ECONN - Easy Connection Table Tool

HeikoAnkenbrand

This econn tool version 6.8 is a command-line utility for analyzing active firewall connection tables, specifically from Check Point firewalls via the fw tab -t connections -u command. It parses raw connection entries, resolves service names, maps interface IDs to names, and provides powerful filtering options based on IP addresses, ports, protocols, rules, networks, and interface names. Results can be displayed in a structured table, and optional statistics can be generated.

One of its greatest strengths lies in the powerful filtering options. With just a few parameters, the view can be narrowed down to specific source or destination addresses, certain ports, or even entire networks. Filtering by protocol or interface is also possible, allowing administrators to isolate exactly the connections that are relevant to their analysis within seconds.

Beyond simple presentation, econn delivers extensive statistical insights. It highlights which rules are most frequently used, which ports and IP combinations dominate, and how communication is distributed across different interfaces. This helps build a deeper understanding of network behavior and makes it easier to identify irregularities.

Ultimately, the tool provides a quick overview of all relevant communication relationships. Even in complex environments with many segments, traffic becomes more transparent as connections are logically grouped and summarized. For administrators, this means a significant simplification in evaluating communication flows and a valuable aid in day-to-day network operations.

The -stat option provides a general overview of the filtered connections. It summarizes key information such as which ports, rules, protocols, services, and interfaces are involved, giving administrators a quick snapshot of the traffic.

With -statip, the tool lists all unique source and destination IP addresses. This makes it easy to see at a glance which hosts are participating in the current connections.

The -statnet option focuses on networks rather than individual IPs. It groups communication into Class C (/24) and Class B (/16) networks, helping to understand traffic distribution across subnets.

Using -statconn, administrators can see all source–destination IP pairs along with the ports they are using. This highlights who is talking to whom and which services are being exchanged.

The -statport option organizes connections by destination port. For each port, it shows the related IP pairs without duplicates, making it clear which services are most active.

With -statrule, the output is grouped by firewall rule. It shows which source and destination pairs are affected by each rule and the ports they use, which is particularly useful for validating security policies.

Finally, -notab hides the detailed connection table. This is useful when the focus is only on statistics or summaries, reducing clutter in the output.

Install tool:

curl_cli -k https://www.checkpoint.tips/tools/econn > /usr/bin/econn && chmod 770 /usr/bin/econn && dos2unix /usr/bin/econn

Online help:

Usage:
  econn [filters] [options]

Filter options (detailed):
  -s=<IP>        Filter by source IP address
  -d=<IP>        Filter by destination IP address
  -sp=<Port>     Filter by source port
  -dp=<Port>     Filter by destination port
  -n=<Name>      Filter by service name (if available)
  -r=<Rule>      Filter by rule number
  -p=<Protocol>  Filter by protocol (e.g., TCP, UDP, ICMP)
  -net=<CIDR>    Filter if either source or destination IP is in the network
  -snet=<CIDR>   Filter if source IP is in the network
  -dnet=<CIDR>   Filter if destination IP is in the network
  -si=<iface>    Filter by inbound interface name
  -di=<iface>    Filter by outbound interface name
  -g=<string>    Grep-like search: only show rows containing the string

Statistics / Output options:
  -stat          Show general statistics for the current filter
  -statip        Show all unique IP addresses (source & destination)
  -statnet       Show all networks (Class C / B) involved in connections
  -statconn      Show all IP pairs with their associated ports
  -statport      Group output by ports (with IP pairs, no duplicates)
  -statrule      Group output by rules (with IP pairs and ports)
  -notab         Hide the main connection table from output

General:
  --help         Show this help message and exit

Examples:
  econn -s=192.168.1.10 -p=TCP
  econn -dnet=10.0.0.0/8 -stat
  econn -g=established -p=TCP
  econn -sp=80 -statport
  econn -dp=443 -statconn
  econn -r=101 -statrule
  econn -net=192.168.0.0/16 -p=UDP -statip
  econn -g=FIN -stat -notab
  econn -d=8.8.8.8 -statrule -statport
  econn -si=eth0 -di=eth1 -p=TCP -statport -notab

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Danny

Thanks for sharing another econn update, while it’s getting a bit tricky to keep track of all the different threads.

Just to recap, we’ve got:

community thread for version 0.x is here
community thread for version 1.x is here
community thread for version 4.x is here
community thread for version 5.x is here
community thread for version 6.x is here

To make it easier for everyone to find and follow the latest version, it might be helpful to keep updates consolidated in a single thread. That way, folks can stay up to date and jump in more easily.

HeikoAnkenbrand

What's new in version 6.x:

I decided to create this new version to improve both usability and performance. The old implementation relied heavily on bash and regex, which I have now migrated to Python 3 for cleaner and more maintainable code.
- The evaluation of the rule set is now significantly faster — for example, processing
1 million connections takes only about 5 seconds.
- The new approach is much more resource-efficient and scalable, handling up to
10 million connections without issues.
- On top of that, I’ve expanded the statistics module with new features, including
sorting and grouping options, to make analysis more powerful and flexible:
-statconn -> Show all IP pairs with their associated ports

-statport -> Group output by ports (with IP pairs, no duplicates)

-statrule -> Group output by rules (with IP pairs and ports)

-statif -> Group output by interface (with IP pairs and ports)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

otto_w

WOW - This tool is absolutely outstanding – it turns raw firewall connection data into clear, structured insights with powerful filtering and statistics, making troubleshooting faster, smarter, and more efficient.

Machine_Head

Nice one - Thanks!

Ingard

Hi @HeikoAnkenbrand,
Can the output be redirected to a file using a switch in the CLI?

HeikoAnkenbrand

Yes for example:

econn -net=192.168.0.0/16 -p=UDP -statrule > output_file.txt

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Suvi

How can the tool be used to filter and analyze Check Point firewall connections, and can you provide an example of how its filtering or statistical features?

HeikoAnkenbrand

The following command displays all outputs sorted by various criteria, such as rules, ports, and more. In addition, the connection table is presented in the following form:

The following command displays all outputs. You may only need to adjust the search filters if necessary.

econn -stat -statip -statnet -statconn -statport -statrule -snet=10.0.0.0/24 -r=10

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

the_rock

I did a bit if testing yesterday in the lab with this tool, I found it very useful. Amazing job, as always, @HeikoAnkenbrand

Andy

the_rock

Excellent!

Lenhard

Hi @HeikoAnkenbrand ,
Great tool and excellent recommendation for evaluating the firewall connection.
We can test this together in our project next week.

the_rock

Excellent, indeed.

HeikoAnkenbrand

Thanks to netan for the private email.
I have fixed the bug with the interfaces. It should now work without any problems.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

the_rock

Amazing tool, so helpful. Used it few times already, truly excellent.

Fantastic work, as always @HeikoAnkenbrand

Filters

Sort By

Categories

ECONN - Easy Connection Table Tool

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.