
Easy Tool - Real time connection table analysis v4.0

HeikoAnkenbrand
Champion
Overview


From version R80.10 to version R81.10.

For many Check Point users the question arises again and again which connections and services are used by a rule, a port, a destination IP or source IP in real time. For this purpose I have created a small tool with which all information about a rule can be read out in real time from the connection table.

This is good for optimizing the ruleset, as it provides a real-time view of the connection table with

...




(16)
42 Replies

Reimar_W
Participant

Hi @HeikoAnkenbrand 

The script simplifies the search in the connection table.
Great idea and thanks for your great contributions.

Small note:
Unfortunately, the use of multiple filters -p 53 -d 8.8.8.8 does not work.



(1)

HeikoAnkenbrand
Champion

Hi @Reimar_W,

I reworked this in the script and it now works with multiple filter parameters.

Thanks
Heiko



udo_kimmich
Participant

It's really cool how you can browse with this tool in the connection table.
This allows you to get information quickly and easily.

Great job
@HeikoAnkenbrand



Power_Support
Participant

Hi @HeikoAnkenbrand,

nice solution.

What is the state "conn" in the output?



HeikoAnkenbrand
Champion

Hi @Power_Support 

Bug is fixed in version 2.5!



IgorWeller
Participant

Very interesting tool.
Could you also provide an overview of the interfaces in use?



HeikoAnkenbrand
Champion

Incoming and outgoing interface added in version 2.6.



Svendsen
Participant

Great work Heiko, this will become useful for almost everyone working with CP



HeikoAnkenbrand
Champion

Check Point service names added in version 2.7



Wolfgang
Authority

Great tool @HeikoAnkenbrand. How about VSX, known problems?



HeikoAnkenbrand
Champion

Hi @Wolfgang,

The script is very complex and I try to integrate VSX. However, one or two functions are not yet VSX compatible.
Please give me another week or two 😉



(2)

fwmeister
Contributor

Hi Heiko,

You could add a small option for the top rules using cpstat blades and take the 5 rules and show them.

Cheers



0 Kudos

HeikoAnkenbrand
Champion

Hi @Wolfgang,

After a weekend with a lot of programming work I made the script VSX compatible.
You only need to run the command in a VS instance:
# vsenv xy
# econn ...

Now the VS instance should be displayed as shown in the picture:
econn_3_vsx.png



(3)

Wolfgang
Authority

@HeikoAnkenbrand 

Works like a charm with VSX. Saved me a lot of time at the moment investigating a problem with some connections.

👍 👍



0 Kudos

HeikoAnkenbrand
Champion

From version 2.9 with extended connection table view:
+ Incoming interface
+ Outgoing interface
+ Check Point service name

econn_conn_tab.JPG



fwmeister
Contributor

Got a few errors (r80.20 hf take188). Yes, I know it's "old". 🙂

using -t -i -c

awk: fatal: can't open source file `/opt/etool/script/econn_awk1' for reading (No such file or directory)

 

also 

Incomming : sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `cat /tmp/econn_if |grep ^domain-udp(122)'



0 Kudos
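
The second error in the post above is what a shell prints when a service name such as domain-udp(122) is spliced unquoted into a command string. As an added example (not code from econn, whose source is not shown on this page), here is a lookup that hands the name over as data instead; the function names, the temporary file and its layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not econn code. Assumed file layout: one
# "service-name interface" pair per line (constructed sample data).
IF_FILE=$(mktemp)
trap 'rm -f "$IF_FILE"' EXIT
cat > "$IF_FILE" <<'EOF'
domain-udp(122) eth0
https(443) eth1
domain-udp(1220) eth2
EOF

# Fragile form: the name becomes part of a command string that a second
# shell parses, so "(" and ")" are read as shell syntax and the command
# aborts with "syntax error near unexpected token `('".
lookup_unquoted() {
    sh -c "cat $IF_FILE | grep ^$1" 2>/dev/null
}

# Robust form: the name reaches awk through the environment and is compared
# as a literal string with the first field. Nothing in the name is parsed
# by a shell or treated as a regular expression, and only exact matches hit.
lookup_literal() {
    SVC="$1" awk '$1 == ENVIRON["SVC"] { print $2 }' "$IF_FILE"
}

lookup_literal 'domain-udp(122)'
```

The same rule applies to any value read from the connection table and reused in a command: pass it as an argument or environment variable, never as part of the command text.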

fwmeister
Contributor

ok. Got that /opt/etool error because I just copied the /usr/bin/econn to firewalls instead of "installing" it. 

 



0 Kudos

fwmeister
Contributor

Excellent tool! Thanks for sharing! 



HeikoAnkenbrand
Champion

Bugs fixed in version 2.9:
- ICMP issues
- interface issue
- Check Point service issue



KostasGR
Advisor

Hello @HeikoAnkenbrand

In case of inline rules the -r flag doesn't seem to work. For example, for a rule 2.1, 2.2 etc.

-r <rule number> Show the information about a specific rule with the corresponding rule number.

 

BR,

Kostas



HeikoAnkenbrand
Champion

Hi @KostasGR,

I use the command "fw ctl conntab" to display the connection tab. Unfortunately this does not support inline rules. Therefore, you can only use the basic inline layer rule. Unfortunately, this cannot be changed technically.

Here is an example from my lab environment:
ecomm_5.JPG

fw ctl conntab -r 3

ecomm_6.JPG

 

Output tool

ecomm_7.JPG

 

 



Henrik_Noerr1
Advisor

would like to try this, but I get:

/bin/econn: line 10: [[: $#: syntax error: operand expected (error token is "$#")

fw ver
This is Check Point's software version R80.40 - Build 124

uname -a
Linux hostname 3.10.0-957.21.3cpx86_64 #1 SMP Sun Apr 18 18:41:00 IDT 2021 x86_64 x86_64 x86_64 GNU/Linux

 

Regards,

Henrik



0 Kudos

joschuar
Participant

  @HeikoAnkenbrand 

Great job.



0 Kudos

HeikoAnkenbrand
Champion

Version 4.0 is now available with many new features:

- VSX Support
- Write connection table to file
- Read connection table from file
- No summary output (option -n)
- Search filter for the corresponding grep parameters in the connection table view output.



joschuar
Participant

Hello @HeikoAnkenbrand,

first of all a big thank you for another great tool here for the CheckMates community.
The script runs on all our gateways. It is a bit slow with more than 100K connection table entries.
But otherwise a great solution.



0 Kudos

HeikoAnkenbrand
Champion

In the last few days I have spent a lot of time optimizing the code. Now even larger connection tabs should be output in a reasonable time.

From version 4.0e I will optimize the script code a bit more.



HeikoAnkenbrand
Champion

In the latest version 4.0g the script is performance optimized. Therefore, connection tabs larger than 100K can be displayed quickly.



genisis__
Leader

Hi Heiko,  Just tried pasting in the script and got this:

 

Real time connection table analysis by Heiko Ankenbrand 2021 (v4.0)

/usr/bin/econn: line 308: syntax error near unexpected token `\$2,a,"."'
/usr/bin/econn: line 308: ` more /tmp/econn_ip.txt | awk '{print \$6 " "\$2 \$3 \$4 " "\$5 " "\$8}' | sed -e 's/src=//g' | sed -e 's/\],dest=\[/ /g' | sed -e 's/\],/ /g' | sed -e 's/\;//g' | sed -e 's/\[//g' | sed -e 's/rule\=/ /g' | sed -e 's/\,/ /g' | sed -e 's/state\=/ /g' | sed -

...


0 Kudos

Zuhal
Explorer

Hello @HeikoAnkenbrand,


Nice tool.

I sometimes get a grep bug in the ports section!



0 Kudos