Number of connections depending on dst addresses
Hi!
We have a certain group of destination addresses. We need to calculate the total number of connections for this group for a certain period of time. How can we do this in R80.10 in SmartConsole as well as from the CLI? We need exactly the number of connections, not events.
Thank you!
fw tab -u -t connections | awk '{ print $4 }' | sort -n | uniq -c | sort -nr | head -10
This will show the top ten destination IPs hogging slots in the connection table in descending order, however you will need to manually convert the IP addresses displayed from hex to decimal like so: 0a1e0b53 = 10.30.11.83. For the top 10 sources, substitute $2 for $4 in the awk command above. A variant of this command utilizing grep can be used to look for certain IP addresses or subnets.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
March 27th with sessions for both the EMEA and Americas time zones
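The pipeline above adapted to the original question, as an added example that is not part of the thread or of any Check Point tooling: it converts the hex destination field to dotted decimal and totals the entries for a chosen group of addresses. The function names, the sample table lines, and the assumption that symbolic-link entries are the lines containing `->` are all constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample data is constructed; the line layout is an assumption.
# Portable awk helpers (no gawk strtonum): 8 hex digits -> dotted decimal.
AWK_HEX='
function hexval(s,   i, v) {
    s = tolower(s); v = 0
    for (i = 1; i <= length(s); i++)
        v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
    return v
}
function hex2ip(h,   i, ip, sep) {
    for (i = 1; i <= 7; i += 2) { ip = ip sep hexval(substr(h, i, 2)); sep = "." }
    return ip
}
'
hex2ip() { awk -v h="$1" "$AWK_HEX"'BEGIN { print hex2ip(h) }'; }

# count_group "ip1,ip2,..." : reads raw table lines on stdin, prints
# "<count> <ip>" per group member seen, then "total <n>".
count_group() {
    awk -v group="$1" "$AWK_HEX"'
    BEGIN { n = split(group, g, ","); for (i = 1; i <= n; i++) want[g[i]] = 1 }
    /->/  { next }   # assumption: symbolic-link entries are the lines with "->"
    /^</  {
        dst = $4; gsub(/[^0-9a-fA-F]/, "", dst)   # field 4 = destination, minus comma
        if (length(dst) != 8) next
        ip = hex2ip(dst)
        if (ip in want) { per[ip]++; total++ }
    }
    END {
        for (ip in per) print per[ip], ip | "sort -rn"
        close("sort -rn")
        print "total", total + 0
    }'
}

# Constructed sample standing in for `fw tab -u -t connections` output.
sample_table() {
cat <<'EOF'
localhost:
-------- connections --------
<00000000, 0a010105, 0000c350, 0a1e0b53, 000001bb, 00000006; 0001c001, 00044000; 3600/3600>
<00000001, 0a1e0b53, 000001bb, 0a010105, 0000c350, 00000006> -> <00000000, 0a010105, 0000c350, 0a1e0b53, 000001bb, 00000006> (00000805)
<00000000, 0a010106, 0000c351, 0a1e0b53, 000001bb, 00000006; 0001c001, 00044000; 3600/3600>
<00000000, 0a010105, 0000c352, 0a1e0b54, 000001bb, 00000006; 0001c001, 00044000; 3600/3600>
<00000000, 0a010107, 0000c353, c0a80101, 00000035, 00000011; 0001c001, 00044000; 40/40>
EOF
}
sample_table | count_group "10.30.11.83,10.30.11.84"
```

Like the original command, this is a snapshot of the table at one moment, not a count over a period of time.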
Dear Tim,
Thanks for a quick response! Can we see this information from SmartConsole?
There is a way to do this in SmartView Tracker (the so-called "Active Connections" view).
While there is no shortcut to SmartView Tracker installed, you can find the binary in C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM as CPlgv.exe
And, as it turns out, this function still works (performance implications apply).
You can filter the results as desired.
You can also do this in SmartView Monitor to track this over time, if you enable Monitoring on the relevant Gateway object.
In R80+:
- Open SmartConsole > Logs & Monitor.
- Open the catalog (new tab).
- Click Tunnel & User Monitoring.
See also: Logging and Monitoring R80.10 (Part of Check Point Infinity)
Oh boy, not the Active Connections, please. That can blow your production FWs in an instant. I would look into the connection table on the CLI instead.
...and I see Tim posted the command already
Completely agree, just providing all the options.
Dameon,
Tell me, please, what about the R80.10 version? Is it possible to generate reports with the number of connections in the SmartConsole? As I understand we must look in the direction of the Network Activity report?
The methods we've discussed thus far have been methods to determine this in realtime.
The Network Analysis report (which is in R80.10 and might be in earlier releases) is from SmartEvent and is based on logs.
A couple of snapshots from this report are below.
I want to check the active connections log in R80.10 but am unable to see it.
Could you please suggest how to check?
Vivek Kumar
Hello Tim,
Does this command exclude symbolic links? According to sk65133, for one connection there can be 4 entries in the table.
The command does not exclude symbolic links; it was more designed to show you which IP addresses were hogging the most slots in the connection table, not necessarily the precise number of connections per IP.
OK, thanks, and how can we know the precise number of connections per IP via the CLI?
fw tab -u -t connections | awk '{ print $4 }' | sort -n | uniq -c | sort -nr | head -10 would give the number of sessions per destination IP at a given time but not for a period of time, right?
By the way, with -f you can get the output formatted in dotted decimal format:
fw tab -u -t connections -f | awk '{ print $13 }' | sort -n | uniq -c | sort -nr | head -10
Sorry, I forgot to mention that you need to grep Rule, otherwise you get pretty much 4 events/symbolic per connection:
fw tab -u -t connections -f | grep Rule | awk '{ print $13 }' | sort -n | uniq -c | sort -nr | head -10
You could get that information with this script
showtable.sh - it shows statistics of the connections, fxw_cache and sam_blocked_ips tables
./showtable.sh connections global list:20:d
Unfortunately, my access to this script is restricted.
The script was probably in the moderation queue when you tried to access it.
It's not now, please try again.
Since this thread still appears to be going strong, just wanted to mention the undocumented fw ctl conntab command which presents a very pretty and concise look at the connections state table similar to fw tab -f -u -t connections including idle timers (highlighted):
I am wondering why fw ctl conntab | grep -c "<" and fw tab -t connections -s don't match
# fw ctl conntab | grep -c "<"
1619
# fw tab -t connections -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 4947 159162 12074
I saw this behavior here using three different tools like you did (fw ctl conntab, Smart Monitor, fw tab connections), and I was not able to trust the information given to me...
