- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
fw ctl conntab | grep ip.add.ress | wc -l from the gateway should do it
fw ctl conntab | grep ip.add.ress | wc -l from the gateway should do it
Thats a good command, never seen it before.
Thanks for your reply. How can I identify that this session is relevant to the service like http https exactly?
@Lloyd_Braun Is this result for session count or request count?
It's active sessions (i.e. TCP connection is still open).
Number of records refers to the number of log entries in that file.
Of course, the fact you're showing a screenshot from SmartView Tracker tells me you're probably on a pre-R80 release, which is no longer supported.
SmartView Tracker on R8x isn't supported either (though the binaries are still there).
Our Management Server is R81.10 and Security Gateway is R80.30. I am using C:\Program Files (x86)\CheckPoint\SmartConsole\R81.10\PROGRAM\CPlgv.exe to track the concurrent sessions.
Is there other method to fulfill my requirement?
Even though we include the SmartView Tracker binaries as part of the SmartConsole installation still, it's no longer supported as of R80.
Which means you should find a different way to achieve the same result.
The method @Lloyd_Braun specified is the best way to do it.
@PhoneBoy How can I identify that this session is relevant to the service like http https exactly?
If you look at the output of fw ctl conntab, you have your answer:
<(outbound, src=[10.6.5.251,44738], dest=[3.234.44.184,443], TCP); 2503/3600, rule=0, tcp state=DST_FIN, service=nfsd(393), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1, ISP-Redundancy, SynDoSDefender>
This connection is related to https (TCP 443, as bolded in the above output).
If you just want to see the number of https connections from a specific IP, from expert mode:
fw ctl conntab | grep x.y.z.w | grep ",443], TCP" | wc -l
Is there a way to determine top ten high concurrent connections? I have high spikes of connections on a regular bases and want to determine the IPs involved during this spike event.
Look into sk172229. Also, there are tools like connstat.exe from sk85780, and at least a couple of third-party tools in the ToolBox, by Heiko
Will take a look, thanks.
I still feel that could be wrong use case from CP perspective and correct one is you will always get it or should get it from your web server directly. I mean any one even just telnetting to server on port 443 and killing session; firewall will keep this entry idle for 3600 seconds as per a default timer and he might not be browsing the pages however firewall could still consider this as a session though not valid.
@Blason_R Currently we are using cloud WAF and only permitted public IP addresses can access the web server. We need to figure out LB issue. Therefore, need to check concurrent session count from the firewall level (Sessions or Request count).
Correct !! In this case you can easily get the actual hits on your WAF rather than your firewall because firewall is only going to see the traffic single source or pool of ip addresses belongs to your waf cloud provider.
@Blason_R Yes we can get that information on WAF. Unfortunately App support team inform that, https web traffic is not balancing among the servers (04 web servers). They use Zabbix to monitor their utilization. WAF provide details with TCP connections and Zabbix provides details with per-request. That is why we need to figure out concurrent session count.
Also, is there any way to get old logs detail (Currently we have one month logs in our MGMT) ? like traffic distribution per IP with tcp level...!
You’d have to create a custom report in SmartEvent.
That assumes you’ve logged all the relevant traffic, of course.
cpview might be another option.
Why are you not checking this on the web servers directly, though?
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
23 | |
16 | |
12 | |
9 | |
8 | |
8 | |
7 | |
7 | |
7 | |
5 |
Tue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionThu 30 Oct 2025 @ 03:00 PM (CET)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - EMEAThu 30 Oct 2025 @ 02:00 PM (EDT)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - AMERAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY