The raw output of "fw ctl conntab" is not nice to read: you are always hunting through the parameters in the output for the connection you actually want. So I have created a nice overview of the connection table, sorted by rule number. An easy connection table version :-)
When you execute this oneliner, a new CLI command "econntab" is created:
cat <<'EOT' > /usr/bin/econntab
#!/bin/bash
# Header, then one aligned row per connection taken from "fw ctl conntab", sorted by rule number
printf '%.s-' {1..132}; echo -e "\nRule Proto Source IP S-Port Destination IP D-Port Timeout State"; printf '%.s-' {1..132}; echo
fw ctl conntab | awk '{print $6 " "$2 $3 $4 " "$5 " "$8}' |
  sed -e 's/src=//g' -e 's/\],dest=\[/ /g' -e 's/\],/ /g' -e 's/)\;//g' -e 's/\[//g' -e 's/rule\=/ /g' -e 's/\,/ /g' -e 's/state\=/ /g' -e 's/Ifn[c,s]in\=[0-9]*//g' -e 's/Ifn[c,s]out\=[0-9]*//g' |
  awk '{printf "%.6s \t%10s \t%15s \t%6s \t%15s \t%7s \t%10s \t%20s \n", $1, $6, $2, $3, $4, $5, $7, $8}' 2>&1 | sort -n | uniq
EOT
chmod 770 /usr/bin/econntab
After that, you only need to execute the following CLI command in expert mode:
# econntab
With grep you can search the connection table for many interesting parameters:
# econntab | grep SYN_SENT --> connections that have only sent one TCP SYN packet (handshake not yet completed)
# econntab | grep FIN --> connections that are in the process of being disconnected
# econntab | grep ^'61' --> for example all connections of rule 61 (use '^61 ' to keep rules 610, 611, ... out of the match)
# econntab | grep 1.1.1.1 --> all connections for IP 1.1.1.1
# econntab | grep ICMP --> all ICMP connections
# econntab | grep ' 443 ' | grep "SYN" --> all https connections in "SYN" state
# econntab | grep ' [0-9]/' --> all connections that time out in the next 10 seconds
# econntab | grep -E '^[1-9][0-9][0-9][0-9][0-9][0-9]' --> all implied rules
# econntab | grep -v -E '^[1-9][0-9][0-9][0-9][0-9][0-9]' --> all without implied rules
# econntab | grep '00000070' --> VRRP connections (IP protocol 112, shown in hex)
# econntab | grep '0000002f' --> GRE connections (IP protocol 47, shown in hex)
PS:
If you see rule numbers above 100000, this is not an error: those are implied rules.
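As an added example (not part of the original post), here are a few shell helpers that take econntab output on stdin and answer the questions from the grep lines above in bulk: half-open connections per source, connections per rule with implied rules tagged, and connections about to expire. They assume the column order from the econntab printf above and that the Timeout column is remaining/total seconds, as the ' [0-9]/' grep suggests; the sample rows are constructed, not captured from a gateway.

```shell
# Added example, not from the original post. Column order assumed from econntab:
#   Rule  Proto  SrcIP  SPort  DstIP  DPort  Timeout  State
# Timeout is assumed to be remaining/total seconds. Sample rows are constructed.
SAMPLE_CONNTAB='5 tcp 10.1.1.10 51234 192.0.2.5 443 3595/3600 ESTABLISHED
5 tcp 10.1.1.10 51235 192.0.2.5 443 7/40 SYN_SENT
5 tcp 10.1.1.10 51236 192.0.2.6 443 9/40 SYN_SENT
5 tcp 10.1.1.10 51237 192.0.2.7 443 12/40 SYN_SENT
12 udp 10.1.1.20 53000 198.51.100.1 53 30/40 UDP_REPLY
100007 tcp 10.1.1.30 44000 192.0.2.9 18264 290/300 ESTABLISHED'

# SYN_SENT connections per source IP, highest count first. Many half-open
# connections from one source point at a scan, a blocked return path or a broken host.
syn_sent_by_source() {
    awk '$8 == "SYN_SENT" { n[$3]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Connections per rule; rule numbers above 100000 are tagged as implied rules
# (the post explains these are not errors). Header and dash lines are skipped.
count_by_rule() {
    awk '$1 ~ /^[0-9]+$/ { n[$1]++ }
         END { for (r in n) printf "%s %d %s\n", r, n[r], (r+0 > 100000 ? "implied" : "rulebase") }' | sort -n
}

# Rows whose remaining timeout (left of the slash) is below LIMIT seconds.
expiring_within() {
    awk -v limit="$1" '$7 ~ /^[0-9]+\/[0-9]+$/ { split($7, t, "/"); if (t[1]+0 < limit) print }'
}

# Stand-alone run on the constructed sample; on a gateway pipe econntab in instead.
printf '%s\n' "$SAMPLE_CONNTAB" | syn_sent_by_source
printf '%s\n' "$SAMPLE_CONNTAB" | count_by_rule
printf '%s\n' "$SAMPLE_CONNTAB" | expiring_within 10
```

On a gateway, replace the sample with the real table, e.g. econntab | syn_sent_by_source.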
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips