Hi!
We have a certain group of destination addresses. We need to calculate the total number of connections for this group for a certain period of time. How can we do this in R80.10, in SmartConsole as well as from the CLI? We need exactly the number of connections, not events.
Thank you!
fw tab -u -t connections | awk '{ print $4 }' | sort -n | uniq -c | sort -nr | head -10
This will show the top ten destination IPs hogging slots in the connection table in descending order, however you will need to manually convert the IP addresses displayed from hex to decimal like so: 0a1e0b53 = 10.30.11.83. For the top 10 sources, substitute $2 for $4 in the awk command above. A variant of this command utilizing grep can be used to look for certain IP addresses or subnets.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
Dear Tim,
Thanks for a quick response! Can we see this information from SmartConsole?
There is a way to do this in SmartView Tracker (the so-called "Active Connections" view).
While there is no shortcut to SmartView Tracker installed, you can find the binary in C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM as CPlgv.exe
And, as it turns out, this function still works (performance implications apply).
You can filter the results as desired.
You can also do this in SmartView Monitor to track this over time, if you enable Monitoring on the relevant Gateway object.
In R80+:
See also: Logging and Monitoring R80.10 (Part of Check Point Infinity)
Oh boy, not the Active Connections, please. That can blow up your production FWs in an instant. I would look into the connection table on the CLI instead
...and I see Tim posted the command already
Completely agree, just providing all the options.
Dameon,
Tell me, please, what about the R80.10 version? Is it possible to generate reports with the number of connections in the SmartConsole? As I understand we must look in the direction of the Network Activity report?
The methods we've discussed thus far have been methods to determine this in realtime.
The Network Analysis report (which is in R80.10 and might be in earlier releases) is from SmartEvent and is based on logs.
A couple of snapshots from this report are below.
Hello Tim,
Does this command exclude symbolic links? According to sk65133, for one connection there can be 4 entries in the table.
The command does not exclude symbolic links; it was more designed to show you which IP addresses were hogging the most slots in the connection table, not necessarily the precise number of connections per IP.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
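Added example, not code from any poster in this thread: one way to count only real connection entries per destination from the raw table, converting the hex addresses to dotted decimal and summing a group of destinations. It assumes symbolic-link lines are the ones containing "->" and that field 4 is the destination as in the command above; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed layout of raw `fw tab -u -t connections` lines:
#   real entry:    <dir, src, sport, dst, dport, proto; ...>
#   symbolic link: <...> -> <...> (...)
# so awk field $4 is the destination, as in the thread's command.

# Print "count ip" per destination, skipping symbolic-link lines.
count_by_dst() {
    awk '
    function hex2ip(h,   i, hi, lo, n, out) {   # "0a1e0b53" -> "10.30.11.83"
        h = tolower(h); out = ""
        for (i = 1; i <= 7; i += 2) {
            hi = index(HEX, substr(h, i, 1)) - 1
            lo = index(HEX, substr(h, i + 1, 1)) - 1
            n = hi * 16 + lo
            if (i > 1) out = out "."
            out = out n
        }
        return out
    }
    BEGIN { HEX = "0123456789abcdef" }
    /^</ && !/->/ {                         # real entries only
        dst = $4
        gsub(/[^0-9a-fA-F]/, "", dst)       # drop the trailing comma
        if (length(dst) == 8) count[hex2ip(dst)]++
    }
    END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Sum the counts for a group of destination IPs given as arguments.
total_for_group() {
    count_by_dst | awk -v group=" $* " '
        index(group, " " $2 " ") { total += $1 }
        END { print total + 0 }'
}

# Constructed sample: three connections, one symbolic link, header lines.
sample_table() {
cat <<'EOF'
localhost:
-------- connections --------
dynamic, id 8158, attributes: keep, sync, expires 25, refresh
<00000000, 0a010105, 0000c001, 0a1e0b53, 000001bb, 00000006; 0001c001, 00044000; 3590/3600>
<00000001, 0a1e0b53, 000001bb, 0a010105, 0000c001, 00000006> -> <00000000, 0a010105, 0000c001, 0a1e0b53, 000001bb, 00000006> (00000805)
<00000000, 0a010106, 0000c002, 0a1e0b53, 000001bb, 00000006; 0001c001, 00044000; 3570/3600>
<00000000, 0a010105, 0000c003, c0a80114, 00000035, 00000011; 0001c001, 00044000; 30/40>
EOF
}

sample_table | total_for_group 10.30.11.83 192.168.1.20
```

On a gateway the input would be `fw tab -u -t connections` piped into `total_for_group`; the result is a snapshot of the table at that moment, not a count over a period of time.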
OK, thanks, and how can we know the precise number of connections per IP via the CLI?
fw tab -u -t connections | awk '{ print $4 }' | sort -n | uniq -c | sort -nr | head -10 would give the number of sessions per destination ip at a given time but not for a period of time, right?
By the way, with -f you can get the output formatted in decimal dotted format
fw tab -u -t connections -f | awk '{ print $13 }' | sort -n | uniq -c | sort -nr | head -10
Sorry, I forgot to mention that you need to grep Rule, otherwise you get pretty much 4 events/symbolic links per connection
fw tab -u -t connections -f | grep Rule | awk '{ print $13 }' | sort -n | uniq -c | sort -nr | head -10
You could get that information with this script
showtable.sh - it shows statistics of the connections, fxw_cache and sam_blocked_ips tables
./showtable.sh connections global list:20:d
Unfortunately, my access to this script is restricted.
The script was probably in the moderation queue when you tried to access it.
It's not now, please try again.
Since this thread still appears to be going strong, just wanted to mention the undocumented fw ctl conntab command which presents a very pretty and concise look at the connections state table similar to fw tab -f -u -t connections including idle timers (highlighted):
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
I am wondering why fw ctl conntab | grep -c "<" and fw tab -t connections -s don't match
# fw ctl conntab | grep -c "<"
1619
# fw tab -t connections -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 4947 159162 12074
I saw this behavior here using three different tools like you did (fw ctl conntab, SmartView Monitor, fw tab connections) and I was not able to trust the information given to me...