Olga_Kuts
Advisor

Number of connections depending on dst addresses

Hi!

We have a certain group of destination addresses. We need to calculate the total number of connections for this group for a certain period of time. How can we do this in R80.10 in SmartConsole as well as from the CLI? We need exactly the number of connections, not events.
Thank you!

20 Replies
Timothy_Hall
Champion
Champion

fw tab -u -t connections | awk '{ print $4 }' | sort -n | uniq -c | sort -nr | head -10


This will show the top ten destination IPs hogging slots in the connection table in descending order, however you will need to manually convert the IP addresses displayed from hex to decimal like so: 0a1e0b53 = 10.30.11.83. For the top 10 sources, substitute $2 for $4 in the awk command above. A variant of this command utilizing grep can be used to look for certain IP addresses or subnets.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Olga_Kuts
Advisor

Dear Tim,

Thanks for a quick response! Can we see this information from SmartConsole?

0 Kudos
PhoneBoy
Admin
Admin

There is a way to do this in SmartView Tracker (the so-called "Active Connections" view).

While there is no shortcut to SmartView Tracker installed, you can find the binary in C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM as CPlgv.exe

And, as it turns out, this function still works (performance implications apply).

You can filter the results as desired.

You can also do this in SmartView Monitor to track this over time, if you enable Monitoring on the relevant Gateway object.

In R80+: 

  • Open SmartConsole > Logs & Monitor.
  • Open the catalog (new tab).
  • Click Tunnel & User Monitoring.

See also: Logging and Monitoring R80.10 (Part of Check Point Infinity) 

_Val_
Admin
Admin

Oh boy, not the Active Connections, please. That can blow up your production FWs in an instant. I would look into the connection table on the CLI instead.

0 Kudos
_Val_
Admin
Admin

...and I see Tim posted the command already

PhoneBoy
Admin
Admin

Completely agree, just providing all the options.

Olga_Kuts
Advisor

Dameon,

Tell me, please, what about the R80.10 version? Is it possible to generate reports with the number of connections in the SmartConsole? As I understand we must look in the direction of the Network Activity report?

0 Kudos
PhoneBoy
Admin
Admin

The methods we've discussed thus far have been methods to determine this in realtime.

The Network Analysis report (which is in R80.10 and might be in earlier releases) is from SmartEvent and is based on logs.

A couple of snapshots from this report are below.

0 Kudos
vivekk1
Participant

Hi,
I want to check the active connection log in R80.10 but am unable to see it.
Could you please suggest how to check?
Regards,
Vivek Kumar
0 Kudos
Olga_Kuts
Advisor

Hello Tim,

Does this command exclude symbolic links? Following the sk65133, for one connection there can be 4 entries in the table.

0 Kudos
Timothy_Hall
Champion
Champion

The command does not exclude symbolic links; it was more designed to show you which IP addresses were hogging the most slots in the connection table, not necessarily the precise number of connections per IP.

0 Kudos
Olga_Kuts
Advisor

Ok, thanks, and how can we know the precise number of connections per IP via cli?

0 Kudos
Luis_Miguel_Mig
Advisor

fw tab -u -t connections | awk '{ print $4 }' | sort -n | uniq -c | sort -nr | head -10 would give the number of sessions per destination ip at a given time but not for a period of time, right?

By the way, with -f you can get the output formatted in decimal dotted format

fw tab -u -t connections -f | awk '{ print $13 }' | sort -n | uniq -c | sort -nr | head -10

0 Kudos
Luis_Miguel_Mig
Advisor

Sorry, I forgot to mention that you need to grep Rule, otherwise you get pretty much 4 events/symbolic per connection

fw tab -u -t connections -f | grep Rule | awk '{ print $13 }' | sort -n | uniq -c | sort -nr | head -10
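
An added example, not part of any post in this thread: the manual hex-to-decimal step and the symbolic-link caveat discussed above, combined into one filter that counts real connection entries per destination for a given group of addresses. The function names, the sample lines and the assumed raw line layout (field 4 is the destination in hex, symbolic-link lines contain `->`) are constructed for illustration.

```shell
# Added example. Assumed raw `fw tab -u -t connections` line layout:
#   real entry:    <dir, src, sport, dst, dport, proto; ...>
#   symbolic link: <...> -> <...> (...)
# count_group_conns DST...: reads table lines on stdin and prints
# "<count> <dst>" for each group member, then "<total> total".
count_group_conns() {
    awk -v group="$*" '
    function hex2ip(h,    i, n, out) {      # 0a1e0b53 -> 10.30.11.83
        out = ""
        for (i = 1; i <= 7; i += 2) {
            n = (index(HEX, substr(h, i, 1)) - 1) * 16
            n += index(HEX, substr(h, i + 1, 1)) - 1
            out = out (i > 1 ? "." : "") n
        }
        return out
    }
    BEGIN {
        HEX = "0123456789abcdef"
        members = split(group, g, " ")
        for (k = 1; k <= members; k++) want[g[k]] = 1
    }
    /->/       { next }     # symbolic link, not a connection of its own
    $1 !~ /^</ { next }     # table header lines
    {
        h = tolower($4); gsub(/[^0-9a-f]/, "", h)   # strip the comma
        if (length(h) != 8) next
        ip = hex2ip(h)
        if (ip in want) { count[ip]++; total++ }
    }
    END {
        for (k = 1; k <= members; k++) printf "%d %s\n", count[g[k]] + 0, g[k]
        printf "%d total\n", total + 0
    }'
}
# Constructed sample: 4 real entries and 2 symbolic links.
sample_table() {
    cat <<'EOF'
-------- connections --------
<00000000, 0a000005, 0000c350, 0a1e0b53, 000001bb, 00000006; 0001c001, 00044000; 3599/3600>
<00000001, 0a1e0b53, 000001bb, 0a000005, 0000c350, 00000006> -> <00000000, 0a000005, 0000c350, 0a1e0b53, 000001bb, 00000006> (00000805)
<00000000, 0a000006, 0000c351, 0a1e0b53, 000001bb, 00000006; 0001c001, 00044000; 3580/3600>
<00000000, 0a000005, 0000c352, c0a80114, 00000016, 00000006; 0001c001, 00044000; 3001/3600>
<00000001, c0a80114, 00000016, 0a000005, 0000c352, 00000006> -> <00000000, 0a000005, 0000c352, c0a80114, 00000016, 00000006> (00000805)
<00000000, 0a000007, 0000c353, 08080808, 00000035, 00000011; 0001c001, 00044000; 35/40>
EOF
}
sample_table | count_group_conns 10.30.11.83 192.168.1.20
```

On a gateway the input would come from `fw tab -u -t connections` instead of the sample function. The result is a snapshot of the table at the moment the command runs, not a count over a period.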

Luis_Miguel_Mig
Advisor

You could get that information with this script

showtable.sh - it shows statistics of the connections, fxw_cache and sam_blocked_ips tables 

./showtable.sh connections global list:20:d

0 Kudos
Olga_Kuts
Advisor

Unfortunately, my access to this script is restricted.

0 Kudos
PhoneBoy
Admin
Admin

The script was probably in the moderation queue when you tried to access it.

It's not now, please try again.

0 Kudos
Timothy_Hall
Champion
Champion

Since this thread still appears to be going strong, just wanted to mention the undocumented fw ctl conntab command which presents a very pretty and concise look at the connections state table similar to fw tab -f -u -t connections including idle timers (highlighted):

fw ctl conntab connections table

Luis_Miguel_Mig
Advisor

I am wondering why fw ctl conntab | grep -c "<"   and fw tab -t connections -s don't match

# fw ctl conntab | grep -c "<"
1619
 # fw tab -t connections -s
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  4947 159162   12074

0 Kudos
Jones_Jardel_Po
Contributor

I saw this behavior here using three different tools like you did: fw ctl conntab; Smart Monitor; fw tab connections, and I was not able to trust the information given to me...
