that same user/host. 

A session correlates what happens over several individual connections, including information from multiple blades (e.g. App Control, URL Filtering, Identity Awareness, etc) into a single log entry.

Through looking at thousands of individual connection logs manually, you could probably tell Joe Roberts spent an hour surfing Facebook.

A session log can show you this in a single log entry with the number of bytes transferred, an estimate of how long he spent, and so on, all correlated automatically. 

fcamus
Participant
‎2023-07-26 06:56 AM
In response to PhoneBoy
Jump to solution

Hi,

If users are connecting using VPN (cisco ASA) with ip pool configured instead of DHCP, the client IP will change after each disconnection (no DHCP lease). With wifi, this results in regular ip change for the clients.

So if session is based on ip source, saying "Joe Roberts spent an hour surfing Facebook." may not be correct.

Joe may have had several ip and these ip may have been reused by other user.

correct ? 

Regards,

Fred

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-07-27 12:36 AM
In response to fcamus
Jump to solution

You have to configure either a fixed Office Mode IP for each user (easily possible with CheckPoint GWs) or use Identity Awareness.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
bSingh
Participant
‎2023-12-25 11:42 PM
In response to PhoneBoy
Jump to solution

Is that possible to check the number of sessions through the gateway via cli and gui.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-12-26 01:05 PM
In response to bSingh
Jump to solution

Best you can get are the number of connections on the gateway: fw tab -t connections -s.
There are four entries in the connections table for a single connection (more if NAT is involved). 
Sessions are correlated on the management side and we do not keep a count of them.

Ahsan_Khan
Explorer
Explorer
‎2021-01-04 02:57 AM
Jump to solution

Hey 

Does enabling the session logging  - increase load on GW / logserver ? 

0 Kudos
Leandro_RD
Explorer
‎2021-03-16 06:49 AM
In response to Ahsan_Khan
Jump to solution

hi @Ahsan_Khan ,  did you get any answer to your question? I wonder the same.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-03-16 09:51 AM
In response to Leandro_RD
Jump to solution

This is a logical result, i would assume - and also the reason that it is disabled by default (and configurable in SmartConsole) since R80.20.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top