Boosting Performance & Stability
with Harmony Endpoint E88.70!
Four Ways to SASE
April 23, 5PM CET | 11AM ET
It's Here!
CPX 2025 Content
Zero Trust: Remote Access and Posture
Help us with the Short-Term Roadmap
The Future of Browser Security:
AI, Data Leaks & How to Stay Protected!
CheckMates Go:
Recently on CheckMates
HeikoAnkenbrand
It is not nice when the "fw ctl conntab" is displayed in an unformatted format. In this way, one always searches for the correct connections with the parameters in the output. I have created a nice overview "sorted by rule numbers". An easy connection table version:-)
When you execute this oneliner, a new cli command "econntab" is created:
cat <<EOT > /usr/bin/econntab
printf '%.s-' {1..132};echo -e "\nRule Proto Source IP S-Port Destination IP D-Port Timeout State";printf '%.s-' {1..132};fw ctl conntab | awk '{print \$6 " "\$2 \$3 \$4 " "\$5 " "\$8}' | sed -e 's/src=//g' | sed -e 's/\],dest=\[/ /g' | sed -e 's/\],/ /g' | sed -e 's/)\;//g' | sed -e 's/\[//g' | sed -e 's/rule\=/ /g' | sed -e 's/\,/ /g' | sed -e 's/state\=/ /g' | sed -e 's/Ifn[c,s]in\=[0-9]*//g' | sed -e 's/Ifn[c,s]out\=[0-9]*//g' | awk '{printf "%.6s \t%10s \t%15s \t%6s \t%15s \t%7s \t%10s \t%20s \n", \$1, \$6, \$2, \$3 ,\$4, \$5, \$7 ,\$8}' 2>&1 | sort -n | uniq
EOT
chmod 770 /usr/bin/econntab
After that, you only need to execute the following cli command in expert mode:
# econntab
With grep you can search for many interesting parameters of the connection table:
# econntab | grep SYN_SENT --> connections that have only sent one TCP SYN packet
# econntab | grep FIN --> connections that are in the process of being disconnected
# econntab | grep ^'61' --> for example all connections of the rule 61
# econntab | grep 1.1.1.1 --> all connections for IP 1.1.1.1
# econntab | grep ICPM --> all ICPM connections
# econntab | grep ' 443 ' | grep "SYN" --> all https connections in "SYN" state
# econntab | grep ' [0-9]/' --> all connections that time out in the next 10 seconds
# econntab | grep -E '^[1-9][0-9][0-9][0-9][0-9][0-9]' --> all implied rules
# econntab | grep -v -E '^[1-9][0-9][0-9][0-9][0-9][0-9]' --> all without implied rules
# econntab | grep '00000070' --> VRRP connections
# econntab | grep '0000002f' --> GRE connections
PS:
If you see rules >100000, this is not an error, but it is an implied rule.
It is not nice when the "fw ctl conntab" is displayed in an unformatted format. In this way, one always searches for the correct connections with the parameters in the output. I have created a nice overview "sorted by rule numbers". An easy connection table version:-)
When you execute this oneliner, a new cli command "econntab" is created:
cat <<EOT > /usr/bin/econntab printf '%.s-' {1..132};echo -e "\nRule Proto Source IP S-Port Destination IP D-Port Timeout State";printf 
@HeikoAnkenbrand very nice script. 👍
There is a small issue present. In the state field I see an Ifncin=21 in some lines.
@HeikoAnkenbrand very nice script.
👍
There is a small issue present. In the state field I see an Ifncin=21 in some lines.
;
HeikoAnkenbrand
I have added the following to the latest version to eliminate the bug.
| sed -e 's/Ifn[c,s]in\=[0-9]*//g' | sed -e 's/Ifn[c,s]out\=[0-9]*//g'
JuPo
@HeikoAnkenbrand love the script.
BTW Is there any reason for not making the oneliner shorter using sed 's///g;s///g;s///g' instead of sed s///g | s///g | s ///g ?
printf '%.s-' {1..132};echo -e "\nRule Proto Source IP S-Port Destination IP D-Port Timeout State";printf '%.s-' {1..132};fw ctl conntab | awk '{print \$6 " "\$2 \$3 \$4 " "\$5 " "\$8}' | sed -e 's/src=//g;s/\],dest=\[/ /g;s/\],/ /g;s/)\;//g;s/\[//g;s/rule\=/ /g;s/\,/ /g;s/state\=/ /g;s/Ifn[c,s]in\=[0-9]*//g;s/Ifn[c,s]out\=[0-9]*//g' | awk '{printf "%.6s \t%10s \t%15s \t%6s \t%15s \t%7s \t%10s \t%20s \n", \$1, \$6, \$2, \$3 ,\$4, \$5, \$7 ,\$8}' 2>&1 | sort -n | uniq
@HeikoAnkenbrand love the script.
BTW Is there any reason for not making the oneliner shorter using sed 's///g;s///g;s///g' instead of sed s///g | s///g | s ///g ?
printf '%.s-' {1..132};echo -e "\nRule Proto Source IP S-Port Destination IP D-Port Timeout State";printf '%.s-' {1..132};fw ctl conntab | awk '{print \$6 " "\$2 \$3 \$4 " "\$5 " "\$8}' | sed -e 's/src=//g;s/\],dest=\[/ /g;s/\],/ /g;s/)\;//g;s/\[//g;s/rule\=/ /g;s/\,/ /g;s/state\=/ /g;s/Ifn[c,s]in\=[0-9]*//g;s/Ifn[c,s]o
...;
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY