bookman
Contributor

Checkpoint Bandwidth utilization check for the uneven spike in the traffic.

Hi Team,

I need a way to understand if Checkpoint can show the data of Bandwidth consumed (per source/network basis) for the specific time of the day.

What are the possible ways I can verify the above?

 

Checkpoint version: R80.20

Blades enabled: Firewall, app control and content awareness

Thanks in advance.

0 Kudos
16 Replies
the_rock
Champion

I believe smart view monitor can show this (under logs and monitor tab in dashboard). Do you have monitoring blade enabled on the firewall?

0 Kudos
bookman
Contributor

Hi @the_rock,

Thanks for your response.

Monitoring blade is not enabled (not licensed), and the only blades that are enabled in the gateway are Firewall, app control and content awareness.

Do we have any other options please?

0 Kudos
the_rock
Champion

Sorry, I saw you mentioned that in the description as far as blades, my bad. Hm, not really sure without monitoring blade, but I can test it in the lab tomorrow. Because, quite honestly, I don't believe there is an easy way (or any way for that matter) to filter for something like this from regular logs, but will confirm.

0 Kudos
bookman
Contributor

Thanks for your response. Very much appreciated. 

0 Kudos
the_rock
Champion

I see there is an option for bandwidth when searching in logs, but not sure what value to search for, as I never used it before. I will check more tomorrow and let you know. It's under the field Other Fields: and then bandwidth.

0 Kudos
PhoneBoy
Admin

cpview on the gateway is one possibility, at least in real-time.
Make sure you are on a recent JHF.

0 Kudos
bookman
Contributor

Hi @PhoneBoy,

Thanks for your response.

Does cpview also show the historical bandwidth usage per source/dest? If not, do we have any other options like cpviewer and Smartview or any other options we can rely on?

@the_rock That's correct, there is a bandwidth option in the other fields, but not sure what option to enter since even I haven't used that before.

0 Kudos
the_rock
Champion

I did not forget about you, just been a busy day, apologies. I had been trying to figure out how to actually run that filter, but no luck so far. Will definitely work on it Friday morning and update you in this thread.

Andy

0 Kudos
bookman
Contributor

No worries, really appreciate your kind support.

0 Kudos
the_rock
Champion

I'm really sorry, tried every possible option I could think of for that bandwidth setting and no luck :(. Maybe you could confirm with TAC or someone else here can chime in.

0 Kudos
PhoneBoy
Admin

cpview has historical options (i.e. you can see what was going on at a given point in time), but I don't know that it tracks specific top connections over time or not.

0 Kudos
bookman
Contributor

Thank you for your response.

So what are the other options we can rely on to check the historical bandwidth usage per source/network basis?

0 Kudos
Timothy_Hall
Champion

Try running the fw ctl multik print_heavy_conn command every day, it will show all connections that were classified by the firewall as "heavy" (a.k.a. an elephant flow) over the last 24 hours.  It won't show the top connections per se, but will help identify any bandwidth-hogging connections historically.  To clarify what constitutes a "heavy" connection see here: sk164215: How to Detect and Handle Heavy Connections

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
bookman
Contributor

Thanks for your response.

Does the command help to identify the connection which had heavy flow a week ago?

The issue occurred only once, and usually this occurs whenever the Microsoft patch upgrade happens over the systems (happens once in a month). So basically I wanted to know and get proof whether this happens because of the patch upgrade or whether any other traffic is contributing to this.

Bandwidth spike occurrences are taken from the SolarWinds monitoring, and from the CP we want to identify the historical bandwidth-hogging connection for that particular time.

0 Kudos
Timothy_Hall
Champion

No, just the last 24 hours, and that duration can't be changed, which is why I suggested running it once a day.

0 Kudos
Antonis_Hassiot
Contributor

Another way to catch real time high bandwidth sources is to run a tcpdump on the gateway for, say, 10 seconds and then export it to Wireshark and sort by Bytes Down.

0 Kudos
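
The per-source byte totals that the Wireshark sort in the last reply produces can also be computed offline from a saved capture; this is an added example, not part of the original thread. It assumes a classic libpcap file with Ethernet framing (the format tcpdump writes with -w); the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

LE_MAGIC = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")  # usec / nsec timestamps
BE_MAGIC = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")

def top_sources(pcap_bytes, n=5):
    """Sum on-the-wire bytes per IPv4 source in a classic libpcap capture."""
    magic = pcap_bytes[:4]
    if magic in LE_MAGIC:
        endian = "<"
    elif magic in BE_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    totals, off = Counter(), 24  # 24-byte global header, then packet records
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14  # skip one 802.1Q tag
        if frame[l3 - 2:l3] == b"\x08\x00" and len(frame) >= l3 + 20:
            src = ".".join(str(b) for b in frame[l3 + 12:l3 + 16])
            totals[src] += orig_len  # wire length, even if the snaplen cut the frame
    return totals.most_common(n)

def build_sample():
    """Constructed capture: three hosts sending frames of different sizes."""
    def record(src, payload_len):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                         bytes(src), bytes([192, 0, 2, 10]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out += record([10, 1, 1, 20], 1400) * 3
    out += record([10, 1, 1, 30], 100)
    out += record([10, 1, 1, 40], 500) * 2
    return out

if __name__ == "__main__":
    for src, nbytes in top_sources(build_sample()):
        print(f"{src:15} {nbytes:>8} bytes")
```

To use it on a real capture, pass the file contents read in binary mode to top_sources instead of build_sample().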