Maarten_Sjouw
Champion

User Count

I'm looking for a way to see how many unique IPs have been passing through the FW during a day. Is there anyone who can tell me how to get this? If I need to run a script that just mails me the total per day every day, that is fine with me; it is just that I do not have a clue how and where to start.

Running R80.10 ATM and no IA in use. We will soon be moving to R80.20 and IA will be enabled also, but this can take another 3-6 months.

Regards, Maarten
1 Solution

Accepted Solutions
Danny
Champion

I would check if it's possible to get that info from cpstat or cpinfo. If that's not of help I would probably just do a logrotate at midnight, dump the content to text, delete everything except the IPs, sort, uniq, wc -l and email the returned number to my inbox.


11 Replies
G_W_Albrecht
Legend

According to sk10200: 'too many internal hosts' error in /var/log/messages on Security Gateway, the Security Gateway listens for any IP-based traffic on all interfaces except for the one deemed "external", which is decided by the user and listed in $FWDIR/conf/external.if file. Anytime a host is "heard" talking on a non-external interface, Security Gateway logs this information in $FWDIR/database/fwd.h file and in $FWDIR/database/fwd.hosts file on the Security Gateway.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Maarten_Sjouw
Champion

Sorry Günther W. Albrecht, I checked but it seems that in an unlimited license environment these files do not exist.

Thanks https://community.checkpoint.com/people/917b8439-9d5c-34f0-b86a-f0e1b0a14cbd, we were able to use this and find the number. Now I just need to make sure we collect all the correct information, to make sure that when a logfile crosses the 2GB limit, we collect all information of each day.

But we are on the right path.

Regards, Maarten
Danny
Champion

I'm glad I could be of help.

Maarten_Sjouw
Champion

This is what we ended up doing:

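cd "$FWDIR/log"
# Export the binary log to ';'-separated text (-n: no DNS resolution, -p: no service/port resolution)
fwm logexport -np -i log/2019-01-17_000000.log -o 2019-01-17_000000.exp
# Read the export written above: keep accepted connections, take field 20,
# and keep the unique 10.x.x.x addresses (note the escaped dot after "10")
grep accept 2019-01-17_000000.exp | cut -d ';' -f20 | sort | uniq | grep '^10\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' > ip-list

wc -l ip-list > count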

Regards, Maarten
0 Kudos
Danny
Champion

Thanks for posting the final solution.

0 Kudos
JozkoMrkvicka
Authority

Valid under the assumption that all firewall rules are logged.

Kind regards,
Jozko Mrkvicka
0 Kudos
Maarten_Sjouw
Champion

Polished it a bit and put it in a bash script with the added point that you can add the logfile name on the command line:

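#!/bin/bash
# Log file to export; defaults to fw.log when no argument is given
LF=$1
if [ -z "$LF" ]; then
    LF="fw.log"
fi
# Export, keep accepted connections, take field 20, keep the unique 10.x.x.x addresses
fwm logexport -np -i "$LF" | grep accept | cut -d ';' -f20 | sort | uniq | grep '^10\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' > IP-list
wc -l IP-list > count
echo
echo
echo "For logfile $LF the number of unique IPs is:"
cat count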

Regards, Maarten
0 Kudos
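
Added example (not code from any poster in this thread): a variant of the count that takes several exported files for one day, which covers the case raised above of a log being split at the 2GB limit, and de-duplicates across all of them. It assumes each `fwm logexport` file starts with a `;`-separated header row naming `src` and `action` columns, and finds them by name so it does not depend on the address being field 20; the function name and the sample rows are constructed for illustration.

```shell
#!/bin/bash
# Count unique internal (10.x.x.x) source IPs of accepted connections
# across one or more exported log files.
# Assumption: first line of each file is a ';'-separated header that
# contains the column names "src" and "action".

count_unique_src() {
    # Usage: count_unique_src FILE...   (all exports belonging to one day)
    awk -F';' '
        FNR == 1 {                      # header row: locate columns per file
            src = act = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "src")    src = i
                if ($i == "action") act = i
            }
            if (!src || !act) {
                print FILENAME ": no src/action column" > "/dev/stderr"
                bad = 1                 # report failure instead of a silent undercount
            }
            next
        }
        # Match the action column exactly, not the word "accept" anywhere on the line
        src && act && $act == "accept" &&
        $src ~ /^10\.[0-9]+\.[0-9]+\.[0-9]+$/ { seen[$src] = 1 }
        END {
            n = 0
            for (ip in seen) n++
            print n
            exit bad
        }
    ' "$@"
}

demo() {
    # Constructed sample data: one day split over two files whose
    # columns are in a different order.
    local d; d=$(mktemp -d)
    printf '%s\n' 'num;date;action;src;dst' \
        '0;17Jan2019;accept;10.1.1.5;192.0.2.10' \
        '1;17Jan2019;drop;10.1.1.6;192.0.2.10' \
        '2;17Jan2019;accept;10.1.1.7;192.0.2.11' > "$d/part1.exp"
    printf '%s\n' 'num;src;dst;action' \
        '0;10.1.1.5;192.0.2.12;accept' \
        '1;10.2.0.9;192.0.2.12;accept' \
        '2;198.51.100.4;10.1.1.5;accept' > "$d/part2.exp"
    count_unique_src "$d/part1.exp" "$d/part2.exp"
    rm -rf "$d"
}
```

As noted in the thread, the result only reflects traffic matched by rules that log; a non-zero exit status means at least one file lacked the expected header and the count is incomplete.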
G_W_Albrecht
Legend

This seems appropriate as all these files are used for is User IP counting for checking the license limits. Unlimited licenses do not need that, of course, but you did not mention that in your initial post at all...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Maarten_Sjouw
Champion

I thought that user based licenses were a thing of the past since the blade licenses? It's a long time ago that I have seen licenses with a user limit, where it also was enforced.

Regards, Maarten
0 Kudos
G_W_Albrecht
Legend

No, we still have user based licenses (e.g. EPS clients) and seat based licenses (e.g. MAB, only the number of concurrent users is limited). Also see Remote Access Users license + count.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
